Analysis: Cyber raids fuel calls for training, monitoring

LONDON Fri Jun 17, 2011 6:50pm EDT

U.S. Department of Homeland Security (DHS) employees work on the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) operational watch floor where they monitor, track, and investigate cyber incidents in this handout photo taken October 29, 2009 at the Idaho National Laboratory in Idaho Falls, Idaho. REUTERS/Chris Morgan/Idaho National Laboratory


LONDON (Reuters) - Employers rushing to boost cyber defences after a rash of U.S. online break-ins won't block spies and thieves by simply throwing technology at the problem, since their core weakness is often badly-trained and -managed workers.

In the cyber realm, as in other areas of security, the human factor is a pervasive vulnerability, be it theft by malicious "insiders" or inadvertent breaches by employees clicking on a compromised link, analysts say.

More rigorous training may not end the abuse of corporate cyber systems -- the sophistication of some hacker tactics is so great that 100 percent security is probably unattainable -- but it can significantly reduce the risks, specialists say.

The same goes for the adoption of intrusive new ways of monitoring employee online behavior and compliance with good cyber practice, some security specialists say.

"(High-tech) Bells and whistles are no use if you don't have trusted, loyal and well-informed staff," said an industry executive who spoke recently at a closed door cyber seminar.

Many experts say much more can be done to tighten security at the "endpoint" -- in other words, people -- rather than place excessive reliance on clever software, important as that is.

Some experts see a need to carry out security vetting when hiring key staff, for example computer system administrators.

"Technology is only a part of the problem -- all systems are composed of people, processes and technology -- you only need to break one of the components to attack the system," said Steve Purser, a senior expert at the European Network and Information Security Agency, a European Union body.

He said there were no hard and fast rules about monitoring staff online because data differed in sensitivity and context.

"The important point is to communicate the rules to staff and to ensure that the rules are being followed," he said.

The need is urgent, not least because employers are worried recession may swell the ranks of staff in line for retrenchment who plan to take proprietary data with them out of the door.

Some are queasy about the notion of intruding on employees' online work. But then, analysts note, hackers are doing exactly the same thing -- and imperiling jobs into the bargain.

"It's the people side of the equation that is letting the bad guys through right now," Neil Fisher, Vice President of Global Security Solutions at Unisys Corp told Reuters.

He was referring to 'phishing' attacks, a hacker ploy to obtain data such as passwords or bank details by posing as a legitimate institution.

"KNOW YOUR INSIDER"

In advanced "spear-phishing" campaigns hackers craft personalized e-mails, often using data available on social media websites, duping recipients into downloading attachments that launch malicious software that takes over their computers.

Such ploys are suspected in at least some recent prominent attacks, which have targeted entities such as the International Monetary Fund, Central Intelligence Agency, the U.S. Senate, and companies such as Citigroup and Lockheed Martin.

Mohan Koo, CEO of Dtex Systems (UK), said most organizations tended to over-prioritize the risk of external threats, a tendency he said was prevalent in the financial sector.

"For years now investment banks have lived by the motto 'Know Your Customer', today it's more critical that they focus on 'Know Your Insider' because that is where they have a weakness."

"The problem is that most organizations don't monitor their insiders with a sufficient level of granularity to quantify the threat to their business. If they did, the shock would be sufficient to spark a significant change in their approach."

A March 28 study by computer security firm McAfee and U.S. government consulting company SAIC said the most significant threat reported by organizations when protecting information was data leaked accidentally or intentionally by employees.

ECONOMIC PAIN MAY RAISE RISK OF ABUSE

The risk of malicious theft of data or intellectual property by insiders for private gain or to boost value to potential new employers may rise as Western economies struggle, analysts say.

A 2011 survey of cyber crime by Verizon, the U.S. Secret Service and the Dutch High Tech Crime Unit noted concern among industry experts that financial strain would cause an increase in insider abuse, although evidence was sparse so far.

A 2010 study by cyber security company Imperva of 1,026 people in several business districts in London showed that if rumors were circulating about possible redundancies, 37 percent of respondents said they would want to take information with them.

Tony Dyhouse, a security expert at Britain's ICT Knowledge Transfer Network, told Reuters a lot of the insider threat was actually "from people who are no longer inside."

"They've left the company but they still have access credentials, they may still have site passes and computer access. All too often people leave the company and their accounts are not closed down.

"People are aware of the value of data and they will try and keep things and send information home. They actually take preemptive action, so 'now I am going to get my own back, or at least I am going to make sure I have the capability to do so'." (Editing by Philippa Fletcher)
