
Internal security threats at the Enterprise level

  • United Arab Emirates: Wednesday, March 09 - 2005 at 18:06

With internal threats coming top in terms of security concerns, it's becoming clear that the definition of internal threats is broadening. It is no longer just the malicious, disgruntled employee who misuses confidential information, or the accidental use of financial information outside the organization. It's also now about how and where users are accessing systems and data, and includes employee downtime, IT helpdesk resource utilization, password usage, patches and updates, and security responsibility.

People, people and more people
Managing users is one of your biggest challenges. User provisioning involves adding users to systems and applications when they join your organization. As they change roles, those rights need changing, and when they leave, those rights need deleting quickly and effectively. The user provisioning system needs to effect these changes correctly and rapidly to ensure users do not hold excess privilege on systems, which may breach the separation of duties principle and make fraud easier to perpetrate. When they leave, you have to ensure that every single user account they have on every system is removed immediately; otherwise they have the opportunity to easily gain unauthorized access to the business systems.

Research has found that any one user will be defined in a minimum of 17 places in your IT infrastructure. However, when that person leaves, it can take between 2 and 4 months to remove all the user rights, and even then, on average, 6 identities per user will be left on the system, making it easier for former employees to gain unauthorized access to sensitive business information.
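The reconciliation this implies, shown as an added example that is not part of the original article: a leaver list from HR is compared against account exports from each system to find identities that are still enabled. The system names, logins, employee ids and dates are constructed, and the mapping of each login back to an employee id is assumed to have been recorded at provisioning time.

```python
from collections import defaultdict
from datetime import date

AS_OF = date(2005, 3, 9)  # constructed audit date

# Constructed HR feed: employee id -> last working day.
LEAVERS = {"E1001": date(2005, 1, 14), "E1002": date(2005, 2, 28)}

# Constructed per-system exports: (system, login, employee id, enabled).
# The same person has a different login on each system, so the employee
# id is the only reliable join key; None means no owner was recorded.
ACCOUNTS = [
    ("directory", "jsmith", "E1001", False),
    ("erp", "SMITHJ", "E1001", True),
    ("unix-db01", "john", "E1001", True),
    ("directory", "akhan", "E1002", True),
    ("erp", "mlee", "E2001", True),
    ("vpn", "tmpuser7", None, True),
]


def reconcile(leavers, accounts, as_of):
    """Return (orphans, unmapped): live accounts of leavers, and live accounts with no owner."""
    orphans = defaultdict(list)
    unmapped = []
    for system, login, owner, enabled in accounts:
        if not enabled:
            continue  # already deprovisioned on this system
        if owner is None:
            unmapped.append((system, login))  # cannot be tied to anyone in HR
        elif owner in leavers and leavers[owner] < as_of:
            overdue = (as_of - leavers[owner]).days
            orphans[owner].append((system, login, overdue))
    return dict(orphans), unmapped


def report(leavers, accounts, as_of):
    """Format the findings as text lines, one block per leaver."""
    orphans, unmapped = reconcile(leavers, accounts, as_of)
    lines = []
    for owner, found in sorted(orphans.items()):
        lines.append(f"{owner}: {len(found)} live account(s) after leaving")
        lines += [f"  {s}/{l} enabled {d} days past last day" for s, l, d in found]
    lines += [f"no owner on record: {s}/{l}" for s, l in unmapped]
    return lines


if __name__ == "__main__":
    print("\n".join(report(LEAVERS, ACCOUNTS, AS_OF)))
```

Accounts with no recorded owner are reported separately because they can never be matched to a leaver, which is how identities survive a clean-up.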


Access, access and more access
Employees, partners and customers require secure access to business-critical applications spanning disparate platforms and operating systems, exposing you to security risks. Without correct management of this access, attacks on business information can take place. For example, disgruntled employees could access the HR records and find out about a colleague's salary package, or have access to other sensitive business information they should not be viewing. A careless employee could accidentally delete records from a database or make incorrect financial data transactions. If access to these resources is not tightly controlled, fraudulent activities could take place, such as financial records being changed. This may go undetected as the attacker could cover his or her tracks by amending the audit trails.

One area of exposure to data theft and virus propagation is the sharing of Windows filestore directories. A user may create an ad hoc share to enable a colleague to access some information on his system. Often this is done hurriedly, and permissions are left to default to full permission for everyone. When the access is finished, the share can often get forgotten, leaving a gaping hole in your security.
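A check for exactly this pattern, as an added example that is not part of the original article: it reviews a share inventory for write access granted to broad groups and for unapproved shares that have outlived their purpose. The inventory records, host and share names, the `approved` flag and the 14-day limit are constructed assumptions, not the output format of any particular tool.

```python
from datetime import date

AS_OF = date(2005, 3, 9)             # constructed audit date
MAX_ADHOC_AGE_DAYS = 14              # assumed policy for unapproved shares
BROAD_PRINCIPALS = {"everyone", "authenticated users", "domain users"}
WRITE_RIGHTS = {"full", "change"}

# Constructed share inventory; each ACL entry is (principal, right).
SHARES = [
    {"host": "WS-0412", "name": "temp_for_ali", "created": date(2004, 11, 2),
     "approved": False, "acl": [("Everyone", "Full")]},
    {"host": "FS01", "name": "Finance", "created": date(2003, 5, 1),
     "approved": True, "acl": [("FinanceTeam", "Change"), ("Auditors", "Read")]},
    {"host": "WS-0077", "name": "scans", "created": date(2005, 3, 1),
     "approved": False, "acl": [("Everyone", "Read")]},
    {"host": "FS01", "name": "Public", "created": date(2002, 1, 10),
     "approved": True, "acl": [("Everyone", "Change")]},
]


def audit_share(share, as_of):
    """Return the list of findings for one share (empty if it passes)."""
    findings = []
    for principal, right in share["acl"]:
        # Write access for a catch-all group is the hurried default described above.
        if principal.lower() in BROAD_PRINCIPALS and right.lower() in WRITE_RIGHTS:
            findings.append(f"{principal} has {right}")
    age = (as_of - share["created"]).days
    # A share nobody approved that is still present after the limit was forgotten.
    if not share["approved"] and age > MAX_ADHOC_AGE_DAYS:
        findings.append(f"unapproved share is {age} days old")
    return findings


def audit(shares, as_of):
    """Map 'host:share' to its findings, omitting shares with none."""
    results = {}
    for share in shares:
        findings = audit_share(share, as_of)
        if findings:
            results[f"{share['host']}:{share['name']}"] = findings
    return results


if __name__ == "__main__":
    for share, findings in audit(SHARES, AS_OF).items():
        print(share, "->", "; ".join(findings))
```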


Passwords
In today's IT environments, users have multiple log-in IDs for the systems and applications they use in their jobs, resulting in many passwords for them to remember. When users have to remember so many passwords, they often choose simple or easy-to-remember passwords, like names of pets, or dates of birth.

This creates security holes in three ways: firstly, users need to find a way to remember all these passwords, so they typically write them down where they can be easily seen by others; secondly, the easy-to-remember passwords are simple to crack with today's hacking tools; and finally, the personal passwords are often easily guessed by colleagues who know their personal circumstances, or through "social engineering" attacks where someone engages in a friendly conversation and can soon find out simple personal details such as children's names, pets' names etc.

Of course, even with simple passwords, users forget them, putting the IT helpdesk under strain because of the volume of calls (Gartner reports that 25% of all helpdesk calls are password related) and increasing the workload of systems administrators, who spend their time re-setting passwords instead of looking after the critical IT resources.


Desktop Antivirus tools
Anti-virus tools are a default part of an organization's security infrastructure. However, they can be a source of misuse if locally managed desktop anti-virus solutions are used, as opposed to more secure centrally managed solutions. Firstly, locally managed anti-virus allows the user to switch off the virus protection, as is sometimes requested for the install of other programs, and then forget to switch it on again. It also means users can alter the configuration settings, which could put them in breach of your security policy and create dangerous gaps in the virus defense. Without a centrally managed system, the role of the IT administrator is reduced to 'desktop surfing' - continuously going round each desktop with a floppy disk update. This is not only an inefficient use of a highly skilled IT administrator; it is also a losing battle given the, sometimes multiple, updates a day, leaving the business exposed to attack.


Web browsing and web-based email
Browsing websites and using web-based email can seem an innocent activity to the user, but both activities can disrupt normal business activity. Viruses and malicious code can be hidden in web sites, and downloads of unsigned ActiveX and Java executables can contain harmful hidden payloads. Other downloads, such as MP3s and images, clog up network bandwidth, restricting its use for legitimate business activities or even causing a server crash. In addition, as gateway antivirus tools cannot detect web-based email activity, users can receive emails with dubious content, or damaging attachments that run onto the local desktop and server. Users can also attach confidential documents and send them via these email accounts completely undetected, exposing the company to risk.


Instant Messaging and Chat Rooms
IM tools are typically used for personal reasons, and a large part of an employee's day can be taken up with this type of chat, leading to reduced employee productivity.

IM has the same security issues as web-based email - users can potentially send and receive sensitive corporate data.

There are also viruses that are specifically aimed at IM systems (e.g. Choke virus). Antivirus tools at the gateway do not detect IM, so infected files can seep onto the desktop and then into the network.

Chat rooms are another gateway for viruses, as they bypass the gateway antivirus solution. Like web-based email, they also provide the means for confidential data to be transferred undetected. Add to that the new major threat that organizations need to be careful about - spyware. These are non-viral applications that can trace user behavior on the net or silently record keystrokes and data transmission from personal PCs. This information can then be used by the spyware creator to cause financial loss - as in the capture of an online user ID and password for an e-banking application - or to track a user's activity on the net and breach privacy.


Update patches on servers
With so many applications, servers and workstations, how can a company ensure it has the latest updates and most recent patches? The demand on IT time for maintaining system patches and updates is huge - each supplier website must be checked on a daily basis for the most recent updates, as must the vulnerability web sites like CERT, Bugtraq, etc.

Having found vulnerabilities that may be relevant, you then have to individually check each of your systems to see if they apply. This all adds to the resource and time needed, making it difficult to be up-to-date with the process. Even mail pushes don't relieve the issue, as these updates still need to be installed across your diverse IT environment.

This activity uses up valuable IT resource that could be used in other security areas, and becomes demoralizing for the IT administrator handling this task. This problem is compounded by the continually changing IT environment.

The result is that many organizations do not do this due to the time and expense, which is why so many of the recent viruses have been successful even though the vulnerabilities they exploit are well known and have patches available.
