Friend or foe?
Internal attacks can weaken your company, but there are lots of ways to minimize the risk.
Posted by : Elizabeth Millard

It's the kind of stomach-dropping moment that every IT manager dreads. The network is attacked, and no matter how many safety blocks have been put in place or tough digital barriers erected, data gets corrupted or stolen right in front of IT's horrified stare. A mad scramble and firewall reset confirms that the attack is even worse than believed, because it's coming from a place that no one expected: just down the hall.

Internal threats aren't new for companies. Ever since the first employee had access to the first supplies cabinet, pilfering has been an issue. As computers got introduced, the capacity for theft and damage has increased. What many IT departments may not realize, however, is that the problem is much worse than they might think.

In a recent FBI security survey, 80 percent of the respondents reported insider abuse of their computer systems. Research firm Gartner has reported that 70 percent of incidents that cause money loss are the result of insider theft.

Although IT has undoubtedly locked down their networks and systems, it's likely that those controls were done with outsider threats in mind. Inside a company, employees usually have access to a variety of servers and equipment, because in order to swap files and share information, the technology controls need to be somewhat loose and easy. Unfortunately, those open doors can prove to be a bigger danger to company security than unknown hackers or miscreants trying to jump on a firm's wireless network.

Inside job

There are several ways that an employee can wreak havoc on a company system. Although focused, malicious attacks can be the most frightening, there usually aren't many employees who are tech savvy enough to bring down a corporate network through hacking. Most often, dangers occur when an employee has access to files or servers that should be better controlled, especially if those electronic paths lead to the accounts payable department.

Jeff Johnson, co-founder of Atlanta-based security monitoring firm Oversight Technologies, notes that in the last five years, employee theft through digital means has gotten out of control. "We've been calling them business hackers," he says. "They hack into the system and find a way to cut themselves checks and then cover it up."

One Oversight client had an employee who found a way to access the accounts payable system. He went into a vendor file, changed the vendor's name to his own, and cut himself an $80,000 check. Then, once the deed was done, he changed the vendor name back. He might have gotten away with it if he hadn't gone directly to a local check-cashing place that decided to call the company for verification.

Such incidents are all too common, Johnson says. Beyond that kind of fraud, employees can also be dangerous by either damaging equipment deliberately, or blithely downloading viruses or stumbling across networks by accident.

"It's a significant issue," Johnson says. "No matter how an employee poses a threat, either accidentally or on purpose, insider abuse is very real. IT needs to analyze their systems and do something to prevent these threats."

Locking down

One of the most important ways to keep information safe is to enlist the very people who pose a danger in the first place. Since network security breaches can sometimes be a result of carelessness on the part of a user, education can go a long way toward reducing the threat. For those employees who are a bit wilier and like to sneak around a network, educational efforts that mention policy enforcement may keep them in check.

"Having a security policy doesn't make sense if it doesn't make people obey," says Doug Landoll, president of Austin, Tex.-based network security firm Veridyn. "You need to set the guidelines through a policy, and then think about how to enforce those rules."

In crafting a security policy, IT departments should refrain from using standard boilerplate language about respecting company property and not using corporate resources for personal use. Although such policy templates may pass muster with company attorneys, it's far better to nail down the specifics of what's allowed and, most important, what won't be tolerated.

"Can you e-mail the company directory to someone outside the office?" Landoll asks, as an example of the kind of incident that should be included. "What will happen if an employee tries to access a server they shouldn't be on? An IT department needs to clearly define what a breach is and work with HR to define what would be grounds for termination."

He adds that subsequent security training can be a challenge, simply because users are at different levels. However, it's crucial that training be done, since it often minimizes the risk of damage in the future. "Just letting them know that you're aware can sometimes be enough," Landoll says.

Tech to the rescue

Education and strong policies can reduce some of the threat, but for real protection, IT departments can also employ some technology to make sure that threats are kept to a minimum. Several companies have been developing tools specifically geared toward protecting networks and data from insiders.

Security heavyweight Check Point Software Technologies has come out with InterSpect, an appliance that includes defense technologies meant to help prevent or at least mitigate attacks from inside the network. Similarly, Ingrian Networks has been touting its latest product, DataSecure, which is designed to protect data while it's in storage, in use, and in transit among machines.

DataSecure uses a high level of encryption in order to work. Using powerful encryption for lessening internal risks is a growing area, and there seem to be quite a few products in development that help companies secure data while it's being routed from one employee to another. Shlomo Touboul, CEO at San Jose, Calif.-based security firm Finjan, notes that clients who were suffering from intellectual property loss have embraced their encryption-based application, called Mirage.

"With Mirage, an employee can send sensitive data outside the company," Touboul says, "but the person opening it will only see meaningless code." Also popular are monitoring services like those available at security firms like Oversight. Johnson says that with so many transactions taking place at a company, IT needs an effective monitoring tool that can make sense of questionable data transfers and unauthorized access requests.
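The accounts payable incident described earlier (vendor name changed, check cut, name changed back) leaves a recognizable trace in an audit trail. The following is an added example, not code from Oversight or any vendor named in the article; the log format, field names, vendor IDs and user names are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit trail (not real data): vendor-master edits and payments.
AUDIT_LOG = [
    {"ts": "2008-03-03T09:12", "user": "jdoe", "event": "vendor_update",
     "vendor_id": "V-1042", "field": "name", "old": "Acme Supply", "new": "J. Doe"},
    {"ts": "2008-03-03T09:20", "user": "jdoe", "event": "payment",
     "vendor_id": "V-1042", "amount": 80000},
    {"ts": "2008-03-03T09:31", "user": "jdoe", "event": "vendor_update",
     "vendor_id": "V-1042", "field": "name", "old": "J. Doe", "new": "Acme Supply"},
    # Ordinary rename that is never reverted: must not alert.
    {"ts": "2008-03-04T14:00", "user": "asmith", "event": "vendor_update",
     "vendor_id": "V-2001", "field": "name", "old": "Globex", "new": "Globex Inc."},
    {"ts": "2008-03-05T10:00", "user": "ap_batch", "event": "payment",
     "vendor_id": "V-2001", "amount": 1200},
]

def find_flip_and_revert(log, window=timedelta(days=7)):
    """Flag vendors whose name was changed, paid under the temporary name,
    and then restored to the original name within `window`."""
    alerts, pending = [], {}  # pending: vendor_id -> open rename + payments since
    for e in sorted(log, key=lambda e: e["ts"]):
        ts, vid = datetime.fromisoformat(e["ts"]), e["vendor_id"]
        if e["event"] == "vendor_update" and e.get("field") == "name":
            p = pending.get(vid)
            if p is None:
                pending[vid] = {"original": e["old"], "temp": e["new"],
                                "changed_at": ts, "users": {e["user"]}, "payments": []}
            elif e["new"] == p["original"]:
                if p["payments"] and ts - p["changed_at"] <= window:
                    alerts.append({
                        "vendor_id": vid,
                        "temp_name": p["temp"],
                        "total_paid": sum(x["amount"] for x in p["payments"]),
                        "users": sorted(p["users"] | {e["user"]}),
                    })
                del pending[vid]
            # Any other rename keeps the first-seen name as the baseline.
        elif e["event"] == "payment" and vid in pending:
            pending[vid]["payments"].append(e)
            pending[vid]["users"].add(e["user"])
    return alerts

if __name__ == "__main__":
    for alert in find_flip_and_revert(AUDIT_LOG):
        print(alert)
```

The rule depends on the vendor master file recording old and new values for every edit; if the audit trail only stores the current name, the revert erases the evidence.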

Although insider threats have been a constant over the years, that doesn't mean they have to continue to give IT managers and CIOs nightmares for years to come.

"Security is a chain, and it's going to break at your weakest link," notes Landoll. "It's the job of every IT department to make sure both the internal and external links are strong."

 
 
Copyright © 1994-2008 ComputerUser, Inc., All Rights Reserved All marks are trademarks of ComputerUser Media.
Reproduction in whole or in part in any form or medium without express written permission of ComputerUser, Inc. is prohibited.