[ISN] The Cybercriminal Inside

From: InfoSec News (alerts@private)
Date: Tue Jul 10 2007 - 22:16:58 PDT


http://www.forbes.com/business/2007/07/10/computer-security-internal-biz-biztech-cx_ag_0710mcafee.html

By Andy Greenberg
Forbes.com
07.10.07

The data breach that occurred at Fidelity National Information Services 
last week was a security professional's nightmare. And not just because 
of the amount of raw consumer data spilled onto the black market. By 
that measure, the 2.3 million users' files that were leaked can't 
compare with the 45 million customers' account information lost by 
retailer T.J. Maxx (NYSE: TJX) just last January.

In Fidelity's case, the volume of the theft was less troubling than the 
source: one of the company's own staff. After the breach, Fidelity 
revealed that the culprit was an employee at the payment processing 
company, one whose job granted him access to the company's database.

In fact, data breaches that come from internal issues aren't unusual. 
According to Attrition.org's Data Loss Database, 104 of the 327 data 
breaches last year started inside companies, not in the hands of 
hackers.

And Martin Carmichael, chief security officer at McAfee Software (NYSE: 
MFE), says that internal data breaches are more likely 
than external attacks to reveal key private information. But how to 
protect servers when every employee is a potential data thief? 
Carmichael spoke with Forbes.com about Fidelity's data debacle, how that 
company and other breach victims can recover, and the problem of 
controlling employees' access to data without paralyzing their 
performance altogether.


Forbes.com: How should a company like Fidelity have protected itself 
from a data breach?

Martin Carmichael: When we look at Fidelity, it's a common situation: 
Companies are focusing on the perimeter between the company network and 
the external network. In the press you read cases about hackers and 
Trojans that come in from the outside and devastate companies. But if 
you look at the statistics, that's not where the biggest losses occur. 
More often they happen when an inside person takes assets or 
information.

So many companies are focused on perimeter security, when they should be 
asking, "What does our infrastructure look like? What are we doing to 
assure compliance within the boundaries of our firewall?", looking at 
that internal structure as well as that external structure.


Is this problem of data loss from internal leaks a new threat?

Not at all.


Then why are companies primarily focused on the security perimeter?

There's this mindset that "the people we hire, we can have confidence 
in." That isn't the case. Statistics tells us that criminals are hired 
at companies everyday, but there's this assumption of ethics and honor. 
We've built this mythos that people on the inside of companies are more 
trustworthy than those on the outside.

On top of that, external hacks have been sensationalized. Inside jobs 
haven't gotten nearly as much visibility in the press.


So how can a company protect itself from internal data breaches?

Every internal station needs to be protected. Take a look at our 
antivirus or other prevention software: It runs on each individual 
platform, rather than in a firewall construct. Each individual computer 
or server within your internal network has to be evaluated for security 
individually. Creating a terrific perimeter isn't enough. The internals 
have to also be hardened and capable of withstanding attack from 
internal staff.


But at some point, don't you have to give your employees access to data 
they need to work?

Sure. But from a security standpoint, one of the things that we need to 
do more effectively is balance risk and productivity. We need to define 
characteristics about what is risked and gained in every security 
decision.

Think about how software is designed. We should be thinking about the 
underlying characteristics of the software, not just fixing certain 
bugs. Take for example a piece of software that can change the 
background of your computer screen, like a Web browser. To do that, it 
has to run as a privileged entity with more access, and someone could 
use that to compromise your system. So how important is it to change 
your screen background? And what's the risk involved?

Similarly, you have to ask what kind of controls you give to a database 
administrator and what kinds of access they have. In many companies, 
people get broad privileges in order to increase their functionality. 
And you can end up with a database administrator who has control over 
everything, with no controls on that administrator himself.


How should a business like Fidelity recover from a big data breach?

You need to have a recovery plan before something even occurs. How does 
the news get presented? What is the effect on the company's stock? How 
do you manage the interface with shareholders? What's the overall 
impact? Your public relations, your CIO and your CEO will all be 
involved and each needs to know their role in a strategic plan.

Above all, you have to maintain integrity with the customers. You have 
to tell them just how their data has been compromised, and give them 
clear steps that you and the customers will each take to address the 
issue. Then you can take a financial look at the business and assess how 
the breach, like any disaster, will affect the bottom line.


Aside from the business and the public relations angle, how do you 
recover from a security standpoint?

There's no one size fits all answer. You have to look at the events and 
ask, "Was this anomalous? Could it have been prevented?" There has to be 
fault resolution. You need to really look at the underlying 
characteristics, and in most cases you can make specific changes. But 
often the temptation after a breach is to make security overwhelmingly 
burdensome. And in terms of the balance of risk and productivity, that's 
not the best solution either. Risk is never zero.

