Insiders or Outsiders: Bigger Risk?

NetworkWorldFusion features a debate between two authors. One writes Employees [are] the biggest threat to network security. The other says Intruders [are] the biggest threat to network security. My personal opinion is that rogue insiders have the potential to cause the most damage, but the frequency with which they appear and cause havoc is lower than people think. Outsiders, on the other hand, are frequently attacking and exploiting enterprises, but they are not often causing the sort of damage a rogue insider could.

What do you think? Which group presents the bigger risk? I decided to frame this question with respect to risk, since one can estimate risk using the equation

risk = threat X vulnerability X cost of asset (replacement) or "asset value"

On a related note, I found this October 2004 article by Anton Chuvakin to be interesting: Issues Discovering Compromised Machines. He begins by questioning the claim made by the authors of the book Exploiting Software, that "Most of the global 2000 companies are currently infiltrated by hackers. Every major financial institution not only has broken security, but hackers are actively exploiting them." While this is plausible, the level of exploitation is uncertain. Do intruders have complete control of all of these organizations, or are they contained in some manner? We will probably never see proof of this, but who knows what could happen after the latest T-Mobile disclosures.

On another related note, Microsoft security expert and employee Robert Hensing has been on a blogging tear. He is posting details of some incident responses he has done. They make for good reading.

Comments

Anonymous said…
I think the question is a little misleading to begin with. If you are looking at the insider threat as a possible source of boxes being compromised, than I would have to agree that the risk is much greater from the outside than from the inside. The number of probes and intrusion attempts from the Internet or other external sources outweighs the internal threats by a significant number, probably on the order of 10 or 100 times the internal threat.

But when I think about insider threats, I'm less worried about a malicious hacker compromising my database than I am a legitimate employee misusing the the access they've been given to the same database. As the IDS analyst, it is nearly impossible for me to have any visibility into this internal traffic, let alone differentiate between legitimate traffic and abuse of access.

Internal threats are usually less about a keystroke logger or compromised systems, and more about poor access controls in the database. Is that outside the purview of the network administrators? I think it has to be.
12:29 PM
Anonymous said…
I would have to put a little more weight on insider threats. In addition to points already made, "insiders" sometimes cause accidental issues, disclosure of information, or installation of prohibited software. Malicious, evil insiders, I will agree are rarer than most people think, but the number of honest mistakes or simple non-compliance with security standards makes up a good chunk of incidents, and a very good chunk of the root cause of an incident (creating a vulnerability that an outsider takes advantage of).

In taking the question very strictly, I think internal employees are the bigger threat to network security.

-LonerVamp
5:53 PM
Anonymous said…
this paper addresses this discussion nicely. slides 23-24 pretty much fill in some nice missing gaps. however, if i were an organization i would assume that any of the above, or even all of them could be working together against you (insiders, miscreants, state-sponsored, terrorists, international organized crime rings). it doesn't have to be paranoia, but it's a part of analyzing your risk. it's my personal opinion that corporate espionage is the highest risk for damage to the internet in general with lower occurances (maybe 2 to 10 times per year). however, this might not apply to your specific organization, as reliance on the internet or wifi or whatnot various place to place.
8:23 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more