Monday, March 19, 2007

Insider Threats

It seems to me that over the past year or two there's been a refocus on the "insider threat" against your network within the infosec trade press as well as the general infosec product space. I recall reading in the CSI/FBI Survey that in 2000 the Internet overtook internal systems as the most frequent source of attacks against networks. I can't fathom that that statistic has reversed, what with the number of SQL Slammer, SSH & VNC scans, etc. that constantly fill up my firewall logs. It begs the question, then, why refocus on insider threats? There could be a number of explanations, including the fact that everybody who is going to buy a firewall has bought one. But I think it's a mixed bag of good news and bad news.

The good news is that we've gotten better at border security. The number of remote-root exploits found drops each year. Mass-infection worms like CodeRed and Sasser are fast becoming a memory for most corporate network admins. Microsoft operating systems and most Linux distros automatically patch themselves now. But none of this addresses the problems you have by giving people passwords, so the "insider threat" still applies to you. Dang. Now you need to search everybody's e-mail and web traffic for corporate secrets being leaked. Or something. Anyway, that is the good news - we don't totally suck at security anymore.

Here's the bad news - your internal users are still not your biggest threat. It's still the Internet. It's spyware and adware and spam and bots and all of that crap that you can't block with firewall rules. Your users are still bombarded with this stuff constantly via e-mail and web sites, services that you can't turn off. And the malware authors have turned AV into an arms race - changing their software daily if need be to stay ahead of signature updates.

My point is that insider threats, while real, are a distraction. Addressing attacks from the inside of your network is now easier than addressing the new external threats effectively. And that's why people are focusing on it. It's not the biggest battle you face right now, but it is the one you have the best chance of winning.

