Comments on: Bad Behavior – Thoughts on the Malicious Insider http://www.bloginfosec.com/2008/05/30/bad-behavior-thoughts-on-the-malicious-insider/ An Information Security Magazine in a Blog Format Mon, 30 Jan 2012 11:01:25 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Alex http://www.bloginfosec.com/2008/05/30/bad-behavior-thoughts-on-the-malicious-insider/comment-page-1/#comment-6663 Alex Tue, 03 Jun 2008 14:15:28 +0000 http://www.bloginfosec.com/2008/05/30/bad-behavior-thoughts-on-the-malicious-insider/#comment-6663 To pile on.... In addition to the "not helpfulness" that Gary pointed out - those numbers, like any global/national/industry level statistic have meaning only in context. A specific entity (business, gov't, etc...) will actually find the past 10 years of history a more meaningful metric, defined by what an insider incident *is* in their context. It's kind of like trying to tie your budget to an industry norm. Who gives a rip what the rest of the industry is spending? Your spending has to be in the context of management's tolerance for risk. To pile on….

In addition to the “not helpfulness” that Gary pointed out – those numbers, like any global/national/industry level statistic have meaning only in context. A specific entity (business, gov’t, etc…) will actually find the past 10 years of history a more meaningful metric, defined by what an insider incident *is* in their context.

It’s kind of like trying to tie your budget to an industry norm. Who gives a rip what the rest of the industry is spending? Your spending has to be in the context of management’s tolerance for risk.

]]> By: Gary http://www.bloginfosec.com/2008/05/30/bad-behavior-thoughts-on-the-malicious-insider/comment-page-1/#comment-6633 Gary Tue, 03 Jun 2008 09:01:01 +0000 http://www.bloginfosec.com/2008/05/30/bad-behavior-thoughts-on-the-malicious-insider/#comment-6633 Was there any factual basis whatsoever for those numbers or were they simply plucked out of thin air, I wonder? Multiplying two pure guesses together merely amplifies the guesswork. Such numbers are really not helpful. Even if it were supported by some evidence, the proportion of insider vs outsider attacks is also not very helpful. This is apples vs pears. Insiders, in the main, hold trusted positions with wide and deep access to systems, knowledge of values etc. They can observe and explore many systems, processes, network packets etc. without fear of being caught or sanctioned. They can commit their frauds and other attacks over an extended period, choosing their opportunities carefully. Outsiders have less knowledge of the specific internal configs, systems, apps, processes, data sets etc., greater technical barriers to exploring and compromising them, fewer opportunities to penetrate/exploit and (arguably) more chance of being caught at least at the perimeter. Some of them may have greater motivation and skills than insiders, but not all. For the organization, internal incidents such as staff frauds may be very costly but are less likely to be disclosed publicly, limiting the reputational damage. Outsider frauds etc. are probably more likely to end in disclosure and prosecution, hence perhaps reputational damage. G. Was there any factual basis whatsoever for those numbers or were they simply plucked out of thin air, I wonder? Multiplying two pure guesses together merely amplifies the guesswork.

Such numbers are really not helpful. Even if it were supported by some evidence, the proportion of insider vs outsider attacks is also not very helpful. This is apples vs pears. Insiders, in the main, hold trusted positions with wide and deep access to systems, knowledge of values etc. They can observe and explore many systems, processes, network packets etc. without fear of being caught or sanctioned. They can commit their frauds and other attacks over an extended period, choosing their opportunities carefully. Outsiders have less knowledge of the specific internal configs, systems, apps, processes, data sets etc., greater technical barriers to exploring and compromising them, fewer opportunities to penetrate/exploit and (arguably) more chance of being caught at least at the perimeter. Some of them may have greater motivation and skills than insiders, but not all. For the organization, internal incidents such as staff frauds may be very costly but are less likely to be disclosed publicly, limiting the reputational damage. Outsider frauds etc. are probably more likely to end in disclosure and prosecution, hence perhaps reputational damage.

G.

