It's not that you can't trust them, but...
Thursday, November 20th 2008 @ 2:54 PM
Originally posted - March 13, 2007
Like it or not, the sad reality is that the insider threat exists in virtually all organizations. Given the right set of circumstances, almost anyone can yield to temptation. In my view, a combination of Policies, Awareness, Risk Analysis, Preventative and Detective Safeguards, Audits and Sanctions is the minimum you need before you can say you have done any kind of due diligence in securing your organization’s information. Take any of the recent daily news stories (as they start to become non-news), such as the Texas baby kidnapping or the Tampa airline firearms smuggling…
The insider threat takes many different forms, some of which may not seem insider-related at all. For example:
- Someone who seems normal, but whose home life is just stressful enough that they are open to that “one sure thing” that would help solve their financial problem. All of a sudden the circumstances open up for them, and nobody is watching.
- Someone who leaves an organization under difficult circumstances, maybe not even notable as threatening by management. They may have had access to a number of passwords, or knowledge of how the security systems work, and how to get around them. They may feel a need for revenge or compensation at a time when they think nobody would take notice (possibly before the whole organization knows they are no longer with the organization).
- Someone who has good intentions, but inadvertently helps someone to gain access or information that could allow them to gain access. This is the insider side of the Social Engineering threat.
- Even further toward the Social Engineering side, an outsider with good knowledge of an industry’s security procedures (and maybe even a uniform), as in the baby kidnapping case, can fool enough people in the organization that the lack of awareness itself becomes an insider threat: the attack didn’t come through the network firewall, so it should have been caught on the inside, but wasn’t.
These are just a few examples. Without a complete set of security policies and implementation there are just too many scenarios that you might not think of. A good counter to the insider threat involves a methodical sensitivity or risk analysis that identifies what information, assets or business systems can be compromised, and how much it would impact the organization, its partners, or its customers.
The combination of policy, awareness and other safeguards provides layers that make it more difficult for an insider threat to succeed without being caught. Most of all, if employees or anyone else with access know that the chances of succeeding undetected are slim, and that the consequences of being caught are high, the risk becomes much more manageable.
In a strange kind of twist, some people think their procedures or safeguards are so obscure that nobody would think they could get away with an insider attack. That’s called Security by Obscurity, and it is rarely a good idea on its own. However, there is a balance to strike between letting people know the safeguards are there (deterrent safeguards) and keeping the details vague enough that people don’t know where the weakest points are.
There is an old saying: “Trust, but verify”. We all want to trust our employees, but they must know that they are accountable, and it is in the organization’s best interests, and those of its clients, to put the right safeguards in place to monitor and counter insider threats. It shouldn’t be a privacy debate. The company’s assets are its own, and it has an obligation to protect them.
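The second scenario above (a departed employee acting before the organization has noticed they are gone) and the "detective safeguards" mentioned here are easiest to see in a concrete check. The following is an added example, not code from the original post or from the author: it reconciles an HR offboarding list against an authentication log and the directory's account state, flagging logins after someone's last working day and offboarded accounts that were never disabled. The offboarding records, account states, log lines and the 24-hour grace period are all constructed for the example; the log format is a made-up syslog-like layout and is not a real product's format.

```python
"""Detective safeguard for departed insiders (added example; all data constructed).

Two checks a defender would run on a schedule:
  1. Any successful authentication by an account whose owner's last working
     day has passed.
  2. Any offboarded account still enabled after a grace period.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed HR offboarding feed: username -> last working day (UTC).
OFFBOARDED: Dict[str, datetime] = {
    "jdoe": datetime(2007, 3, 9, 17, 0),
    "asmith": datetime(2007, 3, 12, 17, 0),
}

# Constructed directory export: username -> whether the account is disabled.
ACCOUNT_DISABLED: Dict[str, bool] = {"jdoe": True, "asmith": False, "bjones": False}

# Constructed authentication log in a made-up syslog-like layout.
AUTH_LOG = """\
2007-03-10T02:14:05Z vpn-gw sshd: Accepted password for jdoe from 203.0.113.7
2007-03-13T08:01:22Z fileserver smbd: session opened for user bjones
2007-03-13T22:47:10Z vpn-gw sshd: Accepted password for asmith from 198.51.100.23
2007-03-12T09:30:00Z vpn-gw sshd: Accepted password for asmith from 10.0.0.5
"""

# Point in time at which the review is run (constructed).
REVIEW_TIME = datetime(2007, 3, 14, 9, 0)

# "for user X" must be tried before "for X", otherwise "user" would be captured as the name.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+\S+:\s+.*?(?:for user|for|user)\s+(?P<user>\w+)"
)


def parse_auth_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, host, username) for each recognised line; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production pipeline should count unparsed lines, not silently drop them
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("host"), m.group("user")))
    return events


def logins_after_departure(events, offboarded: Dict[str, datetime]) -> List[dict]:
    """Check 1: successful logins that occurred after the user's last working day."""
    findings = []
    for ts, host, user in events:
        last_day = offboarded.get(user)
        if last_day is not None and ts > last_day:
            findings.append({"user": user, "host": host, "when": ts.isoformat()})
    return findings


def stale_enabled_accounts(offboarded: Dict[str, datetime], disabled: Dict[str, bool],
                           now: datetime, grace: timedelta = timedelta(hours=24)) -> List[str]:
    """Check 2: offboarded accounts still enabled once the grace period has elapsed."""
    return sorted(
        user for user, last_day in offboarded.items()
        if not disabled.get(user, False) and now - last_day > grace
    )


def run_review() -> dict:
    """Run both checks over the constructed data and return the findings."""
    events = parse_auth_log(AUTH_LOG)
    return {
        "events_parsed": len(events),
        "logins_after_departure": logins_after_departure(events, OFFBOARDED),
        "stale_enabled_accounts": stale_enabled_accounts(OFFBOARDED, ACCOUNT_DISABLED, REVIEW_TIME),
    }


if __name__ == "__main__":
    for key, value in run_review().items():
        print(f"{key}: {value}")
```

The point of the two checks is that they need no cooperation from the person who left: they compare three sources the organization already holds (HR, directory, authentication logs), so a gap in the offboarding process shows up as a finding rather than going unnoticed until the damage is done.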
My live security awareness webinars are a quick and affordable way to provide your entire staff with professional quality security awareness training and education - whether it's general training or for specific teams or industries. I offer group rates and can tailor content to your specific needs. Please call or email me at the coordinates below, or CLICK HERE to see my training webinar catalog.
Scott Wright
The Streetwise Security Coach
Join the Streetwise Security Zone at: http://www.streetwise-security-zone.com/join.html
Phone: 1-613-693-0997 Email: scott@streetwise-security-zone.com Twitter ID: http://www.twitter.com/streetsec
To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.