Information Security Management: How Dangerous User Behavior Puts Networks at Risk
As CIO at Bunker Hill Community College, Bret Moeller embraces students experimenting with the technology and information security management as part of their education, but he’d prefer if their independent studies didn’t involve hacking into the college’s network.
“There are some students who discover at school that their whole point in life is to hack into the college’s network to either glean information they have no right to access or to simply kill the network to prove they can do it,” said Moeller, who works to manage and secure the Boston-area college’s network.
“We can detect scanning on our network and we try to lock things down as much as possible or not allow software on workstations, but sometimes there can be a hole in our protections. We can’t control the end users to the same degree one can in a corporate environment, but we still have to do as much as possible to secure the environment from end-users,” he said.
Yet, Moeller may have more in common than he realizes with the corporate network and security managers.
Recent research from the Ponemon Institute revealed that a majority of users disobey company security standards — and they do so knowingly. In addition, survey data just released by RSA shows that trusted insiders “create data exposures of extraordinary scope” through their everyday behaviors.
“End users are smarter than ever. The advent of the PC at home and not just work anymore, as well as the ability to look up and verify what the IT people are saying to you, is a different world,” said Steve Moore, technology leader at Mary Kay Inc. in Dallas.
In addition, users can easily find detailed accounts of how to sidestep corporate policies, available from countless Internet sites and even laid out clearly in publications such as The Wall Street Journal.
With compliance regulations a constant factor, IT executives are caught between a rock and a hard place.
“We’re constantly trying to balance the need for expanded access to information and the requirements to protect information from unauthorized and inappropriate use,” said James Kritcher, vice president of IT at White Electronic Designs Corp.
in Phoenix. “We now have an expanding number of accounts, passwords and other mechanisms to manage access to various resources. The resulting overhead and complexity increase the likelihood that inappropriate access may be granted.”
For instance, users can unwittingly grant inappropriate access to co-workers, friends, and family if they share too much information or neglect to update passwords.
One area Craig Bush finds lacking among users is password security. He said the company has policies in place to ensure passwords aren’t abused or revealed, but users consider managing passwords more of a hassle than a safeguard.
“It’s funny how end users just don’t think passwords are a big deal and think we are just here to make their lives miserable when we request them to change or update passwords,” said Bush, who is network administrator at Exactech Inc. in Gainesville, Fla. “General password security is an area I see lacking among most end users. They just don’t realize there is a technology that can use their passwords to get information and corrupt the entire network.”
Other times, it’s the more technology-savvy users who cause the most trouble. Users have tried to deploy consumer wireless routers at work, said Martin Webb, manager of data network operations, Ministry of Labour and Citizens’ Services, Province of British Columbia, Canada.
“Consumer routers are shipped with all the security settings turned off, which makes it easier to deploy, but it also immediately creates holes with security on the network,” Webb said. “It seems to be an innocuous thing and usually they are deployed without malicious intent, but it is still something we have to stay on top of or we are at serious risk.”
Mixing business and personal life
Another common problem is when users try to take their work home with them, but wind up taking more data off corporate networks and premises than they should. For instance, thumb drives, or USB flash drives, used improperly could bring a company to its knees, according to Albert Ganzon, director of network services and engineering at Pillsbury Winthrop Shaw Pittman LLP, an international law firm in San Francisco.
Being responsible for securing company and client data puts Ganzon into a state of heightened alert, considering information saved on a thumb drive is nearly impossible for him to secure.
“Thumb drives make it so easy for someone to download a copy of anything and just walk out with it. We can’t catch that before it happens; we can’t turn the USB drives off without debilitating other valid functions of the drives,” he said. “It is critical for us to keep client data confidential, and it’s a very touchy area when the potential of leaks occurs.”
Ganzon doesn’t necessarily believe users intentionally put the network, the company and its clients at risk, but when working to get their jobs done they may sidestep certain security policies and information security management without considering the potential repercussions.
“If that data is lost or stolen, well, people just don’t understand the risk they pose at times,” he said.
Christ Majauckas agreed. The computer technology manager at Metrocorp Publications in Boston said users, in some cases, believe they are following the policies yet continue to pose a significant risk with their actions. For instance, one of his security pet peeves is users who download e-mail attachments from personal accounts while logged onto the corporate network via their company PC.
“Downloading e-mail attachments from the personal e-mail is one of the main sources for virus attack,” Majauckas said. “If they use corporate mail, we check that for viruses. But they think it’s better not to use corporate e-mail for personal use, so instead, they open the mail in such a way that we can’t scan for viruses. I am not going to rely on Google to check for viruses on my network.”
For Koie Smith, IT administrator at Jackson, Tenn.-based law firm Rainey, Kizer, Reviere & Bell PLC, users trolling the Internet and visiting personal sites such as MySpace or Facebook represent a big risk, so much so that he uses a Linux-based proxy server called Squid for content filtering and to shut down access to those sites.
For one, he is quite certain the sites aren’t being used for work purposes and on top of that, Smith said he finds those sites and others are ripe with spyware ready to latch onto his corporate network.
“Even though we need the Internet for productivity reasons, browsing the Web is obviously a concern because users can pull down spyware or a virus. Without adequate protections on the computer — or even in some cases when there is — viruses in the wild can still cripple your network by one user browsing to a site they shouldn’t be going to,” Smith said. He added that the content filtering also serves to protect the user and organization legally. “There are things our company can’t have happening in the workplace, and unrestricted Web browsing opens the door for that.”
More Education Required for Information Security Management
Bruce Bonsall, CISO at MassMutual Financial Group in Springfield, Mass., worries most about the intertwined work and home life of most corporate employees that leave networks open to security holes and employees vulnerable to attacks.
He said he also gets concerned when a user population isn’t as educated about security policies or potential threats as they should be.
“It’s not realistic for me to think that people are going to stop mixing their personal and work lives. We have to rely on them to practice good hygiene when opening links and try to prevent all the sewage that is out there from backing up into corporate networks,” Bonsall said.
For him, targeted attacks such as phishing and whaling concern him because they could take advantage of users not keeping up with corporate education efforts.
He said technologies such as network access control and security information management can help protect the network, but only to a certain degree. As attacks get more sophisticated, user education is the only option.
“The bad guys are going after high network staff and senior executives, which is very disturbing. The more information they use that relates to the target, the more likely someone will get tricked, even savvy end-users,” Bonsall said.