It happens every day: an employee who's out of the office wants to
get into his machine at work. Instead of using a more secure
method, he decides to email some files to his home machine, or
upload a file to Facebook, or use a popular PC file-sharing tool.
And the next thing you know, your organization is dealing with a
major data leak.

Despite years of education and training, many enterprise end users
still don't understand the risks of their network behavior,
according to companies that monitor such activity. And despite
years of warnings about data leakage, many organizations are still
getting burned.

"What we see, in many cases, is that people haven't been told what
they shouldn't be doing on the corporate network," says Adam
Powers, CTO of Lancope, a company that makes tools for monitoring
and analyzing network behavior. "They may have been told generally
that some technologies are off limits, but they haven't been told
explicitly what they can and can't do. In some cases, maybe they
have been told, but they make the decision to do it anyway --
they're willing to take that first call from IT telling them to
stop."

Most users aren't maliciously violating their company security
policies, but simply seeking ways to get their jobs done
expediently, says Rene Bonvanie, vice president of worldwide
marketing at Palo Alto Networks, which makes next-generation
firewalls that can track and control application and network usage
in large enterprises. "When companies set unrealistic rules -- like
limiting users to a very small email box capacity or restricting
the ability to attach files to messages -- users will often find
ways to get around them," he says. "Their motivation is not to
break IT rules, but to get their jobs done."

Unlike industry analysts and vendors that survey enterprises about
network behavior, both Lancope and Palo Alto Networks offer tools
that can "see" what users are doing on the network. Lancope's
products do detailed analysis of behavior in Cisco NetFlow
environments; Palo Alto Networks' firewalls can identify and track
the traffic generated by hundreds of different applications. Both
vendors say that when they do their initial analysis of a new
user's traffic, the IT and security staffs are always surprised by
what they find.

"They'll say, 'We don't have any of that kind of traffic, we don't
allow it,'" Bonvanie says. "Then we show them they have a lot of
that very kind of traffic. In fact, we often see very little
difference in the incidence of certain apps between companies that
have strong policies against them and companies that don't."

And as consumer technology improves, the problem is getting worse,
not better, Powers says. "A lot of people don't realize now that
the technology they have at home is actually better than what they
have at the office," he explains. "They feel they have unlimited
bandwidth because, with today's services, they have very fast pipes
at home. They feel they can use any app because they use them at
home. YouTube, Skype, Facebook -- they're standard in most homes --
and people don't understand why they can't use them at the
office."

Industry statistics support this assertion. In a study conducted by
Cisco in 2008, approximately 70 percent of IT security
professionals said that unauthorized use of applications accounted
for at least half of their organizations' data leaks. Eighty-three
percent of end users in the study said they used their work
machines for personal reasons at least some of the time; nearly
half of the users said they transfer files between work and
personal machines when working from home.

More recently, Palo Alto Networks issued its "Application Usage and
Risk Report" (AUR), which analyzes the data collected by its
firewalls at some 350 organizations. The report shows that
applications such as instant messaging, social networking,
streaming media, and even peer-to-peer file sharing are nearly
pervasive in all organizations, regardless of industry or
geography.

"One of the things that we consistently find is that enterprises
have a lot more email apps on their networks than they think,"
Bonvanie says. "Aside from the one or two that are officially
deployed, they sometimes find 20 or 30 other apps -- not just
Webmail, but a whole range of email apps that shouldn't be there.
That has to be worrisome for these companies because sensitive data
could be sent out through any one of those apps without the company
knowing about it."

Powers says Lancope often finds users employing unauthorized
methods to "remote in" to their work PCs from other locations, such
as GoToMyPC.com or pcAnywhere. "In my mind, those are some of the
most dangerous misuses because applications like that are
essentially serving corporate data to the Internet," he says.

Not surprisingly, social networking sites, such as Twitter and
Facebook, were cited by all of the experts. "The bandwidth consumed
by social networking sites doubles about every six months,"
Bonvanie says. "And that's a concern, too, because the bad guys are
constantly coming up with new ways to use those environments to
hide or transmit malware or steal information."

Many users are also finding new ways to obscure their identities or
obfuscate the data they are transmitting over the Web, experts say.
Use of proxies, anonymizers, and tunneling is increasing, making it
harder to detect leaks or pinpoint their sources, they say.

So what can enterprises do about users' routine misuse of their
corporate PCs and network connections? Interestingly, the experts
don't advocate taking a hard-line stance. "A lot of companies try
to enforce it by implementing active controls on the PC, and users
hate that," Powers says. "It makes sense to shut down traffic that
has no business reason behind it -- like P2P file-sharing or file
transfers between the finance department and some region of the
world where you aren't doing business. But if you make the rules
too restrictive, users will try to find a way around them."

Bonvanie agrees. "Today, the most common scenario is that the IT
organization simply issues a flat-out 'no' -- no Facebook, no
Skype, no Google Apps," he says. "And what we see is that it often
doesn't work. Users are getting a lot smarter at getting around
security policy to do what they feel they need to do. What makes
more sense is to set a policy that users can live with, and then be
tougher about enforcing it."

Companies should set policies that recognize workers' needs to
access company data -- securely -- from home, and occasionally
employ their work computers -- securely -- for personal activities,
the experts say.

"Set a baseline for behavior that is acceptable for everyone, and
then monitor for activity that's beyond the baseline," Powers
advises. "If you can recognize unusual behavior on a certain node
or PC, you can then drill in and see what else is happening there,
and enforce your policy."
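The baseline-then-deviate approach Powers describes, applied to the kind of per-host flow data Lancope's NetFlow analysis works from, looks roughly like the following. This is an added example written for this article, not Lancope's or Palo Alto Networks' code. It assumes flow records already parsed from an exporter into (day, source host, destination, destination port, protocol, outbound bytes); the records, hosts and addresses in it are constructed sample data, and the port-to-application table is a stand-in for real application identification, which needs application-layer signatures rather than port numbers.

```python
"""Per-host behavioral baselining over NetFlow-style records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    day: int        # index of the daily observation window
    src: str        # internal host that originated the flow
    dst: str        # external peer address
    dst_port: int
    proto: str
    out_bytes: int  # bytes sent by src during the flow


# Assumption: ports commonly associated with traffic that has no business
# reason on most corporate networks (P2P file sharing, third-party remote
# access). A real deployment would use application signatures instead.
SUSPECT_PORTS = {6881: "bittorrent", 5631: "pcanywhere-data"}


def build_baseline(flows, training_days):
    """Learn, per host, the mean/stddev of daily outbound bytes and the set
    of destination ports it normally talks to, using only training_days."""
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    ports = defaultdict(set)                        # host -> ports seen
    for f in flows:
        if f.day in training_days:
            daily[f.src][f.day] += f.out_bytes
            ports[f.src].add(f.dst_port)
    baseline = {}
    for host, per_day in daily.items():
        # Days with no traffic count as zero so quiet days lower the mean.
        totals = [per_day.get(d, 0) for d in sorted(training_days)]
        baseline[host] = {"mean": mean(totals), "std": pstdev(totals),
                          "ports": ports[host]}
    return baseline


def score_day(flows, day, baseline, k=3.0, min_delta=1_000_000):
    """Return (host, kind, detail) alerts for one day: policy hits on
    suspect ports, volume beyond mean + max(k*std, min_delta), first use
    of a destination port, and hosts with no baseline at all."""
    alerts = []
    totals = defaultdict(int)
    seen_ports = defaultdict(set)
    for f in flows:
        if f.day != day:
            continue
        totals[f.src] += f.out_bytes
        seen_ports[f.src].add(f.dst_port)
        if f.dst_port in SUSPECT_PORTS:
            alerts.append((f.src, "policy",
                           f"{SUSPECT_PORTS[f.dst_port]} to {f.dst}:{f.dst_port}"))
    for host, total in totals.items():
        b = baseline.get(host)
        if b is None:
            alerts.append((host, "unknown-host", f"{total} bytes, no baseline"))
            continue
        # min_delta stops a host with a perfectly flat history (std == 0)
        # from alerting on every byte above its mean.
        threshold = b["mean"] + max(k * b["std"], min_delta)
        if total > threshold:
            alerts.append((host, "volume",
                           f"{total} bytes vs threshold {threshold:.0f}"))
        for p in sorted(seen_ports[host] - b["ports"]):
            alerts.append((host, "new-port", f"first use of dst port {p}"))
    return alerts


# Constructed sample data: five training days of ordinary traffic, then a
# sixth day with a large upload, an unknown host, and a remote-access flow.
SAMPLE_FLOWS = []
for _d in range(5):
    SAMPLE_FLOWS += [
        Flow(_d, "10.0.1.20", "192.0.2.10", 443, "tcp", 40_000_000 + _d * 1_000_000),
        Flow(_d, "10.0.1.20", "192.0.2.25", 25, "tcp", 2_000_000),
        Flow(_d, "10.0.2.7", "192.0.2.10", 443, "tcp", 10_000_000),
    ]
SAMPLE_FLOWS += [
    Flow(5, "10.0.1.20", "192.0.2.10", 443, "tcp", 41_000_000),
    Flow(5, "10.0.1.20", "203.0.113.5", 443, "tcp", 900_000_000),  # bulk upload
    Flow(5, "10.0.2.7", "192.0.2.10", 443, "tcp", 10_000_000),
    Flow(5, "10.0.2.7", "198.51.100.9", 5631, "tcp", 300_000),     # remote access
    Flow(5, "10.0.3.3", "192.0.2.10", 443, "tcp", 5_000_000),      # never baselined
]

if __name__ == "__main__":
    base = build_baseline(SAMPLE_FLOWS, set(range(5)))
    for host, kind, detail in score_day(SAMPLE_FLOWS, 5, base):
        print(f"{host:<10} {kind:<13} {detail}")
```

Note what each alert type gives the analyst: the "volume" alert on 10.0.1.20 fires on a 900 MB upload over the same port 443 the host uses every day, which a port-based allow list would never catch, while the "new-port" and "policy" alerts on 10.0.2.7 point at a small flow whose byte count is unremarkable. Either one is the cue to drill into that node, as Powers puts it, rather than a verdict on its own.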