- Companies that would have trouble compiling a list of their networks' users and detailing the level of access that those users have don't know who is on their network and are sitting ducks for cybersabotage, a group of industry experts say.
Weak user passwords, inconsistent policy enforcement and lackadaisical user access management have made corporate network users the number one cyberthreat to sensitive business data, said experts during a webcast sponsored by Irvine, California-based Access360, a company that specialises in resource-provisioning management.
"The user, while juggling even more IDs and passwords in today's environment, continues to be the weakest link," says Mark Ford, an analyst at the Secure eBusiness Group at Deloitte & Touche in New York. "We must gain control of the weakest link before we end up in an identity crisis."
For example, dormant user accounts and accounts belonging to users who are no longer employed by a company are "the classic problem for cybersabotage," says Brian Anderson, chief marketing officer at Access360. "Those are the equivalent of locking the door but leaving the window open."
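As an added illustration (not from the article, Access360 or Deloitte), a small audit that reconciles a directory export against an HR roster to surface exactly the accounts Anderson describes: enabled accounts belonging to departed staff, accounts with no known owner, and accounts that have gone dormant. The sample data, the 90-day dormancy threshold and the service-account allowlist are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): a directory export and an HR roster.
DIRECTORY_ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_login": date(2001, 10, 1)},
    {"user": "bob",   "enabled": True,  "last_login": date(2001, 3, 14)},
    {"user": "carol", "enabled": True,  "last_login": date(2001, 9, 28)},
    {"user": "dave",  "enabled": False, "last_login": date(2000, 12, 2)},
    {"user": "svc-backup", "enabled": True, "last_login": date(2001, 9, 30)},
]
# HR status per user; service accounts are absent from HR by design.
HR_ROSTER = {"alice": "active", "bob": "terminated",
             "carol": "active", "dave": "terminated"}
# Assumed: an explicit allowlist of non-human accounts, each with a named owner elsewhere.
SERVICE_ACCOUNTS = {"svc-backup"}
AUDIT_DATE = date(2001, 10, 15)  # constructed "today" so the run is reproducible


def audit_accounts(accounts, roster, service_accounts, today, dormant_days=90):
    """Return (user, finding, detail) tuples for enabled accounts that should not be
    open: HR says the person left, nobody owns the account, or it is unused."""
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"]:
            continue  # already locked; nothing to disable
        status = roster.get(user)
        if status == "terminated":
            findings.append((user, "orphaned", "enabled but HR status is terminated"))
        elif status is None and user not in service_accounts:
            findings.append((user, "unowned", "not in HR roster and not a known service account"))
        if acct["last_login"] < cutoff:
            findings.append((user, "dormant", f"no login since {acct['last_login']}"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in audit_accounts(DIRECTORY_ACCOUNTS, HR_ROSTER,
                                             SERVICE_ACCOUNTS, AUDIT_DATE):
        print(f"{kind:8} {user:12} {detail}")
```

In practice the HR feed and the directory export are the two inputs this check needs; an account in the second list but not the first is the "window left open".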
The growing problem of insider threats is no secret to most IT managers. In fact, in the most recent survey on cybercrime by the FBI and the San Francisco-based Computer Security Institute, 81% of corporate respondents said the most likely source of attack was from inside the company. In addition, the US Treasury Department reports that insiders committed 60% of the computer intrusions reported by banks and other financial institutions in the first four months of this year.
The problem, says Mike Hager, vice president of Network Security and Disaster Recovery at New York-based Oppenheimer Funds, is that corporations have spent about 80% of their security dollars to protect against outside threats when, in fact, 80% of all attacks come from the inside. The misdirection of resources has led to misperceptions about cyberthreats among senior executives, says Hager. "If we don't educate senior management about what the real threats are [then] we don't get support from them," says Hager. "That's the number one threat."
Hager understands firsthand how easy it is for insider access to be abused. During a recent audit of his own corporate enterprise, Hager managed to crack 800 user passwords in three minutes using a standard password-cracking tool. Within 36 hours, he was able to crack all 27,000 passwords being used throughout the organisation.
The ability to crack weak user passwords is particularly important because the answer to the question, "Will a hacker be able to get into the network?" will "always be yes," says Hager. He recommends that companies focus on enterprise security using an approach that responds to the following questions: Can attackers get in? Where can they go once they get in? And what can they do?
Ford recommends that companies return to the centralised security concepts employed during the mainframe days, including role-based access control for all users. The automated tools that exist today to do this for companies will improve security and also offer a substantial return on investment, says Ford.
Identity management, says Ford, offers cost containment and revenue enhancements by enabling companies to increase the number of customers and business partners they can support. It also can accelerate time to market while decreasing the cost of user and network administration. In fact, one company that Ford consults with on a regular basis reduced its administration costs by $US75,000 per month by automating user identity management, he says.
In the short term, companies should work to get senior managers to realise the value of corporate data, says Hager, who was on the 32nd floor of Tower 2 of the World Trade Centre when the first tower collapsed after the terrorist attack on September 11. "After having everything in our corporate headquarters totally lost, you [realise] real quick how valuable it is," he says.