Elliptic Semiconductor chief technology officer Mike Borza. (Darren Brown, OBJ)
Most companies trust their employees enough that they don't watch them 24/7, but what about in the virtual realm?
IT security experts agree the number one threat to data-oriented companies lies not out there, in the relatively chaotic bustle of the Internet, but within your own company. Theft, accidental data loss, lost wireless devices and cyberslacking all hurt companies more than most would like to believe, the experts say.
The OBJ spoke with Elliptic Semiconductor's chief technology officer, Mike Borza, on the subject of ensuring that even seemingly harmless distractions at work don't cause big problems for the company.
OBJ: What did Elliptic do at its beginning to ensure internal IT security, and how does that differ from what you do now?
BORZA: We're in the business of providing security solutions to customers, and even though our focus is hardware, we take a very system-oriented view of the situation. So in that sense we started out better off than most startups, and with a much higher level of built-in security architecture than most small companies. So on day one, we started up with an internal LAN (local area network) which is quite open, and we do some authentication of devices with our LAN, using a variety of means, the principal one being DHCP, which is a host control protocol that's designed to automatically provision devices on our LAN, so it gives them addresses and names, and things like that. On top of that, we have access control lists that limit the devices that can attach to the LAN.
Other than that, the LAN is quite open. We set things up initially so everyone was in the same subnet, so we had one flat LAN for everybody, and then we implemented a very robust security architecture for our connections to the Internet. Since day one we've been attached to the Internet of course, and a lot of our business is acquired through the Internet, and in most cases we deliver our product through the Internet. So it was important for us to take the security of that kind of product delivery into account, right from day one.
OBJ: In terms of internal IT security, what do you see as the biggest threat facing your company?
BORZA: Because we're a very small company, and very focused, we tend to be quite trusting of our employees. And in that sense, our main loss mechanisms would be accidental; that's our assessment of our risk exposure there.
OBJ: How do you deal with user authorization issues, and things like that?
BORZA: Our DHCP has access controls built into it, so we're actually looking for particular devices that show up on the LAN, and any other devices are not granted any access to the LAN at all. That's one of the main mechanisms. In terms of user authentication, we're relatively lightweight here, so we use password-based authentication. We don't have anything that uses biometrics, or security tokens, or things like that. We've also got a stringent set of rules on things like passwords and that kind of stuff, and those are actually enforced by software running on various servers.
OBJ: Do you have any kind of regulatory systems in place that monitor employee Internet use, to discourage so-called "cyberslacking" at work?
BORZA: We have a policy for what acceptable use is, and other than that policy we don't enforce it using mechanical or computerized means. So we don't have things like content filters, or any of those kinds of things, except on inbound connections. But in terms of outbound, we don't do any filtering, although we keep logs of all of our activities, which go back extensively; in some cases we have server logs that go back years. And we have a very rigorous backup program, complemented by the fact that everybody's product data resides on the servers here. So we've got good control of that. It's like closing the barn door after the horses leave: if you're in the situation where you're reconstructing an incident, you're doing it for one of two reasons. One is to understand what your vulnerability is and protect against similar failures in the future; the second is because you want to go after someone that's compromised your business at some point.
OBJ: Is it a balancing act between employee trust, on one hand, and implementation of physical controls on the other?
BORZA: I think it is, and I think every company's situation is unique. If we had a very transient workforce where we're integrating work by contractors and things like that, we'd definitely lean more towards the mechanical side than we do. But in our case, since we have a small and long term employee base, it gives everyone incentive to row in the same direction. Everybody is part of the ownership of the company, so they all have an interest in seeing the company succeed together.
OBJ: Well, that brings up a whole other point entirely, in that having respect for your employees may negate a lot of the risk in the first place, would you say?
BORZA: That's right. And we're quite liberal in our policies: we own the connections and servers, but we don't police them. So if people are doing what they need to be doing, and they're getting their work done, that's our main concern; the only other thing we monitor is that our product is not going out of the company inappropriately.
OBJ: How about wireless devices? How do you implement security on those?
BORZA: We do use those devices, and we actually implement some security protocols that are used in those spaces. One of the things that has happened (and I'd say it was a policy failure, but it happened once and we haven't needed to respond to it again) is that we had an open access point in our engineering lab. Now, the engineering lab by its very nature is a little bit segmented from the rest of the company, because we do a lot of network testing there and we don't want traffic floating around and causing problems in the rest of the company.
Nonetheless, it was a vulnerability, and it was one that was open for a little while, and that's very bothersome to have that kind of situation. So we had to think through a little bit about what we did, and we decided that it was a policy failure, so we strengthened the policy for what to do when setting up those kinds of devices in our lab. For the rest of it, it's just been a question of making sure people follow the policy. Other than that, we haven't had any other incidents, and even during this incident, our logs indicate that nobody accessed it. So even though we had a vulnerability, we didn't have anybody take advantage of it.
We were fortunate that way. But that really was just a case of good luck, and not good planning.
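The two controls Borza describes, a DHCP server that only hands addresses to devices on a known list and server logs kept long enough to ask afterwards whether anyone used the open lab access point, can be exercised with a short audit script. The following is an added example written for this page, not Elliptic's own tooling; the allow-list, host names and log lines are constructed for the illustration, with the log lines shaped like ISC dhcpd's syslog output. It lists every MAC address that asked the DHCP server for an address without being on the known-device list, then answers the narrower question from the interview: did any of those unknown devices actually receive a lease on the interface behind the access point?

```python
"""Audit DHCP server logs against a known-device allow-list.

Added example for this page (not Elliptic's tooling). The allow-list, host
names and log lines are constructed; the log lines follow the shape of ISC
dhcpd's syslog output ("DHCPDISCOVER from <mac> via <iface>",
"DHCPACK on <ip> to <mac> (<host>) via <iface>").
"""
import re
from dataclasses import dataclass, field

# Hypothetical allow-list: the devices an administrator provisioned by hand.
KNOWN_DEVICES = {
    "00:11:22:33:44:01": "eng-ws-01",
    "00:11:22:33:44:02": "eng-ws-02",
    "00:11:22:33:44:03": "file-server",
}

# Constructed sample log. eth0 is the office LAN, wlan0 the lab access point.
SAMPLE_LOG = """\
Mar  3 09:01:10 gw dhcpd: DHCPDISCOVER from 00:11:22:33:44:01 via eth0
Mar  3 09:01:10 gw dhcpd: DHCPOFFER on 10.0.0.11 to 00:11:22:33:44:01 (eng-ws-01) via eth0
Mar  3 09:01:11 gw dhcpd: DHCPREQUEST for 10.0.0.11 (10.0.0.1) from 00:11:22:33:44:01 (eng-ws-01) via eth0
Mar  3 09:01:11 gw dhcpd: DHCPACK on 10.0.0.11 to 00:11:22:33:44:01 (eng-ws-01) via eth0
Mar  3 11:42:07 gw dhcpd: DHCPDISCOVER from 5c:4f:00:aa:bb:cc via wlan0
Mar  3 11:42:07 gw dhcpd: DHCPOFFER on 10.0.1.57 to 5c:4f:00:aa:bb:cc via wlan0
Mar  3 11:42:08 gw dhcpd: DHCPACK on 10.0.1.57 to 5c:4f:00:aa:bb:cc via wlan0
Mar  3 12:05:33 gw dhcpd: DHCPDISCOVER from 00:11:22:33:44:02 via eth0
Mar  3 12:05:33 gw dhcpd: DHCPACK on 10.0.0.12 to 00:11:22:33:44:02 (eng-ws-02) via eth0
Mar  4 02:17:45 gw dhcpd: DHCPDISCOVER from D4:3D:7E:01:02:03 via wlan0
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
DISCOVER_RE = re.compile(rf"DHCPDISCOVER from (?P<mac>{MAC}) via (?P<iface>\S+)")
ACK_RE = re.compile(
    rf"DHCPACK on (?P<ip>\d{{1,3}}(?:\.\d{{1,3}}){{3}}) to (?P<mac>{MAC})"
    r"(?: \([^)]*\))? via (?P<iface>\S+)"
)


@dataclass
class Sighting:
    first_seen: str
    interfaces: set = field(default_factory=set)  # interfaces the MAC appeared on
    leases: set = field(default_factory=set)      # (iface, ip) pairs granted by DHCPACK


def parse_events(log_text):
    """Yield (timestamp, kind, mac, iface, ip) for each DISCOVER/ACK line.

    OFFER/REQUEST lines are skipped: a DISCOVER proves the device was on the
    segment, an ACK proves the server actually gave it an address.
    """
    for line in log_text.splitlines():
        ts_m = TS_RE.match(line)
        ts = ts_m.group("ts") if ts_m else "?"
        m = DISCOVER_RE.search(line)
        if m:
            yield ts, "discover", m["mac"].lower(), m["iface"], None
            continue
        m = ACK_RE.search(line)
        if m:
            yield ts, "ack", m["mac"].lower(), m["iface"], m["ip"]


def audit_unknown_devices(log_text, known=KNOWN_DEVICES):
    """Return {mac: Sighting} for every MAC that is not on the allow-list."""
    unknown = {}
    for ts, kind, mac, iface, ip in parse_events(log_text):
        if mac in known:
            continue
        s = unknown.setdefault(mac, Sighting(first_seen=ts))
        s.interfaces.add(iface)
        if kind == "ack":
            s.leases.add((iface, ip))
    return unknown


def unknown_leases_on(log_text, iface, known=KNOWN_DEVICES):
    """MACs of unknown devices that actually obtained a lease on `iface`.

    This is the "did anybody use the open access point?" question: a device
    that only sent DISCOVER was present; one with an ACK was given an address.
    """
    return sorted(
        mac
        for mac, s in audit_unknown_devices(log_text, known).items()
        if any(i == iface for i, _ in s.leases)
    )


if __name__ == "__main__":
    for mac, s in audit_unknown_devices(SAMPLE_LOG).items():
        where = ",".join(sorted(s.interfaces))
        got = ", ".join(f"{ip} on {i}" for i, ip in sorted(s.leases)) or "no lease (discover only)"
        print(f"{mac}  first seen {s.first_seen}  via {where}  {got}")
    print("unknown devices given an address on wlan0:", unknown_leases_on(SAMPLE_LOG, "wlan0"))
```

Two caveats apply when reading the result the way the interview does. A DHCP allow-list keyed on MAC addresses is a provisioning convenience rather than an access control: a client can set any MAC address it likes, and a device that configures a static address never talks to the DHCP server at all, so it leaves no trace in these logs. An empty report is therefore evidence that nobody obtained an address from the server, not proof that nobody joined the segment; keeping unknown devices off the wire is the job of the access point or switch itself (at minimum encryption with a key on the access point, or port-based authentication such as 802.1X).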
THE EXPERTS SAY
Whenever we're talking internal controls, we're always trying to match up what ultimately is the risk, and what are the types of things that could be done from a generic perspective to address those risks. One of the more serious risks concerns wireless devices.
When you're dealing with the wireless aspect, you're dealing with another point of access into your company's resources. So there's certainly that level of risk that all these devices pose, and another thing is that if these devices get stolen, you're giving away data. What if you have your customer list on your Blackberry?
A lot of these devices aren't necessarily marketed to companies, and in a small company in particular, it can be very easy to fall into the trap of personal marketing, so you say, here's what one can do for me, but I may not appreciate all the risks I may be exposing my organization to by going off and buying one of these devices.
So develop a use policy: what are your accepted devices? Technology changes on a daily basis, and there's always going to be that threat, so you need to keep it generic enough to capture some of those changes. Your security policy doesn't necessarily have to change; it's as simple as using passwords. How many people have a password on their cellphone or Blackberry to protect information?
Mike Abbott, senior manager, security/privacy group, Deloitte
The insider threat deals with the human nature side of security that organizations and security technologies are not well equipped to deal with. The inside attacker already has access and knows where the most valuable data is, and for that reason they can do the most potential damage to an organization. New hires are commonly accepted into trusted work places and given more access to data than they really need, despite the fact that they are barely known.
The most costly data breaches often come from inside attackers, but the total losses to insiders are estimated to be much larger, and hidden, because organizations do not have the means to determine what goes on inside the network. Many security products are network focused and are protecting the containers (the infrastructure), but not their contents (the data). The challenge of the insider threat is that it requires organizations to rethink their approach to security.
That starts with informing oneself of the insider risk and determining what data is crucial to the business, and who really needs access to it in their job. Security practices such as separation and rotation of duties, least privileges to systems and data, user education, logging and auditing are best bets. The limitation of auditing alone though, is that it often monitors infractions after they occur. The best technology to look for is one that enforces your security policies in the first place, and prevents infractions from occurring.
SMBs must protect themselves, because they may not be able to survive a serious insider attack, whereas the large enterprise may be better able to do so. They also have an obligation to protect private data or face possible legal consequences. To do nothing may result in disaster, since the proverbial "bad apple" could have copied valuable or sensitive information to carry out the door in the time it took to read this article.
Rob Lewis, Googgun Technologies