Tackling the Insider Threat

Linda McGlasson • October 4, 2007

It's About Protecting the Network Endpoints

Last week's announcement of yet another unencrypted laptop being stolen - this time it is retailer The Gap's recruiting vendor and its gaping lack of security (the vendor laptop was stolen with personal information of 800,000 applicants Gap Press Release ) opens another line of questions for financial institutions. Is the increased productivity of portable devices, (laptops, USB drives, etc.) worth the risk of infection or data theft? More importantly, are you able to defend your networks from the invasion of the external threats that seemingly pile up at your firewall due to the use of these endpoints?

What is the biggest threat for data loss? "Trusted" employees who are plugging in everything from iPods to external personal laptops onto your network and downloading everything from mp3s to the entire (fill-in-the-blank) Excel database.

If you're not cognizant of the insider threat in your institution, you need to rethink your security strategy.

To know where and when employees are accessing data means watching your endpoints. Endpoint controls can play a key role in preventing or reducing the insider threat, says Ari Tammam, an information security company executive. Financial institutions are doing a better job than many other companies because of the regulatory compliance that goes along with being a financial institution, but the threat is still present.

The CSI/FBI reports in recent years have all pointed to the fact that most attacks are coming from inside the network. Tammam, the channel vice president at Promisec, points to one of the FBI insider threat studies and notes, "Some endpoints are overlooked. Financial institutions are more conscious of endpoint security, but they still have to give their employees some leniency in order to get their jobs done. The trick to detecting insider fraud is to look at not just what they're opening and looking at in documents, but the context of what they're doing with that information."

Realize every institution has a set of user rules (or acceptable use policy) that must be enforced and repeated to the employees, he says, so they know absolutely where they can and cannot go.

The best example for a financial institution's "unknown" endpoint is the wireless network running outside of the institution, but which can attract endpoints that are left on by default, on laptops or other devices that are also connected to the institution's network. "Therefore it opens the institution's network to the possibility of data leaving the institution, absolutely without anyone knowing that it's going out," Tammam says.

Other endpoints that may not be secured at financial institutions and could make a network vulnerable include the mobile devices that management and bank executives rely on, including PDAs and the ubiquitous Blackberries. "These aren't new to institutions, and most are now adequately protected," Tammam says. "An institution will decide on a single type of device, and standardize the security protocols to protect it, and won't allow any others to operate on their network."

Shared folders on the other hand, have a great potential for compromised data, he says. "For large projects, it's easy to have information in shared folders -- it facilitates information flow." But as sure as that flow begins, it's hard to stop. "What if you accidentally save some sensitive or classified information to that shared folder, and that's just by technical or human error, not intentional. But now it has been made available to everyone."

Tammam recommends institutions run audits on their networks on a regular basis to find the hidden endpoints and other vulnerabilities, and with the findings of those regular audits also stress awareness/education of the institution's staff to avoid future security compromises.