A chain is only as strong as its weakest link, and your security is only as strong as your worst employee. Employees have been, are, and will remain the single biggest threat to network security. Yes, crackers remotely breaking into our network is big and scary and we need to do whatever we can to stop it. However, if you think it's easier to do that than to send an email posing as a member of the IT department and ask for a username and password, you are very mistaken.
And it's not just stupid users that are a problem. We all hate the guys that write down their account information on a sticky note and put it underneath their keyboards, but a bigger worry is that pissed-off, disgruntled worker two cubicles over who hates his job and wants nothing more than to get even with the evil pointy-haired boss. If you don't believe me, try it out for yourself. Go hang around a large company on Friday after work. Watch the employees as they leave the office and try and find a really pissed-off looking one. Go up to said person, pretend to be from the same company, and offer them a beer. Once they're good and sloshed, offer them a way to “get back at management”, $500, a promise that nothing will be traced back to them, and all they need to do is give you their username and password.
Go ahead, try it. Send out fake emails, entice employees into giving away information, see how many of your own employees can be tricked into compromising your security. I think you'd be surprised. Just like Medco was surprised in 2003.
Yung-Hsun Lin worked in the IT department of Medco Health Solutions Inc. in 2003, when the company was in the process of being spun off from Merck & Co. Lin feared that the change in the company would end up costing him his job, so he wrote a logic bomb and set it to go off on his birthday. His birthday came and went, but there was a problem in the code. Lin fixed the code and set it to go off on his next birthday, but this time around another administrator found the code and alerted the proper authorities. Even though the logic bomb didn't go off, the time and money required to fix the system was substantial.
Holy heck! Lin didn't even know if he was going to be fired, he just feared that he would be. Some people are just crazy...
So what can you do to safeguard your network from your own users? Security policies! Every company should have them, and every company should use them. Will the IT department ever ask for your username and password? What should you do if someone asks for your account information? Who do you talk to about security concerns? All these questions and more should be thought of, along with appropriate answers for your company.
Making the policies isn't enough. People in the IT department should know all the security procedures by heart already, but those procedures do no good if your employees don't know them! Make sure everyone knows the policies, make sure they are available in hard copy for anyone that asks for them, and make sure everyone knows the consequences for not following them.
Finally, be visible. If you are in charge of network security then take a few minutes each day for face time. Walk around your office. Try and spot written down account information. Check for running unlocked computers with no one using them. The idea is not to find infractions of the policies and punish people, but to keep people aware of the policies and let them know that you're keeping your eyes on them.
*NOTE* Lin was recently sentenced to 30 months in jail and ordered to pay a fine of $81,200 to Medco. The servers Lin was targeting contained software applications relating to clients' clinical analysis, rebates, billing, and managed care information.
- Why do we need end users again?