Insider Threat

[oleDB]

Anybody else see a slight flaw in books, teachers, or lectures always preaching that the Insider is the biggest threat to a computer network without adding any kind of background or caveats to the statement.

This type of statement has become law in the security community, but I feel its slightly misleading to the uneducated. The insider is only the biggest threat because security has been applied to the perimeter in a massively disproportional amount to whats applied internally. Security is often not as rigourous on the inside because it often impedes a companies business operations. Its much easier for companies to dump millions on firewalls and VPNs, then to spend much less on systems that your going to buy anyway with better access control. Its also much cheaper to enforce stricter policies on its users, but it will still come at the cost of potentially slowing down the business. For instance compare the cost of buying a brand new pair of enterprise class firewalls to the cost of buying more drive space for retention and aggregation of logs or turning up a tighter password policy on your network. I think the simple fact of the matter is that, if companies spent more money on internal controls and small amounts on perimeter controls, we would have a different story. Which is the bigger threat, unrestricted access for any an all outsiders or unrestricted access to employees?

[ogenstad]

Interesting, I'm just writing a fictional story about insider threat, I will be posting part 10 tonight. 

One thing you hear very often is that 80% of all the attacks come from the inside. But what you seldom see are facts backing up that number. Richard Bejtlich has written about it on his blog several times, the last post was just a few days ago:  Again, External Threat Is More Prevalent. Almost all facts I've seen says that the 80% rule of the insider threat is a myth.

I agree what you say regarding eggshell security, however if the employees have unrestricted access that can easily be used by a random attacker. An employee who doesn't know what he is doing can install some malware or trojan which lets the attacker in. One the attacker has controll of the employees workstation the rest of the network is at risk.

[tmartin]

Internal controls do get the shaft. But assuming that you have the basic external defenses against outsiders, the internals are the bigger threat because they generally have some knowledge of where the goodies are at and how poorly protected they are. They are also, of course, inside your external defenses already, and when their activity shows up in some logs, they are sometimes passed over as legit.

Think about fraud, which is basically all internal. Much of it occurs due to poor security, whether it be controls or lack of log and system review. I think too many pros focus on stopping the real cool "hacks" and ignore the fraud, which costs companies serious money and go undetected, on average, for 18 months.

In my last company, I assisted with 2 fraud cases that went 9+ years. That's bad controls and review practices.

[oleDB]

I think fraud can be external or internal, it depends on the company. Ours is decidely external probably 95% external to only 5% internal.

I think until you have proven and auditable perimeter defenses, the outsider is the bigger threat. I guestimate that most companies do not monitor their security specific logs in real time, they typically focus on availability metrics. A stock firewall and router config can easily be penetrated when no one is watching, all it takes is one open port and for a session to be initiated from the other side, which can be done easily. Then if you consider how many idiots don't update their network devices firmware, there's a whole other set of entry points. Like the other poster stated, the data doesn't really support the theory. For companies with proactive and knowledgeable security folks, then the insider becomes the biggest threat, but that sitiuation isn't the reality for most companies. If you also factor in malware into the equation, which is 99% from outsiders, then this theory becomes even more unsustainable. Its been preached so much to the IT community though, people often take it as law unquestioned.

[tmartin]

When I think of external fraud, I think of customers trying to cheat the company with false claims and the like; in my mind, it doesn't include system access.

When I think of internal fraud, I think of internal folks accessing and manipulating systems in ways they should not be able to.

It depends on your industry.

Any more thoughts, Ole?

[oleDB]

Thats generally how I view fraud too, anybody trying to manipulate a system, process, or person for illicit financial gain. System access could be apart of a fraudulent scheme or it could not, just depends. For me fraud is only a subset of all threats, which is what I'm comparing. The threat is always greater from the outsider until you can prove that you can block >99% of it, then the insider becomes a bigger problem. I think with the insider you have a low likelyhood that the attack will take place(factor how many internal incidents you have versus the total employee/contractor populace) versus how successful that attack will be. An insider has a really good chance of being successful if they so do chose to do this, because they know the systems and processes. An insider also has a greater chance of getting caught, a hacker in North Korea, China, etc can corrupt your databases and steal your confidential info and there will be no prosecution regardless of whether or not you identify them.