Your employees need not be malicious to pose a danger to your enterprise.

(www.esecurityplanet.com Via Thomson Dialog NewsEdge)
Last month I wrote about the inside threat to your network and your company at large. In this column I'll offer two more examples of internal threats to your organization.

There are two types of employees that I like to call Dennis the Menace and Alice in Wonderland. They are bright, motivated, friendly and have only the best of intentions. They can also be your worst nightmare.

Dennis, for instance, sees some problem with the production code you use for your core business. He knows there's an easy fix, it will only take five minutes, and everyone will be very glad at how much better the system runs once it's fixed.



He rewrites the function, and replaces it in the module where he first identified the problem. What he fails to realize is that several other modules have dependencies and the change causes the production code to grind to a halt. Your network looks fine, everything should be working, but it's not.

If you have change controls in place, and critical file monitoring done from a centralized location, you would have already determined that Dennis was mucking about in the code. Additionally, you can identify which files were changed, compare them to, or replace them with, backup code, and return to production with limited downtime.
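A minimal sketch of the file comparison described above, added here as an illustration and not part of the original column: it hashes a production tree and a known-good backup tree and lists the files that were modified, added or removed. The directory layout, file names and the `compare_to_backup` helper are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_backup(production: Path, backup: Path) -> dict[str, list[str]]:
    """Report files that differ between production and the known-good backup."""
    prod, good = tree_hashes(production), tree_hashes(backup)
    return {
        "modified": sorted(f for f in prod.keys() & good.keys() if prod[f] != good[f]),
        "added": sorted(prod.keys() - good.keys()),
        "removed": sorted(good.keys() - prod.keys()),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed backup/production pair and return the drift report."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, production = Path(tmp, "backup"), Path(tmp, "production")
        for root in (backup, production):
            (root / "billing").mkdir(parents=True)
            (root / "billing" / "tax.py").write_text("def rate():\n    return 0.07\n")
            (root / "orders.py").write_text("from billing.tax import rate\n")
        # Constructed unapproved changes: an edited function, a new file, a deleted file.
        (production / "billing" / "tax.py").write_text("def rate(region):\n    return 0.07\n")
        (production / "hotfix.py").write_text("# quick fix\n")
        (backup / "legacy.py").write_text("# helper module\n")
        return compare_to_backup(production, backup)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run from a central host against the deployed tree, a non-empty report outside an approved change window is the signal that someone has been editing production files, and the backup copy is what gets restored.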

Certainly you don't want to be the one explaining to the CEO, CIO, or CTO what happened and why it took so long to do something about it. You also don't want to be the one responsible for informing customers about loss of data, downtime and loss of revenue.

A change control process sets the framework for protecting all the parties involved. It allows for the identification and timely resolution of a snag in your code, but it also clearly identifies who is responsible for the change, and what the back out should be in case of difficulties.

In Dennis' case, it also means that every time there's some difficulty, you won't be camped on his desk asking what he did this time. He'll be relieved to know that he isn't a scapegoat in bad situations.

Educating the Trusting

Then there's Alice. She will be the first to tell you she's not very technically inclined. She loves her computer; it lets her do so many things. She's working on a novel, and she thinks the World Wide Web is amazing for its ability to tell you everything you ever wanted to know about anything.

And she believes it all. If it comes to her in email from friends, then it's obviously something she needs to see, sign, buy or try. After all, who on earth would know who she is and what her email address is?

We've talked about this situation before, and we'll likely talk about it again. It is very difficult to educate the trusting to recognize the threats inherent in the virtual world. Teaching users to avoid suspicious sites sent in email, and to recognize attempts by unauthorized persons to gain privileged information via the web or email, will go a long way toward cutting down the number of compromises that result from malicious web content.

Alice has another bad habit. She can never remember her password, so she's written it down and put it in a safe place. How many safe places can you think of? Want to bet it's one of the first three you can come up with? Let's see: bottom of keyboard, behind monitor, under edge of desk (next to last week's gum), or in Rolodex under "computer." But they are such good hiding places! (sigh)

The reason I bring this up is, if you'll recall from last month, there are all these people who have access to your physical spaces that you have little or no control over: cleaners, caterers, contractors. If Alice isn't going to protect her password, do you think she's left her user name lying around? What's to prevent the hired help from taking advantage of the situation?

As we talked about before, in many situations, you have no ability to vet the employees of your contract labor. You also have limited ability to monitor work being done outside normal business hours.

You might be saying to yourself that Alice's laxness with her password and user name isn't really a major problem, since she doesn't have access to critical systems or data. But what does she have access to? Memos between the CEO and the CFO about the next round of venture capitalization? Plans for going public? What would the loss of this information mean to the organization?

In many respects, policy implementation regarding the use of the Internet and password strength and replacement minimizes certain aspects of these threats. Eliminating unauthorized software or applications improves the ability to control unanticipated vulnerabilities.

I want you to be able to look at your organization with an eye for security hotspots. Anyone can identify the unsecured fire door, or the modem tied into the office server. What you need to be able to identify is the invisible threat of the stranger at your door (contractors), the well-intentioned, and the dearly departed.

You can do a lot of things to handle these threats. Policy implementation can force updates to operating systems, enforce strong passwords and prevent the installation of unauthorized software. Education brings a better understanding to your employees about the threats they are confronted with on a daily basis. Finally, know your employees as people with families, hopes and dreams, and problems as well. You can identify potential problem areas when you know the people who work with and for you.

On Wednesday, Sept. 27, I will be participating in a webcast discussing this subject. You'll hear about these employees and others in detail. Hopefully, you will gain better insight into identifying possible situations before problems arrive. I hope you'll join me. For more information, check here.

Internet.com Corp.

Copyright 2003 Jupitermedia Corp. All rights reserved.
Republication and redistribution of Jupitermedia Corp. content is
expressly prohibited without the prior written consent of Jupitermedia
Corp. Jupitermedia Corp. shall not be liable for any errors
or delays in the Content, or for any actions taken in reliance thereon.

Copyright 2006 Jupitermedia Corp.