Addressing the problem of companies not taking insider threats seriously, the “Many Enterprises Still Don’t Recognize Insider Threat, Studies Say” article on DarkReading made some much-needed points about intranets not being the secure entities that many companies believe them to be. While the article’s primary focus is on traditional insider threats—with employees knowingly or unknowingly causing most of the problems—it got me thinking about different kinds of non-traditional threats.
The chief non-traditional threat that comes to mind is company workstations being infected with malware when users simply browse the web. Unpatched browsers are still the norm in corporate America, so a drive-by exploit can infect a workstation without the user clicking on or downloading anything, and that applies to administrators as much as to non-technical staff. Once infected, the workstation becomes an insider: it carries the user's credentials and network position, and it can be used to reach both internal and external company resources.
The number one way these malware-based insider threats get in is through scripting: code the browser runs automatically when a page loads. For an example of what scripting can do, look no further than the Twitter attacks that occurred over the weekend (one on Saturday, the other on Sunday).
The most obvious fix for these all-too-common, script-driven browser infiltrations is to go no-script: disable scripting by default and enable it only for the sites that need it. Sure, it's a pain, and employees are likely to complain, but is the potential compromise or loss of data really a risk that companies are willing to take? For some companies the answer is, unfortunately, 'yes.' Though it may be obvious to security professionals why disabling scripting is more necessary than optional, company management usually buys into long-propagated myths, such as anti-virus and anti-spam applications being enough protection against both internal and external threats. Those tools catch known malicious files and messages; they do nothing about a script that exploits an unpatched browser on a page the user was allowed to visit.
If you find yourself in a company that is scared to take the plunge and go no-script, another way to help protect non-technical users and company data is a whitelist. It is far easier than maintaining a blacklist of 'bad' sites that users need to avoid, and it cuts out time, money, and frustration by allowing users to visit only the specified 'safe' sites. The one thing to get right is the matching: a whitelist must compare the exact hostname of the request, not look for an approved name somewhere in the URL, or an attacker simply registers a lookalike domain that contains it.
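As an added example (not code from the original post or from any particular proxy product), the following Python shows the difference between the naive "approved name appears in the URL" check and a proper hostname match. The allowlist entries and the sample URLs are constructed for illustration; a real deployment would load the list from a policy file and enforce it in the proxy. It also requires HTTPS, so that an allowed site is only ever reached over an encrypted connection.

```python
"""Whitelist (allowlist) enforcement for outbound browsing.

Added example. The allowlist below and the URLs in main() are constructed
and hypothetical; they are not from the original post or any real product.
"""
from urllib.parse import urlsplit

# Hypothetical allowlist. A leading "." means "this host and any subdomain";
# an entry without a leading dot must match the hostname exactly.
ALLOWED_HOSTS = {
    ".example-intranet.test",   # the intranet and everything under it
    "payroll.vendor.test",      # one specific vendor host, no subdomains
}


def naive_allowed(url: str) -> bool:
    """The substring check people write first. Kept only to show why it fails:
    any URL that merely *contains* an approved name passes."""
    return any(entry.lstrip(".") in url for entry in ALLOWED_HOSTS)


def host_allowed(hostname: str) -> bool:
    """Match the hostname alone: exact for plain entries, exact-or-subdomain
    for dotted entries. 'evilexample-intranet.test' must not match."""
    hostname = hostname.rstrip(".").lower()   # trailing dot = same FQDN
    for entry in ALLOWED_HOSTS:
        if entry.startswith("."):
            root = entry[1:]
            if hostname == root or hostname.endswith("." + root):
                return True
        elif hostname == entry:
            return True
    return False


def url_allowed(url: str) -> bool:
    """Return True only for an https URL whose parsed hostname is allowlisted.

    Parsing with urlsplit, rather than string searching, is what defeats the
    'user@host' and 'trusted.name.attacker.tld' tricks: the hostname is the
    part the browser will actually connect to.
    """
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https":    # require an encrypted connection
        return False
    if not parts.hostname:         # e.g. 'https:///path' or a mailto: link
        return False
    if port not in (None, 443):    # adjust if your intranet uses other ports
        return False
    return host_allowed(parts.hostname)


def main() -> None:
    # Constructed sample requests, some of which are deliberately tricky.
    samples = [
        "https://wiki.example-intranet.test/",             # allowed
        "https://payroll.vendor.test/login",               # allowed
        "http://wiki.example-intranet.test/",              # not encrypted
        "https://sub.payroll.vendor.test/",                # no subdomains
        "https://wiki.example-intranet.test.evil.test/",   # lookalike suffix
        "https://wiki.example-intranet.test@evil.test/",   # userinfo trick
        "https://evilexample-intranet.test/",              # lookalike prefix
        "https://wiki.example-intranet.test:abc/",         # malformed port
    ]
    for url in samples:
        print(f"{url:50} naive={naive_allowed(url)!s:5} proper={url_allowed(url)}")


if __name__ == "__main__":
    main()
```

Run it and compare the two columns: the naive check waves through three of the hostile URLs that the parsed-hostname check rejects, which is exactly the gap an attacker would look for in a homegrown whitelist.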
If you find that a whitelist is also out of the question, I will fall back on one of my oft-touted solutions: encryption. Many companies feel that encryption for intranets is unnecessary, since they see intranets as internal and therefore 'safe,' but the reality is that encryption is just as necessary for intranets as it is for external sources. An infected workstation sits inside the network, and any other user's intranet traffic that crosses the wire in plaintext, logins and session cookies included, is there for it to capture.
Another recent article on DarkReading pointed out that the default settings in Internet Explorer 7 and 8 can be unsafe for internal, intranet-based web applications. Since most companies use Internet Explorer as their default browser, there is no denying the importance of intranet encryption.
But whether you go no-script, create a whitelist, or encrypt every last piece of data you have (which we highly recommend), also consider compartmentalizing your data. Inventory it and rank it according to its sensitivity. Then segment your network so that the important material is really protected: one compartment for general users, another for the employees who handle sensitive information 'a,' another for the employees who handle sensitive information 'b,' and so on. That way, a compromised workstation in one segment does not hand the attacker the rest of your data.
The bottom line is that traditional insider threats as well as malware-based insider threats need to be taken seriously if we’re going to move forward and keep our companies—and ourselves—secure.
If you’re looking for some additional ways to keep your company—and yourself—a little safer, we’ve put together a handy list of books that might do the trick.