The Dangers Within

 

By Jenalyn M. Rubio
December 1, 2007

Apart from the traditional security threats to an enterprise’s IT infrastructure, one area which most companies still do not pay enough attention to are the internal threats—this was the consensus among security experts who spoke at the recent Computerworld Philippines Executive Briefing on IT Security.
They said the main culprit isn’t the oft-vilified malicious hacker. Instead, they blamed people inside companies as the biggest cause of security breaches.

In the past 10 years, there have been a steady increase of incidents involving internal threats, says Alexander Ramos, a consultant and computer forensic analyst at the Philippine National Police (PNP), adding that an insider with intimate knowledge of the corporate systems and processes, coupled with the motivation to either steal from their employer or cause damage, is often at the heart of most destructive hack attacks.

According to Ramos, internal threats are very real and should not be taken lightly as they present a major threat which the common security perimeter defense models are not well developed to deal with. “These incidents are dangerous because they expose vulnerabilities in your system. You don’t have an immediate defense for this because that person knows your system in and out and the only way to stop that is to shut down your system,” says Ramos.

Ramos was recently recognized by a leading international organization of experts in the filed of advance computer science studies and computer forensics and was named the 2007 Timothy Fidel Awardee for successfully investigating and combating one of the biggest global network of cyber criminals which attempted to paralyze and take control of major telecommunication networks worldwide.

Ramos points to two kinds of employees to blame for security breaches. They are the end-users or employees who do not conform to standards and policies and who are overly-dependent on the IT people; and the complacent administrators and IT staff who believe their systems are ‘invincible’ and who tend to be careless and inattentive to details. “So the safety nets have to be developed—spend time to learn the technology, set realistic and acceptable policies, and invest on knowledge and people skills,” he says.

Ensure Compliance

For his part, Amado Malacaman, Jr., vice president of the Information Systems Security Society of the Philippines (ISSP), identifies three types of internal threats: the unconcerned users who have no idea they are bringing in threats to their system security; unmindful executives who do not realize they are laying the groundwork for computer abuse and misuse by not setting up the necessary security policies; and the unchecked IT team who do not realize they are justifying their non-compliance to non-existing security policies.

Today, very few companies in the country have a designated IT security officer and the IT security function is assumed to be the responsibility of the IT people—which could be dangerous, stresses Malacaman. He said that IT people could, in fact, be the most dreaded internal threats to the organization because they have access to—and know the details of—most, if not all, files and systems.

According to the ISSP officer, IT people should have a set of rules to follow to ensure the security of the company’s business-critical data, just like the accounting people who have to follow a set of rules to ensure proper financial management.

“Tap a security person or team to ensure computer security compliance from all members of your organization, especially those in IT,” Malacaman says. He adds that security policies should be defined to determine whether programmers are connected to the production systems; who, among IT people, have access to files and systems; and determine whether everyone in the IT team need access to files and systems, among others.

Malacaman emphasizes that the only time a company does not need security is when it can operate its business without a computer, which is near to impossible in this digital age. “So even the owners and the top executives should understand security because relying on your IT people alone could be disastrous to your corporate health,” he says.

Possibly Related Posts:


  • Multiply
  • MySpace
  • Digg
  • Delicious
  • Facebook
  • Squidoo
  • Twitter
  • Yahoo Buzz
  • LiveJournal
  • Google Bookmarks
  • StumbleUpon
  • AOL Mail
  • DZone
  • Ask.com MyStuff
  • AIM
  • Share/Save/Bookmark
 
 
 

Comments

No Responses to “The Dangers Within”

Write a Comment