
10:24 AM

Should Insiders Really Be Your Biggest Concern?

Verizon's Data Breach Investigations Report shows that by volume of breach occurrences, external attackers cause problems the majority of the time

Yesterday's release by Verizon of its annual Data Breach Investigations Report (DBIR) will surely confirm many information security professionals' observations and fears. In addition, it will surely kick off another year of number-crunching and proposals to respective boards for new initiatives.

But one subset of the data is likely to challenge both conventional wisdom and vendor sales pitches: the information Verizon collected about the impact of insider threats. While its experts would never discount the very real possibility of damage inflicted by insiders, Verizon's breach data shows that external attackers made up the bulk of the action in cases involving breached information -- by a wide margin.

"When you look at the sheer volume of the attackers, it really shows that certainly an organization is going to have more outsiders than insiders, no matter what," says Suzanne Widup, senior analyst on Verizon's RISK Team and one of the report's authors. "Just with the sheer number of possible actors, that's going to be the case forever. But that doesn't negate the fact that insiders can do damage."


The DBIR showed that by volume of breach occurrences at Verizon customers, 92 percent involved external parties while 14 percent involved internal ones. The two numbers total more than 100 because in a number of cases external and internal parties work in concert, either deliberately or with insiders unaware of their contribution.

"A lot of them are the organized crime groups that are recruiting the people to do credit card skimming, which happens quite a bit. But it can also be things like a banking institution having its tellers compromised by someone outside to be able to take the bank account data out," Widup says. "They'll go after people who don't necessarily have a lot of organizational power, but who've got access to the data that they want, and that's what matters."

Regardless of that overlap, the big disparity between the volume of breaches analyzed by the DBIR involving external threats and those involving internal threats runs contrary to infosec pros' perceived risk. Recent straw polls among security professionals show them spending quite a bit of time worrying about the damage insiders could inflict on their operations. In fact, last week a report by firewall management firm AlgoSec showed that 64.5 percent of information security and information technology professionals rated insiders as their greatest security risk.

"We stand behind the fact that, at least from a perception standpoint, the security community is more concerned about insider threats," says Nimmy Reichenberg, vice president of marketing and business development for AlgoSec, who says the appearance of contradiction could stem from a number of factors.

Tops on that list is the possible impact of an undetected insider incident, which could be much more disastrous, though less likely to happen, than an undetected external event. When malicious insiders get away with their crimes, they are much more likely to do a lot more damage than a flurry of external hackers could, he says.

"You've got hackers all over the world, scanning ports, trying to get in, but how successful are they, and how much damage do they really do?" he says. "That isolated, once-in-a-blue-moon internal threat can potentially be much more dangerous because it's not a blind or semi-blind hacker trying to probe their way into your network. It's a person who knows the ins and outs of your organization trying to do the damage."

Plus, the types of incidents insiders can trigger reach far beyond the typical theft of personally identifiable information tracked by the DBIR statistics. Even Verizon tipped its hat to that by also analyzing relevant data from its partners CERT and G-C Partners later in its report. Within that data set of 47,000 overall security incidents, insiders made up a bigger share of the responsible parties, with 69 percent of incidents involving insiders and 31 percent involving external parties. However, Verizon reported that most of those insiders were acting carelessly rather than maliciously.

According to Widup, security professionals shouldn't get too wrapped up in the debate over who is the bigger risk. Rather than who is doing it, the risky action and the ability to detect that action are what really matter, she says.

"It shouldn't matter who is doing it -- if you can detect it quickly enough, you have a better chance of containing the breach or at least mitigating it quickly," she says. "The bottom line is to make sure you can detect it and make sure that for however long it takes you to detect things on average, your logs go back at least that far."
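Widup's closing check, that log retention should cover at least the average time it takes to detect an incident, can be turned into a simple audit. The following is an added example, not part of the article or the DBIR; the incident dates and the per-source retention periods are constructed values.

```python
from datetime import date
from statistics import mean

# Constructed incident records (not DBIR data): when the compromise began
# and when the organization first detected it.
INCIDENTS = [
    (date(2012, 11, 3), date(2013, 1, 15)),   # 73 days undetected
    (date(2013, 2, 10), date(2013, 2, 24)),   # 14 days undetected
    (date(2012, 9, 20), date(2013, 3, 1)),    # 162 days undetected
]

# Constructed retention periods in days, per log source.
LOG_RETENTION_DAYS = {
    "firewall": 30,
    "vpn": 90,
    "domain-controller": 180,
    "database-audit": 14,
}

def dwell_times(incidents):
    """Days from first compromise to detection, one entry per incident."""
    return [(detected - compromised).days for compromised, detected in incidents]

def retention_gaps(incidents, retention, cover_worst_case=False):
    """Return {source: shortfall_days} for every log source whose retention is
    shorter than the average dwell time (Widup's rule), or shorter than the
    longest observed dwell time when cover_worst_case is set."""
    times = dwell_times(incidents)
    needed = max(times) if cover_worst_case else mean(times)
    return {src: round(needed - days) for src, days in retention.items() if days < needed}

if __name__ == "__main__":
    print("mean dwell time (days):", mean(dwell_times(INCIDENTS)))
    print("retention gaps vs. mean:", retention_gaps(INCIDENTS, LOG_RETENTION_DAYS))
    print("retention gaps vs. worst case:",
          retention_gaps(INCIDENTS, LOG_RETENTION_DAYS, cover_worst_case=True))
```

Sources listed in the result would lose the start of an incident's trail before a typical investigation begins; the worst-case mode shows how much further retention would have to stretch to cover the slowest detection seen so far.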


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

5/29/2013 | 1:52:25 PM
re: Should Insiders Really Be Your Biggest Concern?
Just stumbled on this write-up, Ericka. When I read the report I thought the comments about people who worry more about insider threats were speaking directly to me. On the other hand, I understand the position they are in. One can only address what one can measure. There is hard data about the external threat. Insider threat is much harder to size up. You can look at damages for well-known insider breaches that have hit the public eye (SocGen, San Fran, etc.) or even potential damages for near misses (Fannie/Freddie). But the sad truth is most don't report these breaches, to avoid damage to reputation. So investments in preventative security measures like identity & access management or privileged account management are justified through compliance, efficiency, or connected to specific events never revealed to anyone. There is likely a huge insider threat risk to mitigate that isn't being well measured and would far outweigh all of those things, though.