
The insider threat: Fact or Fiction

Well, the threat of the trusted insider is no urban or IT myth. It is very much real, and ever-present. Though it is tough to get statistics on actual computer crimes committed by trusted insiders, it is safe to say they are under-reported. What can you do, though, to mitigate this? There are steps that one can take. First and foremost in my mind is having periodic audits by external, i.e. third-party, network security personnel. While not everyone can afford to do this, it will go a long way towards keeping everyone honest. Secondly, one could also have their internal network traffic analyzed on a regular schedule. This is cost effective and also helps diagnose the state of your network, i.e. any viruses, worms, malware, or other shady business going on. It is something that I, for one, certainly encourage my clients to do. Food for thought.


11 Responses to “The insider threat: Fact or Fiction”

  1. oleDB Says:

    July 9th, 2007 at 9:56 am

    I disagree that the insider threat is as big as what many security people state. It’s just another ploy by vendors to sell NAC and new applications/hardware, because they have already sold perimeter protection and AV solutions and need a new cash cow. I think most of the threat is from the outside, and not until you’ve deployed proven auditable external protection and processes does the internal threat become significant. I did however hear in an FBI presentation that roughly 30% of all their cases are insider related versus external hackers. My reasoning behind this number is that when insider attacks do occur, they’re much more likely to involve large financial losses, thus drawing the FBI’s attention.

  2. C Riddock Says:

    July 10th, 2007 at 1:48 pm

    Insider threats perpetrated by disgruntled Admin or Security Engineers are the least reported because they are often the hardest to detect and fully evaluate. Skilled Engineers who have motive, opportunity and access can erase traces of their misdeeds.

    It would take one or more engineers of equal or superior knowledge a significant amount of time to forensically analyze and recreate what may have been done to a network and what the long term effects might be.

    Catching rogue security engineers is even harder as they are the folks tasked with detecting and catching malicious users. That, coupled with any level of forensic analysis training, eclipses the kind of damage done by a BOT or other external threat.

  3. oleDB Says:

    July 16th, 2007 at 10:06 am

    That is the typical type of fear mongering that I’ve come to expect. The reality is not even close to the movie-plot line suggested. Yes, insider attacks like this do occur, but they occur at a much lower frequency than all the fear mongers state. In fact, when asked for reliable data on these threats the conversation often goes silent. Yes, there are some big news stories of particularly devastating theft of information cases; however, the frequency of these events relative to all incidents such as outside attackers and malware is much lower. Like I said, it’s simply a scare tactic to sell more products or get a bigger budget. If companies just focused on the basics like patching/hardening, monitoring, and following best practices they would be much more secure than by chasing white rabbits like a potential super elite inside attacker.

  4. Don Parker Says:

    July 16th, 2007 at 2:05 pm

    Fear mongering? I don’t really see where the fear mongering is. The insider threat is a real one, albeit one that is hard to put a specific statistic to, largely due to the under-reporting of these incidents.

  5. oleDB Says:

    July 20th, 2007 at 9:42 am

    First off, all events are under reported, not just insider attacks. That argument is not worth arguing. I got my facts directly from the FBI, so I have a pretty good idea of what the numbers are.

    Second, people are playing up fears of insider threats for specific financial reasons. Yes, the threat is real, but not as big as many would like to believe. And I’m not speaking of the potential for damage, which is huge, but simply the likelihood of occurrence, which is very low. And the reality of it is, in many cases there is not much you can do. Are you gonna start searching every employee as they leave the building with financial data on a USB drive? What about the Fidelity incident? That guy was a DBA with full permissions. The only way that would have been stopped would be with a dedicated monitoring team in place. Even then it would have been reactive, not proactive.

    If you look at the total picture, a company is more likely to see a higher ROI focusing on security basics and protection from external threats, versus some remote possibility of a highly skilled insider attacker taking them down. Yeah, I will concede the fact that most insider threats are really non-malicious in nature. Someone who accidentally deletes some data. I agree that can and should be prevented by appropriate user controls and DR/Backup plans.

    I’m just so sick of people with agendas. Whether it’s to sell stories or push new security software/hardware geared towards “insider threats”, when most companies aren’t even doing the basics correctly. Please look at the total picture. For instance, a new unsecured network, no policy, no nothing. What poses the biggest threat? Sure as hell not insiders.

    The Insider IS NOT the biggest threat. I hate that stupid overused tagline. The Insider is the biggest threat only after you’ve implemented a proven, auditable external defense and security best practices. If you can do that, which is an endless process, then start thinking about throwing money at insider threats.

  6. Don Parker Says:

    July 20th, 2007 at 10:01 am

    Well, what can I say. You seem to be taking this rather personally, and somewhat aggressively. Secondly, that you’re getting your facts directly from the J. Edgar Hoover building doesn’t exactly fill me with confidence. As for agendas... I don’t have any, actually.

    Have a good one,

    Don

  7. oleDB Says:

    July 20th, 2007 at 10:55 am

    Sorry, I’m not targeting my comments at you, but at the industry in general. And yes, I am venting and dripping with sarcasm :-)

    The bottom line is there are no facts that support the notion that the insider is the biggest threat, when compared to all external threats. When you get some data that you think is reliable, please blog it. I am also surprised you wouldn’t lend credence to FBI data. It is integrated in the FBI/CSI study that people tend to pay attention to. I’m sure you’ve commented on it or read it in the past.

  8. Don Parker Says:

    July 20th, 2007 at 11:07 am

    How does the old saying go... “76.2% of stats are made up”... :-) I put more credence in what people tell me directly, i.e. people whose networks are hosed because of some ticked-off employee. That is something I believe. That said, almost everyone in the computer security industry has an agenda to advance, or an axe to grind with someone.

    Personally, I can’t definitively say that the insider threat is the biggest one. Likely it isn’t, though it is one of the more virulent ones, i.e. most lame malware is stopped by the content checker sitting at the Exchange level, whereas an insider already has access.

    One could debate these things for some time. On another note I have already received a rather vitriolic response on a column I recently wrote from a reader of The Register. Just goes to show you that you can’t please them all.

    Thanks for taking the time to write,

    Don

  9. C Riddock Says:

    July 23rd, 2007 at 10:16 am

    I guess this is one of those debates that should get filed under the “chicken or the egg” category..:)

    As someone who is a security specialist (not an expert, but a specialist) and has worked almost exclusively within the “gummint” IT world, DHS, FBI, DOD and other three letter agencies for the last five plus years, I can tell you a couple of things with almost perfect certainty:

    1) Stats collected and published by the gov are skewed... 99% of the time it’s not for deceptive or other nefarious purposes, it’s just that the folks who get the raw data and whip up the reports usually have no idea what they’re reporting. i.e. an ST&E vulscan of a DoD domain revealed that a server had IIS/FTP/SMTP and other unsecured services; is this really the case or is this “server” a honeypot? (True story).

    2) Most gov systems (once again dealing in the fed world) have no outside connectivity, no direct internet peering... and those that do usually have it heavily locked down. The most commonly seen threat vectors in these systems are users (malware, lameware, etc.) and admins (malicious activity or tinkering). Admins that “tinker”, which there are in EVERY network... yes in yours too... can and will have a more long-reaching and profound impact than all other external threats combined...

    I have had the opportunity to work on some civilian networks and have run into some pretty sharp folks. The biggest roadblock to securing commercial enterprises is B-U-D-G-E-T... very few companies (Fortune 100 excluded) want to spend the money on adequate security staff until after the big “hit”... most of the time, the Sr IT Engineer also doubles as the security practitioner. Pushing patches and running the latest A/V software is one voice in the chorus. I’m not an advocate of pricey security appliances or “one size fits all” security applications by any means... What I am advocating is “Common Sense”... if you have three admins, do they all need to be domain admin? What about auditing and logging settings... is anyone reviewing event logs... are ACLs set properly on %systemroot% and other default files/folders? A good number of these things can be done via GPO and are “set it and forget it” kinds of things... but even with all this stuff in place, you still have to be vigilant and watch what your admins do... are they d/l the latest A/V sig and applying it? and hundreds of other “honey, have you checked on the kids” kinds of things...

    Anyway, I rambled and bounced around and gave my two and one half cents...

    Cheers mates!
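The “common sense” checks listed in the comment above (who is actually a domain admin, whether auditing is on, whether anyone reads the event log, and what the ACL on %systemroot% looks like) can be put into one read-only review script. The following is an added example written for this page; it is not code from the post or from any commenter. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed and an elevated session that can read the Security log. The Security event IDs 4728, 4732 and 4756 are the standard Windows events for a member being added to a security-enabled global, local and universal group respectively; the 7-day window and the report path are arbitrary choices.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the blog post or its comments): read-only review of the
# admin-hygiene points raised in the discussion. Run elevated on a domain-joined
# host; group-change events are logged on the DC that processed the change, so
# run it on each DC or against a forwarded-events collector.
param(
    [int]$Days = 7,                                   # assumed look-back window
    [string]$Report = "$env:TEMP\admin-review.txt"    # assumed output path
)

$lines = New-Object System.Collections.Generic.List[string]

# 1) "If you have three admins, do they all need to be domain admin?"
#    Effective Domain Admins membership, including users reached through nested groups.
$da = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
      Where-Object objectClass -eq 'user' |
      Get-ADUser -Properties LastLogonDate, Enabled
$lines.Add("Domain Admins (effective user accounts): $(@($da).Count)")
foreach ($u in $da) {
    $lines.Add(("  {0,-25} enabled={1,-5} lastLogon={2}" -f $u.SamAccountName, $u.Enabled, $u.LastLogonDate))
}

# 2) "What about auditing and logging settings?"
#    auditpol shows the effective policy, whatever GPO or local settings produced it.
$lines.Add("")
$lines.Add("Effective audit policy, Account Management category:")
auditpol /get /category:"Account Management" 2>&1 | ForEach-Object { $lines.Add("  $_") }

# 3) "Is anyone reviewing event logs?"
#    Additions to security-enabled groups in the look-back window.
$since = (Get-Date).AddDays(-$Days)
$changes = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $since } `
                        -ErrorAction SilentlyContinue
$lines.Add("")
$lines.Add("Group membership additions in the last $Days days: $(@($changes).Count)")
foreach ($e in $changes) {
    # Pull named EventData fields from the event XML rather than relying on property order.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $lines.Add(("  {0:u}  group={1}  member={2}  by={3}" -f $e.TimeCreated, $d['TargetUserName'], $d['MemberName'], $d['SubjectUserName']))
}

# 4) "Are ACLs set properly on %systemroot%?"
#    Dump the ACL and flag any broad principal holding write-type rights.
$acl = Get-Acl -Path $env:SystemRoot
$lines.Add("")
$lines.Add("ACL on $env:SystemRoot (owner: $($acl.Owner)):")
foreach ($ace in $acl.Access) {
    $lines.Add(("  {0,-40} {1,-6} {2}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.FileSystemRights))
}
$weak = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -match 'Everyone|Authenticated Users|\\Users$' -and
    $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|ChangePermissions|TakeOwnership'
}
if ($weak) {
    $lines.Add("  WARNING: broad write access on $env:SystemRoot:")
    foreach ($w in $weak) { $lines.Add("    $($w.IdentityReference) $($w.FileSystemRights)") }
}

$lines | Set-Content -Path $Report
$lines
Write-Host "Report written to $Report"
```

None of the four checks changes anything; the point is that each question in the comment has a concrete, repeatable answer that can be scheduled and compared week to week, which is what turns “is anyone reviewing event logs” from a rhetorical question into a control.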

  10. C Riddock Says:

    July 23rd, 2007 at 10:29 am

    Quick epilogue:

    As I was writing this post, one of my new Admins was “experimenting” with GPO on an R&D test domain... needless to say, the “experiment” went badly... :) Wiped out a 7-server domain with about a half-dozen misconfigured GPO settings... let’s see a BOT do that... :)

    btw... love these types of discussions... really gets the grey matter cooking...

  11. Don Parker Says:

    July 23rd, 2007 at 3:23 pm

    Hey ho,

    I have seen it many times where the complexities of GPO have ruined many a sys admin’s day. Not that I am an expert at them, for I most certainly am not. Actually, I would not mind being a sys admin in a large network for a year. That would certainly help me :-)
