Tuesday, November 06, 2007

Insider Mom Musings

This has some interesting musings on insider attacks and risks, for example: "... my mom is really not capable of launching an internet based attack against a F500 enterprise. However, when she was an office manager, I am reasonably sure she had the ability to do lots of bad things."

Things of that sort help keep the insider angle at the center of attention. It leads me to a scary thought sequence:

a. Is the percentage of unethical people at a major F500 company any different from that of the world as a whole? Probably not, or not by much...

b. Thus, for every million script kiddiez out there, you have, say, 10 "bad apples" inside your org.

c. Also, your firewalls/IDS/IPS/NBA/whatever will stop 99%-100% of those millions of outsiders.

d. Your defenses will probably stop NONE of the 10 "insiders" (and they know where everything is...)

So, who is the bigger risk? I bet on the "evil mom."


Anonymous said...

Hi Anton!

As you know I'm a big fan of your writing, but this is one of those rare cases where I'm really going to have to disagree with you.


"a. Is the percentage of unethical people at a major F500 company any different than the entire world? Probably not - or not by much..."

My thought would be that most Fortune 500 companies these days don't hire an even sample from the overall population distribution. So there is a large portion of economically depressed/underprivileged people not hired by the F500 because they don't have the qualifications to get hired. This portion of the overall population is overrepresented in the criminal population, but underrepresented in the population of F500 employees.

Also, most F500s have controls (background checks come to mind) in place that further reduce the probability and impact of threat events from the internal population.

"So, who is the bigger risk? I bet on the 'evil mom.'"

You might be simplifying risk a little too much. Risk, at its core, is a probability statement about frequency of loss and impact of loss.

When you think about it - is there a greater probable frequency and magnitude of loss from the Mom turned evil, or accidental information exposure (loss of asset, theft of asset, exposure by p2p/malware, etc., esp. for those companies whose sensitive data carries compliance ramifications)?

When it comes down to pure risk, I bet not on the evil Mom, but on the accident and the idiot. The frequencies are greater, and these days, thanks to the artificial incident cost floor established by various compliance pressures, the impacts tend to be fairly significant.

Anton Chuvakin said...

Awesome - we got discussion :-)

OK, I agree with your point about F500 employees being better than the average of the world population (due to background checks, etc.).

Just as well, I agree about the internal controls (also, I'd say my earlier claim of network defenses stopping 99-100% of attacks is clearly not true today; it is worse...).

However, I still think that much larger damage potential (for insiders) is skewing the "risk equation" in their favor...

Finally, I totally left the "human error" (aka idiot) scenario out - but you are right: it is waaaay more likely than the insider mom or a super hacker. Idiot on its own or idiot + bad luck or idiot + lucky script kiddies top the charts indeed!

In any case, my post was definitely a gross oversimplification, that is for sure. We are not comparing metrics here, just "gut feelings."

Dr Anton Chuvakin