Monday, September 18, 2006

Insider Threat Study

I received a copy of a study announced by ArcSight and conducted by the Ponemon Institute. I mention this for two reasons. One, it highlights issues regarding the meaning of security terms. Two, the content is worth a look.

First, the email I received bore the subject "Are Executives the Cause of Insider Threats?". I wondered if the study examined if executives were the parties with the intentions and capabilities to exploit weaknesses in assets. That's what a threat is, and a study that implied executives (and not corporate minions or IT staff) were the real problem would be noteworthy in its own right.

Near the beginning of the report I read the following:

The survey was sponsored by ArcSight, an enterprise security management company, and queried 461 respondents who are employed in corporate IT departments within U.S.-based organizations.

For purposes of this survey, we define the "insider threat" as the misuse or destruction of sensitive or confidential information, as well as IT equipment that houses this data, by employees, contractors and others.


They're actually talking about attacks caused by insiders, not "insider threats." Working with their language, an insider threat would be "those who misuse or destroy sensitive or confidential information, as well as IT equipment that houses this data."

The report continues:

"Insider threats occur because of human error such as mistakes, negligence, reckless behavior, and sometimes even corporate sabotage."

Not really. Insider threats take advantage of vulnerabilities caused by mistakes and negligence. Insider threats employ reckles behavior (if not truly intending to cause harm) or corporate sabotage (if intending to cause harm) as attack methods.

Our survey sought to answer the following three questions.

1. What are the root causes of insider threats and how do information security practitioners respond to this pervasive IT and business risk?


They actually mean "what are the root causes of vulnerabilities that are exploited by insider threats, and how to infosec practitioners mitigate risks?" To truly address root causes of insider threats, one would analyze the motivations of threats themselves, like greed, malice, etc.

2. What technologies, practices and procedures are employed by organizations to reduce or mitigate insider-related risks?

That's great. Risks is used appropriately.

3. What are the issues, challenges and possible impediments to effectively detecting and preventing insider threats?

I would say "detecting and preventing attacks by insider threats."

The following are the most salient findings in our study: Data breaches go unreported. While we seem to be inundated with reports of data breaches, we may not know the full extent of the problem. More than 78% of respondents said that there has been at least one and possibly more unreported insider-related security breaches within their company.

Wow, that's a lot. Let's look for evidence in the report.

Table 11 reports that over 78% of respondents know of an insider-related security incident that was not publicly disclosed.



Notice Table 11 asks "Do you know of an insider-related incident in your organization (or any other organization in your industry) which was not disclosed to the public or to law enforcement?" (emphasis added)

That 78% figure doesn't mean that "more than 78% of respondents said that there has been at least one and possibly more unreported insider-related security breaches within their company" at all! In fact, there could be zero unreported breaches in the surveyed companies, and all respondents answering "yes" could be pointing to the same incident at someone else's company.

This idea is backed up by the following finding:

Table 7 shows that over 59% of respondents believe that insider-related problems are more likely to occur outside of their departments or organizational units.

So almost 60% of respondents think problems are likely to happen someplace else. That reminds me of surveys that say parents think schools in general are poor, but the school their child attends is fine.

While I think there is some interesting data in the survey report, I would keep my analysis in mind while reading it.

2 comments:

JC said...

Richard,
I believe Dark reading is hosting a webinar on this on Monday September 25 http://www.darkreading.com/webinar.asp?doc_id=28032
It should be interesting to see how this is presented after your review of the study. Should generate some interesting questions at the end, if they are allowed.

Anonymous said...

This kind of stuff is pervasive.

I sat in on a Webinar last week entitled: "Webinar: Protecting Your Customers’ Data from Insider Security Threats". During the Webinar they kept mentioning things like: '70% of all threats are internal'.

This was to sell a product that sat on the desktop and monitored the user to ensure "compliance" with policy.

Oh, and BTW: This is also being discussed as it will allow us to meet audit requirements of the government.