
Myth or not: Most security breaches originate internally

Are insider threats more prevalent than externally-initiated attacks? Michael Kassner doubts that it's true any more and explains why.

While researching a different project, I came across some surveys in which analysts disagreed with the commonly held idea that most security breaches are the work of insiders. That sure caught my attention, especially since I had just read a NetworkWorld article that mentioned:

"According to the Computer Security Institute (CSI) in San Francisco, California, approximately 60 to 80 percent of network misuse incidents originate from the inside network."

It became clear while doing research for this post that not everyone agrees on who should be considered an "insider", or, for that matter, on what counts as a security breach. Before getting any deeper into the discussion, I'd like to submit some definitions for your approval.

Define insider

The National Threat Assessment Center (division of the U.S. Secret Service) and Carnegie Mellon University's Computer Emergency Response Team (CERT) are partners in an ongoing research project called Insider Threat Study. That's quite a team and I have no problem using their expertise to create the following definitions:

  • Insiders: current or former employees and contractors who have permission to access an organization's computer systems and network.
  • Security breach: a situation in which an individual intentionally exceeds or misuses network, system, or data access in a manner that negatively affects the security of the organization's data, systems, or operations.

Started keeping track

If you remember, the NetworkWorld article used a Computer Security Institute (CSI) quote. This makes a lot of sense as the CSI group and the Federal Bureau of Investigation (FBI) have been sharing research about computer crime since 1996. Starting in 2001, they began publishing comprehensive annual reports that are packed full of information about security breaches.

Not what it seems

"Conventional wisdom says 80 percent of computer security problems are due to insiders."

I remember when I first read that sentence in the 2001 survey report; I figured I finally knew where the 80 percent everyone is talking about came from. It makes sense if you think about it; insider attacks just have to be easier to pull off.

On my second read-through, I realized that's not what the researchers are saying. They're saying things have changed and that "conventional wisdom" is wrong, as Georgetown's Dr. Denning explained in the report:

"One interesting trend is the shift of perceived threats from insiders to outsiders. For the first time, more respondents said that independent hackers were more likely to be the source of an attack than disgruntled or dishonest insiders."

OK, now I'm confused. Hang on though, the infamous 80 percent shows up yet again when the 2001 survey report quotes Dr. Eugene Schultz:

"Unfortunately, a lot of this confusion comes from the fact that some people keep quoting a 17-year-old FBI statistic that indicated 80 percent of all attacks originated from the inside."

So that's where the 80 percent came from. Still, that percentage seems rather skewed when considering today's technology. Thankfully, Dr. Schultz confirms that by mentioning:

"When this statistic was first released, it was almost certainly valid, the computing world at that time consisted to a large degree of mainframes and stand-alone PCs. Today we have a proliferation of network services (most notably worldwide Web service) available to the entire Internet community, a truly target-rich environment for would-be attackers."

That certainly puts it into perspective. All of this points to why the CSI/FBI team's research shows the number of external attacks on the rise, as the following graph shows (courtesy of CSI/CMP):

What about today?

So why is the 80 percent insider rule still alive and well today, as evidenced by the NetworkWorld article I mentioned earlier, especially since CSI is cited as the source? Trying to understand, I read the most recent CSI/FBI Computer Crime and Security Survey (2008) to see if anything had changed.

Fortunately, the CSI/FBI research team continued to use the same format, asking respondents to estimate the percentage of internal attacks they encountered. The following graph shows the results (courtesy of CSI/CMP):

The graph clearly shows that the survey respondents believe most security breaches were initiated from outside their organization. I'm not sure if that's the case with every organization, but I'm willing to bet that most network administrators have experienced a fairly dramatic uptick in external attacks this past year.

Not that simple

I also submit that determining the point of origin isn't that simple. For example, what about an external attack that successfully penetrates a network? At that point, does it become an insider attack? Not if you take my definition of insider literally, but the perimeter has been breached and the attacker now holds elevated access privileges. Doesn't it then have all the appearances of an insider attack?

Different point of view

This past weekend, I had a chance to discuss this article with a friend, who happens to be a security analyst. I'm glad I did as he introduced a totally different viewpoint that I want to share with you.

First, he reminded me that reporting or even admitting to a security breach is a sensitive subject and not something most organizations are anxious to do. Second, he pointed out that everyone has their own agenda. For example:

  • Equipment, software, and service vendors will elevate the threat vector that helps them sell their products.
  • Companies may prefer to blame the security breach on outside threats rather than employees. It's a lot less incriminating.
  • Organizations that deal in IT security will try to invoke any sense of alarm as it justifies their existence.

Interesting, to say the least, and I agree that these considerations would play a part in how an organization responds.

Final thoughts

I have a few points that seem to stand out:

  • I agree with the CSI/FBI survey results that indicate external security breaches are more prevalent.
  • I feel that internal security breaches are much easier to accomplish.
  • Internal security breaches are more costly in terms of what is stolen and the resultant repercussions.

I'm not sure if my last point is true any longer. Recent news about external security breaches resulting in terabytes of Department of Defense data being stolen seems pretty significant.

Security breaches are a complicated and controversial subject to be sure. What I've presented is just one opinion and we all know that more is better when it comes to opinions. So, please let me know what you think.

Comments (79)

greene.data.recovery

I have to deal with this every day. I just canceled a 30K-plus contract because the head guy deleted the security software I had installed on four systems and the server. I had installed the server and was working on bringing everything online (they still needed the VPN router and firewall appliance), but I had secured the system and four of the main billing systems. Because one program wasn't working right, the head guy used the master list I had given him; he had asked for it, and I saw no reason for him not to have it. I'm starting to think Terry Childs wasn't so crazy to lock the SF people out of the servers he took care of, as I was stabbed in the back after working for weeks fixing this office, setting it up, and finding that one system was getting hits in the thousands and the only thing keeping the attackers out was the software I had installed. It showed that the user was not just doing their work but downloading music and other things and going to sites that were unsafe, and this is, or was, one of the main billing systems. I killed the contract because this was medical billing and personal data, and anyone knows that this is very heavily protected by the feds, and this piece blew off everything I did to protect them from getting attacked or giving out data. They will get hacked; it's just a matter of time, and they made it so easy for this to happen, as they did it to themselves by uninstalling software and not installing the hardware they need to do business. Now they will learn the hard way. I have worked for over 33 years in computers and 25 in networks and security, and I have never seen anyone in top management uninstall one of the main programs that protects his systems.
Now, I have had those workers who screw up their security by not letting updates happen, or turning off or even deleting software so they can watch streaming movies or use the company internet to download tons of illegal files. I have stopped that from going on and made sure everyone learned not to do that, but this last contract was just beyond me, and I will not work with people that fail to follow even basic security rules. GC

Kenogami

I got into my company files and recovered files that were lost by a Mac techie who came in twice a week. I don't think he was that good, but he could sell you on what was wrong. NOT. I got all the lost files back, and he was gone the next day. He didn't even know that on Macs you have to do a screen cleanup after a while. Every Mac was so slow you could have coffee and lunch before the next screen would show up. After he was gone, I had to contact my friends to get them to tell me more about Macs. Passwords and breaches, yes, are within. Try Toyota: their password was an employee's name and the date of hire. You could find anyone hired by Toyota and their date of hire on their website. Sorry, it has since been changed. To worry about outsiders is silly; it's insiders or employees that no longer work there.

eagle_90703

That is why the IT department employees will always have a job.

JCitizen

The two or three major breaches we had were social engineering followed up by email attacks. Fortunately, that organization was fully HIPAA compliant, and our perimeter and interior defenses were excellent. The victims of the attack became suspicious and reported the breaches in time to greatly mitigate any damage. In an organization that has great electronic and software defenses, the user factor does become the major focus for security. None of the employees affected by the breaches were immediately aware anything was wrong, but good training tipped the balance. We still caught a small amount of malware through email and web surfing. The type of non-profit organization we had required heavy exposure to the public it served, and internet research was required. White- and blacklisting at the server level helped lower the threat level, but we occasionally had minor infections. There again, this time the particular employees happened to have some personal knowledge about how to recognize malware behavior, and the infections were dealt with rapidly (enterprise anti-virus solutions were not the best back then). We definitely could have done better training on this aspect for our computer-illiterate users, but at that time the internet threat wasn't as bad as it is now. One major change I would have made, had the state not run out of money and laid us off, would have been to improve this, and also application security. This has been the major threat to my office, and if I hadn't been working diligently to patch or remove insecure software, I would have had dozens of major breaches in the past six months. It is remarkable to watch the fight between a well-patched XP, patched applications, and anti-virus, and the latest dangerous malware. That is, if you're lucky enough to witness it first hand and see the positive outcome!!! I was always in awe that I didn't have a BSOD, as the action looked pretty violent (to me anyway)!
I would say that is probably one of the major threats right now, and yes, it is from the inside, but because it is the application you have sitting there in the server that could blow up your whole security model. Sitting there like a time bomb to the unwary IT worker, who may not be aware of vulnerabilities.

bernalillo

I am not a security expert. That having been said, I'm the best my organization has. I am trying to get more security training into my organization alongside thirty other skills. I do not have all the tools I would like, and I truly doubt I could even detect many breaches at this time. I try to implement best practices and fight the inevitable losing battle in employee awareness and habits, but there is a limit to my crime-fighting abilities. I do not consider myself unusual or below average in security, and so I wonder how many successful attacks of all kinds are performed. I suspect that there are many successful attacks that are never even detected. I further suspect that the amateur or sloppy hacker is less skilled and therefore less dangerous and more easily detected (which includes most employees). That leaves the experienced pro as the most dangerous and least likely to be detected, and he is usually outside. Despite what I wrote above, I still consider social engineering to be the most effective attack method. Fortunately, I am not in a business that would be especially attractive to most hackers, but of course that is no guarantee.

thecbob

All the gee-whiz technology and widgets won't protect us from ourselves. That being said, I've always held to the philosophy that most internal breaches are not intentional; most are carelessness: opening attachments from an unknown source, visiting suspect web sites, downloading pictures/utilities, etc. Training the end users on good security practices is often overlooked. I can't count the number of users I've educated and had them respond, "I never knew that!"

Jaqui

It's more that the breached system/network did not have an effective policy in place for security, coupled with ineffective training around it for those authorized to access the system/network. If the system/network has been secured with an effective policy, and those authorized have been trained on working within the constraints, then it is very unlikely that any breaches will occur. Those that do will leave a clear trail if it was an insider-caused breach. The real question is: what is an effective security policy, and how do we train everyone to work with it? The problem with answering it is that an effective policy is very much site specific. There is no general answer that can be adapted easily for every site. There are some very general GUIDELINES that can be used to draft the security policy. Little things like: no one but system admins has admin access; removable media and downloaded files must be scanned for malware before any user can access them; block access to sites that make heavy use of active client-side scripting technologies, since that is remotely hosted executable code that can be an attack vector.

bfpower

I don't have a significant opinion on this, since my knowledge and experience in security is limited. But I appreciate the point of view. Honestly, from what I do know about security and the recent changes in tech culture (as well as in cracking culture), it makes sense to me.

pte39pte39

I think the backbone of the products we use are flawed! Too much is left to the understanding of a very few people. Most would fail a network security test. First close the delinquent product gaps. Then go for the real perps. Anyone who can, probably will, defeat the security for personal reasons. Knowledge is power. Get the model right! Close the gaps.

jwingate

I agree with your points. An aspect of the insider threat that no one wants to acknowledge is how easy it is for insiders to use digital steganography to exfiltrate (i.e. steal) information without fear of detection, because there are currently no tools deployed capable of detecting insider use of steganography. Of course, I am viewed as trading on the FUD factor because I'm a vendor that makes digital steganalysis tools. I've been pretty much a voice in the wilderness for the past 5 years and will likely continue in that mode because of a paradoxical situation... no one wants to believe insiders are using steganography because there is no proof that they are... but there is no proof because no one wants to look for it, because they don't believe insiders are using it! Jim Wingate

JCitizen

I've been lucky enough to work for organizations that will not only fire you for doing such shenanigans, but court-martial you (UCMJ) or prosecute you under HIPAA laws! So I guess I'm spoiled in that way.

greene.data.recovery

I work on computers; I don't try to work on something outside what I know. I do know both PCs and older Macs, as I worked from '99 to near 2001 for Apple as a rework tech, meaning I was on the line working on systems that failed or just didn't work when they were being made. I left them due to, well, Apple being Apple and cutting out people when they wanted their bottom line to look good. My wife was working for a very good Santa Clara company, so I thought I'd look for work there, and somehow the job fair people got my card and called me to look at their Mac farm that did all the ad art and all. They had current G4 systems with Mac clones and an X server, wired wrong as I saw it (all the Macs connected to the main network, then to the X server). The main problem they had was that the Ethernet on the G4 systems was dropping to AppleTalk on one system that was brand new. I looked at the build and made a call to support, and then checked where it was made (yep, it was the same place I had worked, and it was from swing shift; I worked graveyard). We looked at the MB, and this was a board that should not even have gotten out, as those builds had bad Ethernet on them that burnt out and would default to AppleTalk and then just drop. I got them to give me an RMA and took it over to a dealer that could replace the MB for free; the hard part was the board had to be ordered, but it would take like 5 minutes or less to fix it. I gave them the info and told them the system would work for now but the MB was needed. They paid me, and I waited to get a call back to get the system over to replace the MB. The call came a week later (why, I have no clue). I called the job fair people, and they said, "Oh, it's fixed." I said, "What? No, it's a hardware problem; it's not fixed. The board will die, guy, it's not fixed. How did someone fix it?"
The guy on the other end said, "Oh, we just deleted the network program and restarted so it would rebuild the connection." Er, no. The MB tested bad, guys; it's not a software issue. You are working with AppleTalk; that MB is not safe, it has to be replaced. The guy said, "Well, it's working now, so we'll just let it go." I said, "Guy, it's a free fix; it will take like 5 minutes to change out the board." They said it was OK. The head IT guy said, "Sorry, they say it's working, so I guess they don't want the MB changed." Two weeks later, this system burnt up. I told them this would happen, but some guy who was not a Mac tech said, "Oh, just delete the settings and let it reconfigure." This one MB that tested for a KNOWN factory defect: just kill the software and let it fix itself. NO. A few weeks later it burnt up, and I got a call from them. The IT guy asked me why it burned up; I sent him the info as to why, and someone else called me and asked why I did not change the MB. I said, "See the email I just sent you back." He said, "I didn't send them," but said, "Sorry, we didn't follow your advice." They killed 4 clones and 2 more top-of-the-line (at the time) G4s with that fire. They tried not to pay me; I pushed them, and they paid. I think the company folded after a few more years and the loss of the whole ad department due to the systems burning up. I gave them the info they needed and they didn't follow it; they listened to a guy who had never used a Mac before and had never seen the insides of one over a guy who WORKED ON THE LINE for near two years AT APPLE! Clueless, just clueless at how some can BS people just right to screw good advice over. Oh, I found out later the system that the G4 had replaced had also burnt up, I mean on fire with smoke and all. I think it was due to how they had the network wired but could never check it for sure; they had the place set up in a very hacked way at that time, as it was during the dot-com boom. GC

Michael Kassner

I'd hate to work myself out of a job. I guess I could write fiction then.

Michael Kassner

I do everything that you do as well and the bad guys are circumventing all of that. Take a look at the Gumblar attack. It's gaining a great deal of traction right now.

JCitizen

and you have excellent AD group policies, enterprise anti-virus/malware, and the hardware to match, then I agree with you about social engineering. However, I know of few organizations that are at this level. A good way to start your awareness is to use certain tools at home, like Comodo Firewall Pro with Defense+; this effective software firewall will show you how file modifications can become threats, especially during installations. Using a syslog reader from your perimeter firewall at work is another good educating factor. When you see what is being accepted and rejected by the IDS system (assuming you have a good one), this can be a good thing to observe to bone you up on packet traffic and the attendant protocols that do business inside and outside the LAN. For my clients, who are security clueless, I usually start them out on a good gateway with a service that does all this and reports back to the CIO with emails detailing all threat traffic. If they can't afford that, I do the next best thing and recommend the latest hardware that uses good open source firmware that can basically replace that. I deal mostly with SMBs, though; your requirements could be significantly higher.

Michael Kassner

You are doing all the right things. You are aware of the situation, you care, and you are reading/learning at one of the best resources I know of and that's TechRepublic. If you have a specific question, just ask. There are many knowledgeable members here that are more than willing to help. You are absolutely right about social engineering being the most popular way to breach a network.

JCitizen

We had the suspect web-sites threat fairly taken care of, and AD group policy and an excellent spam blocker took care of certain attachments. Training was taken seriously at that organization above all else.

gejones2

To be enforceable, the security policy must be communicated to employees with verification that the policy was read. The policy should communicate the requirement on the employee to protect the assets and resources of the organization. Using any risk analysis method to evaluate the threats and vulnerabilities is the first step to create the security policy. In my experience, senior level managers and corporate board member participation in policy creation and revision activity is very low. This can be seen by the increase in breaches which I believe is due to policy not being enforced from the top down. In addition, the culture of a company also impacts policy creation and enforcement. George E. Jones Jr., CISM, CISSP

C. Swanevelder

Insider or Outsider, Does It Really Matter?
The fact of the matter is that your network will always be vulnerable. You could have an invulnerable system today (which will never happen); tomorrow it will be vulnerable again. With the amount of attacks happening today, you can't afford to be slack with your security by concentrating mostly on either insider or outsider attacks. You must guard equally against both types of attacks. During my Security+ training (and, come to think about it, during my CCNA training as well), I was also informed about the 80% of attacks which come from inside the company. I had a problem with that statistic (actually any statistic; I always wonder who did the research). Once again, does it matter? Even if there is a 1% chance of an attack coming from outside your network, you must guard against it. I'm quite new in IT and have just finished my CompTIA Security+ certification. I still need the most important part of the training (experience). But in my opinion, the only way you could safeguard your network is by ripping out your network, smashing your computer hardware, doing everything by hand, and shredding and burning every document as soon as it leaves your hand. Since no one is going to go this far, you can only try to keep the damage, which WILL happen at some stage, as small as possible.

Michael Kassner

I guess my intent was to inform the members that there's a shift in thinking by the security experts. Yet that shift isn't getting presented to the rest of us. The number of breaches appears to be equally spread between internal and external attacks, and that's a far cry from 80/20.

Michael Kassner

It's important because it gives system admins a better idea of where to focus their limited resources: protecting the perimeter or the internal network.

Michael Kassner

But I'm not understanding. Could you explain "get the model right", please?

Photogenic Memory

I looked up steganography. It's very interesting. Thanks for posting. I found this site that does it for free: http://mozaiq.org/encrypt/ It's an interesting technology. Thanks bro! ALLAH ACKBAR!!( I'm just kidding man, hehe )

ali.iqbalamzt

Very well said, but my point is the same as I mentioned in my post earlier. When we say that security threats are from outsiders, it does not mean that outsiders are supposed to be on the outside of a firewall. An outsider may also be connected to the inside of a firewall, like on your private LAN, and mostly threats from such users are analysed and blocked, so it is normal practice in all secure organizations. Mostly MAC filtering, port security, authentication mechanisms for clients, SSL certificates for application security, and a separate private VLAN for outsiders in a DMZ with IPS connected are used. But still, no one is 100% secure; there is always a chance of possible attacks.

Michael Kassner

Please give us a high-level view of what you are doing.

JCitizen

I must admit I would have a hard time selling this idea too; my CIO would have a hard time believing any of our employees were sophisticated enough to even know what it was, let alone implement it. At my last contract, we had a difficult enough time just training employees how to use a computer in the first place. However, since many of our emails contained many graphic images and video, I wouldn't doubt the employee could be hoodwinked into sending out a package that gathered information automatically, without the user's knowledge.

greene.data.recovery

and from one of the employees, they have not changed a thing and may still be running without protection. I've never seen someone just make a move that could kill their company so fast. I pity anyone that walks in there and thinks it will be easy to fix things fast. They will be just a few days ahead of the law if they get hacked, and to be the IT guy holding the bag when they walk in... OUCH. I was doing a review of a hotel's computer setup. The hotel is old, and what they call the internet is wire and network gear that is patched together. I have pictures; it was scary. They had Ethernet cable that was cut and taped together and no maps or clue as to what box did what. The guy who got the job installed more home gear that replaced some of the bad gear, but the network is open and just ready to hack and take over. It's like you tell people they have a bad setup and it will cost them a bit to fix it, and they go out and find a way to spend less and make it worse. I mean, if you go in and find the hardware is bad or not working, you tell them they give free WiFi to everyone in a 2-mile area and that their credit card system is open for anyone to see, and they say, "How much?" You tell them a good low price and a good way to secure it, and they just get a guy to add more wires and cables and call it fixed... Being cheap isn't smart when it comes to securing your business; it's just stupid. GC

JCitizen

the Mac lovers would jump all over you like you violated their religion or something! :)

JCitizen

that do mitigate some of the hidden web-page threats. This isn't enterprise class, of course, but when I've gone to test pages, I have passed hands down so far. Below is a list and what they do:
  • Secunia PSI - helps me keep applications patched that hidden malware tries to use to take control of the PC. This has saved my bacon at least once.
  • SpywareBlaster - blocks ActiveX and uses hosts files.
  • Ad-Aware - I'm not entirely sure how this one works; I've disabled part of Ad-Watch to study the effects.
  • Comodo Firewall Pro - the Defense+ feature can prevent file modifications upon malware introduction. This doesn't usually conflict with good AV. None of these usually do.
  • SnoopFree Privacy Shield - keeps malware from reading your screen and keyboard in the first place (XP only).
  • SiteAdvisor - helps, at least at the minimum, mark sites that have been infected. This one is better than nothing; Symantec's is slightly better in my experience.
  • Adblock Plus - a good killer of bad web servers for Firefox; other good hosts files for IE are available.
I realize these are getting chintzy fast in the expanding threat now, but so far so good for me. Ad-Watch and SpywareBlaster usually block even the hidden files on infected pages; they usually appear as red "X"s on the page, unless they are hidden well, but suddenly change to an X when rolled over or clicked on. I've passed iframe vector test pages too. NOD32 has pretty good IM and email control too. A good password vault for all controlled information can go even further. Windows has a free drive lock program very similar to Faronics Deep Freeze. Have you ever tried it? I don't think anyone can make a permanent change to anything that writes to the hard drive with that technology. Honorable mention goes to the heuristic engine on Malwarebytes Anti-Malware. I have only used it minimally, but I understand it works famously with ESET and Alwil's AV solutions.
I haven't had time to get to that on XP yet. On my Vista x64, I need to get rid of NIS 2009; however, the good password vault and SiteAdvisor are delaying my migration. Believe it or not, it has kept me relatively virus free, with many kudos to the UAC. Many good utilities are now complementary to x64 systems!

Michael Kassner

Keeping all software up to date. I feel that's actually more important with the exploits that are actively being used right now.

Michael Kassner

My question, then, is if training is so important, why are we doing such a poor job of it? What can we do to improve the odds?

RU_Trustified

There is NO security without enforcement. @M Kassner, there are far more potential external hackers using automated scanning of networks, so in terms of probability, there will probably be more external-source attacks that are successful. That said, when an IT person peeks at C-level salaries in personnel files or a hospital clerk peeks at a celebrity health file out of curiosity, that is a breach. When an authorized person with passwords abuses privileges to access or use data in an unauthorized way, that is a breach, but who is going to catch it, or even know about it? How many of these incidents are part of these studies? @Jim Wingate, your points can be extended to the internal attacker in general. No one wants to believe that a trusted insider would betray them, so they bury their head in the sand. @Jaqui, "you can design a security policy to lock down the system entirely, but you wouldn't be able to do anything with the system, so the policy wouldn't be effective. It would be ignored." You are right, of course, but the security impacts usability because the model is broken. We provide mandatory access rules that enforce behaviors, and the security policies are the business rules, making them intuitive. @Kassner, re: scarce IT resources. It is neither the perimeter nor the internal network, but both. As the poster said, the model is broken and there are too many gaps to fill. A preferred model might be to start at the core where the crown jewels are kept and govern where they may be released TO.

Michael Kassner

You said it all, George. If upper management isn't on board 120%, it will not work. I've seen that time and time again.

Jaqui

Security and usability are usually at odds. You can design a security policy to lock down the system entirely, but you wouldn't be able to do anything with the system, so the policy wouldn't be effective. It would be ignored. An effective security policy relaxes security for usability, to the level required for the work tasks needed at the site. But no security policy is any good if the staff aren't taught how to work within its constraints. A great tool for teaching the importance of following the policy: let them work with a system completely infested with malware as a part of the training. Let them see what they will have to deal with by NOT following the policy. (Assuming a Microsoft shop.)

Michael Kassner

I agree that when it comes to matters of defense, internal versus external is not exclusively important. What does bother me is something you have seen as well: that the experts aren't telling us the right information. For example, your CEO hears from a friend that 80% of all breaches are internal just before you go and ask for a very expensive firewall. Now do you see a possible problem? I'm trying to fix that.

Jaqui

"trust everyone to screw you over." ;) then any surprises are pleasant ones. :D All that can be done with security is to mitigate risks to an acceptable level. The security policy is least effective from insider breaches, no matter what the policy is. The only truly effective security against them is completely under the control of the Upper management. If the staff / contractors feel good about the workplace, they will have less cause to cause harm.

Michael Kassner

You and I are so totally Q types. I'm interested, so I know you are.

JCitizen

I've never been to the POS technology, but I've always been sceptical that most SMBs (and some big ones) were really secure!

RU_Trustified

I am not offended, as I don't try and sell product on the boards. I try and sell an alternative security model that works. Some might view it as spamming/selling because we developed a proprietary technology around it; it's a fine line. I try and contribute to the topic of discussion. We have a good technology. I figure a few people might be interested in the thinking behind it, as it relates to solving current problems. Contact me through this site and I can point you to the best links etc.

JCitizen

I can always go to the website to read whitepapers on it. You're the only "spammer" I welcome on TR! Hope that doesn't offend you! :) Your posts are always interesting; I will find the time to check that site someday soon. ASAP, to coin the old phrase. I always find the time to read your posts also!

RU_Trustified

It is a bit hard to explain in a limited space, but it does not work the same as traditional approaches. Endpoint device authentication no longer acts as a proxy for authorization. Trustifier's rules specification is owner-centric (user, group, roles) rather than object-centric. Thus, every action should be initiated by someone that has been authenticated onto a trusted node, and the system will govern and track all system and file access requests, and actions, from that point on. Mind you, you can remove the ability for users to load rogue programs if security needs to be tight. You can check the activity of a user in minutes just by calling up the audit traces for "John Smith" or "admin". All actions in a Trustified enclave will be audited by forensically defensible immutable audit logs that can record every single system call if that is what is required. Ultimately, the system will only allow sensitive data to be released to authorized users on trusted nodes, because the receiving system must also enforce the access to those sensitive files. This is the only way that one knows for sure that his sensitive data will remain secure.

JCitizen

Snoopfree Privacy Shield, which is, of course, much simpler, as an I/O firewall for keyboard and video hooks. Am I understanding that you are claiming a process that can actually verify who is initiating an action at the keyboard, or that the keyboard or mouse is even the initiating source (in the first place)?

RU_Trustified

I think you missed the main point. We are talking about trusted operating systems, multilevel security and mandatory access controls. The injected system becomes a TCSEC (Orange Book) B3 reference monitor that meets the requirements of manually verifiable. The system cannot be owned. This is absolutely required for a counter-espionage technology. All system calls and network I/O protocols are governed on a per-user basis as well. This level of security also protects users from themselves, protects against configuration errors and vengeful insiders.

JCitizen

I think I would have increased user malware behaviour awareness. At that organization many of our most talented social workers were not particularly adept at computer science. Many of our breaches were mitigated quickly because, luckily, those particular clients were very aware, and of course HIPAA training didn't hurt. All it would have taken would be to inject a little blurb on the typical "signs you've been had by malware", and we would have been in even better shape.

However, like I said also (somewhere in this thread), the external threat is increasing too, and that is our bailiwick. To me only the best gateway service, and enterprise server settings and AV heuristics can put a dent in the new threats. It is either that or migrate to the newest server and operating system kernels (maybe 64 bit). I realize it is a bit much to expect organizations to investigate FOSS or proprietary open source solutions. But in this economy, with a company that has no application limitations, this may be the most frugal move. Of course my old organization needed Flash, Java, and scripts held intact to do their mission. In other companies, this may not be the case. So a little extra internal training wouldn't hurt.

I guess, just to quit dancing around the subject, it seems to me it depends on the organization whether the internal threat or external threat is the focus. In my office it is the external threat, because I always have used full open browsing, and I can only cotton the best security measures to prevent disaster. Everyone else's experience may be different. In my area here, business has been looking primarily at external threats; but we do state internal investigation service checks on the folks most people hire around here, and a credit check at minimum for them to be hired. Former military clearance gets first pick on the job. Definitely calls will be placed on former employers. With that kind of criteria on employees, you don't have near as much to worry about on internal affairs.

Michael Kassner

To file access though. I'm concerned about a vulnerability being exploited, a keylogger being installed, and phoning home with encrypted traffic on port 80.

RU_Trustified

The result of the injection of internal controls is the addition of a previously missing authorization component, post-authentication, that provides kernel-level behavior enforcement that acts proactively to effectively neutralize attacks by insiders and unauthorized malware/programs. The lack of authorization is the reason why malware continues to breach systems; without enforcement, there is no security. Trustifier acts as a universal application firewall between the system call gate and the entire user space to neutralize software vulnerabilities, not by AV filtering, but by combined deterministic (hard) and stochastic (soft/fuzzy) behavior enforcement in the kernel to govern and stop previously unseen executables, with context for allow or deny decisions provided by the rules of the business operations. In short, the system becomes least privilege and default deny. If a business rule states that a certain 3 people are allowed specific file access, only those 3 will have file access. If one of the 3 tries to pass on that file, in whatever state, to someone not one of the 3, the behavior will be disallowed.

Michael Kassner

As far as I can see, your model handles most exploits better than other methods. My concern is the new type of exploits that focus on zero-day vulnerabilities. There is no defense for those, and the typical result is the installation of a keylogger and the capability to send encrypted packages to the C&C server. Unless I'm mistaken, even your approach will not effectively handle that style of exploit.

RU_Trustified

We create the path of the user to the data, based on user roles and trust relationships within and between user groups (the business rules). There is a subtle difference. We can create caveated access privileges, but it keys on the users, not the data. So how would it help with botnets? If you have an injectable technology that makes systems resistant to unauthorized privilege escalation, well, what botnets? Likewise, when you have an MLS technology that governs access at the data file level, it would depend on the level of the workstation user. You can social engineer the password of a level one clerk, but the most you might gain would be clerk one data. Once you have said data, you would not be able to do anything with it if it violated a business rule, like release it to someone who did not have access privileges to it, like anyone outside of the user/work group. It changes the model, and it is an amazing turn around.
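The default-deny, user-centric rule model described in the two RU_Trustified comments above (the "only those 3 may read or pass on the file" rule, the clerk whose stolen password yields only clerk-level data, and the per-user audit trace) can be sketched as a toy reference monitor. This is an added illustration, not Trustifier's code; every user, level, path and rule in it is constructed for the example.

```python
"""Toy reference monitor illustrating the default-deny, user-centric rule
model described in the thread (added example, not Trustifier's code).
All names, levels and rules are constructed for the illustration."""
from dataclasses import dataclass, field

@dataclass
class Monitor:
    levels: dict   # clearance level per authenticated user (constructed)
    rules: dict    # business rules: file -> set of users allowed to read it
    labels: dict   # sensitivity level per file
    audit: list = field(default_factory=list)

    def _log(self, user, action, target, decision):
        # Every decision is recorded, so a per-user trace can be pulled later.
        self.audit.append((user, action, target, decision))
        return decision == "allow"

    def read(self, user, path):
        # Default deny: the user must be named in the rule for this file
        # and hold a clearance at or above the file's label.
        allowed = (user in self.rules.get(path, set())
                   and self.levels.get(user, 0) >= self.labels.get(path, 99))
        return self._log(user, "read", path, "allow" if allowed else "deny")

    def release(self, user, path, recipient):
        # Passing the file on is disallowed unless the recipient is also
        # named in the rule; the sender's own access is not sufficient.
        ok = self.read(user, path) and recipient in self.rules.get(path, set())
        return self._log(user, "release->" + recipient, path, "allow" if ok else "deny")

    def trace(self, user):
        # "Call up the audit traces" for one user.
        return [e for e in self.audit if e[0] == user]

def demo():
    m = Monitor(levels={"alice": 2, "bob": 2, "carol": 2, "clerk1": 1, "mallory": 2},
                rules={"/hr/salaries.csv": {"alice", "bob", "carol"},
                       "/front/desk.txt": {"clerk1"}},
                labels={"/hr/salaries.csv": 2, "/front/desk.txt": 1})
    results = {
        "insider_read": m.read("alice", "/hr/salaries.csv"),                 # True
        "peek_denied": m.read("mallory", "/hr/salaries.csv"),                # False
        "release_outside": m.release("bob", "/hr/salaries.csv", "mallory"),  # False
        "release_inside": m.release("bob", "/hr/salaries.csv", "carol"),     # True
        "stolen_clerk_pw": m.read("clerk1", "/hr/salaries.csv"),             # False
        "clerk_own_data": m.read("clerk1", "/front/desk.txt"),               # True
    }
    return results, m
```

Calling `demo()` returns the decision map and the monitor; `demo()[1].trace("bob")` shows the read and release decisions logged under that one user.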

Michael Kassner

Securing the data is the path being taken now in an attempt to reduce security breaches. Still, I don't see how that will help with botnets and exploiting workstations. I view this problem as similar to the others throughout history that still haven't been solved. It's the good versus bad thing, and unless there's some sort of amazing turn around, I don't see anything changing in the near future.

Michael Kassner

I learned real quick to CMA ten different ways to avoid what you mentioned.

C. Swanevelder

True. Like you say, it is scary that a lot of people make their decisions by listening to what other people (mostly idiots or with no relevant experience) have to say. A friend's opinion is valued higher than an expert's opinion. And if you are proved right, the CEO will probably say it is still your mistake!

Michael Kassner

I especially like your point about security policies being least effective from insider attacks. That's a crucial distinction.

JCitizen

So I know they can embed malware into pics and videos. One of the worst attacks that happened to me was in one of my old Dells, and it took several years to find the bug. I keep malware under lock and key to research later; I just don't wipe and reinstall like lots of techs. I'm not sure how much I want to know beyond that, as I'm not really a cracker. But curious? Heck yes!?!
