HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 37 guests online
 
Free Business and Tech Magazines and eBooks

You are here: Home arrow Featuresarrow Opinionsarrow Insider Threat
EH-Net
May 20, 2013, 08:34:06 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
EH-Net > Features > Opinions (Moderator: don) > Insider Threat
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: Insider Threat  (Read 5723 times)
0 Members and 1 Guest are viewing this topic.
oleDB
Recruiters
Full Member
*
Offline Offline

Posts: 236



View Profile WWW
« on: September 05, 2006, 10:57:47 AM »
Anybody else see a slight flaw in books, teachers, or lectures always preaching that the Insider is the biggest threat to a computer network without adding any kind of background or caveats to the statement.

This type of statement has become law in the security community, but I feel its slightly misleading to the uneducated. The insider is only the biggest threat because security has been applied to the perimeter in a massively disproportional amount to whats applied internally. Security is often not as rigourous on the inside because it often impedes a companies business operations. Its much easier for companies to dump millions on firewalls and VPNs, then to spend much less on systems that your going to buy anyway with better access control. Its also much cheaper to enforce stricter policies on its users, but it will still come at the cost of potentially slowing down the business. For instance compare the cost of buying a brand new pair of enterprise class firewalls to the cost of buying more drive space for retention and aggregation of logs or turning up a tighter password policy on your network. I think the simple fact of the matter is that, if companies spent more money on internal controls and small amounts on perimeter controls, we would have a different story. Which is the bigger threat, unrestricted access for any an all outsiders or unrestricted access to employees?
Logged
ogenstad
Newbie
*
Offline Offline

Posts: 6


View Profile WWW
« Reply #1 on: September 06, 2006, 05:51:13 AM »
Interesting, I'm just writing a fictional story about insider threat, I will be posting part 10 tonight.  Smiley

One thing you hear very often is that 80% of all the attacks come from the inside. But what you seldom see are facts backing up that number. Richard Bejtlich has written about it on his blog several times, the last post was just a few days ago:  Again, External Threat Is More Prevalent. Almost all facts I've seen says that the 80% rule of the insider threat is a myth.

I agree what you say regarding eggshell security, however if the employees have unrestricted access that can easily be used by a random attacker. An employee who doesn't know what he is doing can install some malware or trojan which lets the attacker in. One the attacker has controll of the employees workstation the rest of the network is at risk.
Logged
Security Fiction
tmartin
Recruiters
Newbie
*
Offline Offline

Posts: 46


View Profile
« Reply #2 on: September 15, 2006, 06:00:41 AM »
Internal controls do get the shaft. But assuming that you have the basic external defenses against outsiders, the internals are the bigger threat because they generally have some knowledge of where the goodies are at and how poorly protected they are. They are also, of course, inside your external defenses already, and when their activity shows up in some logs, they are sometimes passed over as legit.

Think about fraud, which is basically all internal. Much of it occurs due to poor security, whether it be controls or lack of log and system review. I think too many pros focus on stopping the real cool "hacks" and ignore the fraud, which costs companies serious money and go undetected, on average, for 18 months.

In my last company, I assisted with 2 fraud cases that went 9+ years. That's bad controls and review practices.
Logged
oleDB
Recruiters
Full Member
*
Offline Offline

Posts: 236



View Profile WWW
« Reply #3 on: September 18, 2006, 10:54:24 AM »
I think fraud can be external or internal, it depends on the company. Ours is decidely external probably 95% external to only 5% internal.

I think until you have proven and auditable perimeter defenses, the outsider is the bigger threat. I guestimate that most companies do not monitor their security specific logs in real time, they typically focus on availability metrics. A stock firewall and router config can easily be penetrated when no one is watching, all it takes is one open port and for a session to be initiated from the other side, which can be done easily. Then if you consider how many idiots don't update their network devices firmware, there's a whole other set of entry points. Like the other poster stated, the data doesn't really support the theory. For companies with proactive and knowledgeable security folks, then the insider becomes the biggest threat, but that sitiuation isn't the reality for most companies. If you also factor in malware into the equation, which is 99% from outsiders, then this theory becomes even more unsustainable. Its been preached so much to the IT community though, people often take it as law unquestioned.
« Last Edit: September 18, 2006, 10:56:31 AM by oleDB » Logged
tmartin
Recruiters
Newbie
*
Offline Offline

Posts: 46


View Profile
« Reply #4 on: September 22, 2006, 08:32:00 AM »
When I think of external fraud, I think of customers trying to cheat the company with false claims and the like; in my mind, it doesn't include system access.

When I think of internal fraud, I think of internal folks accessing and manipulating systems in ways they should not be able to.

It depends on your industry.

Any more thoughts, Ole?
Logged
oleDB
Recruiters
Full Member
*
Offline Offline

Posts: 236



View Profile WWW
« Reply #5 on: September 22, 2006, 01:16:34 PM »
Thats generally how I view fraud too, anybody trying to manipulate a system, process, or person for illicit financial gain. System access could be apart of a fraudulent scheme or it could not, just depends. For me fraud is only a subset of all threats, which is what I'm comparing. The threat is always greater from the outsider until you can prove that you can block >99% of it, then the insider becomes a bigger problem. I think with the insider you have a low likelyhood that the attack will take place(factor how many internal incidents you have versus the total employee/contractor populace) versus how successful that attack will be. An insider has a really good chance of being successful if they so do chose to do this, because they know the systems and processes. An insider also has a greater chance of getting caught, a hacker in North Korea, China, etc can corrupt your databases and steal your confidential info and there will be no prosecution regardless of whether or not you identify them.
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.071 seconds with 23 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Advertisement

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.