Schneier on Security
A blog covering security and security technology.
June 24, 2008
IT Attacks: Insiders vs. Outsiders
A new study claims that insiders aren't the main threat to network security:
Verizon's 2008 Data Breach Investigations Report, which looked at 500 breach incidents over the last four years, contradicts the growing orthodoxy that insiders, rather than external agents, represent the most serious threat to network security at most organizations.
Seventy-three percent of the breaches involved outsiders, 18 percent resulted from the actions of insiders, with business partners blamed for 39 percent -- the percentages exceed 100 percent due to the fact that some involve multiple breaches, with varying degrees of internal or external involvement.
"The relative infrequency of data breaches attributed to insiders may be surprising to some. It is widely believed and commonly reported that insider incidents outnumber those caused by other sources," the report states.
The whole insiders vs. outsiders debate has always been one of semantics more than anything else. If you count by attacks, there are a lot more outsider attacks, simply because there are orders of magnitude more outsider attackers. If you count incidents, the numbers tend to get closer: 75% vs. 18% in this case. And if you count damages, insiders generally come out on top -- mostly because they have a lot more detailed information and can target their attacks better.
Both insiders and outsiders are security risks, and you have to defend against them both. Trying to rank them isn't all that useful.
Posted on June 24, 2008 at 6:55 AM
Actually the report and the analytics in it are very interesting, especially the part about "data breach discovery methods".
It all looks like we have more of an organisational problem than a technical one.
Exactly - if you count damages, insider attacks are far worse. They are more extensive and go undetected longer.
A recent poll revealed a third of IT personnel admit to reading things they had no business reading. Probably just because they can, and because they're bored. Or because they are interested in a person, or angry, or otherwise motivated to snoop. The result is one thing leads to another.
My experience is that most IT personnel somehow think because they CAN snoop, that they have been given the privilege to snoop. One thing leads to another.
There's also the issue of exactly who is an "insider" and who is an "outsider". Where would a contractor fit in here? What about a former contractor who has left some kind of "backdoor"?
I suspect money might be the cause of the change.
A few years ago insiders were mainly motivated by theft or revenge against their employers. Outsiders were after ego food, either owning a machine, vandalising it, or using it as a stepping stone to attack other machines outside of the organisational domain the machine is in.
These days "ego food" attacks are almost a waste of time, and financial theft activity pays good money with apparently relatively low risk. Therefore those with the real ability are after the cold hard cash these days...
I don't agree that "rank[ing] them isn't all that useful." That is the whole purpose of risk analysis. If you can't prioritize which risks are most severe, then you are more likely to suboptimize your security investments.
@mark a contractor is an insider. You can subclassify them as a third-party insider if you like. I've also heard the term trusted outsider, but it amounts to the same thing. At some point your organization gave them trust.
Even if they targeted you and worked hard and manoeuvred their way into your trust, it's still insider. (By this I mean active spying/espionage well beyond social engineering.)
When you've reached a level of understanding of security and risk, a statement like Bruce's "you have to defend against them both" is obvious. But when you're not there, studies like this help. There are still a lot of senior managers that want to downplay insider risks. This study highlights that the risk is there and the bar is being raised.
Yes risk analysis includes ranking - but shouldn't it focus on damages rather than # of incidents or (even worse) # attacks?
Ranking them really isn't all that useful; primarily, and perhaps quite simply put, it doesn't really matter where the attacks come from, but what they are attacking, how and why.
Liken it to a suit of armor: if you have a limited suit, use it to iron-clad your vital areas. No one would simply suit up the front of themselves and leave the back entirely exposed simply because they are going to be *facing* the brunt of the attacks... what if you turn around? Or one of your comrades shoots a poorly aimed arrow...?
Risk analysis is essential, but ranking insider vs. outsider attacks is really pointless, esp. if they are attacking the same thing. This is really only useful for pointing out that when designing secure systems, you really shouldn't trust much of anyone, insider or otherwise.
The threat should be measured against the data. Considering that this study shows 30,000 records lost to outsiders versus 375,000 lost to insiders, I'd submit that the insider threat is larger.
Authorized users typically have bad data security habits, too much access, and nowhere near enough common sense when it comes to handling important corporate data. Well intentioned users will often go out of their way to bend security protocols in the name of "getting things done". Malicious users have no compulsion to obey the security procedures. This leads to unauthorized remote control (gotomypc), sensitive data traveling/stored via the internet using unauthorized platforms (ftp, Hotmail, Google desktop), or loaded on USB sticks, iPods, or laptops (unencrypted) and then lost when those items go missing or are given to outsiders.
Studies like this help myopic people like me focus on insider threats. - But interestingly, Bruce didn't mention the 3rd group that the report says is the most damaging. - those business partners that while they may know a lot about our practices, are not under our control.
Actually, you can further break down insiders into intentional (malicious intent) and unintentional (accidental); and I'd bet in terms of total volume of information compromised the accidental disclosures win hands-down with the seemingly weekly instances of people losing whole terabytes of information in user databases on laptops that they took home for no particular reason.
"....losing whole terabytes of information in user databases on laptops that they took home for no particular reason."
Oh there's a reason all right. It's so the kids can play Sim City. Or so they can watch DVDs in the bedroom.......
the list of reasons is endless..... ;)
Not to mention that business partners, at least to me, are considered ``insiders''. They aren't quite LAN users but they probably have better access, to an extent, than someone on the Internet....
The number of insider attacks that were not detected or reported should also be taken into account. Currently the technology for detecting outsider attacks is better developed than that for insider attacks. In some cases companies/people are reluctant to report insider attacks because it affects their outlook more than an outsider attack.
One of the pieces of "counter" logic that I encounter a lot is: "if someone inside the company wants to do damage, you can't do anything about that anyway."
In fact I run into that "logic" a lot in various contexts but especially a lot when considering insider threats. To me, it's more an example of "it's hard to think about this, so I'd rather not."
"That is the whole purpose of risk analysis"
How do you propose to do that?
Let's be blunt here: we, the industry, don't have security metrics that mean a whole load of diddly squat.
You can only perform risk analysis when you have some kind of evidence based metric for which the deductive reasoning is sound.
Is anyone prepared to go out on a limb and say we do have metrics that can be reliably used for actuarial purposes?
Without them proper risk analysis (as carried out by banks and insurance companies) is just not possible.
Chinchani, R.; Iyer, A.; Ngo, H.Q.; Upadhyaya, S. (Buffalo Univ., NY, USA). "Towards a theory of insider threat assessment." In: Dependable Systems and Networks, 2005 (DSN 2005), Proceedings, International Conference on, 28 June to 1 July 2005, pp. 108-117.
And why is a communications provider issuing this type of report? To protect themselves against being held accountable for their own failings.
It's also plausible to think that certain kinds of attack blur the distinction between insider and outsider. Once you own a few machines within a company's nominal security perimeter and can snoop on all their transaction messages (yes, I'm thinking about one of the local grocery store chains) for months on end, you're in essentially the same position as most of the insiders.
I'm one of the authors of the report and I'd like to comment on a few questions and statements I've seen so far. As to why a telecom is issuing this type of report, it comes from the security solutions group within Verizon Business, which was formerly Cybertrust. We are the principal investigators on a large proportion of publicly disclosed data breaches. Secondly, the insider vs outsider topic which has grabbed everyone's attention. We looked at three sources of data breaches - external, internal, and partner. Sure, some people consider trusted partners as insiders, but we thought distinguishing between the two might be helpful for many reasons. Since risk is the product of likelihood and impact, we sought to measure each separately (keep in mind we're talking data breaches, not attacks or general security incidents). Outsiders were the most likely, followed by partners then insiders. Investigators don't typically measure the total financial impact of a breach but they do measure the size (in terms of # of records compromised), so we used that as our pseudo measure of impact. Insider breaches were typically much larger (median # of records) than outsiders, with partners somewhere in the middle. When you multiply likelihood and impact, partners represented the greatest risk within our caseload. Finally, we do think such analysis is helpful in prioritizing efforts to reduce risk. For instance, we often found partner-facing controls to be non-existent. Perhaps organizations that have been neglecting such risks will divert some resources to controlling them after reading these results. Thanks for the comments - I'm glad the report is being discussed.
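As an added illustration (not the report's own data or code) of the likelihood-times-impact method this comment describes, and of why the source shares add up to more than 100%, here is a Python script over a constructed caseload whose figures are made up so that each of the three measures ranks the sources differently.

```python
from collections import Counter
from statistics import median

SOURCES = ("external", "internal", "partner")

# Constructed caseload (made-up figures, not the report's data). Each case
# records every source involved, so one breach can count toward two sources;
# that is why the report's shares (73% + 18% + 39%) add up to more than 100%.
CASES = [
    {"sources": {"external"}, "records": 1_000},
    {"sources": {"external"}, "records": 3_000},
    {"sources": {"external"}, "records": 5_000},
    {"sources": {"external"}, "records": 8_000},
    {"sources": {"external"}, "records": 20_000},
    {"sources": {"external", "partner"}, "records": 40_000},
    {"sources": {"external", "partner"}, "records": 200_000},
    {"sources": {"partner"}, "records": 250_000},
    {"sources": {"internal", "partner"}, "records": 150_000},
    {"sources": {"internal"}, "records": 450_000},
]


def likelihood(cases):
    """Share of cases in which each source was involved (a multi-source case
    counts once per source, so the shares may sum past 1.0)."""
    counts = Counter(src for case in cases for src in case["sources"])
    return {src: counts[src] / len(cases) for src in SOURCES}


def impact(cases):
    """Median records compromised per source: the stand-in for financial
    impact, which investigators do not usually measure."""
    result = {}
    for src in SOURCES:
        sizes = [case["records"] for case in cases if src in case["sources"]]
        result[src] = median(sizes) if sizes else 0
    return result


def risk(cases):
    """Risk = likelihood x impact, computed per source."""
    lk, im = likelihood(cases), impact(cases)
    return {src: lk[src] * im[src] for src in SOURCES}


def ranking(metric):
    """Sources ordered from highest to lowest on the given metric."""
    return sorted(metric, key=metric.get, reverse=True)


if __name__ == "__main__":
    # Counting by case, by median size and by their product each ranks the
    # three sources differently: external, then internal, then partner on top.
    for name, metric in (("likelihood", likelihood(CASES)),
                         ("median records", impact(CASES)),
                         ("likelihood x impact", risk(CASES))):
        print(f"{name:20s} {ranking(metric)}  {metric}")
```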
Please excuse me as I did not read the whole report....but did they cover the 'forgotten edge'? (The public voice connectivity, that is), mainly inbound and outbound modem, fax, ISP calls from the inside, the spoken word, modem energy etc....call types if you will. I see data loss referred to mainly in the data-to-data vernacular. Rarely can we get a true 360 degree view of the real vectors. Systems have moved to IP obviously but they still have (and will for many years to come) a public voice edge. That is a constant vector to leakage/breach, whether from inside out or outside in.
It's amazing what you can "prove" with statistics. How does the study differentiate between a "breach" and "unauthorized access?" Or a "breach" and a "security lapse?"
Yes, hackers are more likely to breach the controls designed to protect the "inside" from the "outside," but organizations frequently rely on policies and a trust factor of their employees and don't put in as many controls, thus facilitating "unauthorized access" without a security "breach."
This goes back to the candy bar school of security -- "crunchy on the outside with a soft chewy center."
@NebraskaAve, @OhioBlvd, @WHBaker,
I think one should remember that the nature of insider attacks may also bias the sample towards finding more external attacks.
First, insider attackers are very good at covering their tracks, because besides having authorized access, they know the weaknesses of the system. Unless they are vengeful, they usually wish to remain unnoticed so they can continue to be employed. One could speculate that possibly a greater percentage of undiscovered breaches are due to inside attackers.
Secondly, if a breach was discovered to be by one of an organization's "trusted own", they may prefer to deal with it internally rather than air dirty laundry in public. Hence the possibility that there could be less involvement by external third parties for the cases that ARE discovered, and those cases are excluded from such samples.
Good points all. For what it's worth, the media has added the "insider threat exaggerated" conclusion to our report. The point about insiders being adept at covering their tracks is spot on and one we raised in the report - we make no claim of an unbiased sample. The dataset on which the report was based was gathered during ~500 forensic cases involving data compromise (not security breaches/unauth access) for which Verizon Business was hired to do the investigation. If another IR team released their findings, it's entirely possible you'd see significantly different results.
"My experience is that most IT personnel somehow think because they CAN snoop, that they have been given the privilege to snoop. One thing leads to another."
My experience leans the other way. Decades ago, I was given the "root" (well, "System", for VMS) password at my workplace, ostensibly because I was an "early guy" and could do first-line support, possibly phoning the actual IT folks and being talked through things. It was also pretty clear that "trusting me" with the password was their way of making sure I would not be tempted to gain elevated permissions through less orthodox means. And it worked.
It may be that that was another age, and I am of a different generation than today's information workers, but I wonder.
I would like to pass on an insight by one of my co-workers.
These numbers are taken from the set of "Data Breach investigated by Verizon" not "all known data breaches" thus I would like to know what percentage of internal vs. external data breaches Verizon investigates. I would speculate that Verizon is called to investigate a greater percentage of external breaches.
@MDS: I'm not sure if you were asking me directly but I'll make an attempt to answer. The "percentage of internal vs external data breaches Verizon investigates" is the percentage given in the report (of the cases we investigated, 73% vs 18% vs 39% partners). I think what you and your co-worker are intending to ask is how does our caseload compare (in terms of that ratio) to the totality of data breaches. I don't have a definitive answer. Although we track publicly disclosed data breaches and statistics, I don't have a ratio on hand - does anyone else? I can tell you we've investigated roughly 1/4 of the breaches disclosed over the past few years and we do tend to "specialize" in certain types. For instance, we tend to do larger breaches (i.e., ones that warrant paying for outside investigation) and ones that actually involve data compromise rather than 'data at risk' (i.e., data on a lost laptop that is never actually compromised but must be reported nonetheless). As I stated previously, we cannot and do not claim that our findings reflect all data breaches. To know that, we'd need to analyze all undiscovered, all discovered but unreported and all reported data breaches everywhere. The first two are unavailable for comparison. The final set (reported breaches) would make for an interesting comparison. If anyone wants to tackle this, I'd suggest removing 'data at risk' cases from the mix and focusing on breaches involving actual compromise to achieve an "apples to apples" comparison.
Looking at the related issue of web application security, more organizations need to be thinking about getting regular web security audits, which should ideally be able to protect against both internal and external attacks here (e.g. Devfense (http://www.boonbox.net/devfense.htm), Watchfire or a similar kind of product). I was astounded to read recently that something like just 20 per cent of companies (in Canada, at least) are doing ANYTHING in regard to data security, whether on their laptops or their network.
"Let's be blunt here: we, the industry, don't have security metrics that mean a whole load of diddly squat."
Hear, hear! We are running around trying to protect ourselves from all these "risks" but we don't have a clue as to how to quantify them. Are we dealing with a 10% chance of an insider attack via a specific vector and a 1% threat from an outsider using that same vector, or is it the reverse? Maybe it's really 1% out & .1% insider?
I guess the best we can do is install as much defense in depth protection as possible and then keep our collective fingers crossed. :-(
I like the article though not sure how valid I think the findings are. I would have to agree with several of the other comments that there are likely many more attacks involving insiders than what is represented in this study. Either they weren't reported or the source of the attack wasn't documented correctly. I've posted some thoughts and suggestions on my blog this morning at http://itatsmallbiz.wordpress.com/2008/06/27/...
> Well intentioned users will often go out of their way to bend security protocols in the name of "getting things done".
The problem is, this is very often a perfectly valid and reasonable thing for them to do, and indicates that IT systems are severely broken and serving the business poorly. Too many admins seem to forget that "getting things done" is why the IT systems exist; if other employees have to evade your policies in order to "get things done", you'd better have a darn good reason why there was no better way to set it up, or I'd fire you.
People often bandy about the terms "high security", "medium security" or "low security", but outside of prisons they have no formal definition. I like to use the definition that in a "high security" system security is so critical that the security policy comes first, and all work must adapt to its restrictions; in "medium security" systems there should be a careful balance between security policy and other work processes; while in a "low security" system there is no excuse for the security policy interfering with anyone's work in any substantial way. That is, in a low security system if we say "do X, or stuff might get stolen", but X will slow down work by 5%, the correct answer is "we won't do X, we will just accept the risk."
Under this definition, there are many businesses that people think of as high security, which in fact aren't. For example, I have worked in a business that ran a high tech R&D lab developing advanced technologies with military applications, which our competitors would have loved to get their hands on. Before getting involved with that lab, I would have assumed it would be high security. Actually, some projects should be ranked low, some medium, and NONE high. Quite simply, both our commercial competitors and foreign powers were quite capable of catching up with our lead if we inhibited the rate of progress of our scientists; the exciting but quite theoretical threat of espionage was nothing like as great a danger as just falling behind.
The fact is, after centuries of developing business protocols that inherently embody reasonable security compromises, most businesses are low security. They will take more losses from restrictive security policies than from inadequate ones.
It's just that outsiders are easier to identify and slight, even demonize.
See the new TV series: The Outsiders!
While insiders often just hunker down and try to not get noticed.
Faceless them are us.
POGO said it best:
We have met the enemy, and they are us.
But if we begin to blame ourselves, corporately,
we might just finally discover what we've been up to.
This report focuses mostly on the retail sector, and I wonder how these numbers would change if they were to survey financial services companies or health care companies.
Aren't there too many credit cards floating around anyway that are being sold for $1 or so per card? There are far more interesting things to steal from the non-retail sector, including trade secrets, customer lists, salaries, etc. I hence feel that there are far more insider attacks in the non-retail sector.
One of the problems behind the insider vs. outsider debate seems to be the fact that trustworthy insiders don't want to feel mistrusted. From the point of view that an awareness-raising specialist takes, this isn't negligible. Employees who feel mistrusted won't engage themselves in defence against threats. It's a question of side effects - as soon as you start measures against insiders without taking psychology into account, you risk losing your potential to build a "human firewall".
By the way: I once talked to a forensic specialist who said that from his point of view there would be no useful tools to measure internal attacks. A successful external attack would always be counted as an internal one; that's why he never believed in the numbers that told us that there were more internal than external attacks.
But at the end it's right: counting "x vs. y" does not help. But sometimes ethics get in - when vendors, for example, stoke mistrust against employees to sell more internal surveillance tools. That's what they did deliberately when firewall sales started to decline.
To understand the issues I recommend "Principles and Practice of Information Security" by Linda Volonino and Stephen Robinson. Developing an attitude, an awareness, a policy is key, as is communication, to secure your organization; if done properly employees understand risks and actions, not taking them personally. Anyone working in enforcement has to learn not to take things personally; if you can't, you're in the wrong job. If you put your feelings in front of security you will fail. It is not about you. It is about security.
I wanna know if this information (more attacks from Internet than internal but more damage internal than those from Internet) is valid nowadays.
What do you mean by internal attacks: those attacks made intentionally by people inside? Or those attacks made unintentionally by employees or 3rd parties? Or even those made not by people but by bots/malware installed on the internal endpoint?
For example, the last big known attack on RSA: was it internal (the attacker used internal devices to compromise important information assets)? Or was it external (the "attack commander" was outside)?
Thank you so much!
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.