
10:24 AM

Should Insiders Really Be Your Biggest Concern?

Verizon's Data Breach Investigations Report shows that by volume of breach occurrences, external attackers cause problems the majority of the time

Yesterday's release by Verizon of its annual Data Breach Investigations Report (DBIR) will surely confirm many information security professionals' observations and fears. In addition, it will surely kick off another year of number-crunching and proposals to respective boards for new initiatives.

But amid the data included, one subset of information likely to challenge both conventional wisdom and vendor sales pitches is what Verizon collected about the impact of insider threats. While its experts would never discount the very real possibility of damage inflicted by insiders, Verizon illustrated with its breach data that external attackers made up the bulk of the action within cases involving breached information -- by a wide margin.

"When you look at the sheer volume of the attackers, it really shows that certainly an organization is going to have more outsiders than insiders, no matter what," says Suzanne Widup, senior analyst on Verizon's RISK Team and one of the report's authors. "Just with the sheer number of possible actors, that's going to be the case forever. But that doesn't negate the fact that insiders can do damage."


The DBIR showed that by volume of breach occurrences at Verizon customers, 92 percent involved external parties while 14 percent involved internal. The two numbers total more than 100 because there are a number of situations where both external and internal partners work in concert, either on purpose or with insiders ignorant of their contributions.

"A lot of them are the organized crime groups that are recruiting the people to do credit card skimming, which happens quite a bit. But it can also be things like a banking institution having its tellers compromised by someone outside to be able to take the bank account data out," Widup says. "They'll go after people who don't necessarily have a lot of organizational power, but who've got access to the data that they want, and that's what matters."

Regardless of that overlap, the big disparity between the volume of breaches analyzed by the DBIR involving external threats compared to internal runs contrary to infosec pros' perceived risk. Recent straw polls among security professionals show them spending quite a bit of time worrying about the damage insiders could inflict on their operations. In fact, last week a report out by firewall management firm AlgoSec showed that 64.5 percent of information security and information technology professionals rated insiders as their greatest security risk.

"We stand behind the fact that, at least from a perception standpoint, the security community is more concerned about insider threats," says Nimmy Reichenberg, vice president of marketing and business development for AlgoSec, who says the appearance of contradiction could stem from a number of factors.

Tops on that list is the possible impact of an undetected insider incident, which could be much more disastrous, though less likely to happen, than an undetected external event. When malicious insiders get away with their crimes, they are much more likely to do a lot more damage than a flurry of external hackers could, he says.

"You've got hackers all over the world, scanning ports, trying to get in, but how successful are they, and how much damage do they really do?" he says. "That isolated, once-in-a-blue-moon internal threat can potentially be much more dangerous because it's not a blind or semiblind hacker trying to probe their way into your network. It's a person who knows the ins and outs of your organization trying to do the damage."

Plus, the types of incidents insiders can trigger reach far beyond the typical theft of personally identifiable information tracked by DBIR statistics. Even Verizon tipped its hat to that by also analyzing relevant data from its partners CERT and G-C Partners later in its report. Within that data set of 47,000 overall security incidents, insiders made up a bigger chunk of the ratio of responsible parties, with 69 percent involving insiders and 31 percent involving external. However, among those, Verizon reported that most of them were insiders acting carelessly rather than maliciously.

According to Widup, security professionals shouldn't get too wrapped up in the debate of who's the bigger risk. Instead of who is doing it, the risky action and the ability to detect that action is really what matters, she says.

"It shouldn't matter who is doing it -- if you can detect it quickly enough, you have a better chance of containing the breach or at least mitigating it quickly," she says. "The bottom line is to make sure you can detect it and make sure that for however long it takes you to detect things on average, your logs go back at least that far."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

User Rank: Apprentice
5/29/2013 | 1:52:25 PM
re: Should Insiders Really Be Your Biggest Concern?
Just stumbled on this write up, Ericka. When I read the report I thought the comments about people who worry more about insider threats were speaking directly to me. On the other hand, I understand the position they are in. One can only address what one can measure. There is hard data about the external threat. Insider threat is much harder to size up. You can look at damages for well known insider breaches that have hit the public eye (SocGen, San Fran, etc.) or even potential damages for near misses (Fannie/Freddie). But the sad truth is most don't report these breaches to avoid damages to reputation. So investments in preventative security measures like identity & access management or privileged account management are justified through compliance, efficiency, or connected to specific events never revealed to anyone. There is likely a huge insider threat risk to mitigate that isn't being well measured and would far outweigh all of those things, though.