Database security threats include unruly insiders


By Kevin Beaver, CISSP
06.18.2007


Ask just about anyone in IT management what they believe is a greater threat to database security -- employees and contractors or external hackers -- and you're almost guaranteed to hear, "The bad guy outsiders, of course!" Sure, a lot of people still quote the "80% of all attacks come from the inside" statistic, but the majority of people I talk to still fear the dreaded outsiders.

What's causing this ignorance of the insider threat? Is it the tribal belief that all insiders can be trusted? Is it the myrmidon-type mentality that everything we hear in the media is true? Or, is it just everyday people not knowing how in the heck to secure their internal network? I think it's all three.

Results from numerous studies cast a spotlight on the fact that the internal threat is a much greater problem than we believe it is. It's naïve to think that breaking into internal databases and critical systems takes a lot of skill -- and it's absolutely incorrect. Facts show most people are using very basic methods for obtaining ill-gotten gains. Sure, anyone can download database reconnaissance tools, password crackers and vulnerability scanners. That's certainly a risk, but it's a small one.

We're giving malicious insiders too much credit for their efforts. By and large, all they're doing is using their own account or someone else's account to obtain unauthorized access to servers and databases in order to do their dirty deeds. And they know they're most likely not going to get caught. This isn't just theory. I confirm these vulnerabilities and network user beliefs in my security assessments month after month, year after year. Let this be a wake-up call.

Rogue administrators are a reality, too, but there are a lot more "regular users" on the network that have access to sensitive information than there are administrators. Don't fall into the trap of believing it's the admins that do all the harm. Complicating matters is mobility. When users are offsite and out of mind, it's human tendency to believe that "a little peek won't hurt" or "no one can see me doing it" -- especially when malicious thoughts are present.

Combine that with readily available applications that can control all aspects of the network -- including critical database systems -- from the convenience of a Treo or similar handheld device, and the result can't be good for business! This is especially true when little to no internal controls are implemented or are being proactively managed.

You simply cannot trust that everyone is doing the right things all the time. Employee abuse of trust is happening. Sure, it's not everyone. It's not even 10% of your users. It's likely just one, two, maybe three people, but that's all it takes to create a big problem. It's okay to trust, but do it only where it makes sense. Most people don't need their current privileges, much less the full administrative rights that are so easily handed out.
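One concrete starting point for the privilege review this paragraph calls for, as an added example that is not from the original tip or its author: a T-SQL script that lists who holds instance-level administrative roles and db_owner (or db_securityadmin) in every online user database on a SQL Server 2005 or later instance. It assumes it is run by a login that can read the catalog views in each database (sysadmin or equivalent); the temporary table name and the set of roles checked are my choices, not anything the tip prescribes.

```sql
-- Added example (not from the original tip): inventory administrative rights
-- on a SQL Server 2005+ instance so excess privileges can be found and removed.
-- Assumes the executing login can read sys.* catalog views in every database.

-- 1. Server-level admin roles. A row whose login_type is WINDOWS_GROUP means
--    every member of that directory group is an administrator of the instance.
SELECT r.name       AS server_role,
       m.name       AS member_login,
       m.type_desc  AS login_type,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin', 'serveradmin')
ORDER BY r.name, m.name;

-- 2. Database-level admin roles in every online user database, collected
--    with dynamic SQL so each database's own catalog views are queried.
CREATE TABLE #db_admins (
    db          sysname,
    role_name   sysname,
    member_name sysname,
    member_type nvarchar(60)
);

DECLARE @db  sysname,
        @sql nvarchar(max);

DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE state_desc = 'ONLINE'
      AND name NOT IN ('master', 'model', 'msdb', 'tempdb');

OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME with '''' builds a safe string literal; plain QUOTENAME
    -- builds a safe [bracketed] identifier for the three-part names.
    SET @sql = N'INSERT INTO #db_admins (db, role_name, member_name, member_type)
        SELECT ' + QUOTENAME(@db, '''') + N', r.name, m.name, m.type_desc
        FROM ' + QUOTENAME(@db) + N'.sys.database_role_members AS drm
        JOIN ' + QUOTENAME(@db) + N'.sys.database_principals  AS r
             ON r.principal_id = drm.role_principal_id
        JOIN ' + QUOTENAME(@db) + N'.sys.database_principals  AS m
             ON m.principal_id = drm.member_principal_id
        WHERE r.name IN (''db_owner'', ''db_securityadmin'');';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

SELECT db, role_name, member_name, member_type
FROM #db_admins
ORDER BY db, role_name, member_name;

DROP TABLE #db_admins;
```

Compare both result sets against the short, written list of people who are actually supposed to administer the instance; anyone else is a candidate for removal. The WINDOWS_GROUP rows deserve particular attention, because a single group grant is how dozens of "regular users" end up with full rights without anyone ever granting them individually.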

Protecting sensitive information from forces within the organization needs as much if not more attention than what's been dedicated to hardening the network perimeter against outside threats. The solution – on paper at least – is simple. Management will have to view things differently. They need to know that existing perimeter controls aren't enough and that moving perimeter security concepts inside the firewall is essential.

Management must realize that just because insiders have passed background checks and seem to be good people, they absolutely cannot trust them completely. Perhaps more important, managers have to think for themselves and trust you, the administrator, as well as outside security experts when they're told threats and vulnerabilities do indeed exist. Then, they need to follow up with adequate support and resources to actually do something about the problem.

One of the most effective things you can do is to learn how to "sell" information security to others. In fact, communicating business needs, along with reasons for those needs, is a key piece for success in your job and in your career. If you like the job you're in and care about doing the right thing, why not take the reins and make it happen?


ABOUT THE AUTHOR:   
Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He also created the Security On Wheels audiobook series. Kevin can be reached at kbeaver ~at~ principlelogic.com.
Copyright 2007 TechTarget