Historically, the approach to enterprise security has been to make the fortress bigger and stronger – to install more products, and write more policies. Yet despite heightened security awareness and cutting-edge tools, 2006 was the worst year yet on record for corporate security breaches – continuing the year-on-year escalation of security risk. The problem is, attackers are as advanced as the defenders – and the attacks don’t always come from the expected direction.
The fact is that the biggest threat to an organization lies within its boundaries. In its 2006 survey, “Information Security Breaches,” the DTI and PricewaterhouseCoopers found that 32% of Information Security attacks originated from internal employees while 28% came from ex-employees and partners.
Similarly, law enforcement experts in Europe and the US estimate that over 50% of breaches result from employees misusing access privileges, whether maliciously or unwittingly.
So securing the enterprise isn’t just about stopping external threats. It’s just as important to contain the threat from hapless or hazardous employees.
One of the key internal threats to corporates is spyware, because it’s all too often introduced without malicious intent, by employees who naively click through a couple of pop-up browser windows, or install an unapproved yet ‘cool’ application on the network. The situation isn’t helped by the myths that surround spyware.
These are the six most common spyware myths:
1. It’s an isolated problem.
2. Blocking at the gateway is good enough.
3. Locking down the desktop is good enough.
4. Drive-by downloads are a primary source of penetration.
5. The problem comes from the outside in.
6. No one wants spyware.
But the truth of the matter is somewhat different. Let’s look at the real situation that’s masked by each myth.
1. Most spyware comes in as the direct result of user behavior, whether that user is naïve or ill-intentioned.
2. Stuff comes in at the desktop all day long. Blocking at the gateway without securing the desktop PC doesn’t make security sense. It’s like locking the doors and windows of the house – with the burglar still in the basement – and not bothering to call the police. What’s more, gateway defenses cannot detect threats already on desktop PCs.
3. If “locking down” the desktop and restricting user installation were effective, there would be no need for antivirus software. Spyware is designed to get around acceptable use policies and exploits users’ inquisitive nature.
4. “Drive-by downloads” should never occur in a corporate environment, because they come from sites that users should not visit at work.
5. Sure, spyware comes from outside – because someone opened the door and let it in. Not recognizing this results in a porous security infrastructure.
6. True, no-one actually wants spyware, but it comes as part of that cool application that users do want. So spyware gets installed anyway.
So what can companies do to minimize internal threats?
First, make a Web filter a required part of the network security arsenal. This should prohibit users from visiting known spyware and ‘drive-by download’ sites.
Second, deploy an effective email filter that blocks spyware from entering the network via active HTML, attachments, phishing and spam. There also needs to be protection at the desktop to stop spyware as it’s introduced.
Finally, implement a solution that disallows running or installing programs that in turn install spyware.
Put simply, to keep the burglar out of the basement, organisations need to remove the ability of employees to let the burglars in, in the first place. They need to implement tamper-proof solutions that users cannot easily evade – no matter what the external inducements.
Surfcontrol is exhibiting at Infosecurity Europe 2007, Europe’s number one dedicated Information security event.