I was reading this post by Richard Bejtlich and it reminded me of a little pet peeve.
It seems some people out there criticize Richard for focusing more on external threats than the big bad, “internal threat”. I’ll admit I used to use the term frequently when I was a little naive, but I finally realized it became code for “scary stuff you’ll never be able to protect yourself from without spending a lot of money on our products.”
Yes, there is an insider threat, but we abuse the heck out of the term.
There are a few principles I like to keep in mind when discussing the insider threat. Some are a little redundant to make a point from a slightly different perspective:
- Once an external attacker penetrates perimeter security and/or compromises a trusted user account, they become the insider threat.
- Thus, from a security controls perspective it often makes little sense to distinguish between the insider threat and external attackers- there are those with access to your network, and those without. Some are authorized, some aren’t.
- The best defenses against malicious employees are often business process controls, not security technologies.
- The technology cost to reduce the risks of the insider threat to levels comparable to the external threat are materially greater without business process controls.
- The number of potential external attackers is the population of the Earth with access to a computer. The number of potential malicious employees is no greater than the total number of employees.
- If you allow contractors and partners the same access to your network and resources as your employees, but fail to apply security controls to their systems, you must assume they are compromised.
- Detective controls with real-time alerting and an efficient incident response process are usually more effective for protecting internal systems than preventative technology controls, which more materially increase the overall business cost by interfering with business processes.
- Preventative controls built into the business process are more efficient than external technological preventative controls.
Thus, the best strategy includes a mix of technology and business controls, a focus on preventing and detecting external attacks, and reliance on a mix of preventative controls and detective controls with efficient response for the insider threat. I really don’t care if an attacker is internal or external once they get onto a single trusted system or portion of my network.
The “insider threat” isn’t a threat. It’s become a blanket term for FUD. Understand the differences between malicious employees, careless employees, external attackers with access inside the perimeter, and trusted partners without effective controls on their systems and activities.
Reader interactions
10 Replies to “The Insider Threat Will Eat Your Babies”
[…] was planning to talk about one of my favorite resources in my blogroll, Securosis. This post about the insider threat reminded me about it. Look at these remarks from Mr. Mogull and […]
[…] Uma ótima sugestão de inclusão em seu blogroll: o blog Securosis.com que, como o próprio autor descreve, trata-se de uma desordem mental caracterizada pelo cinismo, paranóia e a estranha compulsão de proteger objetos aleatórios. Aproveite para ler este post sobre “ameaças internas”. […]
I think we’‘re all in agreement- what I was trying to address is the marketing FUD around some nebulous “Insider Threat”, as opposed to good security practices to effectively apply controls on insiders without interfering with business.
“Insider Threat” is probably one of the most abused terms in infosec today, and I didn’‘t mean to imply that there isn’‘t any risk from insiders- just take a look at the recommendations. I think we need to focus on business process, not new security tools, to reduce insider risk.
OK. I thought the original piece argued that the Insider Threat is over-rated which I don’‘t agree with at all. There’s more to it than FUD. You’‘re dead right about it being unreported and often undetected. Internal fraudsters and hackers, for example, typically exploit control weaknesses and loopholes to conceal or disguise their activities. If insider abuse is discovered, it’s often brushed under the carpet. Managers hate to admit that their staff may have been abusing privileges because this implies inadequate supervision and misplaced trust. Wayward managers are a particular problem because they mostly self-supervise apart from fleeting audits, and they often have the widest access to systems, data and information in general.
Sorry, I’‘ll stop preaching to the choir now! I wrote a security awareness module on this topic a few months ago and found it fascinating to research. We followed-up with another module on outsider threats such as industrial espionage and competitive intelligence – another interesting area.
G.
Gary,
If you read my entire comment, then you know we’‘re in agreement. What I meant to point out is that most of what’s going on in terms of insider threat is unreported, often undetected. It’s easy to focus on the big, publicized breaches (a la Fidelity) but this is not representative of the nature of what we’‘re dealing with here.
@Rani,
“One last point, which is often missed – most of the intentional, malicious insider stuff is small potatoes.”
Unfortunately those small potatoes add up to more than $300+ billion a year according to the Attorney General of the US. Small businesses are also less likely to be able to survive a major hit, as opposed to a larger enterprise.
@ Gary,
Your overall post is sound, but I agree with you that the overall degree of internal controls for insider abuse generally remain lacking, or absent altogether. New organizations routinely hand over the keys to the kingdom to new hires that they barely know. Depending on the sensitivity of the data to be protected, systems should be able to protect data even if VERY TRUSTED personnel have been compromised.
Fine-grain access control at the datafile level on a per user basis can prevent both insider and outsider breaches.
I beg to differ.
The “Insiders” of insider threats are materially different from “Outsiders” such as hackers, competitors and the NSA. They are employees with privileged internal access to information (not just IT systems), numerous opportunities to probe controls without much fear of retribution, and all sorts of motivations to defraud or steal their employer’s information assets. Generally speaking, Insiders are “trusted” which means the organization settles for weak or missing controls that they would not tolerate for Outsiders.
Many technical and non-tech controls apply to Insiders but not all of them apply to Ousiders – some controls (e.g. employee anti-fraud controls, security awareness and ‘‘divisions of responsibility’‘) are intended and designed specifically to prevent or detect insider abuse.
Outsiders who breach the network or physical perimeters are still at a disadvantage relative to Insiders with legitimate access to the network, application systems, data and a raft of corporate information. If the infosec people are focused on Outsiders, they leave the door open to abuse from Insiders. A balanced approach is entirely appropriate, reflecting the risks from Insiders AND Outsiders.
Kind regards,
Gary
[…] [5] Menção do YSTS pelo Augusto Paes de Barros […]
[…] [14] The Insider Threat Will Eat Your Babies […]
There is a lot of FUD around the insider threat, and abuse rampant. You did not even have to go into the blatantly misleading uses of CSI data theft statistics. But I tend to think of the FUD as a reaction to market that has seen increased spending on facilities that are blind to the problem, and the vendor community as one of the major sources of FUD as a frustrated outcry. The meaningless blanket term has raised awareness and invited a dialog about what should be done and where best to spend resources. I am not ready to throw the term onto the scrap pile of misleading slogans (like ‘‘war on terror’‘) as consumer awareness of helpful products like Data Leakage Prevention is just now reaching the main stream.