
Should Insiders Really Be Your Biggest Concern?

Verizon's Data Breach Investigations Report shows that by volume of breach occurrences, external attackers cause problems the majority of the time

Yesterday's release by Verizon of its annual Data Breach Investigations Report (DBIR) will surely confirm many information security professionals' observations and fears. In addition, it will surely kick off another year of number-crunching and proposals to respective boards for new initiatives.

But among that data is one subset likely to challenge both conventional wisdom and vendor sales pitches: the information Verizon collected about the impact of insider threats. While its experts would never discount the very real possibility of damage inflicted by insiders, Verizon's breach data shows that external attackers made up the bulk of the action in cases involving breached information -- by a wide margin.

"When you look at the sheer volume of the attackers, it really shows that certainly an organization is going to have more outsiders than insiders, no matter what," says Suzanne Widup, senior analyst on Verizon's RISK Team and one of the report's authors. "Just with the sheer number of possible actors, that's going to be the case forever. But that doesn't negate the fact that insiders can do damage."

[Think insiders can't hurt your firm? Think again. See 8 Egregious Examples Of Insider Threats.]

The DBIR showed that by volume of breach occurrences at Verizon customers, 92 percent involved external parties while 14 percent involved internal ones. The two numbers total more than 100 because in a number of cases external and internal parties work in concert, either on purpose or with the insiders unaware of their contribution.

"A lot of them are the organized crime groups that are recruiting the people to do credit card skimming, which happens quite a bit. But it can also be things like a banking institution having its tellers compromised by someone outside to be able to take the bank account data out," Widup says. "They'll go after people who don't necessarily have a lot of organizational power, but who've got access to the data that they want, and that's what matters."

Regardless of that overlap, the big disparity between the volume of DBIR breaches involving external threats and those involving internal ones runs contrary to infosec pros' perceived risk. Recent straw polls among security professionals show them spending quite a bit of time worrying about the damage insiders could inflict on their operations. In fact, last week a report by firewall management firm AlgoSec showed that 64.5 percent of information security and information technology professionals rated insiders as their greatest security risk.

"We stand behind the fact that, at least from a perception standpoint, the security community is more concerned about insider threats," says Nimmy Reichenberg, vice president of marketing and business development for AlgoSec, who says the appearance of contradiction could stem from a number of factors.

Tops on that list is the possible impact of an undetected insider incident, which could be much more disastrous, though less likely to happen, than an undetected external event. When malicious insiders get away with their crimes, they are much more likely to do a lot more damage than a flurry of external hackers could, he says.

"You've got hackers all over the world, scanning ports, trying to get in, but how successful are they, and how much damage do they really do?" he says. "That isolated, once-in-a-blue-moon internal threat can potentially be much more dangerous because it's not a blind or semiblind hacker trying to probe their way into your network. It's a person who knows the ins and outs of your organization trying to do the damage."

Plus, the types of incidents insiders can trigger reach far beyond the typical theft of personally identifiable information tracked by DBIR statistics. Even Verizon tipped its hat to that by also analyzing relevant data from its partners CERT and G-C Partners later in its report. Within that data set of 47,000 overall security incidents, insiders made up a larger share of the responsible parties, with 69 percent of incidents involving insiders and 31 percent involving external actors. However, Verizon reported that most of those insiders were acting carelessly rather than maliciously.

According to Widup, security professionals shouldn't get too wrapped up in the debate over who is the bigger risk. What really matters is not who is doing it, but the risky action itself and the ability to detect that action, she says.

"It shouldn't matter who is doing it -- if you can detect it quickly enough, you have a better chance of containing the breach or at least mitigating it quickly," she says. "The bottom line is to make sure you can detect it and make sure that for however long it takes you to detect things on average, your logs go back at least that far."
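Widup's closing advice can be turned into a concrete check: measure how long detection actually takes and compare it with how far back your logs reach. The script below is an added example, not code from the article or from Verizon; the incident records are constructed, and the retention policy value passed to it is an assumption.

```python
from datetime import date
from statistics import mean

# Constructed sample incidents (not DBIR data): when each breach began and
# when it was detected, for both external and internal actors.
INCIDENTS = [
    {"actor": "external", "began": date(2013, 1, 3),  "detected": date(2013, 3, 15)},
    {"actor": "external", "began": date(2013, 2, 10), "detected": date(2013, 2, 24)},
    {"actor": "internal", "began": date(2012, 11, 1), "detected": date(2013, 4, 2)},
    {"actor": "external", "began": date(2013, 3, 5),  "detected": date(2013, 3, 12)},
    {"actor": "internal", "began": date(2013, 1, 20), "detected": date(2013, 5, 1)},
]


def detection_lags(incidents):
    """Days from first malicious action to detection, regardless of actor."""
    return [(i["detected"] - i["began"]).days for i in incidents]


def retention_coverage(incidents, retention_days):
    """Compare a log retention policy (in days, an assumed value) against
    observed detection lag. An incident is 'covered' when the logs from its
    first day were still retained on the day it was detected, so the whole
    timeline can be reconstructed."""
    lags = detection_lags(incidents)
    covered = sum(1 for lag in lags if lag <= retention_days)
    return {
        "mean_lag_days": mean(lags),
        "max_lag_days": max(lags),
        "covered_fraction": covered / len(lags),
        # The article's rule of thumb: retention must cover at least the
        # average time to detect.
        "retention_ok": retention_days >= mean(lags),
    }


if __name__ == "__main__":
    for policy in (60, 90):
        print(policy, "days retention:", retention_coverage(INCIDENTS, policy))
```

Note that meeting the average still leaves the slowest-detected incidents (here the insider cases) only partly reconstructable, which is why the function also reports the worst-case lag and the covered fraction.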


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

5/29/2013 | 1:52:25 PM
re: Should Insiders Really Be Your Biggest Concern?
Just stumbled on this write up, Ericka. When I read the report I thought the comments about people who worry more about insider threats were speaking directly to me. On the other hand, I understand the position they are in. One can only address what one can measure. There is hard data about the external threat. Insider threat is much harder to size up. You can look at damages for well known insider breaches that have hit the public eye (SocGen, San Fran, etc.) or even potential damages for near misses (Fannie/Freddie). But the sad truth is most don't report these breaches to avoid damages to reputation. So investments in preventative security measures like identity & access management or privileged account management are justified through compliance, efficiency, or connected to specific events never revealed to anyone. There is likely a huge insider threat risk to mitigate that isn't being well measured and would far outweigh all of those things, though.