Despite the litany of high-profile network attacks by hackers, crackers and data thieves, the biggest security nightmare for many organizations is an attack on critical everyday business processes by the trusted employees charged with their care.
Take, for example, the Florida Web hosting company that went out of business after a disgruntled employee used the company e-mail system to broadcast false accusations to the company's entire customer list. Or the New York brokerage house that found itself the target of a series of denial-of-service attacks launched by their own network supervisor, who was unhappy with his compensation negotiations.
Even Cisco has found itself on the receiving end of a number of well-publicized security incidents, including a couple of trusted accountants who abused their access privileges to give themselves an unauthorized and unearned $8 million stock bonus.
Trust is an essential pillar of the employer-employee relationship, and no organization wants to deliberately foster a workplace environment of suspicion and surveillance. While technology has solved many of the problems posed by hackers and viruses, security experts are the first to admit that there are few technologies that can protect against a trusted user with a bad habit.
Short of stationing a security guard at every desk, how does an organization ensure that its trusted employees and contractors don't accidentally or deliberately misuse the very
A number of young security companies think they have a solution and are growing them in the most unusual places.
An hour's train ride from Amsterdam brings visitors to the quaint and ancient city of Den Bosch, the heart of Holland's Silicon Valley. In this quiet countryside of lazy windmills and wandering canals, a dozen security and antivirus experts have been working for nearly two years on solving the challenge of protecting critical business processes from trusted users.
In this small community of 30,000 inhabitants Dutch security firm ThunderStore has been quietly testing their latest product called X-Tra Secure, a policy enforcement solution that aims to securely manage the behavior of trusted users, whether they like it or not.
X-Tra Secure works by connecting the organization's security policy to each individual user, enforcing that policy on every document, file, application and system the user has access to and doing so in real time.
If the user tries to ignore or circumvent policy (attempts to send in clear a document that should be encrypted, for example), the action is prevented (the document cannot be sent), the correct action is initiated (the document is automatically encrypted according to policy), the user is informed why, and a log is kept.
X-Tra Secure is not only being touted as a security solution, it's also being pitched as a valuable productivity and even an educational tool. By guaranteeing that trusted users obey rules and policies whether they like it or not, security administrators have more time to focus on other pressing security problems. And because X-Tra Secure explains its actions to users, that should mean fewer calls to help desks from perplexed employees and constant improvement in policy awareness. At least that's the theory.
One of the first customers to try X-Tra Secure was the University of Nijmegen, one of the leading universities in the Netherlands. Universities are notoriously difficult to secure because of their fluidity. They typically house tens of thousands of students, existing and new, across numerous campuses. And student populations have a well-earned reputation for constantly sharing electronic downloads and files, with insiders and outsiders, with little concern for security, policy and sometimes even copyright.
The biggest challenge for the University's MIS department, which supports more than 13,000 students and nearly 4,000 staff, was to prevent system crashes caused by the installation of illegal software, downloading of hacker tools and deletion of system files. According to the University, since X-Tra-Secure has been installed on their network, no system crashes have been reported.
Israeli-company Camelot won a lot of admiration and customers with their HARK! system. Using a slightly different approach to ?trusted user? security, HARK! worked by monitoring network activity and developing patterns of network use by authorized users in an effort to create an overall picture of which resources are being used, how and by whom. Unfortunately, Camelot didn't seem to be able to survive the predicted consolidation in the security industry and closed its doors at the end of 2001.
Harris Corporation offers a similar solution. Harris' Government Communications Systems Division (GCSD) says their Stat Neutralizer also works at the network level, watching out for unusual behavior patterns that could suggest a network intruder, a careless employee or a malicious insider.
Chicago-based Saecos is bringing similar security technology to the financial community, through its experience in building out the security infrastructure for Bank of America. However, the Saecos approach does not involve an off-the-shelf product, but rather a tailor-made mixture of plug-in components that focus on security's famous 3As -- authentication, authorization and administration.
Whoever succeeds in meeting this new security challenge, they are likely to prove the experts wrong. Technology will be able to enforce appropriate behavior, quietly but firmly, on all employees and insiders, taking one giant step closer to protecting the organization's most critical business processes from its most trusted users.About the author
Neal O'Farrell is CEO of Hackademia, a firm focused on security education. He is also an expert on SearchSecurity and answers your questions on e-mail, e-commerce and end-user security, as well as encryption. Read the answers Neal has provided to previous user questions, or submit one of your own.
Related book Building an information security awareness program
By Mark B. Desman
A reference and self-study guide, it goes step-by-step through the methodology for developing, distributing and monitoring an information security awareness program. It includes detailed instructions on determining what media to use and where to locate it, and it describes how to efficiently use outside sources to optimize the output of a small staff. The author stresses the importance of security and the entire organizations' role and responsibility in protecting it.
This was first published in March 2002