
Insider actions and the fight against network threats

By Joshua Block, Cyberoam | Security

External and internal threats are driving enterprises to the edge, costing
them millions of dollars and forcing them to constantly find new ways to protect
their networks. But whether threats originate from outside or inside an organization,
there is always one person in a position of control -- the insider!

Because users play such a critical role in network security, the OSI stack
has been extended from its seven layers to include the eighth layer - the human
layer. Layer 8 is where technology interfaces with users, and it addresses network
security by controlling user actions through identity-based policy creation.

Insiders lead attackers inside the network

Internal users have the easiest access to sensitive corporate data, applications
and resources in the network. They are increasingly using multiple protocols
like email, IM, P2P, FTP, HTTP and Web 2.0 for their business communication
needs, giving rise to multiple points for data leakage and threat entry.

User behavior is the most unpredictable and this has put the most precious
asset in enterprises - corporate information - at high risk. Ignorance about
security policies, lack of up-to-date knowledge on network security, malicious
intent for financial gains and aversion to corporate policies and practices
can prompt an insider to pass on sensitive information to outsiders.

Consider this example: A disgruntled employee wanting to get even with his
previous organization sent an email to a former colleague, asking him to look at
some photos on his Geocities website, which is a Yahoo! portal. Because the
ex-colleague knew the sender of the email, he went ahead and logged into the
site using his Yahoo! username and password to access the photos. What he didn't
realize was that the login page was a fake and the miscreant now had his login
details. He remained oblivious to what had happened because he was redirected to
the Geocities page with the photographs. The attacker now had the ability to
log on to Yahoo! using the ex-colleague's identity and could get away with confidential
corporate information, because Yahoo! was the standard mode of communication
in the organization. He could easily misguide customers and put the enterprise
at risk. He could even install malware and keyloggers in the network to wipe
out or send information at his discretion.

Data leakage in enterprises can cripple the business and may lead to loss of
goodwill and trust among its customers. Whether intentional or not, insider
actions can therefore make or break enterprises, and insiders play the most critical
role in facilitating both external and internal attacks.

Attackers know this and have identified internal users as the weakest and the
most critical link in the security chain. They have shifted their strategy from
large-scale attacks to small, user-targeted attacks. Attackers are studying
the user psychology and predicting user behavior to launch highly-focused social
engineering attacks on insiders.

Balancing network security and business flexibility

Suspecting outsiders' intentions is more common and easier than handling threats
from insiders. It is impossible for an enterprise to know which of its employees
is being targeted. This is especially true because most enterprises base their
security decisions on users' IP address information instead of their
identities. Working with a lack of user identity information, most enterprises
deploy a strict, common security policy for access to network resources. But
such blanket policies restrict business flexibility and productivity among users,
forcing them to compromise on the efficiency of their duties. Enterprises therefore
need to balance network security with business flexibility to allow users to
perform optimally in a secure network environment.

Importance of user identity in network security

Security systems that incorporate broader policy-setting criteria like user
identity, work history, experience, work profile, hierarchy, department, and
others allow network security to adapt to changing user profiles.
A user threat quotient can be calculated by rating users on their
susceptibility to attack, and policies can be created based on that quotient
value to proactively thwart network attacks. Identity linked to user
activity and profile therefore needs to be woven into the security solution for comprehensive
protection against blended network attacks. Network activity logs that carry
user identity information allow enterprises to make informed and intelligent
decisions about potential threats caused by insiders.
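The two points above, IP-based versus identity-based decisions and a log-derived user threat quotient, as an added illustration that is not part of the article or of any Cyberoam product. It joins an IP-only proxy log with a constructed identity feed (who was authenticated on which address from when), scores each resolved user with assumed weights, and maps the score to an assumed policy tier; note how the reassigned DHCP lease on 10.0.0.5 would be misattributed by an IP-only policy.

```python
from collections import defaultdict

# Constructed sample data (not from the article). A DHCP/directory feed that
# records which user authenticated on a source IP from a given time, and a
# proxy/firewall log that, like most such logs, carries only the IP address.
IDENTITY_EVENTS = [  # (timestamp, ip, user), sorted by timestamp
    ("2011-03-01T08:00:00", "10.0.0.5", "alice"),
    ("2011-03-01T08:05:00", "10.0.0.9", "bob"),
    ("2011-03-01T12:00:00", "10.0.0.5", "carol"),  # lease on 10.0.0.5 reassigned
]
ACTIVITY_LOG = [
    "2011-03-01T09:02:11 src=10.0.0.5 proto=HTTP cat=webmail action=allow",
    "2011-03-01T09:10:45 src=10.0.0.9 proto=P2P cat=filesharing action=block",
    "2011-03-01T09:11:02 src=10.0.0.9 proto=HTTP cat=phishing action=block",
    "2011-03-01T13:30:00 src=10.0.0.5 proto=IM cat=chat action=allow",
    "2011-03-01T13:31:00 src=10.0.0.5 proto=HTTP cat=phishing action=allow",
]
# Assumed weights for the threat quotient; the article defines no scale.
WEIGHTS = {"proto": {"P2P": 2, "IM": 1}, "cat": {"phishing": 5},
           "action": {"block": 3}}

def parse(line):
    """Split 'ts key=value ...' into a dict; the timestamp is stored under 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = ts
    return event

def resolve_user(ip, ts):
    """Latest identity event for this IP at or before ts (ISO timestamps sort as text)."""
    user = "unknown"
    for ets, eip, euser in IDENTITY_EVENTS:
        if eip == ip and ets <= ts:
            user = euser
    return user

def threat_quotients(log):
    """Per-user score: every event is attributed to the identity behind the IP."""
    scores = defaultdict(int)
    for event in map(parse, log):
        user = resolve_user(event["src"], event["ts"])
        for field, table in WEIGHTS.items():
            scores[user] += table.get(event.get(field), 0)
    return dict(scores)

def policy_for(quotient):
    """Identity-based policy tier derived from the quotient (assumed thresholds)."""
    if quotient >= 8:
        return "restricted"  # e.g. block P2P/IM, step-up authentication, alert the SOC
    if quotient >= 4:
        return "monitored"   # full logging, awareness-training queue
    return "standard"

if __name__ == "__main__":
    for user, q in sorted(threat_quotients(ACTIVITY_LOG).items()):
        print(f"{user:8} quotient={q:2} policy={policy_for(q)}")
```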
