Security Policy First

The document provides guidance on strengthening security policies and procedures to prevent insider threats. It recommends: 1) Ensuring security policies spell out potential consequences for misuse and do not require trusting insiders for investigations. 2) Applying tight physical access controls to high-value systems and data, such as biometric authentication and lockable storage for hard copies. 3) Conducting thorough background checks on new hires and screening for relationships with known threats.

1. Security policy first

At a minimum, your security policy should include procedures to prevent and detect
misuse, as well as guidelines for conducting insider investigations. It should spell out
the potential consequences of misuse.

Start by reading through your existing security policies, especially those regarding
incident handling. Rework sections that rely on trusting insiders. For example, your
incident-handling plan shouldn't require your team to contact the administrator of a
suspect system to gain access; he or she may be the culprit.

Next, make sure that your policy details the limits on access to and dissemination of
personal data about your employees, temps and others who might be targets of
investigations. Mishandling this data can have severe consequences, including legal
action. Specify who is allowed to access what data, under which circumstances, and
with whom they are allowed to share this information.

Finally, to protect the organization from allegations of unfair or unequally applied
penalties, make sure your security policy spells out the consequences of misusing
company resources.

2. Don't neglect physical security


Regardless of whether you "own" physical security, consider it your No. 1 priority.
Simply keeping people away from your critical infrastructure is enough to prevent
most insider incidents.

Consider what happened to Red Dot, a Seattle-area heating and cooling company,
where two janitors combed through garbage cans, desks and filing cabinets, stealing
employee and customer personal information. They obtained fraudulent credit cards
and illegally accessed bank accounts, stealing tens of thousands of dollars before they
were arrested.

Isolate high-value systems in restricted areas, and apply tight access control. You may
be tempted to rely on keycards -- they're flexible and inexpensive -- but they're only
single-factor authentication and can be lost, stolen or borrowed. The audit log may
show that Alice entered the computer room at 10:03:34 a.m., but what if it was really
Bob using her key?

Two-factor authentication -- for example, using a PIN and a keycard -- to augment
keycards will thwart card thieves, but obliging employees will still loan their cards
and PINs to colleagues.

Consider biometric authentication. Fingerprint scanners and similar devices are
popular, albeit expensive choices.

But securing your computer systems isn't enough. Thieves, or overly curious
colleagues, will grab sensitive information from unsecured hard copy. Make sure all
your employees have at least one lockable drawer in their desk or file cabinet for
securing sensitive information.

3. Screen new hires


In general, the more time you spend investigating an applicant's background, the
better. If your organization considers background checks too time-consuming,
consider outsourcing.

Background checks don't always tell the whole story, however. For example, a typical
check might verify the applicant's current address, but would fail to reveal that
someone living at the same address is a known con artist or a disgruntled ex-
employee.

Services such as Systems Research & Development's NORA (Non-Obvious
Relationship Awareness) can find such relationships. By combining information from
seemingly unrelated corporate databases, NORA can perform personnel checks -- on
employees, subcontractors and vendors -- as well as prospective hires.

4. Use strong authentication

Passwords are passé. Password-cracking technology is quite advanced, and stronger
passwords spawn forests of Post-it notes on monitors. And many employees share
passwords.

The alternatives are expensive, and general deployment is beyond the means of most
organizations. A more cost-effective compromise is to apply strong multifactor
authentication only to particularly sensitive applications or systems, such as HR or
accounting.

If you do deploy multifactor authentication -- combining user IDs and passwords with
tokens, smart cards or fingerprint readers, etc. -- be aware that these methods may not
plug all the holes. Once your session is established, a knowledgeable insider may be
able to spoof new transactions under your name or simply use your computer while
you've stepped away. Windows stations can be set to lock out users after a fixed
period of inactivity and require reauthentication.

5. Secure your desktops


You can't depend on users to be responsible for all their configurations, but if you're
using Microsoft's Active Directory service, you can use group policies to lock down
desktops across your enterprise.

Group policies allow a security manager to set configuration details for the OS and its
components (Internet Explorer, Windows Media Player, etc.), as well as other apps.
For example, you can change the settings for each of Internet Explorer's security
zones, enforce the use of your organization's content filtering internet proxy and even
forbid the use of unsigned third-party macros in Microsoft Office apps. Windows
itself comes with a number of sample template files, and more are available from
Microsoft's website or from the Windows or Office Resource Kits. In addition, make
sure access rights to network folders are applied on a strict need-only basis.

6. Segment LANs

Host- or network-based intrusion detection systems deserve a prominent place on the
roster of your internal defenses, but finding good monitoring points can be
challenging.

Host-based systems usually deploy agents, but network-based systems rely on LAN
sniffers. Monitoring a single internet connection is easy, but finding good locations --
choke points -- inside often-chaotic LANs can be more difficult. Ideally, you'd have
one sniffer for each LAN segment. In a large network, this is unwieldy, impractical
and will probably overwhelm you with worthless alerts.

A better tack is to treat your LAN as a series of enclaves, each of which comprises its
own zone of trust, segregated by firewalls at the point where each connects with the
corporate backbone.

7. Plug information leaks


Sensitive information can flow out of your organization through email, printed copies,
instant messaging or by people simply talking about things they should keep to
themselves. Combine security policy and technology to stanch the bleeding.

First, make sure your policy details restrictions on disseminating confidential data.

Technology can help, starting with the intrusion detection system (IDS). Scan your
business plan for unique phrases that you wouldn't expect to find anywhere else and
configure your IDS to alert you whenever it sees these telltale snippets on the
network.

Email firewalls can scan the full text of all outgoing email.

Digital rights management tools restrict distribution of documents by assigning access
rights and permissions.
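The "telltale snippets" idea above, carried one step further as an added example (not code from the article): instead of hand-picking phrases, every run of five consecutive words in the protected document is hashed into a fingerprint, and outgoing mail is flagged when enough of its own word runs match, so changes of case, punctuation or line wrapping in a forwarded copy do not defeat the check. The business plan excerpt, the mail messages and the thresholds are all constructed for this example.

```python
import hashlib
import re

SHINGLE_WORDS = 5    # consecutive words per fingerprint; longer runs mean fewer false alarms
ALERT_THRESHOLD = 3  # matching runs needed before a message is flagged (assumed value)

def _words(text):
    """Lower-case and drop punctuation and line breaks so reformatting does not evade the match."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).split()

def fingerprint(text):
    """Set of short hashes, one for every run of SHINGLE_WORDS consecutive words."""
    w = _words(text)
    return {hashlib.sha256(" ".join(w[i:i + SHINGLE_WORDS]).encode()).hexdigest()[:16]
            for i in range(len(w) - SHINGLE_WORDS + 1)}

def matching_shingles(protected_fp, text):
    """How many word runs of `text` also occur in the protected document."""
    return len(fingerprint(text) & protected_fp)

def scan_outbound(messages, protected_fp, threshold=ALERT_THRESHOLD):
    """messages: iterable of (sender, recipient, body). Returns the alerts a reviewer should see."""
    alerts = []
    for sender, rcpt, body in messages:
        n = matching_shingles(protected_fp, body)
        if n >= threshold:
            alerts.append({"from": sender, "to": rcpt, "matching_shingles": n})
    return alerts

# Constructed business-plan excerpt: the document whose text must not leave the organization.
BUSINESS_PLAN = (
    "Project Bluefin will launch in the third quarter with a target of four "
    "thousand subscribers and a revenue projection of two million dollars in "
    "the first year. The acquisition shortlist includes three regional competitors."
)
PLAN_FP = fingerprint(BUSINESS_PLAN)

# Constructed outbound mail: one harmless message, one quoting the plan with changed case and wrapping.
OUTBOUND = [
    ("alice@corp.example", "bob@corp.example", "Lunch at noon? The cafeteria has fish today."),
    ("carol@corp.example", "carol@webmail.example",
     "FYI from the plan:\nA TARGET OF FOUR THOUSAND subscribers,\nand a revenue "
     "projection of two million dollars\nin the first year."),
]

if __name__ == "__main__":
    for alert in scan_outbound(OUTBOUND, PLAN_FP):
        print(alert)
```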

8. Investigate anomalous activities


You probably collect reams of log data from your internet-facing servers: Unix
syslogs, Windows event logs, firewall logs, IDS alerts, antivirus reports, dial-up
access logs or any of a number of other different audit trails. But what about your
internal LAN?

Unlike external attackers, insiders generally aren't careful about covering their tracks.
"It's as if the attacker doesn't expect to be caught. Generally, none of the insider
attacks we have seen were difficult to investigate," said Peter Vestergaard, former
technical manager at Danish security consultancy Protego. "The biggest problem has
been that companies don't have sufficient logging. In one case, almost no one knew
that logging on a nondomain controller NT/Win2K server is disabled by default.
Therefore, little or no log material was available."

Once you've got the log files, you're left with the often-difficult task of sorting
through them for suspicious activity. "In all the noise, it's hard to identify a particular
person trying to get information on the network," said an information security officer
for a large U.S. insurance and financial services company, who requested anonymity.
His company uses a home-brewed analysis engine that combines information from
several different logs and looks for questionable patterns.

If you have the money, network forensic analysis tools can analyze the flow of
information throughout your network.
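An added example (not the insurance company's engine and not code from the article) of the cross-log correlation described above, which also ties back to the keycard problem from the physical-security section: LAN logon events are checked against the badge system's entry log, the time of day, and the account's previous logon. Both log formats and all entries are constructed for this example; real inputs would be the badge system's export and the Windows Security logon events from internal hosts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (formats invented for this example).
BADGE_LOG = """\
2024-03-04 08:55:12 BADGE_IN alice door=main
2024-03-04 09:02:40 BADGE_IN carol door=main
"""
LOGON_LOG = """\
2024-03-04 09:10:41 LOGON alice host=ws-17
2024-03-04 09:12:03 LOGON carol host=ws-08
2024-03-04 09:15:22 LOGON alice host=srv-hr
2024-03-04 02:13:05 LOGON dave host=ws-03
"""

BUSINESS_HOURS = (7, 19)                   # 07:00-19:00, assumed for this example
CONCURRENT_WINDOW = timedelta(minutes=10)  # one account on two hosts this close together is suspicious

def parse(log):
    """Return (timestamp, event, user, value) for lines of the form '<date> <time> <EVENT> <user> k=v'."""
    rows = []
    for line in log.splitlines():
        date, time, event, user, kv = line.split()
        rows.append((datetime.fromisoformat(f"{date} {time}"), event, user, kv.split("=", 1)[1]))
    return rows

def find_anomalies(badge_log, logon_log):
    """Cross-check LAN logons against physical entry and time of day; return human-readable findings."""
    badged = defaultdict(list)
    for ts, _, user, _ in parse(badge_log):
        badged[user].append(ts)
    findings, last_seen = [], {}           # last_seen: user -> (timestamp, host)
    for ts, _, user, host in sorted(parse(logon_log)):
        # 1. The account is in use on the LAN, but its owner never badged into the building first.
        if not any(b.date() == ts.date() and b <= ts for b in badged[user]):
            findings.append(f"{user}: logon to {host} at {ts} with no prior badge-in")
        # 2. Logon outside business hours.
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            findings.append(f"{user}: after-hours logon to {host} at {ts}")
        # 3. The same account becomes active on a second host within a short window.
        prev = last_seen.get(user)
        if prev and prev[1] != host and ts - prev[0] <= CONCURRENT_WINDOW:
            findings.append(f"{user}: logon to {host} at {ts} shortly after {prev[1]}")
        last_seen[user] = (ts, host)
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(BADGE_LOG, LOGON_LOG):
        print(finding)
```

Each rule on its own produces noise (remote workers never badge in, on-call staff log on at night); the value comes from reviewing the findings together rather than treating any one as proof.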

9. Refocus perimeter tools and strategies


By applying your perimeter tools to the inside of your network, you can greatly
increase your security posture, often at little cost. Step one is internal patching. You
wouldn't dream of putting unpatched web or email servers on the public internet, so
why should you settle for them on your LAN?

Step two is securing hosts by eliminating unused services and locking down
configurations.

Once you've got the basics covered, you can add more external tools to your internal
repertoire. If you're already using vulnerability assessment tools for your internet-
facing services, scan your internal network for very little additional cost. Begin by
scanning your most critical servers, like internal email, web and directory servers,
then prioritize other systems and scan them in order.

10. Monitor for misuse


Your security may require direct employee monitoring -- from video cameras to
keystroke logging. Research suggests that as many as one-third of all employers
perform such monitoring to some degree.

Before jumping on the bandwagon, though, make sure you know what tools are
available to you and what constitutes legal monitoring in your jurisdiction.

Web content filters are useful tools, since they can be set to block pornography,
competitors' websites and hacker tool repositories, all of which figure prominently in
common insider security threats. In general, you can safely employ these as a matter
of policy for all your workers.

If you need more detailed information about what specific employees are doing, you
must exercise a bit more discretion, but you still have plenty of options that offer
keystroke recording, application activity and window title logging, URL visit history
and more.
