Tuesday, July 11, 2006

Of Course Insiders Cause Fewer Security Incidents

Today's SANS NewsBites points to this eWeek article, which in turn summarizes this Computer Associates press release. It claims "more than 84% [of survey respondents] experienced a security incident over the past 12 months and that the number of breaches continues to rise."

The SANS editor piqued my interest with this comment: "(Honan): It is interesting to note that this survey highlights the external threat is becoming more prevalent than the internal one." (emphasis added)

"Becoming more prevalent?" This is Mr. Honan's answer to this part of the CA story: "Of the organizations which experienced a security breach, 38% suffered an internal breach of security." That means 62% experienced an external breach, or perhaps less if one could not determine the source of the breach.

I highlight "becoming more prevalent" because it indicates the speaker (like countless others) fell for the "80% myth," which is a statement claiming that 80% of all security incidents are caused by insiders. I document in Tao the history of this myth. I challenge anyone who believes the 80% myth to trace it back to some definitive source. If you do you will find it leads nowhere reputable.

If the 80% myth were true, security would be a fairly easy problem to solve. The biggest problem I see with modern digital security is the inability to remove threats from the risk equation. In other words, victims of security incidents lack the personal power to eliminate threats; only the police or military can really remove threats from the picture. Since the police are ill-equipped and overwhelmed, and the military is similarly not well-positioned to eliminate threats, attackers continue to assault with impunity.

However, if the majority (the vast majority, if you believe the 80% myth) of threats are internal, this completely changes the situation. To immediately and irrevocably alter the risk equation, all an employer or organization needs to do is identify and fire or remove the internal bad apples. Problem solved. "Oh, that's too hard," I'm going to hear. Maybe, but compare that option (which happens every day) to identifying, apprehending, prosecuting, and jailing a Romanian.

Since organizations have the tools to largely remove the insider threat, but security incidents continue to be a problem, insiders must be dwarfed by the size of the outsider threat community. However, as I've said elsewhere, insiders will always be better informed and positioned to cause the most damage to their victims. They know where and how to hurt their victim, and may already have all the access they need to do so.

The bottom line is that the number of external attackers far exceeds the number of internal attackers.

6 comments:

Chris_B said...

Shame on you! Are we talking about "Threats" or "Threat Agents" here? By picking up that old saw about 80% and mixing terms, you confuse the issue even more. Also, even if 38% of reported breaches were internal, that does not mean that 62% were external; it just means that the remaining responses are not described in the CA puff piece. Beware of statistics designed to sell product.

Considering that the word Threat has been misused for so long, in my mind the assertion can be made several ways:

1) 80% of all damages are caused by insider Threat Agents

2) 80% of all Threat Agents are insiders

3) 80% of the number of systems compromised were the result of an insider Threat Agent.

I'll bet someone else can come up with more ways to play with the numbers.

Richard Bejtlich said...

Chris_B,

"Shame on you"? Please, first read what I wrote.

"That means 62% experienced an external breach, or perhaps less if one could not determine the source of the breach."

Second, I have always explained that "threat agent" is a poor term for which I simply substitute "threat." Differentiating between "threat" and "threat agent" causes too many people to think "threat" = "vulnerability" and "threat agent" = "party".

Anonymous said...

I am glad someone finally threw the yellow flag on the insider threat (all of those secretaries and businessmen/women attacking servers and workstations.....). I think this gets pushed so much so you will buy 10X the gear you don't need.

Last time I checked Sandy Berger was able to smuggle State secrets out in his socks (as did good old Fawn Hall), and a high speed VA employee decided to go home with half of America's info on his laptop. These are the items that should be focused on for insiders, the loss/theft of information that they are authorized to view. Too many times industry gets this mixed up with what is viewed as traditional security threats.

Didn't Mr. Berger only get his hand slapped for such a large infraction?

wpn said...

It's a floor wax AND a dessert topping! Insiders can be both threats and vulnerabilities. But I'm also skeptical of this report, because I know from my own experience that most organizations don't fully report their insider incidents. Either they categorize them differently (as "HR problems" or "fraud" but not as "computer security"), or they don't report them at all for fear of image problems. It's much easier to report external attacks and play the innocent victim. But I don't consider virus or spyware infestations to be on the same level as, say, theft of confidential information or intentional disruption of services.

Chris_B said...

Richard,

I strongly think it's important to educate people on these terms. By the strict dictionary meaning threat is approximately equal to threat agent, but to use a physical example of the difference, fire is a threat to assets whereas an arsonist is both a threat and a threat agent. When considering countermeasures one should take both aspects into account.

Also I still think you picked a bad example to make your point. Both the article and press release are vague, as is the original saying. Also, as a previous poster pointed out, there exists no agreed upon definition of the insider threat in terms of computer security to begin with. You may well have an important point, I just don't think you made your case well at all.

Richard Bejtlich said...

Chris_B,

Try reading my books, articles, or dozens of blog posts on this subject. I'm not about to repeat myself every time someone tries to challenge me with a comment. Try searching for taosecurity threat.