Although
it tends to be the main focus of information security, perimeter
security can only provide protection if the internal network can
be trusted. Janne Saarikko explains.
Companies are investing in information security
to protect networks against external threats. But anti-virus solutions,
firewalls, and Virtual Private Networks (VPNs), collectively referred
to as perimeter security, can only provide security if the internal
network can be trusted. Strong evidence suggests that internal
networks cannot be trusted and that business-critical information
is sent unprotected through corporate intranets. Traditionally,
companies have put their information security efforts into perimeter
security, protecting only the outer walls of the corporate network.
Internal information security has been a matter of trusting the
employees.
Most security breaches do not originate from
external hackers, viruses or worms, but from employees who, according
to Gartner, commit more than 70 percent of unauthorised access
to information systems. They are responsible for more than 95
percent of intrusions [1]. According to the Computer Security Institute
and the FBI, an insider attack causes an average of 2.1 million euro
in damages, whereas the average outside attack costs 45,000 euro
[2].
The risks
The most obvious risk is the human factor. People with access
to internal networks are always a threat, and one that is very difficult
to manage. The responsibility for an attack should not be placed on the
shoulders of an individual employee. It is fairly easy to create
a small piece of software that will attack the internal network
once it is planted on any computer system within the corporate
network. Distributing the program can easily be done by anyone,
without any special computer skills. In most cases, the person
who installs the malicious software is not aware of it.
Once a malicious program has been installed,
it can cause harm in various ways. The most typical ways are:
1. Gaining user access and taking actions while pretending to be a
legitimate user
2. Capturing confidential data for industrial espionage or other
purposes
3. Destroying corporate data to cause financial damage
4. Causing network and system outages to paralyse the company’s
operations
Security threats arising from within are
increasing the operational risks of businesses:
1. Potential loss of reputation in the face of customers, partners
and investors
2. Risk of business interruption
3. Violation of legal and regulatory requirements to protect sensitive
customer information.
The solution
Protecting against the threats arising from internal networks
requires proactive actions in multiple areas:
1. Security policies must take internal security into consideration
2. All critical data in the computers must be protected
3. All users using critical data must be authenticated and authorised
4. All critical data communications must be encrypted end-to-end
If any of the above is neglected, the company network
is left exposed and vulnerable.
Of the critical areas above, encrypted
data communications is the least addressed in today’s corporate
networks.
The alternatives
Information security should be an integral part of operational
risk management, which covers areas such as human resources, physical
security and general security. Managing internal security effectively
involves implementation of confidentiality, data integrity, authentication
and authorisation to mission-critical business applications as
part of the corporate security policy.
Figure 1 presents a generic architecture
of a corporate IT environment, including the supporting infrastructure
and individual business applications.
Figure 1
Secure communications can be implemented
in different layers of this architecture. Perimeter security solutions
are often based on embedding security features in the IT infrastructure
or business applications. Neither of these approaches allows
for end-to-end security. Integrated infrastructure security requires
expensive and complex re-engineering projects and often involves
dedicated hardware in front of the servers that need to be secured.
Embedding encryption and authentication in
business applications requires code modifications to each business
application. For enterprises this is rarely a viable option, given
the amount and variety of client/server applications in use.
A new concept
A new category of information security solutions, managed security
middleware, has the potential to overcome the limitations of network-level
and application-integrated information security approaches.
Managed security middleware operates between
the underlying IT infrastructure and the actual business applications
as illustrated in figure 2.
Figure 2
This category does not rely on specific security
functionality embedded in the IT infrastructure or business applications.
This means that the complexity related to interoperability, overall
system management and maintenance is reduced, and that centrally
managed communications security can be brought to almost any client/server
application.
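The interposition described above in miniature, as an added example that is not the page's or SSH Communications Security's own code: an unmodified client and an unmodified server both speak plaintext only to a local endpoint, while the two relays in between carry the traffic over TLS. The echo server, the relay function and the self-signed certificate are all constructed for the demonstration; a deployment would use centrally managed keys and a proper accept loop.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)
// relay accepts one connection on l and pipes it to the upstream opened by dial (the interposition layer).
func relay(l net.Listener, dial func() (net.Conn, error)) {
	if c, err := l.Accept(); err == nil {
		defer c.Close()
		if up, err := dial(); err == nil {
			go func() { io.Copy(up, c); up.Close() }()
			io.Copy(c, up)
		}
	}
}
// demoCert is a throwaway self-signed certificate (constructed here; a deployment uses managed keys).
func demoCert() (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	parsed, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}
// Roundtrip: plaintext client -> local layer -> TLS -> server-side layer -> plaintext echo server.
func Roundtrip(msg string) (string, error) {
	cert, pool := demoCert()
	legacy, _ := net.Listen("tcp", "127.0.0.1:0") // the unmodified server: a plaintext echo
	go func() { if c, err := legacy.Accept(); err == nil { io.Copy(c, c); c.Close() } }()
	front, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	go relay(front, func() (net.Conn, error) { return net.Dial("tcp", legacy.Addr().String()) })
	local, _ := net.Listen("tcp", "127.0.0.1:0") // what the unmodified client connects to
	go relay(local, func() (net.Conn, error) { return tls.Dial("tcp", front.Addr().String(), &tls.Config{RootCAs: pool}) })
	c, err := net.Dial("tcp", local.Addr().String())
	if err != nil {
		return "", err
	}
	defer c.Close()
	c.Write([]byte(msg))
	buf := make([]byte, len(msg))
	_, err = io.ReadFull(c, buf)
	return string(buf), err
}
```

Only the segment between the two relays is encrypted; the plaintext hops on each host are what the centrally managed desktop and server software is meant to keep local.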
Managed security middleware provides considerable
cost savings by not requiring infrastructure or application changes.
Also, the centralised management capabilities eliminate labour
related to operating the security system.
When communications security is extended
to end user workstations, new challenges arise in the form of
training and helpdesk costs. Managed security middleware is a
transparent security layer whose security software is invisible
on the user desktops. This minimises user interaction, training
needs and helpdesk costs, giving an attractive return on investment.
As well as protecting application communications, managed security
middleware helps organisations implement cost-effective, technical
countermeasures to improve operational risk management. Compared
to traditional perimeter security alternatives, this new approach
significantly reduces total cost of ownership and improves the
return on security investment.
About the author: Janne Saarikko is director
of global marketing for SSH Communications Security, a supplier
of managed security middleware for businesses, financial institutions
and governments worldwide. For more information, please visit
www.ssh.com
References:
[1] Gartner, 2003 (http://security1.gartner.com/story.php.id.12.s.1.jsp)
[2] Computer Crime and Security Survey by CSI/FBI, 2002
SSH Communications Security are exhibiting
at Infosecurity Europe 2004 which is Europe's number one IT Security
Exhibition. Now in its 9th year, the show features a comprehensive
free education programme, and over 200 exhibitors at the Grand
Hall at Olympia from 27th to the 29th April 2004. www.infosec.co.uk
Date: 26th March 2004. Region: Worldwide. Type: Article. Topic: ISM