How real is the insider threat? - rakkhi
http://rakkhi.blogspot.com/2010/08/how-real-is-insider-threat.html

======
tptacek
This post was so long and so scattershot that I wasn't able to keep it in my
head while I read it. So I skimmed and then jumped to the conclusion.

Backstory: do most companies suffer their worst exposure from outside
attackers hitting them from the Internet, or inside attackers to whom they've
given access?

While most of our business is software security, our backgrounds are all in
general/network security and, when schedules allow, for clients we have good
relationships with, we'll do the annual penetration test as well as
applications. So: we do a fair number of internal and external network
pentests every year.

Here's the deal: most large companies do O.K. --- often not great, but not
horrific --- on the external pen. But the internal is always a bloodbath.

Add to that virtually every major criminal case or incident report, where,
whether or not external attackers were involved, the initial compromise was
abetted by an insider.

People have been questioning these "insider threat" numbers for over a decade
now. I'm sure the numbers are broken. Numbers always are. But the notion that
the threat is somehow less "real" than the external threat is naive, at best.

I think people like questioning the severity of insider exposure for two
reasons:

(1) Security vendors and service providers make most of their money on
services that address external threats (PCI assessments, network pentests,
scanning, perimeter security devices).

(2) Enterprise security personnel know they have no grip whatsoever on
internal controls; the most basic defenses and controls would cost tens of
millions of dollars to deploy correctly at an F-1000 company; so instead of
coming to grips with the risk, they'd much prefer to recast internal incidents
as "black swan" events outside of their purview.

------
m0nastic
I can't comment as freely on this as I'd like, but here goes my best shot:

The conventional wisdom that "insiders" make up the majority of threats has
been challenged for a few years now. I know our sales people used to love
touting about it to prospective clients, but what data exists (and it's far
from perfect) doesn't seem to hold that up.

In fact, the Verizon Data Breach Report for at least the last few years has
shown the overwhelming number of attacks to be external. You can view it here:
http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf

While that report isn't gospel (as an industry we still struggle with sharing
data, even anonymized data), it's better than nothing.

My own personal experience in the industry isn't helpful, as although a good
95% of the forensic cases I've worked were insider issues, they are a
self-selecting sample (a client's decision to pursue a forensics investigation
is in many cases dependent on whether the attack was insider vs. outsider).

Protecting from an internal threat is significantly more difficult than an
external one; it's towards the top of Maslow's hierarchy when it comes to an
organization's security posture.

The most famous case I worked on involved a group of accountants who embezzled
around 10 million dollars from their company, which they were able to do by
having one individual make the transaction and the other approve it (because
the client had implemented a system which required stock purchases to be
audited by an outside group).

Trust is a prickly thing, your internal security controls can only do so much.

I've spent the last ten years breaking web applications for customers, and the
general expectation has been to work from the position of an outside attacker.
That's what the client is generally worried about. Whether that's logical is
up for debate, but it's been my experience.
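
The embezzlement case above is the textbook failure mode of dual control: maker/checker stops one rogue employee, not two who agree. Below is an added example, not from this thread or from any commenter, of the kind of detective control that catches what the preventive control misses. It runs over a constructed approval log in a hypothetical format (`txn=... amount=... initiator=... approver=...`) and flags three things: self-approvals, an initiator/approver pair that accounts for most of one approver's sign-offs, and amounts clustered just under an approval limit. The limit (50,000), the minimum pair count and the share threshold are assumptions for the example.

```python
"""Collusion indicators over a maker/checker approval log (added example)."""
import re
from collections import Counter

# Constructed sample log; one approval event per line. Format is hypothetical.
SAMPLE_LOG = """\
2010-08-02 txn=1001 amount=48000 initiator=alice approver=bob
2010-08-02 txn=1002 amount=12000 initiator=carol approver=dave
2010-08-03 txn=1003 amount=49500 initiator=alice approver=bob
2010-08-03 txn=1004 amount=9000  initiator=dave approver=carol
2010-08-04 txn=1005 amount=47000 initiator=alice approver=bob
2010-08-04 txn=1006 amount=15000 initiator=erin approver=dave
2010-08-05 txn=1007 amount=49900 initiator=alice approver=bob
2010-08-05 txn=1008 amount=8000  initiator=carol approver=erin
2010-08-06 txn=1009 amount=20000 initiator=frank approver=frank
"""

LINE_RE = re.compile(
    r"txn=(\d+)\s+amount=(\d+)\s+initiator=(\w+)\s+approver=(\w+)")


def parse(log):
    """Parse log lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            rows.append({"txn": int(m.group(1)), "amount": int(m.group(2)),
                         "initiator": m.group(3), "approver": m.group(4)})
    return rows


def self_approvals(rows):
    """Transactions where the checker is the maker: dual control bypassed outright."""
    return [r["txn"] for r in rows if r["initiator"] == r["approver"]]


def pair_concentration(rows, min_approvals=3, max_share=0.5):
    """Flag (initiator, approver) pairs where the approver signed off on at
    least min_approvals of that initiator's transactions AND the pair makes up
    more than max_share of everything the approver approved. A checker who
    only ever checks one maker is not an independent check."""
    pair_counts = Counter((r["initiator"], r["approver"]) for r in rows)
    approver_totals = Counter(r["approver"] for r in rows)
    flagged = {}
    for (init, appr), n in pair_counts.items():
        if init == appr:
            continue  # already reported by self_approvals()
        share = n / approver_totals[appr]
        if n >= min_approvals and share > max_share:
            total = sum(r["amount"] for r in rows
                        if (r["initiator"], r["approver"]) == (init, appr))
            flagged[(init, appr)] = {"count": n, "share": round(share, 2),
                                     "total": total}
    return flagged


def near_threshold(rows, limit=50000, band=0.10):
    """Transactions sitting in the top `band` fraction just under `limit`
    (assumed to be the amount above which outside audit kicks in). Repeated
    amounts in this window suggest structuring around the control."""
    lo = limit * (1 - band)
    return [r["txn"] for r in rows if lo <= r["amount"] < limit]


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("self-approvals:", self_approvals(rows))
    print("concentrated pairs:", pair_concentration(rows))
    print("just-under-limit:", near_threshold(rows))
```

On the constructed log this reports the frank/frank self-approval, the alice/bob pair (four approvals, 100% of bob's sign-offs, 194,400 total) and the four alice transactions parked just under 50,000. The caveat is the one the commenter makes: these are heuristics over trust, not proof. A small team will legitimately have high pair concentration, and a ring of three or more colluders who rotate approvers will stay under the pair threshold, so the thresholds need tuning against the organisation's real approval graph rather than being lifted from this example.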

------
ax0n
The insider threat is real, but it's not often the pervasive enemy. Many
times, by empowering our users instead of making direct attempts to make
things harder to use, we help the insiders -- our friends and peers at the
office -- make better security decisions on their own. The moment they have to
start working around our security solutions is the moment they go from being a
good steward to doing things that may cause accidental data loss. We give our
users access to the things they need to do their jobs. We really ought to
trust them with that access and not make things harder than they must be.

------
rakkhi
I'm really interested in the opinions of those that read Hacker news. I'm
challenging one of the highly accepted views in information security, please
let me know if you agree or disagree and why. Thanks

~~~
ax0n
I agree with you, and I've been into information security now for more than
half of my life. I think there was a time where the insider threat held merit.
Just yesterday, though, I was able to propose a solution for the developers in
my company that will at once make their code deployments more efficient, make
build-out of new worker nodes a lot easier and improve the overall security of
our enterprise while earning us some major points for PCI compliance. That's
what security should be about.

Note: Compliance and security aren't inclusive, so it's worth mentioning them
separately.

