Saturday, April 14, 2007

Exaggerated Insider Threats

I got a chance to listen to Adam Shostack's talk at ShmooCon. When I heard him slaughter my name my ears perked up. (It's "bate-lik".) :) I hadn't seen his slides (.pdf) until now, but I noticed he cited my post Of Course Insiders Cause Fewer Security Incidents where I questioned the preponderance of insider threats. I thought Adam's talk was good, although he really didn't support the title of his talk. It seemed more like "security breaches won't really hurt you," rather than breaches benefitting you. That's fine though.

When he mentioned my post he cited a new paper titled A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006 by Phil Howard and Kris Erickson. Adam highlighted this excerpt

60 percent of the incidents involved organizational mismanagement

as a way to question my assertion that insiders account for fewer intrusions than outsiders.

At the outset let me repeat how my favorite Kennedy School of Government professor, Phil Zelikow, would address this issue. He would say, "That's an empirical question." Exactly -- if we had the right data we could know if insiders or outsiders cause more intrusions. I would argue that projects like the Month of 0wned Corporations give plenty of data supporting my external hypothesis, but let's take a look at what the Howard/Erickson paper actually says.

First, what are they studying?

Our list of reported incidents is limited to cases where one or more electronic personal records were compromised through negligence or theft... For this study, we look only at incidents of compromised records that are almost certainly illegal or negligent acts. For the purposes of this paper, we define electronic personal records as data containing privileged information about an individual that cannot be readily obtained through other public means.

So, they are studying disclosure of personal information. They are not analyzing theft of intellectual property like helicopter designs. They are not reviewing cases of fraud, like $10 million of routers and other gear shipped to Romania. They are not reviewing incidents where hosts became parts of botnets and the like. All of that activity would put weight in the external column. That's not included here.

Let's get back to that 60% figure. It sounds like my hypothesis is doomed, right?

Surprisingly, however, the proportion of incident reports involving hackers is smaller than the proportion of incidents involving organizational action or inaction. While 31 percent of the incidents reported clearly identify a hacker as the culprit, 60 percent of the incidents involve missing or stolen hardware, insider abuse or theft, administrative error, or accidentally exposing data online.

Now we see that the 60% figure includes several categories of "organizational action or inaction". Hmm, I wonder how big the insider abuse or theft figure is, since that to me sounds like the big, bad "insider threat." If we look at this site we can access the figures and tables for the report. Take a look at Figure 2. (It's too wide to print here.) The Insider Abuse or Theft figure accounts for 5% of the incident total while Stolen - Hacked accounts for 31%. Sit down, insider threat.

Wait, wait, insider threat devotees might say -- what about Missing or Stolen Hardware, which is responsible for 36% of incidents? I'll get to that.

The numbers I cited were for incidents. You would probably agree you care more about the number of records lost, since who cares if ten companies each lose one hundred records if an eleventh loses one hundred thousand.

If you look at the corresponding percentages for numbers of records lost (instead of number of incidents), Insider Abuse or Theft accounts for 0%, Missing or Stolen Hardware counts for 2% while Stolen - Hacked rings in at 91%. Why are we even debating this issue?

Wait again, insider fans will say. Why don't you listen when the authors exclude Axciom from the data? They must be an "outlier," so ignore them. And now ignore TJX, and... anyone else who skews the conclusion we're trying to reach.

The authors state:

Regardless of how the data is broken down, hackers never account for even half of the incidents or the volume of compromised records.

To quote Prof Zelikow again, "True, but irrelevant." I'll exclude Acxiom too by looking at previous periods. In 1980-1989 Stolen - Hacked accounts for 96% of records and 43% of incidents, while Unspecified accounts for the remaining 4% of records, along with 43% of incidents. Insider Abuse or Theft was 14% of incidents and zero records, meaning no breach. In 1990-1999 Stolen - Hacked accounts for 45% of incidents but the number of records is dwarfed by the number of records lost in Unspecified Breach.

In brief, this report defends the insider threat hypothesis only in name, and really only when you cloak it in "organizational ineptitude" rather than dedicated insiders out to do the company intentional harm.

I recommend reading the report to see if you find the same conclusions buried behind the numbers. It's entirely possible I'm missing something, but I don't see how this report diminishes the external threat.


Chris said...


The dataset upon which the paper was based has also been made available.

Your professor sounds like my kind of guy.

Adam said...

First, sorry I slaughtered your name. I did make sure I spelled it right. :)

Second, some comments in response are at "Bejtlich gets it: It's about empiricism"


Chris_B said...

This one is going to go on and on and on until we have some good data sets over several years of time. The other aspect is that it varies by location. In Japan, malicious or incompetent insiders are MUCH more of a problem. Google "winny japan self defense force" for any number of examples, or "maritime self defense force Aegis plans" for some recent anecdotes.

Rob Lewis said...

Is relying on network security to detect insider threats by authorized users really a pausible approach?

Could you really stop a compromised individual if he really was bent on revenge? Or if his family was being held at gunpoint?

Only access and audit control with policy enforcement at the data level (information-centric security) can really determine, and prevent unathorized insider activity.

PaulM said...

"That's an empirical question." Exactly -- if we had the right data we could know if insiders or outsiders cause more intrusions.

No, that's a semantic question. By definition, insiders don't cause intrusions. :-) I got that from this book I was reading called _Extrusion_Detection_. Perhaps you've heard of it.? :-)

All kidding aside, the reason the data is "bad" or at least scoped poorly is that it's the most consistent type of data on security incidents available because of disclosure laws. Until there's mandatory disclosure of a greater variety of incidents, the potential data pool that analysts can pull from will continue to be incomplete. Three simple facts dictate the outcome of the paper from the data:

1. Organizations only disclose when they know that private data has been breached.
2. Organizations report breaches regardless of intent or the presence of criminal activity. (example: Transposing street numbers on an envelope can lead to a breach.)
3. Organizations are much better at discovering breaches made through mistakes. (An outside hacker pilfering data through a vulnerable web app is a lot harder to discover than a missing laptop.)

Bad data collection and analysis in infosec is a pet peeve of mine and I actually think this paper is far better than most of the stats we see passed around. But until there's "better" data available, all good Insider vs. Outsider studies will look like this one.

Anonymous said...

Rob, I don't think Richard said anything about relying on network security in this post. In fact, in the past he has posted about the importance of combating insider threats with nontechnical means.

Rob Lewis said...

Insider threats should be combated with any means possible, of course, but non-technical means is one of the few courses available at the moment. You can count on 2 hands security offerings that operate inside the network as opposed to hundreds for edge security. Why? Not as evolved yet as the need is just being recognized, and it is a whole lot harder to do.

paulm makes a good point about the data regarding inside attacks that is collected, or not, in this regard. Since internal controls are just not there, how does the enterprise have any idea what authorized users do? And inside attackers may be IT people that can cover their tracks. Corporations are also loath to admit one of their own strayed.

I think there is a possibility that only a small fraction of the total damages may be actually reported/collected, and it is better to keep an open mind about it.