
Data Leakage Threats From External Contractors

Telindus : 07 July, 2010  (Special Report)
With recent heavy focus on the insider threat, Nick Burrows of Telindus UK examines the external threat to company data from contracted employees and outsourced staff accessing corporate data
The recession has, without a doubt, had a detrimental impact on the buying power of CIOs and CISOs who are under ever more pressure from the board to deliver more, for less. Further, with a preference for OPEX expenditure to cut overheads there has been a trend for organisations to increase their use of outsourced contractors and external staff; all of whom have a real business need to access the corporate network. With increasing incidences of insider threats - 59 per cent of employees that admit stealing company information say they did not have permission to access that data - it is imperative that the CIO protects the corporate network from data leakage. The need to maintain a solid security posture within a reduced budget, and a reduced workforce, is proving harder than ever before.

Insider threat is much more than just industry hype. In June, a Bank of America employee admitted stealing sensitive data from the call centre he worked in and trying to sell it for cash. Earlier this year, in March, investigations began into the theft of data of up to 24,000 clients of HSBS Holdings, a private bank in Geneva, by former IT employee Herve Falciani. Falciani tried to sell the stolen data for more than £2m. And these are just the 'big ticket' data thefts we hear about. Given that three quarters of employees say they can email data out of their organisation and 70 per cent can download data onto a USB stick without trace, this indicates that many organisations are leaving their networks wide open to data leakage.

The reality is that staff are more willing than ever before to steal data - particularly those that have left the company. In a Ponemon survey looking at Data Loss Risks During Downsizing, 39 per cent of employees said they had taken customer information with them when leaving a company. Even more worrying, 24 per cent were still able to access the computer system or network after they had left the company. At a time when organisations are still having to lay off staff, the risks of insider threat become much more real.

CIOs don't just have to protect their networks from disgruntled current or outgoing staff. The increasing use of external staff and contractors means they also have to grant 'guest users' access to the corporate network. More than just being able to monitor and control the flow of data internally and externally at the hands of these external (and retained) staff, these guest users often bring with them their own devices that need to be able to access corporate resources. The concern here isn't necessarily based on an assumption that every external contractor is hell bent on data theft, but that by connecting to the network with an 'out-of-business' device, file-level security is potentially at risk, exposing the network to viruses, Trojans or worms.

The impact on the business from downtime, data corruption and disruption can be just as damaging as data leakage, and both must be mitigated against. If the guest endpoint is not effectively managed, the CIO leaves the network open to significant problems, alongside infection, if one of these unmanaged endpoints happens to be configured in 'dangerous' mode. Beyond these threats, there is also a very real risk that in allowing guest users uncontrolled access to corporate networks, the organisation is unwittingly breaching compliance regulations and risks significant financial penalty.

Ultimately, these organisations have to - and want to - allow guest users to access company data, but must be wary of allowing indiscriminate access to all parts of the network. There has to be a default best practice for when a guest user or guest device needs to connect to the corporate network, and this needs to set individual access permissions based entirely on each user's identity and trustworthiness.

However, it's not always as 'simple' as defining access policies. Here is a 'check list' of four criteria CIOs would benefit from keeping front of mind when choosing a solution that will protect their network from the potential risks of external guests, as well as addressing insider risk and compliance:

1 Secure Guest Network Services

There are two primary goals for a Secure Guest Network Service. Its first use is to detect non-corporate users or devices and its second function is to provide limited connectivity to authorised guests. Identity-Aware Networking will automatically place non-authenticated users/devices into a dedicated Guest VLAN, which is separated from the corporate network and subject to set access parameters.

Today's networks are either anonymous or provide visibility at the IP or MAC address level - both of which expose the network to malicious attacks. To prevent unauthorised access to the network at this level, Identity-Aware Networking grants access based on specific user identity controls. This prevents users from accessing data they are not authorised to access and provides the organisation with visibility over user behaviour. By mapping IP addresses to user IDs, CIOs can monitor user actions and deliver a full audit trail upon request.
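As an added illustration (not part of the original article), the sketch below shows how mapping IP addresses to user IDs yields an audit trail, and why the mapping has to be time-bounded: the same guest address is held by two different contractors on the same day. All users, addresses, VLAN names, destinations and the ALLOWED policy are constructed assumptions.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the article): sessions recorded at network login.
SESSIONS = [  # (ip, user, vlan, start, end)
    ("10.20.0.15", "contractor.jlee", "guest", "2010-07-07T09:00", "2010-07-07T12:00"),
    ("10.20.0.15", "contractor.mroy", "guest", "2010-07-07T13:00", "2010-07-07T17:00"),
    ("10.10.4.22", "emp.asmith", "corporate", "2010-07-07T08:30", "2010-07-07T18:00"),
]
FLOWS = [  # (timestamp, source ip, destination) - constructed flow records
    ("2010-07-07T09:30", "10.20.0.15", "internet-proxy"),
    ("2010-07-07T12:30", "10.20.0.15", "internet-proxy"),  # no session active
    ("2010-07-07T14:10", "10.20.0.15", "finance-db"),      # guest reaching corporate data
    ("2010-07-07T10:00", "10.10.4.22", "finance-db"),
]
# Hypothetical policy: destinations each VLAN may reach.
ALLOWED = {"guest": {"internet-proxy"}, "corporate": {"internet-proxy", "finance-db"}}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def build_index(sessions):
    """Group sessions by IP, sorted by start time, for time-bounded lookup."""
    index = defaultdict(list)
    for ip, user, vlan, start, end in sessions:
        index[ip].append((_ts(start), _ts(end), user, vlan))
    for rows in index.values():
        rows.sort()
    return index

def attribute(index, when, ip):
    """Return (user, vlan) holding `ip` at time `when`, or (None, None)."""
    rows = index.get(ip, [])  # assumes sessions for one IP do not overlap
    pos = bisect_right([r[0] for r in rows], when) - 1
    if pos >= 0 and when <= rows[pos][1]:
        return rows[pos][2], rows[pos][3]
    return None, None

def audit_trail(sessions, flows):
    """Attribute each flow to an identity and flag policy violations."""
    index, trail = build_index(sessions), []
    for ts, ip, dest in flows:
        user, vlan = attribute(index, _ts(ts), ip)
        verdict = ("unattributed" if user is None else
                   "allowed" if dest in ALLOWED.get(vlan, set()) else "violation")
        trail.append((ts, ip, user, dest, verdict))
    return trail
```

Traffic from an address with no active session comes back as "unattributed", which is the IP-only visibility gap the section describes.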

2 Monitoring, Containment and Automation

One of the most basic of security tools, the monitoring of network traffic provides one of the strongest forms of protection by detecting and containing dangerous endpoints. This is made significantly more effective as network security solutions become identity and application aware, essentially allowing much more granular control of who is accessing which network resources. Authorisation and endpoint security posture checking also ensure that any device not owned or managed by the business is immediately detected and given access only to what corporate security policy allows. This automated process is crucial in detecting and mitigating dangerous behaviour.

3 Mitigation of Insider Threat

There are six requirements for any corporate network to meet to reduce the risk of insider threats:

* Coordinated, enterprise-wide access control
* Authorised network and application access
* Identity based behaviour anomaly detection and mitigation
* Identity and application aware firewalling for central data stores
* Third-party device collaboration and interoperability
* Comprehensive, identity-enabled logging and reporting

4 Legislative Compliance

To ensure the organisation is compliant when both insider and external staff are accessing the corporate network, the solution needs to deliver against these four criteria:

* Prevent unauthorised access of the network, applications and data, and provide instant authorisation for data access
* Check and assess the devices' security posture both before and after connecting to the network
* Offer policy enforcement that is cross-network and consistent, incorporating identity enabled profiling, auditing and logging of data trails
* Provide hardware and software that is hardened to meet recognised standards such as the US-based Federal Information Processing Standard (FIPS)

Insider threats and the risk of external access to the network are non-discriminatory and pose a threat to any organisation regardless of size or sector. Whether malicious or accidental, the introduction of viruses or Trojans to the corporate network or the loss of data through insider theft or carelessness can lead to serious repercussions for the organisation including loss of customer confidence and unwanted remediation costs. Add to this the need to ensure regulatory compliance and more recently the possibility of heavy fines for non-compliance, and the CIO is under significant pressure. The reality is that a network access control (NAC) solution can support all these requirements. Typically seen as either a means of preventing unauthorised external access to corporate networks or a means of enforcing endpoint security and compliance, NAC is the essential foundational ingredient that allows the CIO to meet the threat of data leakage head on.