Soft on the Inside

Single sign-on, for example, is great for employees tired of multiple
passwords and the post-it notes they rely on to remember them, but it can
leave a wide-open back end once the initial password is breached. That is
why node security is becoming more popular, but this is really just a
smaller, more pervasive version of building walls. Intrusion prevention is
the latest thinking in security and the reason RSA’s business is booming,
says Wilson.

The first level of defense, however, is still strong authentication. Wilson
promotes a two-factor authentication scheme that combines something you
have, like an ATM card, with something you know, like a PIN. RSA sells
a system where the user has a token of some kind — the ‘have’ — that syncs
up to a system password generator that changes passwords every 60 seconds,
and a static PIN the employee remembers.

Using this system, the password changes every 60 seconds, providing a good
layer of initial security, i.e. authentication. From there policies and
procedures take over as well as node security and a system of checks and
balances to ensure someone in marketing isn’t accessing financial data and
vice-versa.
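The token-plus-PIN scheme described above, shown as an added worked example that is not RSA's product code or anything from the original article: a server-side verifier that pairs a salted-hash check of the static PIN (the ‘know’ factor) with a rotating 60-second code (the ‘have’ factor). The proprietary token algorithm is not public, so the code uses the standard time-based one-time-password construction (RFC 6238, an HMAC over the current 60-second counter) as a stand-in; it also tolerates one step of clock drift and rejects a code once it has been accepted. The username, token secret and PIN are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

TIME_STEP = 60        # seconds per code, matching the 60-second rotation the article describes
CODE_DIGITS = 6
ALLOWED_SKEW = 1      # accept one step either side to tolerate token/server clock drift


def time_code(secret: bytes, unix_time: int) -> str:
    """One-time code for the time step containing unix_time (RFC 6238 TOTP, HMAC-SHA1)."""
    counter = unix_time // TIME_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** CODE_DIGITS)).zfill(CODE_DIGITS)


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # The static PIN is never stored in clear; only a salted, slow hash is kept.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TwoFactorVerifier:
    """Server-side check of 'something you know' (PIN) plus 'something you have' (token code)."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}

    def enroll(self, username: str, token_secret: bytes, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = {
            "secret": token_secret,
            "pin_salt": salt,
            "pin_hash": _hash_pin(pin, salt),
            "last_counter": -1,   # highest time step already used, for replay rejection
        }

    def verify(self, username: str, pin: str, code: str,
               unix_time: Optional[int] = None) -> bool:
        user = self._users.get(username)
        if user is None:
            return False
        if unix_time is None:
            unix_time = int(time.time())

        # Factor 1: the PIN, compared in constant time against its salted hash.
        pin_ok = hmac.compare_digest(_hash_pin(pin, user["pin_salt"]), user["pin_hash"])

        # Factor 2: the rotating code, accepted only inside the skew window and
        # only for a time step newer than the last one accepted (no replay).
        current = unix_time // TIME_STEP
        matched = None
        for candidate in range(current - ALLOWED_SKEW, current + ALLOWED_SKEW + 1):
            expected = time_code(user["secret"], candidate * TIME_STEP)
            if hmac.compare_digest(expected, code) and candidate > user["last_counter"]:
                matched = candidate
                break

        # Both factors are evaluated before deciding, so a rejection does not
        # tell the caller which factor was wrong.
        if pin_ok and matched is not None:
            user["last_counter"] = matched
            return True
        return False


if __name__ == "__main__":
    # Constructed enrollment: in practice the secret is provisioned into the token.
    verifier = TwoFactorVerifier()
    demo_secret = b"constructed-secret-0123456789"
    verifier.enroll("alice", demo_secret, "4821")
    now = int(time.time())
    print("login ok:", verifier.verify("alice", "4821", time_code(demo_secret, now), now))
    print("replay ok:", verifier.verify("alice", "4821", time_code(demo_secret, now), now))
```

The replay check matters in this design: a one-time code is only "one-time" if the server remembers the last step it accepted, otherwise a code captured on the wire stays valid until the window closes. The skew window is a trade-off between usability and exposure; a wider window means a captured code is useful for longer.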

Another reason the medieval mindset is no longer effective is the porous
nature of most corporate networks, says Matt Kovar, an analyst with the
Yankee Group in Boston.

“Companies and their applications are accessible through so many different
network connections or application connections that there is almost no real
defined perimeter any longer,” says Kovar.

This is why security vendors like Check Point Software Technologies are
focusing more attention on ‘rules-of-engagement’ at the application layer.
This is different from node security, which is basically a server- or
OS-level perimeter defense, says Kovar. Application-layer security focuses on
point-to-point connections within the network to see who is accessing what
and whether that access should be considered valid.

“That’s the area where organizations are trying to identify. What are the
patterns of communication that should be operating on their network and
trying to identify what falls out of the norm,” he says. “The application is
where the new attacks are going. Are they outside? Are they inside? Many
times the outside attack needs an inside accomplice, if you will, either
witting or unwitting.”
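The two ideas above, the checks and balances that keep marketing out of financial data and Kovar's point about learning which communication patterns belong on the network and flagging what falls outside the norm, as one added worked example that is not Check Point's, the Yankee Group's or the article's own code. It learns a baseline of (user group, application) pairs from a period of access records, layers hard segregation-of-duties rules on top, and reviews a later day's records against both. The log format, the group and application names, and the minimum-count threshold are all assumptions constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed access records from a learning period (key=value format assumed here).
TRAINING_LOG = """\
2024-03-01T09:02:11 user=jdoe group=marketing app=crm op=read
2024-03-01T09:05:42 user=jdoe group=marketing app=crm op=write
2024-03-01T09:07:03 user=asmith group=marketing app=crm op=read
2024-03-01T09:15:19 user=bwong group=finance app=ledger op=read
2024-03-01T09:16:55 user=bwong group=finance app=ledger op=write
2024-03-01T09:20:08 user=cdiaz group=finance app=ledger op=read
2024-03-01T09:21:30 user=asmith group=marketing app=crm op=read
2024-03-01T10:01:44 user=cdiaz group=finance app=payroll op=read
"""

# Constructed records from a later day, to be reviewed against the baseline.
NEW_LOG = """\
2024-03-02T08:59:10 user=jdoe group=marketing app=crm op=read
2024-03-02T09:03:27 user=jdoe group=marketing app=ledger op=read
2024-03-02T09:04:01 user=bwong group=finance app=crm op=read
2024-03-02T11:30:12 user=cdiaz group=finance app=payroll op=write
"""

# Hard rules (the article's "checks and balances") that hold no matter what the baseline learned.
DENY_RULES: Set[Tuple[str, str]] = {("marketing", "ledger"), ("marketing", "payroll")}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) group=(?P<group>\S+) app=(?P<app>\S+) op=(?P<op>\S+)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse key=value access records; malformed lines are skipped rather than guessed at."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def learn_baseline(records: List[Dict[str, str]], min_count: int = 2) -> Set[Tuple[str, str]]:
    """Keep (group, app) pairs seen at least min_count times as the expected pattern of use."""
    counts = Counter((r["group"], r["app"]) for r in records)
    return {pair for pair, n in counts.items() if n >= min_count}


def classify(record: Dict[str, str], baseline: Set[Tuple[str, str]],
             deny_rules: Set[Tuple[str, str]] = DENY_RULES) -> str:
    """'deny' for a policy violation, 'anomalous' for a pair outside the norm, else 'normal'."""
    pair = (record["group"], record["app"])
    if pair in deny_rules:
        return "deny"
    if pair not in baseline:
        return "anomalous"
    return "normal"


def review(log_text: str, baseline: Set[Tuple[str, str]]) -> List[Tuple[str, str, str, str, str]]:
    """Return (timestamp, user, group, app, verdict) for every record that is not normal."""
    findings = []
    for r in parse_log(log_text):
        verdict = classify(r, baseline)
        if verdict != "normal":
            findings.append((r["ts"], r["user"], r["group"], r["app"], verdict))
    return findings


if __name__ == "__main__":
    learned = learn_baseline(parse_log(TRAINING_LOG))
    for finding in review(NEW_LOG, learned):
        print(*finding)
```

Two things the run shows that the paragraph alone does not: a hard rule fires even for a user whose group otherwise looks normal, and a legitimate but infrequent flow (finance reading payroll once in training) lands in review as anomalous. The second is the usual cost of baselining, and the answer is an analyst confirming the flow and adding it to the allowed set rather than lowering the threshold until nothing is flagged.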

And once you connect to partners, vendors, suppliers and customers, the
internal threats increase exponentially. Even though these groups are
technically external to your company, access to the network brings them
inside and makes them an internal threat.

So, while worms and viruses are problematic, and hackers are endemic to the
Internet, these threats are really quite minor compared to the potentially
more damaging insider threat. Rarely, according to experts, do hackers
actually do much harm or steal. More than likely, planting their ‘flag’ to
claim bragging rights is the justification for their efforts. Like it or
not, employees, and lax or non-existent policies and procedures, can cause
the most damage if left unchecked.

“What you need to do is think like a criminal,” says RSA’s Wilson, “and say
‘If I were someone trying to do this, how would I do it?’ And try to put in
some policies, procedures, education, training, awareness, checks and
balances, etc. to mitigate the risk.”