Thursday, February 24, 2005

Insiders or Outsiders: Bigger Risk?

NetworkWorldFusion features a debate between two authors. One writes "Employees [are] the biggest threat to network security." The other says "Intruders [are] the biggest threat to network security." My personal opinion is that rogue insiders have the potential to cause the most damage, but the frequency with which they appear and cause havoc is lower than people think. Outsiders, on the other hand, are frequently attacking and exploiting enterprises, but they are not often causing the sort of damage a rogue insider could.

What do you think? Which group presents the bigger risk? I decided to frame this question with respect to risk, since one can estimate risk using the equation

risk = threat × vulnerability × asset value (the replacement cost of the asset)

On a related note, I found this October 2004 article by Anton Chuvakin to be interesting: Issues Discovering Compromised Machines. He begins by questioning the claim made by the authors of the book Exploiting Software, that "Most of the global 2000 companies are currently infiltrated by hackers. Every major financial institution not only has broken security, but hackers are actively exploiting them." While this is plausible, the level of exploitation is uncertain. Do intruders have complete control of all of these organizations, or are they contained in some manner? We will probably never see proof of this, but who knows what could happen after the latest T-Mobile disclosures.

On another related note, Microsoft security expert and employee Robert Hensing has been on a blogging tear. He is posting details of some incident responses he has done. They make for good reading.


Martin McKeay said...

I think the question is a little misleading to begin with. If you are looking at the insider threat as a possible source of boxes being compromised, then I would have to agree that the risk is much greater from the outside than from the inside. The number of probes and intrusion attempts from the Internet or other external sources outweighs the internal threats by a significant number, probably on the order of 10 or 100 times the internal threat.

But when I think about insider threats, I'm less worried about a malicious hacker compromising my database than I am a legitimate employee misusing the access they've been given to the same database. As the IDS analyst, it is nearly impossible for me to have any visibility into this internal traffic, let alone differentiate between legitimate traffic and abuse of access.

Internal threats are usually less about a keystroke logger or compromised systems, and more about poor access controls in the database. Is that outside the purview of the network administrators? I think it has to be.

Anonymous said...

I would have to put a little more weight on insider threats. In addition to points already made, "insiders" sometimes cause accidental issues, disclosure of information, or installation of prohibited software. Malicious, evil insiders, I will agree, are rarer than most people think, but the number of honest mistakes or simple non-compliance with security standards makes up a good chunk of incidents, and a very good chunk of the root cause of an incident (creating a vulnerability that an outsider takes advantage of).

In taking the question very strictly, I think internal employees are the bigger threat to network security.


Anonymous said...

This paper addresses this discussion nicely. Slides 23-24 pretty much fill in some nice missing gaps. However, if I were an organization I would assume that any of the above, or even all of them, could be working together against you (insiders, miscreants, state-sponsored, terrorists, international organized crime rings). It doesn't have to be paranoia, but it's a part of analyzing your risk. It's my personal opinion that corporate espionage is the highest risk for damage to the Internet in general, with lower occurrences (maybe 2 to 10 times per year). However, this might not apply to your specific organization, as reliance on the Internet or wifi or whatnot varies from place to place.