Hollywood has done much over the last several years to glamorize
“script kiddies” and hackers. Swordfish, Sneakers, War Games, The Core
and, most notably, The Matrix all portray their characters as
misunderstood intellectuals or child geniuses who understand and
relate to computers better than to people. The computers’ logic and
order provide a structure that is missing in the “real world.” They
break into computer networks to prove that they can, to make a social
statement, or in some cases, to change their math grades. As a result,
public perception is that most data compromises are masterminded from
outside the company or network and are directed by geniuses from an odd
subculture. The news media perpetuates this idea by focusing on
high-profile security breaches. Strangely, the media and press have
furthered the cult of the super-intelligent uber-hacker to the point
that their actions are often viewed as simply making a social
statement. The result is that these individuals are often not really
viewed as criminals. This is supported by the fact that Las Vegas
plays host to hundreds, if not thousands, of hackers, crackers (and
federal agents dressed as hackers) at DefCon every year. The
subculture even has its own magazine, 2600 Quarterly.
The assumption among most people is that the majority of system
breaches are carried out from an external source using some esoteric
means. This stereotype of network compromises leads many who are
unfamiliar with information security to spend the majority of their
resources focusing on the external threats. Certainly, there are many
threats that originate from outside the network that must be addressed
to adequately protect information assets, but it is equally important
to address threats that may originate from within the company. Too
often companies take a ‘fortress mentality’ and reinforce their
perimeter defenses while ignoring their internal security. This is
analogous to building a large castle, surrounding it with a moat filled
with alligators, and positioning archers along the wall. The lord of
the castle can certainly keep his known enemies from entering, but what
about the people he invites into the keep?
The unfortunate fact is that the majority of data compromises are
perpetrated or originate from inside the organization. It is not a
comfortable feeling to know that, if you experience a data security
incident, chances are someone that you hired may be responsible for it
either directly or indirectly. Recently, a high-profile case emerged
in which an employee at AOL sold a customer email list to spammers for
$28,000. This type of case is more common than one would like to
believe. The 2004 FBI/CSI Computer Crime and Security Survey finds
that the majority of data security compromises originate from company
employees. Some sources estimate that as many as 80% of data theft
originates from employees or within the organization.
These figures can be daunting, especially for those who manage or own
small companies with a close group of employees who have worked
together for a number of years. These circumstances are very common in
the payment services industry, where small companies seem to be more
common than not. Employers may even feel guilty for implementing
measures to mitigate the chance of a breach by one of their trusted
employees. Fortunately, with industry and regulatory mandates for
information security, compliance may offer employers exactly the
opportunity they need to introduce these measures without casting any
aspersions on the integrity of their “team.” It is important to
realize that this article only addresses a few aspects of an
information security program. The card associations and even the
federal and state governments have additional requirements that must be
met in order to comply.
The most important aspect, as has been stressed repeatedly in this
column, is the creation, implementation and enforcement of a
well-rounded information security program, the foundation of which is a
comprehensive information security policy. The information security
policy should include, among other things, human resources (background
checks, etc.), a data classification scheme, logical access controls,
incident response and reporting procedures, and physical security. All
employees should be required to read the policy, and to sign a form or
otherwise acknowledge that it has been read, understood, and will be
followed. Security awareness should be an ongoing function within the
company for all employees, though the degree to which they are aware
may vary according to job function.
In that vein, it is critical that all employees be made aware of the
procedures to be used to report a suspected data security compromise.
The sooner a compromise is discovered, obviously, the better the
chances of mitigating the damage. Giving all employees the ability to
report any unusual activity or inconsistent data adds eyes and ears to
the security team. The information security team may know how to
configure a firewall and read syslogs and IDS alerts, but they may not
be well enough versed in the actual day-to-day activities to recognize
unusual data activity the same way a business or data analyst might.
An incident is defined by CERT as “the act of violating an explicit or
implied security policy.” These violations may include attempts to
gain unauthorized access to a system or data. By empowering all
employees to be ad hoc members of the information security team, the
company as a whole can improve its security posture. Again, however,
this tactic requires ongoing security awareness training and
coordination.
Another important method of mitigating the risk of internal compromise
is to implement a comprehensive data security classification scheme and
associated access controls. A data classification scheme allows
employers to classify data based on criticality and confidentiality.
Access to the data is then assigned based upon the classification of
the data and the employee’s “need to know.” Based on his or her role
in the company, an employee is given access only to the information
that is required to do his or her job. For example, someone whose
primary responsibility is packaging orders would likely have no need to
have access to customer credit card account numbers. The group or role
might be labeled “packaging” and the access given would include
information regarding customer orders. On the other hand, a customer
service representative may need to access all of his or her customers’
information in order to provide timely and accurate service or dispute
resolution. This employee would be assigned to the “sales” group and
given access to customer information that is consistent with the needs
of that group. Role-based access controls allow network administrators
to limit access to resources or data to authorized users only. The
importance of proper logical access controls cannot be emphasized
enough.
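The classification scheme and role-based access control described above, as an added illustration that is not part of the original column: each field of a customer record carries one classification label, each role carries a clearance and a need-to-know field list, and access is denied unless both checks pass. The field names, labels and the exact contents of the “packaging” and “sales” roles are assumptions for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Classification levels, ordered from least to most sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Assumed data classification scheme: every field is labelled exactly once,
# and all access decisions flow from the label rather than from the caller.
FIELD_CLASSIFICATION = {
    "order_id": Classification.INTERNAL,
    "items": Classification.INTERNAL,
    "customer_name": Classification.CONFIDENTIAL,
    "shipping_address": Classification.CONFIDENTIAL,
    "email": Classification.CONFIDENTIAL,
    "card_number": Classification.RESTRICTED,
}


@dataclass(frozen=True)
class Role:
    name: str
    clearance: Classification   # highest label the role may ever see
    need_to_know: frozenset     # fields the job actually requires


# Roles named in the article; their field lists are assumed for this example.
ROLES = {
    "packaging": Role("packaging", Classification.CONFIDENTIAL,
                      frozenset({"order_id", "items", "customer_name",
                                 "shipping_address"})),
    "sales": Role("sales", Classification.RESTRICTED,
                  frozenset(FIELD_CLASSIFICATION)),
}


def can_read(role_name: str, field: str) -> bool:
    """Deny by default: unknown roles and unlabelled fields get nothing.
    A field is readable only if its label is within the role's clearance
    AND the field is on the role's need-to-know list."""
    role = ROLES.get(role_name)
    label = FIELD_CLASSIFICATION.get(field)
    if role is None or label is None:
        return False
    return label <= role.clearance and field in role.need_to_know


def redact(role_name: str, record: dict) -> dict:
    """Return only the fields the role may see; denied fields are dropped,
    not blanked, so a consumer cannot rely on their presence."""
    return {k: v for k, v in record.items() if can_read(role_name, k)}
```

Note that the packaging role is refused the e-mail address even though CONFIDENTIAL is within its clearance, because the field is not on its need-to-know list; the card number is refused on clearance alone.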
Another measure that can be taken to protect data is to conduct
background and reference checks on all employees. This has been common
practice in the Information Security field for some time. In doing so,
a company can mitigate the risk to data by making sure that they have
not hired someone that has a history of financial fraud or malfeasance
or even a background that indicates a pattern of hacking or other
suspect conduct. Background checks can give the employer great insight
into the potential for misconduct. At a minimum, any candidate for a
position that will handle customer information should undergo a
background check. In some states, employers can even conduct credit
checks on prospective employees, though there is some liability
attached to that. Always be careful to check the laws that may apply
to ensure that your actions are not in violation.
The most often overlooked aspect of information security is physical
security. Most business owners tend to think of physical security as
the domain of Loss Prevention. While this is certainly true, physical
security is integral to “Data Loss Prevention,” if you will. Firewalls
and penetration tests will not help if someone walks out of your
facility with a server, or copies your customer files and leaves the
premises. In addition, simply allowing access to your company’s
critical assets may result in a compromise even if the assets are not
physically removed. Network ‘sniffers’ can be attached to your network
to steal critical information transmitted along your internal network
resources. Among the physical security measures that should be
implemented are visitor logs and badges, locks, alarms, and video
surveillance. Locks and alarms will prevent unauthorized persons from
entering sensitive areas in which customer data is either stored or
processed. Video cameras act as deterrents to those that might
consider misappropriating files or other data resources.
While the external threats may sometimes be easier to address, it is
important to realize that threats can originate from any source. This
should not be taken as cause to begin viewing all employees with
suspicion. It is meant only as a caution that, when it comes to
information security, nothing should be taken for granted. Though it
may provide some cold comfort to think so, script kiddies are not the
single, nor even the most prevalent, source of compromise.