Quis Custodiet Ipsos Custodes?

Guy Bunker

… or “Who will watch the watchers?” In a recent case a malicious insider admitted not to stealing information – but, in effect, to adding to it. As an IT insider he had access to the systems that dealt with loyalty cards; he set up a number of bogus accounts and then filled them with points… that he could later spend.

A great deal of time and effort goes into protecting systems at the endpoint or the servers in the datacentre, and companies now at least acknowledge the insider threat… but when it comes to applications there is still a naivety of “all our people are good”. Which brings us to the question: who is watching the people who are supposed to be watching the systems? Unfortunately there is very little that can be done to stop the determined malicious insider – after all, they have been given access to the systems, and often the actions they take are ones they are authorised to carry out.

However, this is where good application design and usage policies can help. For a start, all administrators should have their own usernames and passwords – no sharing. There should also be good logs / audit trails, especially for functionality requiring additional privileges. Finally, there needs to be some means of reviewing the log files – either automatically or manually… and preferably not by one individual (otherwise they could become the malicious insider). Often just informing people that this functionality and policy is in place will deter the potential casual insider… and for those who are not deterred, at least you now have some evidence.
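To show what an automated review of such an audit trail might look like, here is an added example (not code from the original post or from any real loyalty-card system). It assumes a hypothetical application audit log with one line per privileged action in the form `timestamp actor action target [points]`, and it flags three things the post argues for watching: an administrator crediting points to an account they themselves created, use of a shared login such as `admin`, and privileged actions outside assumed business hours. The log lines, account names and action names are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit trail for a hypothetical loyalty-card admin
# application (not real data): "timestamp actor action target [points]".
SAMPLE_AUDIT_LOG = """\
2024-03-01T09:12:03Z jsmith CREATE_ACCOUNT LC-1001
2024-03-01T09:12:41Z jsmith CREDIT_POINTS LC-1001 5000
2024-03-01T10:05:22Z mjones CREATE_ACCOUNT LC-1002
2024-03-01T11:30:07Z kpatel CREDIT_POINTS LC-1002 250
2024-03-02T02:14:55Z admin CREDIT_POINTS LC-1003 9000
2024-03-02T08:45:10Z jsmith CREATE_ACCOUNT LC-1004
2024-03-02T08:46:02Z jsmith CREDIT_POINTS LC-1004 7500
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")
SHARED_ACCOUNTS = {"admin", "root", "sysadmin"}  # assumed shared logins to flag
BUSINESS_HOURS = range(8, 19)                     # assumed 08:00-18:59 UTC


def parse_audit_log(text):
    """Parse the hypothetical log format into a list of event dicts.

    Lines that do not match the expected shape are skipped rather than
    crashing the review, so one malformed entry cannot hide the rest.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, actor, action, target, points = m.groups()
        events.append({"ts": ts, "actor": actor, "action": action,
                       "target": target, "points": int(points) if points else 0})
    return events


def review_audit_log(text):
    """Return (rule, actor, target) findings for a reviewer to follow up."""
    events = parse_audit_log(text)
    findings = []

    # Remember who created each account so self-crediting can be spotted.
    creators = {}
    for ev in events:
        if ev["action"] == "CREATE_ACCOUNT":
            creators[ev["target"]] = ev["actor"]

    for ev in events:
        # Shared logins defeat attribution: the post's "no sharing" rule.
        if ev["actor"] in SHARED_ACCOUNTS:
            findings.append(("shared-account", ev["actor"], ev["target"]))
        if ev["action"] == "CREDIT_POINTS":
            # Same person creates the account and fills it with points.
            if creators.get(ev["target"]) == ev["actor"]:
                findings.append(("self-credit", ev["actor"], ev["target"]))
            # Privileged action at an unusual hour (hour field of ISO timestamp).
            hour = int(ev["ts"][11:13])
            if hour not in BUSINESS_HOURS:
                findings.append(("out-of-hours", ev["actor"], ev["target"]))
    return findings


def points_by_actor(text):
    """Total points credited per administrator, for a second reviewer's summary."""
    totals = defaultdict(int)
    for ev in parse_audit_log(text):
        if ev["action"] == "CREDIT_POINTS":
            totals[ev["actor"]] += ev["points"]
    return dict(totals)


if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_AUDIT_LOG):
        print("%-15s actor=%-8s target=%s" % finding)
    print(points_by_actor(SAMPLE_AUDIT_LOG))
```

The findings list is deliberately a summary a second person can read, which matches the post's point that the review should not rest with one individual: the administrator whose actions generated the entries should not be the only one deciding whether they were legitimate.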

Guy Bunker

Data-Gain… Just As Bad As Data-Loss?

Guy Bunker

There is a lot in the press about data-loss – some is inadvertent, some is by the malicious insider and some is from hackers. However, there is another side to this story – data-gain. What if someone brings information into your organization without you knowing – but that information then gets you into trouble? OK, so it sounds a little far-fetched, so let’s use an example… Formula 1. In this case an employee from one team left to go to a rival and took information with him. The first team found out, and the result, in court, was a $100m fine for cheating.

In this case the defence was that the information wasn’t known about and wasn’t used and … When looking at data-loss and how you can protect against it, it is also worth looking at data-gain: information that you shouldn’t have. While ‘not knowing’ may seem preferable at first glance, the head-in-the-sand defence doesn’t work in court.

Forewarned is forearmed.