A global IT service provider with 39,000 employees and thousands of computing devices is sure to be a tempting target for digital desperados. But which attack scenarios are most likely to keep the security chief up at night? Dave Bixler, CISO for Siemens Business Services Inc., a subsidiary of Munich-based Siemens AG, lists three:
He's not alone. Of 307 IT professionals who responded to a February SearchSecurity.com survey about their intrusion defense programs, a majority said their biggest concerns are insiders whose computing habits put sensitive data at risk and the spyware and other malware they let in. Those are the threats they most want their intrusion defense tools to address, but they're not always pleased with the results.
"Spyware is a huge problem because the AV vendors have largely let us down," Bixler said. "The main vendors are starting to step up, but they were two years late to the table as far as I'm concerned. Spyware is another flavor of virus, and the last thing I wanted was another tool to put on everyone's desktop to take care of what's essentially another virus."
Where the worries are
When asked what aspect of their intrusion defense tools they would most like improved, 35.6% of respondents said they want better detection and prevention of insider threats, such as employees abusing policy and downloading proprietary information onto flash drives.
More than 32% said they want better spyware prevention, fewer false positives and the ability to separate serious attacks from network noise. More than 30% want a better way to detect unknown/zero-day attacks, while 25.8% want better virus and worm prevention and 25.2% want a better way to correlate threats to vulnerabilities.
Asked what would prompt them to switch to a different IDS/IPS vendor, 45.4% said a different vendor's product would have to better detect and prevent attacks. More than 35% said they'd switch if a different vendor's product were easier to install, administer or manage.
If another vendor's product offered a wider array of security functions and features, 33% would switch. More than 32% would migrate to a different vendor whose product better integrates with the enterprise infrastructure; and 25.2% would make the move if it were less expensive while providing as much security as their current tool.
Among the insider threats Bixler worries about, wayward mobile devices weren't always high on his list. That changed the day a departing employee turned in a laptop without telling the IT staff what the password was.
"I went on the Internet looking for freeware to set the administrative password on the box," he said. "It took eight minutes from the time I found the right freeware on Google to when I was able to open the laptop. I did this while talking on the phone and I'm not particularly good at this stuff."
User education a big weakness
Jeremy Martin can understand why IT professionals are so concerned about insiders. He's a Colorado Springs, Colo.-based penetration tester who spends his working days trying to bust into the networks of large commercial enterprises and government entities like the U.S. Department of Defense.
He'll start with a basic scan and work his way through the network until he's found all the vulnerabilities. He dabbles in social engineering, sending out phishing e-mails to see if anyone will open them. His goal is to show clients where they are weakest on security and how intruders are getting in.
As for spyware, Martin said that in most outbreaks a bad infection can be traced back to users with bad computing habits.
"Spyware is an issue in that people open an e-mail or visit a site they shouldn't, then the spyware is dropped onto the machines," he said.
Words of advice
When clients ask him how they can seal security holes, Martin offers this advice: Employees across the board must learn their organizations' security policies and follow them consistently.
"You need to make sure everyone understands the policy through training," he said, adding that people must know what is and isn't considered appropriate use of the Web, e-mail and so on. Plus the usage policy must be consistent for top executives and junior employees alike.
City of North Vancouver IT Manager Craig Hunter, whose department oversees workstations used by 350 employees, agrees user education is important. But he said the average employee will never become an information security expert.
"The best you can do is embed security into systems so the users don't see it," he said. His philosophy: "Make it easier for users to do it right than to do it wrong."
The best defense is always layered
Looking at the big picture, Bixler, Martin and Hunter agreed that user awareness is only one part of a larger, layered defense. That way, if an intruder punches through one end of the network, he would be stopped by devices and procedures deployed in other parts of the network.
"It's also important to have software that monitors activity not just on the network but also on the individual PCs," Martin said.
One word to the wise, he added, is to use one AV vendor on the network and another on desktops. "One vendor may update signatures more quickly and broadly than another," Martin said. "So with both, you have better coverage."