Insider actions and the fight against network threats

ITworld.com 3/18/08

Joshua Block, Cyberoam

External and internal threats are driving enterprises to the edge, costing them millions of dollars and forcing them to constantly find new ways to protect their networks. But whether threats originate from outside or inside an organization, there is always one person in a position of control -- the insider!

Because users play such a critical role in network security, the OSI stack has been extended from its seven layers to include the eighth layer - the human layer. Layer 8 is where technology interfaces with users and it addresses security in the network by controlling user actions through identity-based policy creation.

Insiders lead attackers inside the network
Internal users have the easiest access to sensitive corporate data, applications and resources in the network. They are increasingly using multiple protocols like email, IM, P2P, FTP, HTTP and Web 2.0 for their business communication needs, giving rise to multiple points for data leakage and threat entry.

User behavior is the most unpredictable factor, and this has put the most precious asset in enterprises - corporate information - at high risk. Ignorance of security policies, a lack of up-to-date knowledge of network security, malicious intent for financial gain, or an aversion to corporate policies and practices can all prompt an insider to pass sensitive information to outsiders.

Consider this example: A disgruntled employee wanting to get even with his previous organization sent email to a former colleague, asking him to look at some photos on his Geocities website, which is a Yahoo! portal. Because the ex-colleague knew the sender of the email, he went ahead and logged into the site using his Yahoo! username and password to access the photos. What he didn't realize was that the login page was a fake and the miscreant now had his login details. He remained oblivious to what had happened because he was redirected to the Geocities page with the photographs. The attacker now had the ability to log on to Yahoo! using the ex-colleague's identity and could get away with confidential corporate information because Yahoo! was the standard mode of communication in the organization. He could easily misguide customers and put the enterprise at risk. He could even install malware and keyloggers in the network to wipe out or send out information at his discretion.

Data leakage in enterprises can cripple the business and may lead to loss of goodwill and trust among its customers. Thus, whether intentional or not, insider actions can make or break enterprises, and insiders play the most critical role in facilitating both external and internal attacks.

Attackers know this and have identified internal users as the weakest and the most critical link in the security chain. They have shifted their strategy from large-scale attacks to small, user-targeted attacks. Attackers are studying the user psychology and predicting user behavior to launch highly-focused social engineering attacks on insiders.

Balancing network security and business flexibility
Suspecting outsiders' intentions is more common and easier than handling threats from insiders. It is impossible for an enterprise to know which of its employees is being targeted. This is especially true because most enterprises base their security decisions on the IP address information of users instead of their identities. Working with a lack of user identity information, most enterprises deploy a strict, common security policy for access to network resources. But such blanket policies restrict business flexibility and productivity among users, forcing them to compromise on the efficiency of their duties. Thus, enterprises need to balance network security with business flexibility to allow users to perform optimally in a secure network environment.

Importance of user identity in network security
Security systems that incorporate broader policy-setting criteria such as user identity, work history, experience, work profile, hierarchy and department are important to adapt network security to changing user profiles. A user threat quotient can be calculated by rating users on their susceptibility to attack, and policies can be created based on the quotient value to proactively thwart a network attack. Thus, identity linked to user activity and profile needs to be woven into the security solution for comprehensive protection against blended network attacks. Network activity logs that carry user identity information allow enterprises to make informed and intelligent decisions about potential threats caused by insiders.
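As an added illustration of the two preceding sections (not code from the article or from Cyberoam), the following script joins IP-keyed firewall events to the user who held that address at the time and then applies a policy keyed on the user's department and a susceptibility rating. All log lines, lease records, user profiles, the 1-5 rating scale and the policy tables are constructed for this example.

```python
"""Identity-attributed activity log: join IP-keyed events to the user who
held that IP at the time, then decide allow/deny by identity, not by IP.
All data, field names and the 1-5 susceptibility scale are constructed."""
from datetime import datetime

# Constructed DHCP/authentication leases: (user, ip, lease start, lease end).
# Note that 10.0.0.5 is held by two different users on the same day.
LEASES = [
    ("alice", "10.0.0.5", "2008-03-18T08:00", "2008-03-18T12:00"),
    ("bob",   "10.0.0.5", "2008-03-18T12:00", "2008-03-18T18:00"),
    ("carol", "10.0.0.9", "2008-03-18T08:00", "2008-03-18T18:00"),
]
# Constructed user profiles: department and a 1-5 susceptibility rating
USERS = {"alice": ("finance", 4), "bob": ("engineering", 1), "carol": ("sales", 3)}
# Constructed firewall events keyed only by source IP
EVENTS = [
    "2008-03-18T09:15 src=10.0.0.5 app=p2p dst=203.0.113.7",
    "2008-03-18T13:40 src=10.0.0.5 app=p2p dst=203.0.113.7",
    "2008-03-18T10:05 src=10.0.0.9 app=im dst=198.51.100.2",
    "2008-03-18T10:06 src=10.0.0.9 app=http dst=198.51.100.2",
]
# Identity-based policy: apps denied per department, plus a rating at or
# above which risky channels (P2P, IM) are denied regardless of department.
DENY_BY_DEPT = {"finance": {"p2p", "im"}, "engineering": set(), "sales": {"p2p"}}
RISKY_APPS = {"p2p", "im"}
RATING_THRESHOLD = 3

def _parse(line):
    """Split 'TIMESTAMP key=value ...' into (datetime, dict of fields)."""
    ts, rest = line.split(" ", 1)
    return datetime.fromisoformat(ts), dict(kv.split("=", 1) for kv in rest.split())

def user_for(ip, when):
    """Return the user holding `ip` at time `when`, or None if unattributed."""
    for user, lease_ip, start, end in LEASES:
        if lease_ip == ip and datetime.fromisoformat(start) <= when < datetime.fromisoformat(end):
            return user
    return None

def evaluate(line):
    """Attribute one event to a user and return (user, 'allow'|'deny')."""
    when, f = _parse(line)
    user = user_for(f["src"], when)
    if user is None:
        return (None, "deny")  # unattributed traffic gets the strict default
    dept, rating = USERS[user]
    app = f["app"]
    denied = app in DENY_BY_DEPT[dept] or (app in RISKY_APPS and rating >= RATING_THRESHOLD)
    return (user, "deny" if denied else "allow")

def evaluate_all(lines=EVENTS):
    return [evaluate(line) for line in lines]
```

The two P2P events from 10.0.0.5 get different decisions because the lease join attributes them to different users; an IP-only policy would have to treat them identically.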

Conclusion
As threats targeting insiders evolve rapidly, enterprises need to pinpoint who the attacker and the victim are. It is important to know who is leaving the door to the enterprise open, and to shut that door before network threats can gain entry. The only way to do this is by developing identity-based, integrated security solutions that give complete information on what the user is accessing and which applications he is using while he is logged into the network.

With attackers increasingly exploiting insider-linked vulnerabilities, the security industry needs to innovate on identity-driven solutions. The human factor of security, or Layer 8, is more important than ever in the OSI stack to determine how to effectively fight against targeted attacks that are using enterprises' own trusted users against them.

Editor's Note: The opinions expressed in this article are solely those of the author and do not necessarily reflect the opinions of ITworld.

Joshua Block is Vice President of North American Operations for Cyberoam.
