Tales from the security trenches

feature
Apr 25, 2003

Companies share their best practices for avoiding internal threats

“I’d tell you, but then I’d have to kill you.” Enterprises are notorious for refusing to talk about security measures they’re taking. But IT executives at two companies were willing to shed light on some of the ways they guard against internal threats. Here are some of their insights into best practices to control internal threats.

British Telecom

Twelve years ago, a reporter from one of Britain’s national newspapers took a temp job at British Telecom, obtained a password for a secure account, and used it to steal — then threatened to publish — some of the company’s most closely guarded information. “We have telephone numbers for people like the queen and the prime minister,” explains Alec Cartwright, a lead designer at BT Exact, British Telecom’s internal IT organization.

In the wake of that incident, the company developed internal procedures to protect against future inside threats, and has implemented those procedures using a range of technologies including IDS and firewalls. Today one key focus is protecting the company’s 1,200 Web-based applications, and making sure BT’s 120,000 employees have access to them only on a need-to-know basis.

To that end, British Telecom uses Netegrity’s SiteMinder as a central administration point “to tightly control what [users] can do, or what they attempt to do,” says Cartwright, who heads the SiteMinder implementation team. The software is linked to the company’s PeopleSoft HR system, he explains, “so as people leave the company, their access to systems is revoked.” The system also enforces password requirements and facilitates resets on a regular basis. It serves as an authentication system for internally developed applications, and it provides audit trails to show who is trying to access restricted information.

Cartwright says the system has caught insiders who attempted to log on to other employees’ accounts using invalid passwords, cycling through as many as 100 accounts one by one until they get locked out of each account. “It’s looking for patterns like that, and they do happen,” he explains. “People will cycle round a set of accounts… it’s really quite a sophisticated attack.”
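The account-cycling pattern Cartwright describes is what an authentication audit trail makes visible. The following added Python example (not BT's or SiteMinder's code) parses constructed login events and flags any source whose failed attempts span several distinct accounts within a short window, while leaving a single user's own repeated failures alone; the log format, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: timestamp, source address, account, outcome.
SAMPLE_LOG = """\
2003-04-25T09:00:01 10.1.2.3 alice FAIL
2003-04-25T09:00:04 10.1.2.3 bob FAIL
2003-04-25T09:00:07 10.1.2.3 carol FAIL
2003-04-25T09:00:09 10.1.2.3 dave FAIL
2003-04-25T09:00:12 10.1.2.3 erin FAIL
2003-04-25T09:00:30 10.1.2.9 alice FAIL
2003-04-25T09:00:35 10.1.2.9 alice OK
2003-04-25T09:01:00 10.1.2.3 frank LOCKOUT
"""

def parse(log):
    """Turn whitespace-separated log lines into (time, source, account, outcome)."""
    events = []
    for line in log.splitlines():
        ts, src, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, account, outcome))
    return events

def find_account_cycling(events, window=timedelta(minutes=10), min_accounts=3):
    """Return {source: sorted accounts} for every source whose failed or
    locked-out attempts touch at least min_accounts distinct accounts
    inside any window-long span. One user repeatedly mistyping their own
    password hits only one account and is therefore not reported."""
    by_src = defaultdict(list)
    for ts, src, account, outcome in sorted(events):
        if outcome in ("FAIL", "LOCKOUT"):
            by_src[src].append((ts, account))
    hits = defaultdict(set)
    for src, attempts in by_src.items():
        start = 0  # sliding window over time-ordered attempts
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            accounts = {a for _, a in attempts[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits[src].update(accounts)
    return {src: sorted(accts) for src, accts in hits.items()}

if __name__ == "__main__":
    for src, accounts in find_account_cycling(parse(SAMPLE_LOG)).items():
        print(f"{src} cycled through {len(accounts)} accounts: {', '.join(accounts)}")
```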

Palm

How do you draw the line between legitimate employee tinkering in the line of duty and dangerous insider snooping? In an environment such as Palm, thick with developers trying to flex their coding muscles, the best defense is a good offense, explains Palm’s Director of Global IT Services Matt Archibald.

“Employees like to fiddle around with tools that will scan the network,” Archibald says. “Some of it is just people playing around, other times it could be … a contractor who’s doing work and they don’t want to go through the right processes to gain access to [a system], so they break into it.”

To keep ahead of such situations, Archibald utilizes a grab bag of tools, including Symantec’s Manhunt IDS product — “I’m a huge proponent of Manhunt,” he says — and penetration scanner utilities such as Network Associates Cybercop Scanner and public domain tools Nessus and Nmap. “It’s not just putting up defensive measures, it’s being as offensive as you can be,” Archibald says.

Specifically, he recommends constantly analyzing the network and performing unscheduled network penetration studies, using different tools each time. “Never tell anybody when you’re going to do them,” Archibald says, otherwise people “who want to have holes in their systems will turn off the open holes for the duration of the study.”

Archibald also recommends testing for vulnerabilities in OS and application configurations by doing deltas against the previous configuration or a policy baseline. Check for directory permissions, Archibald advises, plus changes to default security policies, or changes to how accounts are set and how files are shared. “Are there any back doors set, or is there anything in the configuration itself that allows an authorized user to gain access to privileged information, or change configuration settings on the system?”