Comments on TaoSecurity Blog: How Many Spies?
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)

Anonymous, 2007-12-21 07:34 -05:00
This comment has been removed by a blog administrator.

Anonymous, 2006-12-28 13:45 -05:00
Richard, you're right on the money with all of these threat management measures. However, I smell a hint of straw here. Insider threats can encompass everything from Stoopid User Tricks that let in external attackers, to grudge attacks, turf wars that escalate to security fights (yes, I've seen them), larceny, and pr0n collecting. It isn't just about theft of proprietary information.

Anonymous, 2006-12-28 09:58 -05:00
With regards to Rob, you should check out this Miami Herald article: http://www.miami.com/mld/miamiherald/news/local/states/florida/counties/broward_county/16332102.htm

Basically, this lady (a convicted felon) got a job where she ended up working alone, at night, unsupervised in the accounting section of a Broward County (think Ft. Lauderdale) Labor Agency. She then wrote over $2,400,000 worth of checks to herself.

Who caught her? The bank teller at her local branch office.

I do agree with you that external threats are the greater of the two when proper controls are in place.

Unknown (https://www.blogger.com/profile/15357840241031190415), 2006-12-28 09:22 -05:00
As part of #2, basically something auditable as well. Data access should leave trails if it is technologically accomplished. Even presence can be audited with well-placed security cameras and electronic door locks.

I would bet that, much like companies have no idea an attacker from the outside has been accessing their database from Oct 2005 until Nov 2006, many orgs simply have no idea someone is coming in late at night and siphoning off a few files here and there, or using access to systems to host a few FTP accounts for some games for friends. Sadly, far too many orgs, when they do find this stuff out, either do nothing or do nothing more than waggle a finger and close the hole by technological means and bury it under the rug.

Richard's #4 about enforcement is one of the weak points in my experience. It is easy when it comes to obvious criminal activities or porn-surfing at work, but anything except the obvious seems to baffle mgmt and HR.

Anonymous, 2006-12-28 00:11 -05:00
External attackers are basically fishing; they do not know what they are looking for. Insiders do.

In the Verton book I referred to in your last post, the US Attorney General estimated that the loss due to inside attackers in the US in 2004 was over $250 BILLION annually. I have read other estimates that the figure is now approaching up to $400 BILLION annually.

Without internal controls, how does one know what losses are occurring?

Some of these breaches are decidedly low-tech. However, if these figures are anywhere close to accurate, it would indicate that such losses are mostly hidden since there are few means to detect that they are occurring, or that current corporate management is so lame as to be basically incompetent with their heads in the sand. In any case, I do not read anywhere that the loss figures from external breaches are close to these amounts. Then again, corporations are loath to acknowledge their stupidity and negligence anyway.

Anonymous, 2006-12-27 21:16 -05:00
"(#3) ... Make them resign them annually."

Excellent! That should cut down help-desk costs immensely!

Oh, re-sign? Ah!

This is similar to the idea of automatic expiration (pioneered by Ranum). Proactive action is required to maintain access (or privilege). Lack of action results in garbage collection.
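The last comment above describes access that must be re-signed periodically and is otherwise garbage-collected. The following is an added example (not code from the original post or any commenter) of what that sweep looks like in practice: every grant carries the date it was last attested, an attestation covers a fixed validity window, the holder is warned shortly before expiry, and a grant nobody re-signs is revoked by default. The grant inventory, principal names and dates are constructed for illustration; the validity and warning periods are assumptions.

```python
"""Automatic expiration of access grants: re-sign it or lose it.

Added example, not code from the original post or its commenters. Assumes a
hypothetical inventory in which each grant records when it was last
re-attested; names, resources and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

VALIDITY_DAYS = 365   # assumption: one attestation covers one year
WARN_DAYS = 30        # assumption: warn the holder this long before expiry


@dataclass(frozen=True)
class Grant:
    principal: str
    resource: str
    last_attested: Optional[date]  # None: never re-signed since it was granted
    granted: date


def expires_on(g: Grant, validity_days: int = VALIDITY_DAYS) -> date:
    """A grant that was never re-attested expires counting from its creation date,
    so an unattended grant is collected just like a stale one."""
    anchor = g.last_attested or g.granted
    return anchor + timedelta(days=validity_days)


def sweep(grants, today: date, validity_days=VALIDITY_DAYS, warn_days=WARN_DAYS):
    """Classify every grant as 'revoke', 'warn' or 'keep'.

    Revocation is the default outcome: the holder has to act to keep access,
    and inaction is collected as garbage. Returns a dict of lists of Grant.
    """
    result = {"revoke": [], "warn": [], "keep": []}
    for g in grants:
        exp = expires_on(g, validity_days)
        if today >= exp:
            result["revoke"].append(g)
        elif today >= exp - timedelta(days=warn_days):
            result["warn"].append(g)
        else:
            result["keep"].append(g)
    return result


def attest(g: Grant, on: date) -> Grant:
    """Re-sign a grant. An already-expired grant cannot be revived by
    attestation; the holder must go back through the original approval."""
    if on >= expires_on(g):
        raise ValueError(
            f"{g.principal}:{g.resource} already expired; re-request, do not re-sign"
        )
    return Grant(g.principal, g.resource, on, g.granted)


# Constructed sample inventory, evaluated on a fixed date so results are stable.
TODAY = date(2007, 1, 15)
SAMPLE = [
    Grant("alice", "hr-db/ro",      date(2006, 6, 1),  date(2004, 3, 1)),   # valid until 2007-06-01
    Grant("bob",   "payroll/rw",    date(2005, 12, 1), date(2003, 7, 9)),   # expired 2006-12-01
    Grant("carol", "fileserver/rw", None,              date(2006, 2, 1)),   # never re-signed, expires 2007-02-01
    Grant("dave",  "vpn",           date(2006, 1, 20), date(2005, 1, 1)),   # expires 2007-01-20
]

if __name__ == "__main__":
    for bucket, items in sweep(SAMPLE, TODAY).items():
        for g in items:
            print(f"{bucket:6} {g.principal}:{g.resource} (expires {expires_on(g)})")
```

Run on the constructed inventory, bob's payroll grant is revoked, carol's never-attested grant and dave's nearly expired VPN grant land in the warning bucket, and alice keeps her access. Note the design choice in attest(): once a grant has lapsed it is not re-signable, which keeps the annual re-sign from degrading into a rubber stamp that revives anything on the list.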