Beating the Insider Threat

What is the best way to plant rogue software inside an organisation?

The prevalence of electronic devices is amazing. Stand in any city station during rush hour and you are guaranteed that at least 80% of the people walking by will have some device capable of plugging into a PC and downloading data.

But do you know how much of your company's data is walking out of the door with your staff?

Securing access to PC-based data is now crucial, and maintaining endpoint security is a must-have for all businesses. This report explores how this can be achieved.

Many would take the email route, sending in an attractive-looking Trojan file in the hope that some user would open it and spawn a virus or malware outbreak.

A good example of this was the “I LOVE YOU” email that appeared in May 2000. The title of the email alone made many people open it, and within a short period of time 45 million computers worldwide were infected with its virus payload.

Fortunately this type of risk is being actively addressed by both user education and technology.

With the increasing amount of excellent spam protection software available, most organisations are able to provide defence-in-depth against such attacks.

User education and awareness have also improved, such that employees are generally less likely to open attachments than in the past, knowing that an attachment may be malware.

In fact, one of the best ways of getting rogue software into an organisation is straight in through the front door in the guise of USB pen drives or similar solid-state devices.

In a recent experiment conducted in the United States, 20 USB drives were dropped around a corporate car park.

They were made visible to the incoming employees but left so that they appeared to have fallen from someone’s bag or pocket.

15 of these drives were discovered by employees who promptly marched into their offices, past the security guard, swiped into the secure building and then placed the USB drive into their company PC.

They of course opened up the pen drive to find out who it belonged to, and probably to see what interesting data, if any, was on the device.

Of course the USB drive carried a piece of Trojan software that quietly loaded onto the PC and then sat there monitoring keystrokes, which were then sent back to the originator.

Luckily this experiment was just that, and not an attempt by a crime gang to target an organisation for financial reward.

Had it been a real criminal attempt, the chances are that the organisation would have suffered significant financial loss and, more than likely, major reputational damage once news of the data loss appeared in the press.

The prevalence of electronic devices is amazing. Stand in any city station during rush hour and you can be sure that at least 80% of the people walking by you will have some device capable of plugging into a PC and downloading data.

This is great news for mobile workers and those who enjoy music on the move, but a complete nightmare for those responsible for managing an IT infrastructure.

A good example is the digital camera, which is available everywhere and is surprisingly cheap compared with cameras of less functionality a few years ago.

Unfortunately, once a camera is plugged into a PC, the storage space on its SD card can be used to remove company data.

Insider Threat

It is a matter of fact that at any time, in any organisation, a percentage of employees will be looking for another job.

This move may be borne out of boredom or the need to move on, which most employers accept as part of managing a workforce.

A small percentage of these employees may, unfortunately, bear a grudge against their employer or see an opportunity to set up in competition with them using data stolen from within the organisation.

This type of insider threat is increasingly taxing the minds of those who secure IT environments, as there is a need to lock down data whilst balancing this against legitimate access for a person’s day-to-day job.

The removal of data using USB devices can happen quickly and discreetly: 4 GB memory sticks are commonplace.

In 2005 the FBI conducted a Computer Crime Survey, which found that 44% of organisations had reported network intrusions originating from within their own organisations.

Many would not report such losses for fear of reputational damage, so the real figure is bound to be higher.

As well as employees who may have malicious intent, we have a group of kind-hearted workers who would not deliberately interfere with company systems but still pose a threat.

For example, not many parents could resist their child asking whether they could print out their latest term report on the company colour printer.

Of course the child would load the report onto their USB memory stick and give it to their mum or dad, along with a host of other files that happen to be on it.

You just know that such a device would have accumulated a bunch of games, malware and viruses just waiting for a chance to offload onto a corporate network.

This results in a direct injection of malware into the organisation’s network.

Compliance of IT systems also becomes an issue when considering unauthorised data access.

Depending upon the legal framework in which your business operates, there may be a requirement for executives to certify the accuracy of the financial data being published.

Questions may be raised about the validity of this data if it can be shown that it may have been removed or manipulated via devices connected to USB ports.

At this point corporate executives are likely to become very attentive to IT security, as such failings can have very personal ramifications for them.

Dealing with the Threat

The answer for many organisations is simply to disable the USB ports and all other external access to the PC.

For some this makes sense, as it provides a complete lock down of the system and allows only network-based movement of data.

Unfortunately, some hacker attacks are now so advanced that they can switch drive access back on by manipulating the PC’s BIOS directly, negating the lock down.

Short of physically removing the ports or, as has happened in some cases, gluing them up, it can be difficult to defend against this type of attack.

In reality, using pen drives to move data from one place to another is extremely useful and can be justified to the business in many cases.

For other businesses, access to USB ports is critical, as field workers come into the office with digital cameras or data collection devices whose contents need to be downloaded onto the network for report creation.

In practice we need a mechanism to manage USB ports intelligently and to enable the IT security team to monitor what is going on at any point in time.

GFI is a company that has a number of products to address network, content and email security.

They have recently introduced a new product called GFI EndPointSecurity designed to deal with the threat to organisations from portable storage devices.

Although we have been talking primarily about removable USB-connected devices, it is also important to remember that CD/DVD and floppy drives pose just as great a threat, although they are arguably less convenient or discreet than a USB pen drive.

GFI EndPointSecurity uses a group based protection model that utilises Active Directory.

With this approach computers can be placed into different groups, each of which has an appropriate level of device access.

For example, you may decide to create a group that contains field workers. They use digital cameras to collect photographs and need to download the images once back in the office.

In their case they will be granted access to a USB port for use by the camera. Additionally, the product provides granular control over the type of device allowed to connect to the PC, so that a camera may be permitted only to copy its images onto the network and not to download corporate data back onto its SD card.

GFI EndPointSecurity also comes with an event log that records every time a device is connected to a PC, even if that connection fails.

Once connected it will also record what data has been copied from or to the device, providing an audit trail of device and user activity.

The tool is rolled out via a remote deployment utility that distributes agents onto each PC in the network, ready to start the monitoring process.

In addition, if there is a need to allow temporary access to a device, this can be granted by the administrator using the central control console.
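As an added illustration of the policy model just described (this is not GFI's code, and the group names, device classes and event fields are constructed for the example), the following Python models group-based device access, read-only camera permissions, time-limited temporary grants and an audit trail that records denied attempts as well as allowed ones:

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Hypothetical policy: an Active Directory group decides which device classes
# its computers may use, and whether data may be copied from ("read") or to
# ("write") the device. Group and class names are constructed for this example.
POLICY = {
    "FieldWorkers": {"camera": {"read"}},              # images come in, nothing goes out
    "Engineering": {"usb_storage": {"read", "write"}},
    "Finance": {},                                      # no removable media at all
}
# Constructed stand-in for AD computer-object group membership.
COMPUTER_GROUPS = {"FW-LAPTOP-01": "FieldWorkers",
                   "ENG-PC-07": "Engineering", "FIN-PC-02": "Finance"}

Grant = namedtuple("Grant", "computer device_class perms expires")      # temporary access from the console
DeviceEvent = namedtuple("DeviceEvent", "when computer user device_class op")  # op is "read" or "write"

def decide(ev, grants):
    """Return 'allow' or 'deny' for one device operation: the computer's group
    policy applies first, then any unexpired temporary grant for that computer."""
    allowed = POLICY.get(COMPUTER_GROUPS.get(ev.computer), {}).get(ev.device_class, set())
    for g in grants:
        if (g.computer, g.device_class) == (ev.computer, ev.device_class) and ev.when < g.expires:
            allowed = allowed | g.perms
    return "allow" if ev.op in allowed else "deny"

def audit(events, grants):
    """Every attempt, successful or not, is written to the audit trail."""
    return [(ev.computer, ev.user, ev.device_class, ev.op, decide(ev, grants)) for ev in events]

def run_sample():
    """Constructed connection events from several endpoints, run through the policy."""
    t0 = datetime(2024, 1, 15, 9, 0)
    grants = [Grant("FIN-PC-02", "usb_storage", {"read"}, t0 + timedelta(hours=1))]
    events = [
        DeviceEvent(t0, "FW-LAPTOP-01", "alice", "camera", "read"),                        # allowed by group
        DeviceEvent(t0, "FW-LAPTOP-01", "alice", "camera", "write"),                       # denied: nothing back to the SD card
        DeviceEvent(t0 + timedelta(minutes=30), "FIN-PC-02", "bob", "usb_storage", "read"),  # allowed by temporary grant
        DeviceEvent(t0 + timedelta(hours=2), "FIN-PC-02", "bob", "usb_storage", "read"),     # denied: grant expired
        DeviceEvent(t0, "ENG-PC-07", "carol", "usb_storage", "write"),                     # allowed by group
        DeviceEvent(t0, "VISITOR-PC", "dave", "usb_storage", "read"),                      # denied: computer in no group
    ]
    return audit(events, grants)

if __name__ == "__main__":
    for row in run_sample():
        print(*row)
```

The denied rows are the ones worth alerting on: a write attempt from a camera-only group, or a repeated attempt after a temporary grant has lapsed, is exactly the activity the event log in the text is meant to surface.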

The reality is that digital media is here to stay. It is cheap, effective and convenient, and gives users and corporations incredible flexibility when it comes to managing their data and their business.

With appropriate, sensible precautions from products such as GFI EndPointSecurity, there is no reason why such devices should not have an ongoing place in corporate IT.