01.03.07
Insider Threats
By Dan Morrill
Organizations in many ways contribute to the actions of their employees, either by not wanting to lose a star player who sometimes does things they shouldn't, or by not monitoring who is accessing what and whether those accesses are in the performance of their job duties.
Beyond the ways organizations contribute to insider theft or insider damage to systems, the CERT Systems Dynamics Workshop found other factors that lead to not paying attention to what employees are doing. Those additional factors can be:
• Giving star players free rein because of fear of losing those employees.
• Ignorance (either on purpose or due to naiveté) of indicators of insider threat.
• Disregard for information security best practices.
• Poor human resource practices with respect to pre-hire screening of employees, ongoing monitoring of employees, and provision of facilities to help employees deal with problems (e.g., employee assistance programs, AKA EAPs)
• Lack of training and education of employees on the reliance and trust that the company has in employee job performance
• Lack of training and education of employees on the consequences of violations of employee trust, e.g., prosecution
• The tendency of organizations not to report the problem and seek legal remedy, for fear of damage to their reputation, which does nothing to deter future insider attacks.
Many of us have worked in organizations that really did not pay attention to what we were doing or why we were doing it. Often we find it easier to just go do something, and ask for forgiveness later if it all goes south.
These kinds of work habits should be giving management some clear indications that they have employees who are not going to abide by company policy, or that company policy is weak or non-existent when it comes to dealing with rogue employees. Given the statistics that have been published at Dark Reading on the insider threat, a company that is even somewhat participatory in these habits can be exposed to negative press, and to the economic or legal consequences of having a rogue insider.
Many of us want to trust our employees, but while we want to do so, not everyone is equally trustworthy. Bernie Ebbers of WorldCom fame was a church-going, say-a-prayer-before-company-meetings kind of person, but still had issues when it came to working within an ethical framework that would have allowed WorldCom to survive.
Looking at our information security employees, we need to judge the ethical frameworks they work within. Knowing what they are doing on the job with the accesses they have will help define whether they have a suitable ethical framework for the company.
While no one is going to advocate Big Brother types of actions within any company, knowing what the employees are up to, and where they are going with the permissions they have, will help management make better decisions about how their employees view the ethical framework of the company in relation to themselves. This will help companies develop a framework to assess and manage the risks involved with insider theft or insider crime.
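The point above, knowing where employees are going with the permissions they have and whether each access falls within their job duties, comes down to a simple comparison: an entitlement matrix (which role may touch which resource) checked against an access log. The script below is an added example, not code from the article or from CERT. The role names, entitlement matrix, employee-to-role mapping and log lines are all constructed for illustration; the log format (`timestamp user resource action`) is an assumption, and a real deployment would read from the organization's own access logs and identity system.

```python
"""Flag accesses that fall outside an employee's job-role entitlements.

Added example (not from the article). All data below is constructed.
"""
from collections import defaultdict

# Constructed role-to-resource entitlement matrix: what each job role
# is expected to touch in the performance of its duties.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"ticketing", "password-reset"},
    "dba": {"ticketing", "prod-db", "db-backups"},
    "developer": {"ticketing", "source-repo", "staging-db"},
}

# Constructed employee-to-role mapping (would come from HR / the IdP).
EMPLOYEE_ROLES = {"alice": "helpdesk", "bob": "developer", "carol": "dba"}

# Constructed access log lines in an assumed "<timestamp> <user> <resource> <action>" format.
SAMPLE_LOG = """\
2007-01-03T09:12:01 alice ticketing read
2007-01-03T09:15:44 bob source-repo write
2007-01-03T09:20:10 bob prod-db read
2007-01-03T10:02:33 carol db-backups read
2007-01-03T11:40:07 alice prod-db read
2007-01-03T12:00:00 dave prod-db read
"""


def parse_log(text):
    """Turn raw log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than crash the review
        ts, user, resource, action = parts
        events.append({"ts": ts, "user": user, "resource": resource, "action": action})
    return events


def find_out_of_role_access(events, employee_roles=EMPLOYEE_ROLES,
                            entitlements=ROLE_ENTITLEMENTS):
    """Return the events that are not covered by the user's role entitlements.

    Two conditions are flagged: the user has no role on file at all (an
    account HR does not know about), or the resource is outside the role.
    """
    findings = []
    for ev in events:
        role = employee_roles.get(ev["user"])
        if role is None:
            findings.append({**ev, "reason": "unknown user (no role on file)"})
            continue
        if ev["resource"] not in entitlements.get(role, set()):
            findings.append({**ev, "reason": f"resource not entitled for role '{role}'"})
    return findings


def summarize_by_user(findings):
    """Count out-of-role accesses per user, for a quick management view."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    flagged = find_out_of_role_access(parse_log(SAMPLE_LOG))
    for f in flagged:
        print(f"{f['ts']} {f['user']} -> {f['resource']} ({f['action']}): {f['reason']}")
    print(summarize_by_user(flagged))
```

Run as-is, it flags three of the six constructed events: bob (a developer) reading the production database, alice (helpdesk) reading the production database, and dave, who has no role on file at all. The output is a review list for a manager, not an automatic verdict; whether a flagged access was legitimate is exactly the conversation the article argues organizations need to be having with their employees.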
Source:
http://www.cert.org/
About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.