Create a Know Your Users Program
Banks work with the US Federal Govt in an arrangement called the "Know Your Customer" program. While the guidelines for Know Your Customer are complex, the goal of the program is to allow the banks to work together with the govt to root out suspicious financial activity by their customers. They know that the banks are more capable than the govt in identifying their customer's normal activity and activity that seems possibly suspicious.
While I have my concerns about the Know Your Customer program, there is some value in it. There are just too many things that you can't do from an IT security point of view to control who has access to the data in your organization. In many cases data is breached because people who have legitimate access to that data misuse their access. A recent example is the data security breach of passport information on the Presidential candidates in the US. The people who accessed that information didn't hack into the system, they had legitimate access and used it. The problem was not a technology problem, it was a policy problem. And there are many data security issues that can only be addressed as policy problems.
Given this fact, you need some way to help figure out, in advance, which users may represent a potential security problem in advance. One way you can approach this problem is to create your own "Know Your Customer" program for your own users. You observe the behavior of your users, and you can encourage your users to observe the behavior of other users and report suspicious computer use to you and your team.
What should you be looking for? Here's a short list of behaviors that might indicate that a user is a potential security risk:
- The user who overtly makes it clear that he doesn't care about security policies or procedures
- The user who frequently forgets passwords, loses smarts card, or who has frequent inexplicable computer problems
- The user who takes too high an interest in computer security policies or procedures.
- The user who tries to hide his screen when you walk by
- The user who makes it a point that he would prefer that you don't come down to his computer and that you just give instructions over the phone
- The user who has a number of encrypted folders on a desktop machine, where the user's primary job role doesn't require encrypted folders on the local machine
- The user who brings in a number of "gadgets" that can be used to copy data to and from his computer
- The user who asks other users for their passwords.
- The user who gives out passwords to other users
- The user who always comes in an hour or two early
- The user who always comes in an hour or two late
Remember, these are just general guidelines and the goal is to get a step ahead on a user that might turn out to be a security liability on your network. If you find that there a person shows a number of behaviors that seem suspicious, then you might want to consider extra auditing of that person's access to data on the network. File and object access auditing for all users and all files on the network is somewhat unrealistic, but when you can target your efforts on suspicious individuals, it makes it easier to track those individuals activity more closely.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP - Microsoft Firewalls (ISA)