Most folks who work in information security are well aware of the concept of the “insider threat”. There has been quite a bit of press about the fact that while hackers get most of the notoriety from the popular press (especially when they fit the stereotype), insiders actually pose a greater threat to important data.
Likewise, many information security practitioners are at least conceptually aware of the idea of “Threat Risk Modeling”, i.e. focusing resources on the risks that are most likely to happen and that pose the greatest potential for loss or damage.
Putting those two together, one would reasonably assume that many responsible for information security are putting a good amount of their resources and efforts into countering that inside threat, right? But even if that’s the case, is stopping a malicious insider really the best and most effective place to put countermeasures?
In an interesting post by Nicki Wallace on RSA’s “Speaking of Security” blog, she discusses the differentiation between the insider threat, and insider risk:
“Deliberate insider threats are caused by employees who actively set out to exploit an organization’s security vulnerabilities, to cause harm or for personal gain….[However,] organizations cannot afford to turn a blind eye to the wider insider risk from employees who accidentally or negligently cause vulnerabilities to data or system security. [Emphasis mine]”
She links to a survey by CompTIA that finds that human error and negligence are actually – or should be – bigger concerns to companies. These situations are generally where the intentions of the insider can actually be noble: bringing the work with them so that they can get more done. In doing so, the laptop, USB key, or some other media containing sensitive data is lost, misplaced, etc.
Michael Santarcangelo addresses this specific concept in “Into the Breach” and follows through with methods for increasing security awareness with the individuals who “own” the data, which is very often not the IT security guy/gal. He talks about how companies can make those data owners more aware and responsible for their actions, which ultimately will minimize those same individuals putting themselves into situations where these oversights can occur.
That all being said, where are you focusing your efforts and resources? Are you and/or your company still focusing on using the traditional technology-centric means of dealing with threats – internal and external – while possibly missing out on where the real risks may actually be?
True! But security management also includes data security. Many organizations keep losing their data in risky ways. A real security revolution would include that as well.