The Insidious Insider Threat
Dave G. | November 5th, 2007 | Filed Under: Industry Punditry
The Mogull writes about his pet peeves around the abuse of the insider threat, and lists some principles for talking about the insider threat. There is no doubt that it is a concept used to sell security technologies. No doubt it is an overloaded term (like the word “hacker” or “democracy”).
To me, the term “Insider Threat” conjures up images of employees and/or contractors who are given legitimate access to the internal resources of an organization. The organization assumes that it either knows or can find out the identities of this subset of the world’s population. That knowledge lets it apply a number of different mitigation techniques to reduce risk, and it provides a comfort level that allows it to trust employees and contractors more than the rest of the people on the Internet.
Which, as far as an approach goes, is about as good as it is going to get for now. It is easier to make it really difficult for most external attackers to succeed. The attack surface is better defined, and your employees expect some level of inconvenience due to the fear of hackers, viruses and worms. It’s also cheaper.
As a penetration tester, I can tell you with a fair amount of certainty that if you put us on your internal network, we are going to be able to compromise many things that you care deeply about. Internal networks are large, diverse, rapidly-changing ecosystems. And even though we find a lot of crazy new vulnerabilities on these engagements, we often end up simply taking advantage of the privilege we already have.
This is precisely why it is used to sell product. The Insider has so many avenues to attack internal resources. And for each avenue, there is someone willing to build a product to save you. On internal penetration tests, it is pretty common for a customer to learn about systems they didn’t even know were on their networks.
The difference between the external and internal threat can probably be ascertained by asking these questions:
Motivation. Do they want to do bad things?
Skillset. Do they know how to do bad things?
Access. What can they do bad things to?
Most of the people on Earth are not going to be motivated to attack an organization. And of the ones that are, a pretty small subset are actually capable. For example, my mom is really not capable of launching an internet based attack against an F500 enterprise (1). However, when she was an office manager, I am reasonably sure she had the ability to do lots of bad things (2).
Not unlike relationships, the ones that can hurt you the most are the people that know you the best. Almost every external intrusion ends up with someone stealing a whole bunch of PII. And yes, that stinks, and can be totally devastating. But internal attacks tend to be about how some guy that knows how the business works uses that knowledge to directly damage the business, typically via theft. This holds as true for your local convenience store as it does for your online brokerage.
I think one reason why we focus (maybe overfocus) on the external threat is that it can’t be controlled. When an employee does something bad, it doesn’t have to become a major media event. You can handle things civilly. And by that I mean civil law.
(1) She is however capable of launching an internet based attack against my conscience for not calling enough.
(2) She wouldn’t.


Marcin
November 5th, 2007 12:44 pm
I agree with your statement, “I think one reason why we focus (maybe overfocus) in the external threat is that it can’t be controlled. When an employee does something bad, it doesn’t have to become a major media event. You can handle things civilly. And by that I mean civil law.“
I believe the only companies that should take the insider threat issue more seriously and actively are those in the defense industry. This doesn’t mean only those companies should think about it, because economic espionage is a real thing and it does happen… but not to the extent and criticality to those attacks launched against defense companies. Their products are able to kill people, and the insider threat is not something I want to leave to be decided in civil courts.
sigsegv
November 5th, 2007 7:22 pm
You always have the unintentional insider threat. The type of user who knows a little bit more about technology than the next guy, but fails to see the ramifications of their actions in the larger scope of things. “Why shouldn’t I share out my My Documents folder over Limewire?”, “Why shouldn’t I install a wireless access point in my cubicle for convenience?”, “Why shouldn’t I bring the company’s laptop to Starbucks or Panera and put it on the WLAN there?”. We’ve all met the type before. Even though they may be well intentioned, they can still be just as dangerous (if not more so) than an insider with malicious intent.
Jonathan Werrett
November 7th, 2007 11:46 pm
Agreed, ‘insider threat’ isn’t just about your employees launching attacks against you. Sigsegv points out insiders unintentionally putting organisations at risk.
The ramification of focusing security dollars on the perimeter, aimed at those motivated external attackers, is that said attackers will just figure out how to get in through your ‘gooey center’, using your own employees and internal weaknesses against you.
USB keys loaded with malware anyone? Does it still count as an ‘insider threat’? Or is it an ‘external’ or even a ‘cross vector’?