Saturday, October 04, 2008

Insider Threat Prediction Materializing

As we approach the end of the year, I'm looking to see if my Predictions for 2008 are materializing. My third prediction was:

Expect increased awareness of external threats and less emphasis on insider threats.

Accordingly, I was happy to see the story Targeted Attacks, DNS Issues Hit Home in New CSI Report contain the following subtitle:

Insider abuse shows marked drop-off in 13th annual survey by Computer Security Institute

Ho ho, what does that mean?

While some threats are on the increase, CSI also found that others are on the downturn. Insider abuse dropped from 59 percent in 2007 to 44 percent in 2008, the largest shift recorded in this year's survey.

"I think there was a lot of hype around this last year, and now it's coming back to reality," Richardson says. Insider abuse numbers hovered at around 42 percent to 48 percent in 2005 and 2006 and then spiked last year, he noted.
(emphasis added)

I noted the annual CSI study supported my position on the prevalence of the insider threat in relation to other threats in my 2006 post 2006 CSI-FBI Study Confirms Insider Threat Post. Now, of course you can dispute the methodology of the CSI study, but even if it's only directionally correct it still supports my prediction.

After all the stories about attacks from a certain large far eastern country (documented in my "v China posts), widespread reporting on named botnets (remember when malware was named, not botnets?), and very public stories on attacking core infrastructure (DNS, BGP, now TCP), it's nice to see CSI-FBI respondents at least realize they're far more likely to be victimized by one of these forces largely outside their control.

I've discussed Incorrect Insider Threat Perceptions before, specifically that the insider threat is the one threat you can really control. Unless you're a police or military organization, you can't do anything about external threats. Anyone with firing power can do something about internal threats.


Security Application said...

Hey that was a good article...

J. Oquendo said...

Re: External versus Internal Threats... Verizon just released.

Verizon just released the 2008 Data Breach Investigations Report with some surprising figures.

1) Insider threat is overrated
2) Surprisingly Wireless (for the time being) isn't as bad as everyone thinks with physical access attacks coming in at a higher rate
3) Targeted versus Untargeted... People are just stumbling on holes as opposed to targeting them
4) High tech attacks... Overrated - Script kiddiots still dominant factor

Quoted: "Our findings indicate that data compromises are considerably more likely to result from external attacks than from any other source. Nearly three out of four cases yielded evidence pointing outside the victim organization. In keeping with other studies revealing risks inherent to the extended enterprise,2 business partners were involved in 39 percent of the data breaches handled by our investigators. Internal sources accounted for the fewest number of incidents (18 percent), trailing those of external origin by a ratio of four to one."

Personally, I believe the numbers are skewed. In the matters of the insider threat, its likelier the insiders have adopted/learned stronger methods to cover their tracks, but that's intuition - not factual as there are no numbers to throw at this.