These are just a couple of examples where company networks have been easily infiltrated from within or by insiders and suffered major financial damage which in extreme cases have been difficult to recover from.
So far we have shown attacks that are premeditated where the intention is specifically to cause damage or steal information. However, there is the accidental damage by the ignorant or unaware employee or insider that does not realize he is causing any harm to the company. The example above is a combination of the two (accidental and intentional) where the attacker uses that employee’s ignorance in the hope that whoever receives the CD will in fact run it on his PC and forget about the company policy which prohibits the use of unapproved media. This is the exact reason for the prohibition but these prohibitions are difficult to enforce.
In a purely accidental breach an employee may inadvertently disable the personal firewall on their PC allowing any number of malicious applications to enter unhindered. If a personal firewall or content inspection is disabled on a PC, employees can surf to virtually any site on the net and inevitably get infected with malicious applications or dialers which are predominantly found on the most popular recreational sites such as pornography and file shares. Another example may be a salesman who wants to synchronize his PDA, which has wireless connectivity, with is PC. During the same process the modem functionality has been activated on the PDA enabling unauthorized access to his PC, especially if there is no security enabled on the wireless connection. These are just a few examples of the multitude of internal security breaches that can bypass the gateway and access the corporate network.
How does a company protect itself from its own users who intentionally or accidentally can cause serious damage?
In light of the fact that most employees either do not read the company’s security policy or forget its content as soon as they have read it and the fact that it is difficult to enforce this policy anyway other than the threat of terminating the contract with an employee. Companies have to invest in internal security systems that complement existing gateway security solutions and provide real time threat detection that minimizes the window of opportunity for threats to become major security breaches.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.