When a Stranger Calls

By: (CISSP, CISA, Security+)

Publication: The Colorado Banker, January/February 2010

The first 30 minutes of the low-budget, 1980s film When a Stranger Calls are possibly the scariest 30 minutes I experienced growing up. The movie begins with a girl showing up to a couple's house to babysit for the evening. After putting the kids to bed, she receives a call from someone saying, "Have you checked the children?" She thinks the caller might be her boyfriend trying to trick her, but soon realizes she should be scared. The man continually calls back, so she calls the police and asks them to monitor her phone. The next time he calls, she tries to keep him on the phone long enough for the police to trace the call, but eventually gets scared and hangs up. The scariest 10 seconds of the scariest 30 minutes of my life happen when the police immediately call her back and say, "Ma'am, the call is coming from inside the house."

You might be wondering what this movie has to do with Information Security on your bank's network. The reason this movie scared so many was that it introduced the idea that dangers can come from inside the house. When we're home alone, we lock the doors and feel safe. To know that a terrible person could be calling from inside the house is just not something we're prepared to handle. The same is true for our networks. You may have installed an expensive, top-of-the-line firewall and Intrusion Detection/Prevention System (IDS/IPS). You may have locked down your ports and implemented excellent patch management. You might be invisible to would-be hackers. But how can you protect yourself when "the call is coming from inside the house"? Though the question is too often left unasked, the answer is simple: access control. Access control is any system that enables an authority to control access to areas and resources in a given environment. It can be as simple as locking a door or as complex as implementing logging and monitoring on certain files.

Hopefully, you have already defined many levels of access control for your employees, but there are still a few elite who possess all the proverbial keys to the kingdom. They're called domain administrators, and I would venture to bet no one knows what files they're accessing. Banks generally do a great job of keeping human resource documents and board meeting minutes away from most bank employees, and rightfully so: salaries and other confidential bank information are located in these files. But what is stopping your new IT guy who's fresh out of college from looking to see who got a raise this year? Or to see what cutbacks or layoffs the board voted on last month? Your network administrator really does need access to all areas of the network, but there are ways to monitor such access. You can set parameters on your server to log access to certain files and folders, like board minutes or payroll information, and then either have someone monitor the logs or have an email sent to appropriate personnel when those files are opened. Knowing these controls are in place on your network will deter most people from satisfying their curiosity.
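The logging-and-alerting control described above, sketched as an added example that is not part of the original article: it scans a constructed export of file-access audit records, flags anyone outside a folder's routine users who touched a watched file, and builds one notification email per person and folder. The folder paths, account names, log layout and email addresses are assumptions for illustration.

```python
import csv, io
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Hypothetical watched folders and the accounts whose access there is routine.
PAYROLL = PureWindowsPath(r"D:\Shares\HR\Payroll")
MINUTES = PureWindowsPath(r"D:\Shares\Board\Minutes")
ROUTINE = {PAYROLL: {"hr-director"}, MINUTES: {"board-secretary"}}

# Constructed sample export of file-access audit records: time,user,path,access
SAMPLE_LOG = r"""2010-01-12T08:02:11,jsmith,D:\Shares\Lending\rates.xls,Read
2010-01-12T21:40:03,adm-newhire,d:\shares\hr\payroll\2009-raises.xls,Read
2010-01-12T21:41:17,adm-newhire,D:\Shares\HR\Payroll\2009-raises.xls,Read
2010-01-12T21:44:50,adm-newhire,D:\Shares\HR\Payroll_Templates\blank.xls,Read
2010-01-13T09:15:00,hr-director,D:\Shares\HR\Payroll\2009-raises.xls,Write
2010-01-13T22:05:39,adm-newhire,D:\Shares\Board\Minutes\2009-12.doc,Read
"""

def watched_folder(path):
    """Return the watched folder that contains path, else None."""
    # PureWindowsPath compares case-insensitively and by whole path component,
    # so "Payroll_Templates" does not match "Payroll".
    parents = PureWindowsPath(path).parents
    return next((f for f in ROUTINE if f in parents), None)

def find_alerts(log_text):
    """Group non-routine access into one alert per (user, folder)."""
    alerts = {}
    for when, user, path, _access in csv.reader(io.StringIO(log_text)):
        folder = watched_folder(path)
        if folder is None or user.lower() in ROUTINE[folder]:
            continue
        entry = alerts.setdefault((user.lower(), folder),
                                  {"first": when, "files": set()})
        entry["files"].add(PureWindowsPath(path).name.lower())
    return alerts

def build_email(user, folder, entry, to="security-officer@bank.example"):
    """Compose (not send) the notification; pass the result to smtplib to deliver."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "file-audit@bank.example", to
    msg["Subject"] = f"Audit alert: {user} accessed {folder.name}"
    files = ", ".join(sorted(entry["files"]))
    msg.set_content(f"First access: {entry['first']}\nFiles: {files}\n")
    return msg

if __name__ == "__main__":
    for (user, folder), entry in find_alerts(SAMPLE_LOG).items():
        print(build_email(user, folder, entry))
```

Grouping by person and folder keeps the reviewer's inbox readable: repeated opens of the same payroll file produce one message, not one per log line.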

Data leakage is another threat from the inside to consider. This is the intentional or unintentional release of secure information to the outside. To give your employees the benefit of the doubt, I think most data leakage happens by accident. Most people don't realize what they're doing is putting your information at risk. There are many network tools on the market you can put in place to manage the risk associated with authorized individuals leaking data. They are called leak prevention or extrusion prevention products, and they can stop data from leaving the network or alert someone when information is sent. These products station themselves at the "exits" and scan each passing packet. Disabling USB storage devices on the network will also prevent employees from taking bank information out or bringing malicious software in.

There are many other ways you can protect your network from inside threats. Just knowing the danger exists and putting some mitigating controls in place will help prepare you for a "call coming from inside the house."