Thu, Oct 1, 2009 15:41 EDT
Posted by: Kurt Johnson in Best Practices Topic: Security
The current economic climate has created new challenges and headaches for IT staff, particularly when it comes to security. Many companies are forced to reduce headcount, often in one bulk movement. This can leave a high volume of potentially disgruntled staff separating from the company at the same time, putting pressure on an already stretched IT department with numerous (at times hundreds or thousands of) IT accounts to deactivate. When handled manually, this sudden jump in workload can open a significant lag between the moment employees leave the company and the moment their account access is disabled, exposing the company to the risk of unauthorized access for as long as those accounts remain active and exploitable.
Of course, not all network breaches come from disgruntled former employees. They can just as easily originate with a current employee, or with someone completely disconnected from the organization: the opportunistic hacker.
According to the most recent Identity Theft Resource Center (ITRC) data breach report, 656 data breaches were reported in 2008 in the U.S. alone, a 47% increase from the 2007 figure of 446 data breaches.
Financial services companies reported that more than 18 million records were breached last year. Overall, more than 35 million records were compromised in 2008, according to the ITRC. Another survey, from the Ponemon Institute this past February, found that 59 percent of ex-employees admitted to keeping company data after leaving their employer. That statistic should be taken into account when weighing the potential risk or impact any one of these employees could pose when leaving to work for a competitor.
For an IT administrator, it is important to stop a breach or attack as early as possible. Ideally, you would be alerted to an issue while it is happening, rather than spotting something unusual in a log file days later, or learning of it only when confidential data falls into the hands of a national newspaper.
Network Behavior Analysis (NBA) takes its inspiration from the antivirus community, where the analysis of unusual system behavior is key to detecting new viruses. It bolsters the security measures and alert systems an organization already has in place by analyzing and mapping normal day-to-day activities such as:
• Who accesses which servers and when
• Data transfer peaks
• Authorized external access
• Which network services and applications are used and when
• The use of removable storage devices
This kind of NBA needs to be performed on an ongoing basis, both to build an accurate profile of what is ‘normal’ for the organization and to enable IT staff to spot anomalies as they happen.
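As an added illustration of the baseline-and-anomaly approach described above (example code written for this article, not taken from the original post or from any NBA product), the following Python script learns each user's normal daily outbound volume and the set of servers they use from constructed flow records, then flags a day whose egress jumps far above that baseline or that touches a server never seen before. The user names, host names and byte counts are all invented.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows (day, user, server, bytes out), invented for this
# example; not data from any real network.
BASELINE = [
    ("06-22", "dev1", "src-repo", 120_000), ("06-22", "dev1", "wiki", 40_000),
    ("06-23", "dev1", "src-repo", 150_000), ("06-23", "dev1", "wiki", 30_000),
    ("06-24", "dev1", "src-repo", 110_000), ("06-24", "dev1", "wiki", 50_000),
    ("06-25", "dev1", "src-repo", 130_000), ("06-25", "dev1", "wiki", 35_000),
    ("06-26", "dev1", "src-repo", 140_000), ("06-26", "dev1", "wiki", 45_000),
]
# Constructed observation window: a normal day, then a day when dev1 pulls far
# more than usual from the repo and sends it to a host never seen before.
TODAY = [
    ("06-29", "dev1", "src-repo", 125_000), ("06-29", "dev1", "wiki", 40_000),
    ("06-30", "dev1", "src-repo", 9_500_000), ("06-30", "dev1", "ext-ftp", 9_400_000),
    ("06-30", "temp7", "wiki", 10_000),  # account with no baseline at all
]

def daily_totals(flows):
    """Map user -> {day: total bytes}, one sample per user per day."""
    per_user = defaultdict(lambda: defaultdict(int))
    for day, user, _server, nbytes in flows:
        per_user[user][day] += nbytes
    return per_user

def build_profile(flows):
    """Per-user mean/stdev of daily egress plus the set of servers normally used."""
    return {user: {"mean": mean(d.values()), "stdev": pstdev(d.values()),
                   "servers": {s for _d, u, s, _n in flows if u == user}}
            for user, d in daily_totals(flows).items()}

def detect_anomalies(profile, flows, z=3.0):
    """Return (user, kind, detail) alerts: 'egress-surge' when a day's total exceeds
    mean + z*stdev (stdev floored at 10% of mean so a flat baseline still alarms),
    'new-server' for a host absent from the baseline, 'unknown-user' for no profile."""
    alerts = []
    for _day, user, server, _n in flows:
        if user in profile and server not in profile[user]["servers"]:
            alerts.append((user, "new-server", server))
    for user, days in daily_totals(flows).items():
        if user not in profile:
            alerts.append((user, "unknown-user", None))
            continue
        p = profile[user]
        limit = p["mean"] + z * max(p["stdev"], 0.1 * p["mean"])
        alerts.extend((user, "egress-surge", day)
                      for day, total in sorted(days.items()) if total > limit)
    return alerts
```

With the constructed data, the normal day on 06-29 produces no alert, while 06-30 raises both an egress surge and a new-server alert for dev1; the unprofiled temp7 account is reported separately rather than silently ignored.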
According to the ITRC, insider theft has more than doubled between 2007 and 2008, accounting for 15.7% of all reported breaches.
A recent example is the attempted data theft from investment bank Goldman Sachs in early July 2009. While working for the company, a computer programmer is alleged to have downloaded copies of the source code of a proprietary trading system and taken them off-site without authorization. The code was downloaded to his home computer as well as to removable memory sticks, so that it could be passed on.
This data theft was detected as it was taking place, not long after the event began, when IT staff at Goldman were alerted to a surge of data leaving Goldman’s servers that did not match the normal network behavior profile (the organization’s ‘network body language’). From there it was a simple process to determine where that surge was heading.
The result of this detection was that the offending programmer was arrested and charged with stealing top-secret application code