24 June, 2008

Insider threat exaggerated??

from: http://dutcherstiles.blogspot.com/2007/02/plural-of-anecdote-is-boring.html

According to Verizon's 'Data Breach Investigations Report,' the insider threat is exaggerated. I'm not really sure I understand what they're trying to say, but I'm with Schneier on this; there are a lot more outsider attacks, so naturally the number of incidents directly attributed to outside attacks is higher, but really you can't quantify this type of thing. The insider threat is a serious one, and even though the article states, "When internal hacks occur, they tend to be nastier..." that hardly does the issue justice.

I get the sense that this report diminishes the severity of the insider threat, something I really don't understand. The biggest difference is that an insider already knows something about what he/she is attacking, and presumably already has access to the network. Those are two _huge_ advantages right there. I remember looking at the main SAN for a former employer and finding all sorts of very sensitive financial information out there for the taking. The only things I needed were access to the network and very general knowledge of where this info might be.

Companies still follow the 'crunchy on the outside...' idea, right? For me, it boils down to defense in depth again and again. If an organization prepares awesome boundary defenses, great! But if/when someone does get in, the internal environment should be locked down as well. There's a problem with this though: having high confidentiality, integrity, and availability is tough. Tradeoffs must be made, so I guess Verizon's report is advocating trading the insider threat for a more secure boundary. The more I think about this, the more I think this is more complex than I initially thought. In any event, I question the usefulness of this report since it doesn't really say anything useful or even interesting.

2 comments:

WHBaker said...

Jens - Have you read the report? If you are putting it in the "not useful" bucket due to the insider vs outsider thing, I'm thinking you have not. It covers a great deal beyond that. Besides, the words "insider threat exaggerated" never appear in the report. That is a media interpretation of our results that has been spreading. I'll post my comments to Schneier's blog:

"I'm one of the authors of the report and I'd like to comment on a few questions and statements I've seen so far. As to why a telecom is issuing this type of report, it comes from the security solutions group within Verizon Business which was formerly Cybertrust. We are the principal investigators on a large proportion of publicly disclosed data breaches. Secondly, the insider vs outsider topic which has grabbed everyone's attention. We looked at three sources of data breaches - external, internal, and partner. Sure, some people consider trusted partners as insiders but we thought distinguishing between the two might be helpful for many reasons. Since risk is the product of likelihood and impact, we sought to measure each separately (keep in mind we're talking data breaches, not attacks or general security incidents). Outsiders were the most likely, followed by partners then insiders. Investigators don't typically measure the total financial impact of a breach but they do measure the size (in terms of # of records compromised) so we used that as our pseudo measure of impact. Insider breaches were typically much larger (median # of records) than outsiders, with partners somewhere in the middle. When you multiply likelihood and impact, partners represented the greatest risk within our caseload. Finally, we do think such analysis is helpful in prioritizing efforts to reduce risk. For instance, we often found partner-facing controls to be non-existent. Perhaps organizations that have been neglecting such risks will divert some resources to controlling them after reading these results. Thanks for the comments - I'm glad the report is being discussed."

Jens "jdm" Meyer said...

whbaker - Thanks for the response! Yes I did read the report, and I re-read it after reading your comment. I will concede that 'insider threat exaggerated' is a media interpretation and an oversimplification, but a more appropriate title might be 'Insider threat understated.' To be clear, I'm not placing this in the 'not useful' bucket, but am questioning the utility of this report. My main complaint is that there isn't enough detail! This seems to be an executive overview and statistical analysis, and while it does contain some interesting information (I removed a small part of the post, I was in a bad mood), I don't believe it reveals anything new. If this is designed to be an overview then the report is very successful. Am I missing something?

As I stated, I'm not sure I fully 'get it.' Part of my confusion is due to the categorization of business partners, as you addressed in your comment on Schneier's blog. They are semi-trusted, but also a separate OU not necessarily under the control of the affected organization. While the report tries to define why a distinction is made, for me it only makes it harder to understand where the statistics are coming from and what they actually indicate. Especially since the pseudo-risk associated with business partners is the highest of the three categories, and the most common compromise of business partners leading to data breach is external.

If I could trace my feeling of minimization of the insider threat to one place in the report, it would be page 11 at the pseudo-risk calculation. Only one page earlier does the report state, "This finding... should be considered in light of the fact that insiders are adept at keeping their activities secret." I was happy to see this, but dismayed that it isn't mentioned or accounted for again in the report, especially since the pseudo-risk calculated for insiders is fairly close to that of business partners.

To summarize, the results/statistics seem obfuscated to some degree due to the strange nature of business partners, which makes it difficult for me to understand the statistics; this ultimately makes me feel as though the insider threat is understated in the report. Further, there is not enough information in the report to analyze the statistics or to otherwise more successfully grasp their origins. However, I will admit that I was a bit unfair in my evaluation of the report at first read and for that I apologize.
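The two comments above argue over the report's "pseudo-risk" calculation: likelihood taken as each source's share of the caseload, impact taken as the median number of records per breach, and the product used to rank external, partner, and internal sources. The script below is an added example, not code from the post, the commenters, or the Verizon report, and the caseload in it is constructed so that the ranking comes out the way the report describes (partner highest, insider close behind, external lowest). It then applies the caveat Jens raises about insiders being adept at keeping their activities secret: an assumed under-detection factor (a hypothetical parameter, not a figure from the report) adds unobserved insider cases at the observed insider median and shows how the ranking changes.

```python
from collections import Counter
from statistics import median

# Constructed caseload of (source, records_compromised) pairs.
# These are illustrative numbers only, not data from the report.
CASES = [
    ("external", 5_000), ("external", 12_000), ("external", 800),
    ("external", 30_000), ("external", 2_500), ("external", 7_000),
    ("external", 15_000), ("external", 1_200), ("external", 9_000),
    ("external", 4_000),
    ("partner", 60_000), ("partner", 250_000), ("partner", 90_000),
    ("partner", 40_000),
    ("internal", 100_000), ("internal", 160_000),
]


def pseudo_risk(cases):
    """Per-source likelihood (share of cases), impact (median records)
    and their product, following the scheme described in the thread."""
    counts = Counter(source for source, _ in cases)
    total = len(cases)
    result = {}
    for source, count in counts.items():
        likelihood = count / total
        impact = median(n for s, n in cases if s == source)
        result[source] = {
            "likelihood": likelihood,
            "impact": impact,
            "risk": likelihood * impact,
        }
    return result


def rank(risks):
    """Sources ordered from highest to lowest pseudo-risk."""
    return sorted(risks, key=lambda s: risks[s]["risk"], reverse=True)


def with_undetected_insiders(cases, factor):
    """Sensitivity check (hypothetical): assume only 1/factor of insider
    breaches were ever detected, and pad the caseload with the missing
    ones at the observed insider median so impact is unchanged and only
    likelihood moves."""
    insiders = [n for s, n in cases if s == "internal"]
    missing = int(round(len(insiders) * (factor - 1)))
    return cases + [("internal", median(insiders))] * missing


def report(cases, title):
    risks = pseudo_risk(cases)
    print(title)
    for source in rank(risks):
        r = risks[source]
        print(f"  {source:<9} likelihood={r['likelihood']:.3f} "
              f"impact={r['impact']:>10,.0f} risk={r['risk']:>10,.1f}")


if __name__ == "__main__":
    report(CASES, "As observed:")
    # Assume half of insider breaches went undetected (factor 2.0).
    report(with_undetected_insiders(CASES, 2.0),
           "Assuming 50% of insider breaches were never detected:")
```

With the observed caseload the ranking is partner, internal, external, and the insider figure sits close behind the partner figure, which is the situation both comments describe. Doubling the assumed insider case count moves internal to the top without touching the impact estimate, which is the point of the caveat: a likelihood measured only from detected breaches is the weak term in the product, so a ranking built on it should carry that uncertainty along rather than dropping it after one mention.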