Security pros warned of enemy within

A Computer Security Institute conference in Washington late last month focused on insider threats instead of terrorists or hackers.

'Disgruntled employees are smart enough to know that the best place to attack is through the database,' Sen. Robert Bennett (R-Utah) warned more than 700 security specialists.

Keith Rhodes, the General Accounting Office's chief technologist, said he leads 'blue team' penetration testing at government agencies, trying to exploit systems' operational weaknesses from the inside. Target agencies know he is coming, when he will be there and what IP addresses he will be working from. Yet he invariably is successful at breaking in, he said.

'And believe me, dot-com ain't no better than dot-gov' at self-defense, he said.

Workers, disgruntled or not, leave open back doors and work around security measures for convenience, Rhodes said.

Exhibitors at the conference announced products to defend the inside of the perimeter.

Raytheon Co. of Lexington, Mass., announced the formation of SilentRunner Inc., a subsidiary that sells a namesake internal network security analysis system.

The SilentRunner product is about a year old and has been installed at several government agencies. It correlates network events and graphically displays data about security risks and vulnerabilities. The passive monitor works in conjunction with firewalls and intrusion detection systems to keep information from leaving an enterprise.

Camelot IT Ltd., an Israeli company with U.S. headquarters in New York, demonstrated its Hark automated access control engine for networks with more than 100 users.

Hark automatically generates highly granular access policies through statistical analysis of network traffic.

Manually creating and managing access policies and permission tables is labor-intensive and difficult to keep up to date, said Moti Dolgin, senior vice president and general manager of Camelot's Americas division. That results in policies that are too permissive and tables that get out of date.

Locked out

Hark builds policies based on the real-world behavior of users. Guardian agents on protected servers gather statistical data about resources accessed by each user. Access analyzers apply algorithms and set up access permissions for each user based on use patterns. The guardian agents can lock a user out of denied files or alert a central control server when policies are violated.

Dolgin said Hark typically reduces a user's access permissions by 90 percent over manually generated permission tables. Using it in conjunction with a manual access policy keeps an authorized user or an intruder from gaining improper access to resources by routine use.

Networks with fewer than 100 users do not supply enough data to establish reliable patterns, Dolgin said.
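The usage-based narrowing described above can be sketched as follows. This is an added example, not Hark's code: the article does not describe Camelot's algorithms, so the `MIN_USES` threshold, the function names and the sample users, paths and log entries are all constructed assumptions.

```python
from collections import Counter

# Constructed sample data: manually granted permissions per user (assumption).
MANUAL_POLICY = {
    "alice": {"/hr/payroll.db", "/hr/reviews", "/eng/src", "/eng/builds", "/fin/ledger"},
    "bob": {"/eng/src", "/eng/builds", "/hr/reviews", "/fin/ledger"},
}

# Constructed access log as a guardian agent might record it: (user, resource).
OBSERVED = (
    [("alice", "/hr/payroll.db")] * 40
    + [("alice", "/hr/reviews")] * 12
    + [("alice", "/eng/src")] * 1      # one-off access, below the threshold
    + [("bob", "/eng/src")] * 75
    + [("bob", "/eng/builds")] * 30
)

MIN_USES = 5  # assumed cut-off for "routine use"; the article gives no figure


def build_policy(manual, observed, min_uses=MIN_USES):
    """Keep only manually granted resources that each user routinely touches."""
    counts = Counter(observed)
    return {
        user: {r for r in granted if counts[(user, r)] >= min_uses}
        for user, granted in manual.items()
    }


def reduction(manual, derived):
    """Fraction of manually granted permissions removed, per user."""
    return {u: 1 - len(derived[u]) / len(manual[u]) for u in manual if manual[u]}


def check(derived, user, resource):
    """Decision for a new access event: allow it, or deny and raise an alert."""
    if resource in derived.get(user, set()):
        return "allow"
    return "deny+alert"


if __name__ == "__main__":
    policy = build_policy(MANUAL_POLICY, OBSERVED)
    for user, frac in reduction(MANUAL_POLICY, policy).items():
        print(f"{user}: {sorted(policy[user])} ({frac:.0%} of grants removed)")
    print("bob -> /fin/ledger:", check(policy, "bob", "/fin/ledger"))
```

Because the derived policy is intersected with the manual table, observed use can only remove grants, never add them, and a manually granted resource the user has not routinely accessed is denied and reported.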

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.
