Zecurion, IT Security and the Internal Threat
In a briefing with Zecurion, a Russian software company that provides security technology, we spent a fair amount of time discussing the nature of the “Internal Threat” – the internal threat being the threat from your own staff, or possibly business partners that have access to your systems. It’s very difficult to pin down good data on this.
The Elusive Nature of the Internal Threat
Police everywhere are aware that bank robberies are often assisted by an insider. They can be pretty certain of it if the bank robbers turn up at a time when the bank just happens to have more money available to steal than usual or if the robbers turn out to be really well prepared for the security barriers that they have to get around. But unless the insider is caught in the act of being paid off, it’s rare that police will catch the insider, because proof is hard to come by.
The same is true of insider threats in respect of data breaches. If external hackers get in, it is really difficult to prove that they had help from the inside, but if they knew exactly where to go to steal data, then it’s highly likely that they did. Once you’ve broken into an IT network it isn’t obvious where to go and what to steal unless you have an insider’s knowledge.
Consider the following stats:
- Internally sourced breaches outnumber those that originate outside of the enterprise by a factor greater than 3:1. (Info-Tech Research Group, March 2009)
- Of companies reporting serious data leaks, 69 percent said their data security breaches were the result of either malicious employee activities or non-malicious employee error. (Ponemon Institute’s Survey on Data Security Breaches, 2008)
- Thirty-nine percent of security breaches were attributed to business partners. (Verizon Security Survey, June 2008)
This sprinkling of statistics suggests that the insider threat is probably the largest threat by far. The first of these is particularly worrying because it only gives you figures on known insider breaches. All these surveys gathered information from the victims, who in many instances cannot know whether breaches were assisted from the inside.
Another survey (by Ponemon, February 2009, sponsored by Symantec) surveyed just under 1000 staff who had changed jobs in the last year. It provides the following information about staff and stolen data:
- 59% of employees who leave or are asked to leave a company and have access to proprietary information steal company data
- 67% of respondents who stole data used the stolen information to leverage a new job
- The stolen information consisted of customer data, email lists, contact lists, employee records, financial reports, confidential business documents, software and other intellectual property.
This creates an interesting context to consider. If staff can steal corporate data for their own benefit, then most of them will and do. Undoubtedly there is a difference in scale and value between stealing customer lists, which every sales rep I’ve ever talked to believes are theirs by right, and stealing payment card data, which is equivalent to the direct theft of money. Nevertheless the threat from the inside is considerable. The statistics are suggesting that:
- Most staff members will steal information if they can
- Most data theft occurs from the inside
Zecurion: Adaptive Multithreaded Encryption
Zecurion’s products focus on data protection. Zlock locks out peripheral access to a computer (server, PC or laptop) and the Zserver suite encrypts data. Zserver is an interesting product in a number of ways. First of all, it is a soft solution that inserts itself painlessly between the application and the hardware – one of the rules of security software being that it should do its best never to get in the way. In my view, soft solutions beat hard solutions (use of encryption chips and other such technology) in this area unless there are performance issues. Soft solutions are more flexible to deploy. (This may explain why Zecurion has been able to quickly build up a user base of over 5000 in Europe.)
Zserver uses 256-bit AES encryption to write the data and it can be used with any application, so it can write to any kind of media in any context, whether writing online files, writing to backup or writing to media for transportation. None of the data or the file allocation tables or any supporting files can be accessed without authorized encryption keys.
There’s an interesting nuance with Zserver’s decryption key too. Zserver allows a decryption key to be split into multiple parts, so that, say, each of three people is given a third of the key. In such a circumstance the data can only be read if all three provide their part of the key. It’s also possible to have a quorum-based arrangement where 5 people are each given a part of the key and any three of them providing their parts is enough to decrypt the data. So a quorum of any 3 from 5 will be enough.
Encryption and Data Protection
The neat thing about encryption as a defense for data is that – if it is implemented rigorously – it means that the only way to get at data is through an application. Essentially it closes the window on all alternative approaches to getting at data and thus it offers strong protection against the internal threat.
For the record, the Ponemon Institute’s Survey referred to above reported the following kinds of data theft in the security breaches surveyed:
- 39% involved confidential business information
- 27% involved personal information about customers
- 14% involved intellectual property including software source code
- 10% involved personal information about employees
This provides you with a reasonable idea of what needs protecting.



















