Are insider threats more prevalent than externally-initiated attacks? Michael Kassner doubts that it's true any more and explains why.
While researching a different project, I came across some surveys, in which analysts were disagreeing with the commonly held idea that most security breaches are the work of insiders. That sure caught my attention especially since I just read a NetworkWorld article that mentioned:
"According to the Computer Security Institute (CSI) in San Francisco, California, approximately 60 to 80 percent of network misuse incidents originate from the inside network."
It became clear while doing research for this post that not everyone is in agreement with who would be considered an "insider". Or for that matter what a security breach amounts to. Before getting any deeper into the discussion, I'd like to submit some definitions for your approval.Define insider
The National Threat Assessment Center (division of the U.S. Secret Service) and Carnegie Mellon University's Computer Emergency Response Team (CERT) are partners in an ongoing research project called Insider Threat Study. That's quite a team and I have no problem using their expertise to create the following definitions:
- Insiders: Consists of current/former employees and contractors that have permission to access an organization's computer systems and network.
- Security breach: Defined as a situation where an individual intentionally exceeds or misuses network, system, or data access in a manner that negatively affects the security of the organization's data, systems, or operations.
If you remember, the NetworkWorld article used a Computer Security Institute (CSI) quote. This makes a lot of sense as the CSI group and the Federal Bureau of Investigation (FBI) have been sharing research about computer crime since 1996. Starting in 2001, they began publishing comprehensive annual reports that are packed full of information about security breaches.Not what it seems
"Conventional wisdom says 80 percent of computer security problems are due to insiders."
I remember when I first read that sentence in the 2001 survey report; I figured I finally knew where the 80 percent everyone is talking about came from. It makes sense if you think about it; insider attacks just have to be easier to pull off.
In my second read through, I realized that's not what the researchers are saying. They're saying things have changed and "conventional wisdom" is wrong as Georgetown's Dr. Denning explained in the report:
"One interesting trend is the shift of perceived threats from insiders to outsiders. For the first time, more respondents said that independent hackers were more likely to be the source of an attack than disgruntled or dishonest insiders."
OK, now I'm confused. Hang on though, the infamous 80 percent shows up yet again when the 2001 survey report quotes Dr. Eugene Schultz:
"Unfortunately, a lot of this confusion comes from the fact that some people keep quoting a 17-year-old FBI statistic that indicated 80 percent of all attacks originated from the inside."
So that's where the 80 percent came from. Still, that percentage seems rather skewed when considering today's technology. Thankfully, Dr. Schultz confirms that by mentioning:
"When this statistic was first released, it was almost certainly valid, the computing world at that time consisted to a large degree of mainframes and stand-alone PCs. Today we have a proliferation of network services (most notably worldwide Web service) available to the entire Internet community, a truly target-rich environment for would-be attackers."
That certainly puts it into perspective. All pointing to why the CSI/FBI team's research is showing that the number of external attacks is on the rise as the following graph shows (courtesy of CSI/CMP):
So why is the 80 percent insider rule still alive and well today as evidenced by the NetworkWorld article I mentioned earlier? Especially since CSI is being used as a reference source. Trying to understand, I read the most recent CSI/FBI Computer Crime and Security Survey (2008) to see if anything changed.
Fortunately, the CSI/FBI research team continued to use the same format, asking respondents to estimate the percentage of internal attacks they encountered. The following graph shows the results (courtesy of CSI/CMP):
The graph clearly shows that the survey respondents believe most security breaches were initiated from outside their organization. I'm not sure if that's the case with every organization, but I'm willing to bet that most network administrators have experienced a fairly dramatic uptick in external attacks this past year.Not that simple
I also submit that determining the point of origin isn't that simple. For example, what about an external attack that successfully penetrates a network. At that point does it change to an insider attack? Not if you take my definition of insider literally, but the perimeter has been breached and the attacker obviously has elevated access privileges. Doesn't it then have all the appearances of an insider attack?Different point of view
This past weekend, I had a chance to discuss this article with a friend, who happens to be a security analyst. I'm glad I did as he introduced a totally different viewpoint that I want to share with you.
First, he reminded me that reporting or even admitting to a security breach is a sensitive subject and not something most organizations are anxious to do. Second, he pointed out that everyone has their own agenda. For example:
- Equipment, software, and service vendors will elevate the threat vector that helps them sell their products.
- Companies may prefer to blame the security breach on outside threats rather than employees. It's a lot less incriminating.
- Organizations that deal in IT security will try to invoke any sense of alarm as it justifies their existence.
Interesting to say the least and I agree that these considerations would play a part in how an organization responds.Final thoughts
I have a few points that seem to stand out:
- I agree with the CSI/FBI survey results that indicate external security breaches are more prevalent.
- I feel that internal security breaches are much easier to accomplish.
- Internal security breaches are more costly in terms of what is stolen and the resultant repercussions.
I'm not sure if my last point is true any longer. Recent news about external security breaches resulting in terabytes of Department of Defense data being stolen seems pretty significant.
Security breaches are a complicated and controversial subject to be sure. What I've presented is just one opinion and we all know that more is better when it comes to opinions. So, please let me know what you think.
Worried about security issues? Who isn't? Delivered each Tuesday, TechRepublic's IT Security newsletter gives you the hands-on advice you need for locking down your systems and making sure they stay that way. Automatically sign up today!