March 15, 2004

You are an insider? How unfashionable!

Not a day passes without the IT world being reminded about the terrible threat of virii, trojans and those pesky "Internet hackers". As a matter of fact there is so much available on the topic that you might as well switch off your preferred virus newsfeed and assume that about 80% of all e-mail you receive is either viral or spam.

Of course the beauty of all this is that companies are looking at their perimeter as if it was the only chance of survival they had in the dark woods of the Internet. They believe anything their firewall or IDS vendor tells them, stare in awe at highly secure Windows-based firewall solutions (or indeed fancy webserver-based firewall products) and bask in the sunshine knowing that their enterprise is safe.

Once upon a time pretty much everyone quoted that 80% of fraud was internal, that is to say that it was perpetrated by someone with intimate knowledge of the enterprise he wanted to defraud. Take banks, which go to great lengths to make sure that cashiers can't walk out with cash, or indeed any of many other "physical" examples. It would be pretty logical to assume that in the electronic world of Word documents, e-mails and assorted other digital documents this concern about internal fraud would remain.

Apparently not.

A few basic concepts are a complete mystery to many companies: separation of duties (or: "why should the engineering department see the finance servers?"), document tracing (or: "how the heck did this document get out?"), not to mention basic IT security (or: "how did they break into this totally unpatched, wide-open system?").

The reason for this internal debacle is simple: a combination of laziness and fashion. What makes you look like a digital hero? Fighting the wily hacker or securing the internal servers? The fact that the ever so dangerous wily hacker is more often than not a script kiddie barely out of elementary school is irrelevant: it is still more interesting than actually thinking about the real dangers for a company.

So what happens is that people comfortably log into key servers, prowl databases of confidential information and then walk off with the data. Managers often deny this takes place, as their workforce is invariably honest, happy and well-managed, until they discover the inevitable "companyzsucks.com" website run by disgruntled employees... This is then followed by ample management chest thumping, sacking of the disgruntled employees and total disregard for the security of the data they might have had access to.

Some people argue that pentesting is the answer to evaluating internal security, but think about it for a second: how could it possibly be the answer? What you have is an external team trying to get to valuable data, not an insider who already has legitimate access to it.

Why don't you try asking your top systems manager to walk out with as much valuable data as possible and see what he does? Then try doing the same with some closet geek in accounts. If you follow this up with some sums about the cost of the wily hacker versus this exercise you might discover that installing a HIDS and proper inter-departmental firewalling is more cost-effective than spending millions on the latest fad in perimeter protection.

Posted by arrigo at March 15, 2004 12:33 PM