Martin McKeay

Security Matters

Insider threats happen less often, but with more impact

Richard Bejtlich had a couple of good blog entries last week about the insider threat (first, second). He correctly points out that the number of threats is much higher from external sources. He also argues that the controls we have in place and the options we have for dealing with insiders are much greater than we'll ever have for dealing with outsiders. But what he's missing is that so many of the controls we have are circumvented by the fact that we have to trust insiders, just so they can get their job done on a daily basis.

It's hard to differentiate between someone doing their job in a conscientious manner and someone who's maliciously attacking the system. It's easy to tell when an engineer is getting into the accounting database. But how well can most programs differentiate between the accountant paying a valid account and the same accountant paying a bogus invoice to their cousin Vinnie? How is a computer going to tell if the sales person is taking a copy of his contact list so he can make calls on the road and the same sales person taking the list to a competitor? The real answer is, it probably can't in either case.

A large part of the problem is that the insider threat isn't a purely technical threat.  It involves making sure your HR department properly screened new employees when they were hired.  It means the physical security of your site has to be considered.  It requires the cooperation of multiple departments in the organization, something IT is not historically the best at.

What People Are Saying

I agree with you that the

I agree with you that the insider threat cannot be solved by IT security alone – several departments need to come together to develop best practices and security guidelines for employees.

Once best practices are in place, IT can better monitor for insider activity and use security violations as an opportunity to educate and reeducate employees. Access control is also an important part of the equation.

In my experience, most insider threat activity is merely employees' lack of awareness of policies and making simple mistakes on improper disclosure.

Faizel Lakhani, Reconnex

Richard, I guess we're just

Richard,

I guess we're just focusing on different aspects of the same thing.

Martin McKeay
martin_cw@mckeay.net
http://www.mckeay.net/secure/
Voicemail: 916.231.9479

Martin, I'm not missing

Martin,

I'm not missing anything. The first post you link to includes this:

"However, as I've said elsewhere [link to older post], insiders will always be better informed and positioned to cause the most damage to their victims. They know where to hurt, how to hurt, and may already have all the access they need to hurt, their victim."

That earlier link includes this comment:

"My personal opinion is that rogue insiders have the potential to cause the most damage, but the frequency with which they appear and cause havoc is lower than people think. Outsiders, on the other hand, are frequently attacking and exploiting enterprises, but they are not often causing the sort of damage a rogue insider could."

I'm not sure you are right

I'm not sure you are right on the frequency. The ones that are effective at doing so won't brag about it; the company has both a legal and a publicity value in keeping it quiet when folks aren't effective, so the only ones you hear about are going to be those that feel a need to brag about what they've done after they got caught, or where the company was so affected that they decided to bring in the legal system and make it public. That will be a pretty small percentage of total incidents.