There are a number of prudent corrective actions your organization should take to close the security breach from internal threats.
Perform background checks. Look seriously at your hiring processes and procedures. Background checks must be performed on job applicants before they're hired. This means checking references carefully, not just with a cursory phone call. Find out why the applicant left previous employment, do a check on his or her driving records at the Department of Motor Vehicles, and even a credit check. If the applicant is applying for a position in your MIS department, invest in a background check through a private investigative agency. Terrorists are interested in getting jobs that will provide them access to information via computer systems, or grant them access to install malicious programs to get informationor to corrupt it.
Address potential threats from corporate intelligence organizations and terrorist groups. Organizations like Society of Competitive Intelligence Professionals (SCIP) use a systematic program for gathering, analyzing, and managing information that can affect your company's plans, decisions, and operationsotherwise known as corporate espionage. You should review these programs because malicious attackers use similar methods. Having the attitude of, "We're small or not important" or "It won't happen to us!" is a surefire way to become a victim of cyberterrorismand to become an unwitting collaborator.
Consider the possibility of damage done by employees. You might not like to believe that the people you hired so carefully could become a threat to your company. But, for better or worse, employees have inside access to your organization and have the opportunity to modify or destroy your data, and even damage your network. Though it's close to impossible to thwart damage to your network from an employee or contractor bent on doing harm, keeping good long-term backups and having a disaster recovery plan in place can go a long way toward circumventing an internal threat.
Test the recoverability of your backups on a regular schedule. Speaking of backups, a malicious computer user can cause small corruptions in data over time that, if not regularly checked by restoring backups, will not be discovered until it's too late. Furthermore, just knowing you have backups available is not enough. Testing is important to know that in the event of a disaster critical data will be available for recovery, and to know what special steps may be needed to restore that data.
Address the possibility of malicious code or products placed inside your organization. A malicious computer user in your organization can find ways to corrupt or add backdoor features to applications or programs that could either be devastating to your company or create large security problems down the road. So have an audit/review process in place for data, source code, security access, and proceduresand keep it up to date.
Enforce password policies at all levels. As any good security officer knows, there's much more to a good password policy than setting passwords and specifying the frequency of password changes. Consider adding these suggestions to your password policy:
Regular users should have a minimum password length of 8 characters.
The root user should have a minimum password length of 11 characters.
Make all users change their passwords every 30 days.
Users must have at least one non-letter character in their password.
Establish a lockout after five bad login attempts.
Establish a password history that doesn't allow a user to reuse any of his or her last 10 passwords.
Don't allow users to use their usernames as their passwords.
User accounts should be terminated before the employee's last day.
The corrective actions listed above are just the beginning. Policies should also be developed around the following questions:
How does your organization handle its information?
How can people get that information?
What use of your network is permitted?
What use of your network is prohibited?
What assurances do you have that your network is secure? What additional assurances are needed?
What types and frequency of audits are required?
What controls are in place or are needed?
Finally, educate yourself to what's happening in the real world by periodically checking the following web sites:
The corrective actions listed here are not intended to be the end-all of security shields against this threat. Though not foolproof, they're a good start and at a minimum should be put in place at your company or organization.