If you're responsible for the security of your network and its data, you might want to shift your focus away from looking at your network from the outside in, and look at it from the inside out.
From a threat perspective, insider attacks can be thought of like an al-Qaida element operating within your walls. You might not see the threat or an actual attack on a daily basis, but you know the threat exists and you must plan for it. Similarly, attacks from the outside can be thought of as a Hamas-like element that exists outside your corporate boundary. Hamas-like attacks are more predictable and identifiable in nature, and as a result are easier to plan for. While both threats are serious, it's the attack from within that always comes as a surprise.
But how does one plan for an attack from the inside? The answer to that question is that there's no easy answer. If you start by assessing who has access to what, IT professionals themselves are at the top of the risk factor food chain due to their knowledge and pervasive access to key systems.
But from a practical standpoint, it's not possible to limit IT's access due to the nature of the job. However, you can certainly audit access, and there's no shortage of tools to do that. One genre of security tools that helps with the auditing and securing of internal threats is data leak/loss prevention systems. DLP systems come in a variety of flavors and protect against a variety of threats, and products in this space focus on everything from securing and auditing file access to monitoring communications and content leaks to encryption of USB devices and hard drives, all the way up through the definition and real-time monitoring of policy-based information access.
Unfortunately, it's no longer possible to simply lock down resources via user credentials and fall asleep hoping that your own employees won't attack you when you're not watching. The fact is that we need to set permissions accordingly and then monitor how those permissions are being used across a wide range of technologies. With DLP systems, much of the threats that you will find will be well-intentioned, like the marketing professional who decides to copy a customer database to a laptop for use on a flight. While that's certainly a legitimate business need, there also are security implications to consider when such sensitive data leaves the organization's walls.
But don't expect DLP systems to solve all of your problems on day one, because much like a home is built by first excavating a foundation, organizations must first identify what resources and information is vital, and then move on to identifying what personnel should have access to what resources. Simultaneously, acceptable use policies should be developed that dictate what information can be accessed remotely and what information can be stored on removable media. Once security and use policies are fully developed, DLP systems can then be used to enforce and report on those policies. According to Gartner, the leaders in the DLP space right now are Vontu, WebSense, Reconnex, and Vericept.
Do you use an enterprise DLP system in your environment? Share your experience here. I'm especially interested to hear about how you've used your DLP system to catch an intruder or thief red-handed.