]]> By: Fred Herman http://www.bloginfosec.com/2008/05/30/bad-behavior-thoughts-on-the-malicious-insider/comment-page-1/#comment-6350 Fred Herman Sat, 31 May 2008 02:51:27 +0000 http://www.bloginfosec.com/2008/05/30/bad-behavior-thoughts-on-the-malicious-insider/#comment-6350 This article resonates with the typical American response to problem solving, throw money at it and it will get solved. The real solution to insider security threats involves a paradigm shift from employee as consumable supply to employee as valued asset. When the company has no loyalty to the employees, don't expect the employee to have much loyalty to the organization. The last IT manager I spoke to said "I don't involve myself in that HR stuff...." Well, the nexus of human relationships is a system much like a computer network. The more emotionally detached from the system, the easier it is for the individual to become a rogue access point. The solution to the problem doesn't require the right software package, it requires more interpersonal bonding in the corporate culture. American society focuses more on the success of the individual then concern for the welfare of the society. Call me a socialist if you will, but the truth is still, "garbage in garbage out" if you know what I mean.... This article resonates with the typical American response to problem solving, throw money at it and it will get solved. The real solution to insider security threats involves a paradigm shift from employee as consumable supply to employee as valued asset. When the company has no loyalty to the employees, don’t expect the employee to have much loyalty to the organization. The last IT manager I spoke to said “I don’t involve myself in that HR stuff….” Well, the nexus of human relationships is a system much like a computer network. The more emotionally detached from the system, the easier it is for the individual to become a rogue access point. The solution to the problem doesn’t require the right software package, it requires more interpersonal bonding in the corporate culture. American society focuses more on the success of the individual then concern for the welfare of the society. Call me a socialist if you will, but the truth is still, “garbage in garbage out” if you know what I mean….

]]> By: Michael http://www.bloginfosec.com/2008/05/30/bad-behavior-thoughts-on-the-malicious-insider/comment-page-1/#comment-6313 Michael Fri, 30 May 2008 17:48:56 +0000 http://www.bloginfosec.com/2008/05/30/bad-behavior-thoughts-on-the-malicious-insider/#comment-6313 I understand the reasoning. But I've also seen the numbers for insider attacks vary from 40% (CERT) to 80% (various) with many numbers in between. That makes me question the veracity of these statistics. Where do they come from? What constitutes an attack/incident? Do they differ by industry? I've been an infosec professional for over a decade and while I am sure I have not seen all the insider (or outsider) incidents that occurred on my watch, the number of occurrences and ratio of outsider to insider attacks suggests numbers in the 70% and above range are wildly overstated. To me a figure like 96% suggests a large population of a company are in the midst of a massive pillaging of its assets somehow unbeknownst to the hapless infosec pro or the other four honest people left in the company :) The last few years, outsider attacks have become more prevalent. It is easier to anonymously email malware than it is to infiltrate an organization or bribe someone I should think. Whatever the case, to my mind, the key point for the infosec pro is to get a good handle on their company's specific threats and risks because I guarantee that it varies from industry to industry, company to company. I understand the reasoning. But I’ve also seen the numbers for insider attacks vary from 40% (CERT) to 80% (various) with many numbers in between. That makes me question the veracity of these statistics. Where do they come from? What constitutes an attack/incident? Do they differ by industry?

I’ve been an infosec professional for over a decade and while I am sure I have not seen all the insider (or outsider) incidents that occurred on my watch, the number of occurrences and ratio of outsider to insider attacks suggests numbers in the 70% and above range are wildly overstated.

To me a figure like 96% suggests a large population of a company are in the midst of a massive pillaging of its assets somehow unbeknownst to the hapless infosec pro or the other four honest people left in the company :)

The last few years, outsider attacks have become more prevalent. It is easier to anonymously email malware than it is to infiltrate an organization or bribe someone I should think.

Whatever the case, to my mind, the key point for the infosec pro is to get a good handle on their company’s specific threats and risks because I guarantee that it varies from industry to industry, company to company.

]]>