Soft on the Inside

As the arrest of an AOL employee today for allegedly pilfering screen
of AOL customers for resale to a spammer attests, internal IT
security at most companies is still a greater threat than being hacked from
unknown, outside assailants with malicious intent.

“There’s a saying in security: ‘Crunchy on the outside, soft on the
inside’,” says Barry Kaufman, CTO of the Intense School, an IT training
center in Ft. Lauderdale, Fla., that provides accelerated certification boot
camps for computer professionals. “And the general mentality out there is
perimeter security as opposed to comprehensive and internal security. While
you can technically do great things like patch systems and whole bunch of
other stuff, it’s hard to patch human beings.”

While worms, viruses, Trojans, external hacking and other outside threats
are ever increasing, 80% of hacks still originate from internal sources, as
do 80% of computer crimes, said Kaufman. Some of this is intentional and
malicious. Yet many security issues are simply caused by carelessness on the
part of system administrators unaware of the pervasive security holes in
their systems.

“If they turn just a basic passive scan on internally, they’ll see
everybody’s system is completely wide open unless they’ve gotten involved in
node security,” says Kaufman.

With so much attention paid to security issues over the past few years this
seems paradoxical, but it is understandable once you realize the average
security mentality stems from a medieval mindset: build high walls with
strong gates to keep the barbarians out and you’ll be safe. The problem is,
once the barbarians breech the walls (or bypass them via a tunnel or Trojan
Horse), most companies’ systems are wide open for attack.

Overcoming this mindset and building a better security mousetrap is really
about three things, says Gerry Wilson, CIO of Bedford, Mass.-based security
firm RSA Security: People, process and policy — and then technology, in
that order.

And, while technology solutions proliferate, most are defensive in nature.
Wilson prefers to promote a ‘good offense is the best defense’ strategy that
heads off attacks through ongoing employee training and security policies
and procedures that are strictly enforced.

“The easiest things for a CIO to do is to go buy a technology solution,”
says Wilson, “but the harder component is to surround that with processes
and people and the administrative policies that help that technology do its
job and do what it’s intended to do.”