Vulnerabilities / Threats

10:24 AM
Connect Directly

Should Insiders Really Be Your Biggest Concern?

Verizon's Data Breach Investigations Report shows that by volume of breach occurrences, external attackers cause problems the majority of the time

Yesterday's release by Verizon of its annual Data Breach Investigations Report (DBIR) will surely confirm many information security professionals' observations and fears. In addition, it will surely kick off another year of number-crunching and proposals to respective boards for new initiatives.

But amid the data included one subset of information likely to challenge both conventional wisdom and vendor sales pitches is the information Verizon collected about the impact of insider threats. While its experts would never discount the very real possibility of damage inflicted by insiders, Verizon illustrated with its breach data that external attackers made up the bulk of the action within cases involving breached information -- by a wide margin.

"When you look at the sheer volume of the attackers, it really shows that certainly an organization is going to have more outsiders than insiders, no matter what," says Suzanne Widup, senior analyst on Verizon's RISK Team and one of the report's authors. "Just with the sheer number of possible actors, that's going to be the case forever. But that doesn't negate the fact that insiders can do damage."

[Think insiders can't hurt your firm? Think again. See 8 Egregious Examples Of Insider Threats.]

The DBIR showed that by volume of breach occurrences at Verizon customers, 92 percent involved external parties while 14 involved internal. The two numbers total more than 100 because there are a number of situations where both external and internal partners work in concert, either on purpose or with insiders ignorant of their contributions.

"A lot of them are the organized crime groups that are recruiting the people to do credit card skimming, which happens quite a bit. But it can also be things like a banking institution having its tellers compromised by someone outside to be able to take the bank account data out," Widup says. "They'll go after people who don't necessarily have a lot of organizational power, but who've got access to the data that they want, and that's what matters."

Regardless of that overlap, the big disparity between the volume of breaches analyzed by the DBIR involving external threats compared to internal runs contrary to infosec pros' perceived risk. Recent straw polls among security professionals that show them spending spend quite a bit of time worrying about the damage insiders could inflict on their operations. In fact, last week a report out by firewall management firm AlgoSec showed that 64.5 percent of information security and information technology professionals rated insiders as their greatest security risk.

"We stand behind the fact that, at least from a perception standpoint, the security community is more concerned about insider threats," says Nimmy Reichenberg, vice president of marketing and business development for AlgoSec, who says the appearance of contradiction could stem from a number of factors.

Tops on that list is the possible impact of an undetected insider incident, which could be much more disastrous, though less likely to happen, than an undetected external event. When malicious insiders get away with their crimes, they are much more likely to do a lot more damage than a flurry of external hackers could, he says.

"You've got hackers all over the world, scanning ports, trying to get in, but how successful are they, and how much damage do they really do?" he says. "That isolated, once-in-a-blue-moon internal threat can potentially be much more dangerous because it's not a blind or semiblind hacker trying to probe their way into your network. It's a person who knows the ins and outs of your organization trying to do the damage." Plus, the types of incidents insiders can trigger reach far beyond the typical theft of personally identifiable information tracked by DBIR statistics. Even Verizon tipped its hat to that by also analyzing relevant data from its partners CERT and G-C Partners later in its report. Within that data set of 47,000 overall security incidents, insiders made up a bigger chunk of the ratio of responsible parties, with 69 percent involving insiders and 31 percent involving external. However, among those, Verizon reported that most of them were insiders acting carelessly rather than maliciously.

According to Widup, security professionals shouldn't get too wrapped up in the debate of who's the bigger risk. Instead of who is doing it, the risky action and the ability to detect that action is really what matters, she says.

"It shouldn't matter who is doing it -- if you can detect it quickly enough, you have a better chance of containing the breach or at least mitigating it quickly," she says. "The bottom line is to make sure you can detect it and make sure that for however long it takes you to detect things on average, your logs go back at least that far."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
5/29/2013 | 1:52:25 PM
re: Should Insiders Really Be Your Biggest Concern?
Just stumbled on this write up, Ericka. When I read the report I thought the comments about people who worry more about insider threats were speaking directly to me. On the other hand, I understand the position they are in. One can only address what one can measure. There is hard data about the external threat. Insider threat is much harder to size up. You can look at damages for well known insider breaches that have hit the public eye (SocGen, San Fran, etc.) or even potential damages for near misses (Fannie/Freddie). But the sad truth is most don't report these breaches to avoid damages to reputation. So investments in preventative security measures like identity & access management or privileged account management are justified through compliance, efficiency, or connected to specific events never revealed to anyone. There is likely a huge insider threat risk to mitigate that isn't being well measured and would far outweigh all of those things, though.
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.
PUBLISHED: 2019-02-15
Vulnerability in FileUtils v0.7, Ruby Gem Fileutils <= v0.7 Command Injection vulnerability in user supplied url variable that is passed to the shell.