Posts Tagged ‘hacker’

The Insider Threat: What CIOs Need To Know

Monday, October 12th, 2009
CIOs Know That Insiders Represent The Biggest Threat (c) - 2004

When you think about someone trying to make off with your company’s private data, what comes to mind? Some wily Russian hacker who sneaks into your company’s network through the backdoor? Perhaps you need to update your thinking. A recent report from Cisco revealed that the real threat is coming from insiders. What’s a CIO to do?

Identifying The Threat

By now all CIOs realize that their corporate networks and data are under almost constant assault. However, most of the steps that CIOs have taken to secure their networks have been designed to defend themselves against the attacker who comes from the outside.

The Cisco report also revealed that workers are sharing corporate information with outsiders for a variety of reasons. These include sharing data simply to get an outsider’s opinion on something, showing off work they’ve done to others, and so on.

On top of the active taking of corporate data, Cisco’s report revealed that some 66% of those who responded admitted to engaging in activities that would allow someone else to access corporate data (things like not logging off and then leaving their computers on at work overnight!).

Data Loss Prevention

If a CIO ever wants to get to sleep again, something has to be done to solve the data loss threat that insiders pose to the firm. There is no magic bullet, but one approach to dealing with this problem is to deploy a data loss prevention (DLP) suite of tools.

In true “big brother” fashion, a DLP suite generally consists of a network scanner coupled with multiple tools that allow an IT department to collect information on what data is being used and by whom.

Before moving forward with implementing a DLP solution, CIOs need to take the time to prepare to use this new set of tools. The steps involved include:

  • Secure The Important Stuff: before you go worrying about trying to secure how data is used throughout the enterprise, first identify the most important data and ensure that it is locked down.
  • Close Your (Network) Doors: before you can worry about insiders doing you harm, you need to make sure that outsiders can’t get in. This requires analyzing both your network ports and the protocols that the company’s network is using to make sure that they are secure.
  • Create A Baseline: in order to detect when the wrong things are being done, you need some way to detect them. Creating baselines such as point-in-time content signatures for sensitive data stores is a first step in doing this.
  • Start Inspecting Traffic: the way that you can prevent information from going to internal sources that don’t have a need to know is by installing automated network traffic inspectors. Setting parameters so that notifications of data breaches are flagged will do a great deal to prevent data loss by internal threats.
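One way to realise the “Create A Baseline” step above, as an added example that is not part of the original post: build a point-in-time manifest of SHA-256 content signatures for a sensitive data store, then diff it against a later snapshot so modified, added or removed files stand out. The data store and its files are constructed in a temporary folder for the demo.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict

def content_signature(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> Dict[str, str]:
    """Point-in-time baseline: relative path -> content signature for every file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = content_signature(full)
    return baseline

def diff_baseline(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, list]:
    """Compare two baselines; anything listed under modified/added/removed merits a look."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }

def demo() -> Dict[str, list]:
    """Constructed sample data store: two files, then one is edited and one is added."""
    with tempfile.TemporaryDirectory() as store:
        with open(os.path.join(store, "customers.csv"), "w") as f:
            f.write("id,name\n1,Alice\n")
        with open(os.path.join(store, "pricing.txt"), "w") as f:
            f.write("internal rate card\n")
        before = build_baseline(store)
        # Simulated changes between two checks: a record appended, a new archive dropped in.
        with open(os.path.join(store, "customers.csv"), "a") as f:
            f.write("2,Bob\n")
        with open(os.path.join(store, "export.zip"), "wb") as f:
            f.write(b"PK")
        after = build_baseline(store)
        return diff_baseline(before, after)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline manifest would be stored somewhere the monitored users cannot write to, and the diff run on a schedule.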

Final Thoughts

The value that a CIO brings to a firm is that he / she is able to harness IT resources in order to help the company succeed. As part of this task, the CIO is also responsible for making sure that sensitive corporate data remains secure from both external and internal threats.

CIOs that learn how to deploy DLP solutions in order to protect against the data loss threat from insiders will be better at finding ways to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

What We’ll Be Talking About Next Time

Since most firms have no idea about what to do with their corporate research facilities, responsibility for the labs often falls under the control of the CIO (because most firms don’t know what to do with IT either). Great. So what’s a CIO to do when he/she is responsible for a corporate R&D lab?

Kevin Mitnick Speaks About IT Security

Wednesday, April 29th, 2009

Kevin Mitnick is a reformed computer hacker who now provides security consulting

I had an opportunity to attend a very large IT health care show up in Chicago a while back and I was surprised to discover that Kevin Mitnick, the somewhat infamous computer hacker, was scheduled to give a speech.

Now even though I don’t move in computer security circles that much, I know about Kevin Mitnick. I know about him because I read Tsutomu Shimomura’s book Takedown: The Pursuit and Capture of Kevin Mitnick, America’s Most Wanted Computer Outlaw-By the Man Who Did It. If you’ve never read the book, I can recommend it. In a nutshell, Mitnick was a hacker who had evaded capture until he ticked off Shimomura, who is a computer security pro. After he did that, Shimomura went after him with a vengeance and eventually helped the authorities catch him and send him to jail.

Now here in America, we all enjoy a good comeback story and that’s basically what Kevin’s been living. He has reinvented himself as a computer security consultant and by all accounts appears to be making a very nice living for himself.

Kevin Mitnick's Business Card Contains Lock Picking Tools - Talk About Unique!

Since getting out of prison, Kevin’s been quite busy. He’s an author and he’s written two books: The Art of Deception: Controlling the Human Element of Security and The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers.

Kevin is actually a pretty good speaker. The focus of the speech that he gave was to remind CIOs that no matter how much they have invested in firewalls, RSA tokens, and passwords that change every 90 days, it’s social engineering that they need to fear the most.

Kevin’s speech basically consisted of stories in which he would tell how he had broken into various computer systems using a variety of low-tech methods. These included making phone calls and asking for cell phone source code (thanks Motorola!) or simply doing dumpster diving to collect scraps of paper with usernames and passwords on them.

Kevin pointed out that one of the most valuable items that he had ever gotten his hands on was the corporate directory for GTE. Once he had this, he had everyone’s phone number and knew who was the boss of whom. With this info, he could place calls to get more and more information.

Kevin’s stories and his continuing success on the right side of the law this time should serve as a reminder for all of us that at the end of the day, it’s the people who work in an IT department that are your weakest link in security. If you fix this issue, then you’ll be much closer to having a secure organization.

Have you ever had a problem with someone trying to gain access to your department / network by using social networking? What do you do to prevent “dumpster diving” from being successful at your place of work? Would you ever hire a convicted hacker to help you improve your cyber security? Leave me a comment and let me know what you are thinking.