Shostack + Friends Blog Archive


Referencing Insiders is a Best Practice

You might argue that insiders are dangerous. They’re dangerous because they’re authorized to do things, and so monitoring throws up a great many false positives, and raises privacy concerns. (As if anyone cared about those.) And everyone in information security loves to point to insiders as the ultimate threat.

I’m tempted to claim this as a nail in the coffin for the insider as the most important threat vector, but of late, I’ve decided that the insider is an near-unkillable boogeyman, and so ‘nails in the coffin’ is the wrong metaphor. Really, this just indicates that references to insiders are a best practice, and we can’t kill them. We can, however, treat those references as an indicator that the person speaking is probably not an empiricist, and discount appropriately.

2 comments on "Referencing Insiders is a Best Practice"

  • Hexsaw says:

    I hate to argue this point with you, because I actually agree that insiders are probably not the most important threat vector – but I don’t think that the HHS dataset proves what the most important threat vector is.

    One interpretation is that a small percentage of incidents documented in the HHS report were possibly caused by insiders. Another, equally valid, interpretation is that incidents caused by insiders were much harder to detect than other incidents.

    Until we have enough data to make statistically valid analyses of security breaches that were detected by methods independent of attacker methodology (e.g., discovered by an informant in a criminal organization), it’s hard to know whether few reports of insider breaches means that it’s really hard to detect insider breaches, or whether there are simply fewer insider breaches.

    I’m further concerned by the fact that the type of intruder is very dependent on the value of target data. I’m not convinced that HIPAA data is subject to the same attacker profile as GLB-protected customer financial data, for example.

    But I’m still glad to have this data-point. Thanks for writing about it.

  • We have consistently found from monitoring the server and PC endpoints of our customers across the globe that anywhere between 15-30% of all their agent based endpoints leveraged by their security tools are misconfigured or disabled. This is an “internal” rather than “external” exposure. If every endpoint in an organization was visible and compliant with corporate IT policy, the internal threat would be greatly diminished and these stats would go down.

Comments are closed.