Don’t Ignore Threats From Behind the Firewall

More than half of internal data theft crimes are carried out by low- and mid-level staff.

August 16, 2011
/ PRINT / ShareShare / Text Size +

Balanced testing

In order to manage threats to the enterprise and adhere to compliance regulations, financial institutions must have a comprehensive security strategy that can battle both internal and external threats.

Most organizations consider external penetration tests (EPT) to be a primary weapon in their security arsenal, and perform the tests at regular intervals. EPTs are conducted from a hacker’s point of view, mimicking real-world methods a hacker would use to exploit vulnerabilities in a network, compromise security controls, and access confidential data.

Although EPTs yield extremely valuable information, an organization can’t properly assess their network’s risk exposure or the likelihood that an existing vulnerability may be compromised without testing the internal perimeter in a similar manner.

An internal penetration test (IPT) is performed to exploit vulnerabilities that exist behind the firewall and assess the impact that a successful compromise would have on the system.

Depending on what systems and controls an organization wishes to evaluate, internal penetration tests can be conducted either from a hacker’s point of view or from the vantage point of a malicious employee.

Examples of scenarios that call for conducting an internal penetration test from a hacker’s point of view include:

  • Evaluating the likelihood and potential impact of an attack via a rogue access point prior to deploying an extensive wireless system; and
  • Assessing the risks associated with allowing third-party vendors to access restricted network resources.

An IPT performed from the vantage point of a “rogue user” (malicious employee) usually involves allowing the tester to have a standard network account and the same network privileges as a typical employee.

From this level of access, the objective of the test is to determine how far privileges can be escalated, as well as what confidential information may be insufficiently protected. This practical approach resembles a real-world scenario that demonstrates how a typical employee can use relatively low-tech means to access and exfiltrate sensitive data.

An IPT essentially picks up where external tests leave off, allowing the organization to gain a more complete view of its security posture. IPTs also help the organization fortify its internal security by identifying security gaps caused by improper configurations, file permissions, excessive user privileges and access levels, methods of exfiltrating confidential information outside the perimeter, and ways users can circumvent technical controls.

Just as important, testing the internal systems will help validate that the existing controls actually work as intended.

DAVID BLAZIER is marketing manager for TraceSecurity, a CUNA Strategic Services alliance provider. Contact him at 225-612-2121, ext. 31062.

Post a comment to this story


What's Popular

Popular Stories

Recent Discussion

Great article! Unfortunately, most employees don’t feel valued or appreciated by their supervisors or employers. In fact, research has shown that the predominant reason team members quit their jobs is because they don’t feel valued. This is in spite of the fact that employee recognition programs have proliferated in the workplace – over 90% of all organizations in the U.S. has some form of employee recognition activities in place. But most employee recognition programs are viewed with skepticism and cynicism – because they aren’t viewed as being genuine in their communication of appreciation. Getting the “employee of the month” award, receiving a certificate of recognition, or a “Way to go, team!” email just don’t get the job done. How do you communicate authentic appreciation? We have found people have different ways that they want to be shown appreciation, and if you don’t communicate in the language of appreciation important to them, you essentially “miss the mark”. Additionally, employees need to receive recognition more than once a year at their performance review. Otherwise, they view the praise as “going through the motions”. A third component of authentic appreciation is that the communication has to be about them personally – not the department, not their group, but something they did. Finally, they have to believe that you mean what you say. How you treat them has to match the words you use. If you are not sure how your team members want to be shown appreciation, the Motivating By Appreciation Inventory (www.appreciationatwork.com/assess) will identify the language of appreciation and specific actions preferred by each employee. You then can create a group profile for your team, so everyone knows how to encourage one another. Remember, employees want to know that they are valued for what they contribute to the success of the organization. And communicating authentic appreciation in the ways they desire it can make the difference between keeping your quality team members or having a negative work environment that everyone wants to leave. Paul White, Ph.D., is the co-author of The 5 Languages of Appreciation in the Workplace with Dr. Gary Chapman.

Your Say: Who should be Credit Union Magazine's 2014 CU Hero of the Year?

View Results Poll Archive