Shostack + Friends Blog Archive


Outsiders! Insiders! Let's call the whole thing off.

I have no idea whether outsiders or insiders are responsible for more losses, and while the topic is somewhat interesting, it seems to me to be something of a marketing-generated distraction.
I’ve worked in environments where I am absolutely certain that insiders were the predominant threat, in environments where they probably were, and in environments where they probably were not. In no case would I have been able to conclude this from criminal prosecution data, which is what one report relies on to support its conclusions.
My point is that regardless of what the aggregate “threat landscape” looks like, there is no substitute for knowing your own environment, and for proper threat modeling and countermeasures.
[The image is part of a screenshot from, circa February 22, 2005]

8 comments on "Outsiders! Insiders! Let's call the whole thing off."

  • Adam says:

    It’s obvious: people are the biggest problem.

  • David Brodbeck says:

    Use of prosecution data would seem inherently skewed; insiders are more likely to be caught, since they’re known ahead of time, while outsiders are generally not.

  • wpn says:

    Not only are insiders more likely to be identified, but they’re also more likely to be prosecuted. I agree: let’s call the whole thing off. A successful attack will often look *just* like an insider one, at least at the beginning. And whether you’re more vulnerable to external attacks depends a lot on how well you’re managing the standard system vulnerabilities. Insider attacks tend to be more creative and varied, in my experience.

  • Rob says:

    Have you read the Insider by Dan Verton? He cites the figure of $250 BILLION a year (2004 figures) by the US attorney general as the cost of insider attacks in the US alone. With that much loss you would think that prosecutions would be in the news every day.
    Maybe the perpetrators of MAJOR insider attacks are prosecuted, but I would guess that the dearth of internal controls inside the network means that the enterprise has very little real knowledge of actual losses as they are probably hidden losses.

  • Adam says:

    WPN: Citations for your claims? I don't buy that insiders are more likely to be prosecuted, the brand damage is too great.

  • Stiennon says:

    Rather than attempt to quantify the “threat” I like to think/talk/write about the “risk”. Given that there are both inside and outside threats, it is harder to defend the inside than the perimeter so therefore the risk is usually higher on the inside. The primary reason for this is that defending against insiders involves changes to business processes and those are hard to accomplish.

  • Rob says:

    Thinking about the second half of the screen shot above, it is interesting to think about the converse of the statement.
    IT designed to keep confidential data inside the network, using deny-by-default, user-centric information-focused security, would actually prevent intrusion from the outside.

  • Iang says:

    In finance, insiders are by far and away the biggest threat to finance; to a much lesser extent in other industries. The amount of money stolen by outsiders is trivial, that by insiders is massive. Prosecutions are rare, and there are some areas where prosecutors seem to bend over backwards to avoid prosecutions.
    One fraud I monitored peripherally I estimated at around $700bn over its lifetime, I might be out by an order of magnitude, but not two. Fines stalled somewhere before $2bn, and within a year of the prosecutions starting up, the word on the street said that “business was back to normal”; leading perps who were caught every way you can possibly imagine paid fines, and walked. Generally, in profit. Only secondary parties went to jail, IIRC, being those who facilitated, not instigated.
