Government Technology


Internal Attacks: How to Protect Your Data



November 18, 2009 By

A consultant -- about to be let go -- installed a logic bomb in a script on one of his employer's servers. Luckily, it was found before any damage was done. Had it not been found, it would have shut down thousands of data center servers. While few employees -- even those under threat of firing or layoff -- would do such a thing, Ron Koch, Ernst and Young's security competency leader, told Government Technology that the economic downturn has the potential to increase the possibility of insider attacks motivated by workforce reductions. And even one disgruntled former employee with access can create havoc, especially if budget reductions have curtailed security.

In a recent security survey by Ernst and Young, 25 percent of respondents witnessed an increase in internal threats and 13 percent reported an increase in internally perpetrated fraud. "Employees might not feel the same level of loyalty to the company as they had in the past because they feel that their job may be in jeopardy. I think a lot of it has to do with the uncertainty that they may be feeling in their jobs or they may have become a victim of workforce reduction," Koch said.

Have a Plan

The key to mitigating these risks is to have a formal response -- an effective, functioning, mature plan put in place well before an event happens. The day before an organization plans to downsize is too late. Agencies and organizations should have a documented set of procedures and assigned responsibilities that get executed in the event of a workforce reduction. Organizations should also have strong controls around identity and access management. It is important to understand the access that each employee has and to have an automated procedure to rapidly disable that access so that a terminated employee can't misuse it.

"In a lot of organizations, users have much more access than they really need for their jobs. Employees who have been with the organization for a long period of time tend to accrue access over time that never gets taken away. Organizations should inventory the access that each employee currently has and see if it's really necessary and if not, take it away. This way you can at least limit the scope of an attack that a person could execute," Koch said.
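
The access inventory described above can be run as a reconciliation between HR records and the accounts that actually exist. The following is an added example, not code from the article or from Ernst and Young; the roster, role baselines, entitlement names and the 90-day staleness threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): HR roster, per-role access
# baselines, and an entitlement inventory exported from identity systems.
HR = {
    "asmith": {"status": "active", "role": "dba"},
    "bjones": {"status": "terminated", "role": "sysadmin"},
    "clee":   {"status": "active", "role": "helpdesk"},
}
ROLE_BASELINE = {
    "dba": {"db-prod-admin", "vpn"},
    "sysadmin": {"server-root", "vpn"},
    "helpdesk": {"ticketing", "vpn"},
}
# Each row: (user, entitlement, account_enabled, last_used)
INVENTORY = [
    ("asmith", "db-prod-admin", True, date(2009, 11, 10)),
    ("asmith", "vpn", True, date(2009, 11, 16)),
    ("bjones", "server-root", True, date(2009, 11, 17)),
    ("bjones", "vpn", False, date(2009, 11, 1)),
    ("clee", "ticketing", True, date(2009, 11, 17)),
    ("clee", "server-root", True, date(2008, 3, 2)),   # accrued, never removed
    ("dghost", "vpn", True, date(2009, 6, 1)),         # no HR record at all
]

def review_access(hr, baseline, inventory, today, stale_days=90):
    """Return (disable_now, revoke_candidates) from an access inventory."""
    disable_now, revoke = [], []
    for user, ent, enabled, last_used in inventory:
        person = hr.get(user)
        # Terminated or unknown to HR: any access still enabled must go now.
        if person is None or person["status"] != "active":
            if enabled:
                reason = "orphan" if person is None else "terminated"
                disable_now.append((user, ent, reason))
            continue
        # Active staff: flag access outside the role baseline or long unused.
        if ent not in baseline.get(person["role"], set()):
            revoke.append((user, ent, "outside role baseline"))
        elif (today - last_used).days > stale_days:
            revoke.append((user, ent, "unused"))
    return disable_now, revoke

if __name__ == "__main__":
    for findings in review_access(HR, ROLE_BASELINE, INVENTORY, date(2009, 11, 18)):
        print(findings)
```

The first list feeds the automated disable step; the second is the review queue for access that has accrued beyond what the job requires.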

Data Protection and Data Leakage Prevention

Another aspect of IT security that Koch believes is not yet mature in its deployment is data protection and data leakage prevention. Those tools would help prevent the inappropriate or unauthorized copying of data to removable media or personal devices, or the transmission of that data across the network or via e-mail. "I think good logging and monitoring is very important to be able to either detect an attack in process or at the very least be able to figure out what happened after an attack and provide forensic evidence if necessary for prosecution or action after the fact," Koch said.

 

