"What Can We Do? We Can't Fire Everyone, Can We?"
Obviously, you can't function without your employees. But you can help to mitigate the security risk that insiders post by setting up the following security strategies:
Tracking access to data
Periodic security reviews
The following sections provide suggestions.
Trained to be Secure
Organizations need to develop and deliver security-awareness programs. Such programs should ensure that all employees and contractors are aware of the organization's security policies and procedures, and their roles in following such policies and procedures. A part of this strategy should also be to educate employees on how to properly use technology to accomplish their goals (such as not keeping local copies of critical databases).
Not only is this an effective security precaution, but mandates for security training are turning up in government regulations, such as the Health Information Portability and Accountability Act (HIPAA) and the Government Information Security Reform Act (GISRA).
Training programs don't have to be long and detailed; in fact, you may want to keep any training session brief and concise to avoid losing your audience. It may even be desirable to make all or portions of your security-awareness program a computer-based training (CBT) program so that it will be available to employees at their leisure.
So Who Are You, Really?
Essentially, you need an in-house means of knowing who has what level of access rights to which data. This functionality is created by an enterprise-wide identity-management infrastructure, a relatively new security solution to hit the market, which creates the ability to perform user provisioning while also administering access control.
This infrastructure allows organizations to restrict access to data and resources to those who have a clear "business need" (the commercial equivalent to the military's "need to know" standard), as well as to track and monitor all access requests and the agents or processes that authorized those requests. In other words, a clear electronic chain is developed that tracks which users request accounts or access to certain data, and which managers or members of the IT or help desk staff create that account or grant access.
This setup can have the effect of discouraging users with ill intent from requesting accounts and access rights beyond their privilege level.
Halt! Who Goes There?
It's also important to track user transactions. Just as we try to log who enters and exits certain office buildings by requiring employees and visitors to show ID (driver's license, company badge, or other credentials), we should track access to our database servers and other critical repositories of information.
User transactions and activities don't have to be recorded at the keystroke or clickstream level (depending on the volume of that information and the size of the employee base). At the very least, however, you need to track and record internal traffic at critical servers and segments of the network, as well as the manipulation of data (such as insert and delete commands used in sensitive databases) and alteration of system configuration files. All of this information needs to be tracked in the same vein as any suspicious activity.
Even though this mechanism is not directly aimed at stopping harmful activity, knowing that these measures are in place may very well discourage the potential intruder. Taken with the previous countermeasure of restricting access to those with a demonstrable need and creating an electronic trail back to those who approved the access rights, this plan can go a long way toward securing the environment. Further, if malicious activity is performed, you can more easily track the perpetrator.
Change with the Seasons
Change-control measures follow from the previous point. There should be a means in place to control the current network and system configurations and to monitor all changes. This is partly to be able to identify deviations from the known configuration and partly so that system performance can be optimized.
Having a well-defined change-control process in place makes it difficult for unauthorized system modifications to go unnoticed for long periods of time. Of course, this implies that a change-control group will verify system configurations on a regular basis.
The ultimate goal of an overall network-security posture is that all security activities seamlessly merge into the standard business processes of the organization. Periodic security reviews are an important step in this process; if arranged and performed properly, a security review can reveal what's actually happening on the network. For example, a security review can determine whether the standard load is maintained on user workstations, and verify that internal users are not violating security policiesfor example, by installing a rogue modem. A security review can also catch the local database copy case discussed above.
A security review can also be a good way to check the readiness of the security staff. Perform a penetration test without telling the network and security administrators that one is coming, and see whether they're able to detect the activity. (Proper handling of the test is essential, of course, so that legitimate testers are not prosecuted.) A good test can provide a good assessment of the skill level of your in-house security staff.