Stop Thinking Hacker, Start Thinking Insider
By Adam Dodge
For this post, let’s ignore my thoughts (read: strong bias) that information security is about reducing the overall risk to information within an organization to acceptable levels (read: NOT about technology). Okay, perhaps that was a bit more like “announcing” my thoughts then “ignoring” them, but let’s just move along.
In The Daily Incite of November 29, 2006, Mike Rothman mentions this question posted on Dr. Anton Chuvakin’s personal blog: “So, what do you think security is about: fighting nefarious hackers or protecting information?” As you can tell from the opening paragraph, I personally lean toward Chuvakin’s option B.
However, many people I talk to, both security professionals and non-security professionals, agree with Chuvakin’s option A. There are valid reasons for holding this view: unprotected computers tend to last mere minutes on the Internet before being compromised, and news reports are filled with stories of nefarious hackers causing untold amounts of damage. Even the 2005 E-Crime Watch Survey seems to back up option A.
According to the survey findings, only 20% of attacks came from insiders while 80% came from external hackers. Normally a discrepancy this large would not require further discussion; a 4-to-1 ratio is simple enough to understand. However, looking at which attacks insiders launch versus which attacks external hackers use against organizations reveals a different picture altogether.
Here are a few of the types of crimes that insiders were more likely to commit than external hackers:
- Rogue Wireless Access Point (72%)
- Theft of Intellectual Property (64%)
- Exposure of Private or Sensitive Data (56%)
- Theft of Other (proprietary) Information (55%)
In addition, insiders were almost as likely as external hackers to commit Unauthorized Access to Information, Systems or Networks (54%).
Compare this with the crimes external hackers were most likely to commit:
- Phishing (92%)
- Web Site Defacement (92%)
- Spyware (89%)
- Illegal Generation of Spam E-mail (89%)
[This information can be found on page 19 of the 2005 E-Crime Watch Survey’s Summary of Findings]
While the sample size for this survey, around 550 organizations, is too small for specific conclusions to be drawn, a few generalities become apparent from the figures above. Hacker attacks, according to these findings, are aimed at computer users (spam, phishing, spyware, etc.) and at technical infrastructure (web site defacement). Insider attacks center almost exclusively on an organization’s information: theft, exposure and unauthorized access.
The problem with Dr. Chuvakin’s option A, then, is that it ignores the threats to organizational information posed by the very individuals who have authorized, unfettered access to the information they are attacking. That authorized access is exactly why malicious insiders are so dangerous to an organization. Unlike external hackers, insiders do not have to spend countless hours footprinting an organization looking for open ports that might lead to a way in; they simply enter their own password. Nor do insiders need to work through computer after computer hoping to find something valuable; they already know where a good bit of the critical or sensitive information is stored.
Insiders do not even need to be disgruntled or have ulterior motives. Valid access to vital information means that even simple mistakes by insiders can have serious impacts on an organization’s information assets. Here are just some of the accidental employee mistakes that can end up costing an organization: a misplaced decimal point in a spreadsheet, critical files stored locally with no backup, or a lost laptop or PDA holding critical and/or sensitive data.
None of this should be taken to mean that organizations should stop worrying about external hackers. Quite the contrary: external threats remain as real as they have ever been. Instead, organizations need to understand that many threats to information come from inside the organization, and the insider threat can no longer be ignored simply because an external threat also exists.
Here are a few things organizations can begin to do to help protect against insider threats to information:
1. User training helps organizations teach employees how to properly handle information assets. (See Joe Knape’s “What We Have Here… Is A Failure To Communicate” post on starting an effective user awareness training program.)
2. Internal control programs help organizations create organizational policies and procedures dealing with approved ways to access, store, archive, and disseminate information.
3. Annual information audits help organizations identify where current employee behavior differs from established policy and procedures, exposing information to risk.
Posted in Information Protection
Rob said,
December 18, 2006 @ 5:39 pm
So what would be the value and net effect of a security model that worked post-authentication inside the network to deliver user-centric security in a MLS/TOS, deny-by-default environment? You would have protection against inside attackers, and unauthorized external access attempts would just fall off the system as non-events, correct?
I liked that you included user error. Such solutions must also protect users “from themselves”.
AdamDodge said,
December 19, 2006 @ 8:20 pm
Rob,
You pose several questions here, so let me see if I can take them one at a time. I see that you have posted very similar comments on other blogs, so I will attempt to offer different answers so as not to simply repeat what others have said to you.
One of the serious problems, in my opinion, with a whitelist (“deny-by-default”) environment is that while it does a good job of stopping unwanted activity before it starts, it does a bad job of identifying unwanted activity if it occurs. This is based on the fundamental concept that only authorized, or whitelisted, activity is allowed to occur. Therefore, any activity occurring must be authorized. Of course, this is not always the case. I am not saying that whitelists do not have their part in security, but there must be additional controls to identify unwanted activity.
You mention the implementation of a multilevel security on trusted operating systems (MLS/TOS) and ask the value of such an implementation. I have to respond that this value is most likely very poor for most organizations. Most organizations today do not require this level of security and therefore are not willing to pay for it. In addition, the severe restrictions such controls place on information can be contrary to an organization’s business environment. For example, I work in education and the ability to easily share information is at the foundation of what it is the organization does. (Side Note: This is also why security in education is often a very difficult sell.)
The idea of implementing technical controls to overcome human error will most likely bankrupt many businesses. Ever-increasing complexity always requires an ever-increasing cost in terms of time, money and resources. There is also the chance that some key control will be overlooked, thus rendering all of the other controls worthless. An example I like to use is this: a 20 million dollar computer/network/information security system can be defeated with a 35 cent phone call if you don’t train your users not to give out information or their passwords over the phone.
Adam
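The point made in the reply above, and in the post itself, is that a deny-by-default allowlist only decides whether an access is permitted; it says nothing about whether a permitted access was wanted, which is exactly the blind spot an insider with valid credentials sits in. The following is an added example, not code from the original post or its comments, showing the two halves that the reply says must go together: an allowlist check that records every decision, and a separate review step over that audit trail that flags activity the allowlist let through but which looks nothing like a user’s normal day. The users, resources, baselines and thresholds are constructed for the demonstration.

```python
"""Deny-by-default authorization with an audit trail, plus a detector for
activity that was permitted but is out of line with normal use.

Added example. All names, resources, baselines and thresholds below are
constructed for illustration and are not taken from the post or the survey.
"""
from collections import Counter
from datetime import datetime

# Constructed allowlist of (user, resource) pairs. Anything not listed is
# denied. This is the "whitelist" half: it stops unwanted activity up front.
ALLOWLIST = {
    ("alice", "hr/payroll.xlsx"),
    ("alice", "hr/salaries.csv"),
    ("bob", "eng/design.pdf"),
}

# Constructed baseline: typical number of permitted reads per user per day,
# the kind of figure one would learn from a prior month of audit logs.
BASELINE_PER_DAY = {"alice": 4, "bob": 6}


def authorize(user, resource, audit_log, when=None):
    """Deny-by-default decision that records every outcome.

    The record is the important part: once an access is allowed, the allowlist
    has nothing more to say about it, so later review has to work from here.
    """
    when = when or datetime.now()
    allowed = (user, resource) in ALLOWLIST
    audit_log.append({
        "ts": when,
        "user": user,
        "resource": resource,
        "decision": "ALLOW" if allowed else "DENY",
    })
    return allowed


def flag_excessive_authorized_use(audit_log, baseline, factor=3):
    """Return {user: count} for users whose ALLOW count on a single day
    exceeds factor * baseline. Every one of these events passed the allowlist,
    so enforcement alone would never have surfaced them."""
    per_user_day = Counter()
    for event in audit_log:
        if event["decision"] == "ALLOW":
            per_user_day[(event["user"], event["ts"].date())] += 1
    flagged = {}
    for (user, _day), count in per_user_day.items():
        if count > factor * baseline.get(user, 0):
            flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def flag_repeated_denials(audit_log, threshold=5):
    """Return {user: count} for users with more than `threshold` DENY events:
    an outsider probing, or an insider reaching beyond their allowlist. These
    are the attempts the reply describes as 'falling off the system'; they are
    still worth counting."""
    denies = Counter(e["user"] for e in audit_log if e["decision"] == "DENY")
    return {user: n for user, n in denies.items() if n > threshold}


def run_demo():
    """Constructed day of activity: one normal user, one insider whose every
    access is permitted but far above baseline, and one outsider who is
    denied every time."""
    log = []
    day = datetime(2006, 12, 19, 9, 0)
    # bob: five permitted reads spread over the morning, within baseline
    for hour in range(5):
        authorize("bob", "eng/design.pdf", log, when=day.replace(hour=9 + hour))
    # alice: twenty permitted reads of the salary file within one hour
    for minute in range(20):
        authorize("alice", "hr/salaries.csv", log, when=day.replace(minute=minute))
    # mallory: not on the allowlist at all; every attempt is denied and logged
    for minute in range(8):
        authorize("mallory", "hr/payroll.xlsx", log, when=day.replace(minute=30 + minute))
    return (
        flag_excessive_authorized_use(log, BASELINE_PER_DAY),
        flag_repeated_denials(log),
    )


if __name__ == "__main__":
    excessive, denied = run_demo()
    print("permitted but excessive:", excessive)   # alice only; bob stays quiet
    print("repeatedly denied:", denied)            # mallory
```

The allowlist alone would report nothing about alice: all twenty reads were authorized. Only the second pass over the audit trail, comparing permitted activity against a baseline, surfaces her, which is the "additional control" the reply argues for. A volume threshold is the simplest such check; the same log supports others (access outside working hours, resources a user has never touched before) without changing the enforcement side.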
Security Catalyst » Blog Archive » Breach vs. Incident: Semantics or Something More? said,
July 11, 2007 @ 3:23 am
[...] are, at the very least, just as dangerous as “breaches” by external attackers. I have written a few times about the insider threat faced by organizations. Studies have continued to prove that [...]