Alex Hutton

About

Hi. This is my personal weblog. I also write at:

http://www.newschoolsecurity.com
http://securityblog.verizonbusiness.com


    The “Insider Statistic”, Good Data, & Risk

    OR, IT REALLY IS ALL ABOUT PII

    One of the most hallowed statistics quoted by consultants and analysts alike is what I like to call the “Insider Statistic”. You know the one - a few years back somebody, somewhere, released a study that said 60% (I’ve seen it quoted as high as 80%) of all attacks come from the inside. I’m not even going to bother going into the history here, as I don’t feel like spending 20 minutes Googling for the source.

    Now every.freakin’.time I’m in some meeting room somewhere and somebody brings that one up, it’s used to justify controls to reduce the probability of a technically sophisticated attacker inside the perimeter who intends harm. I always wonder whether it matches reality. There are so many variables to consider that I always wondered what the “catch” was. Now I think I know.

    DATA BREACH DATA IS GOOD TO HAVE

    In case you missed it, Chris and Adam from http://www.EmergentChaos.com gave a talk on data breach information. The .pdf of the Keynote is here. Have a look, they rock the mic.

    What struck me is found on slide 27:

    Slide 27 is a report of data breaches involving PII in 2006. Now this is a limited sample size, but I believe it’s big enough to help us understand our state of nature. Take a look at that middle row there, the one labeled “Insider Abuse or Theft”. Note the % of insider incidents that involved PII.

    Now, Adam says in a follow up post, It’s Not All About Identity Theft:

    Data breaches are not meaningful because of identity theft.

    That is, there is more purpose to our ISMSes than prevention of Identity Theft alone. However, let me posit something here based on Tuesday’s post about the impact of compliance on risk:

    Compliance to External Risk Tolerances (PCI) and Government Breach Reporting Laws *DO* make it significantly about Identity Theft.

    At least for those of us who understand risk, probability, and loss, and who also happen to face these pressures. Because of the probable impact regulations have on the incident “market”, we are starting to see funny trends in our risk studies. At RMI, we’re no longer surprised when, in incidents we study using FAIR, the sum of probable loss due to Fines & Judgments far exceeds the sum of the other five forms of loss an organization can incur (productivity, response, replacement, competitive advantage, and reputation).

    BACK TO THE INSIDER STATISTIC

    So what does this have to do with that Insider Statistic? Well, clearly we’ve got somewhat conflicting data, or at least conflicting terminology. One study suggests that 60% of all “attacks” are insiders, but this new data suggests that fewer than about 5 out of 1,000 breaches of identity are due to insiders with criminal intentions. Add to that information my priors - that fines & judgments due to compliance greatly increase the amount of probable loss an organization can expect in one of these events - and…

    via crunchgear

    FUZZY TERMS, PRAGMATISM, AND WHERE DOES MY RISK REALLY LIE?

    Jack pointed out yesterday that there are issues we face as a profession when we try to really understand our risk. I’m guessing that our canonical insider % number plays fast and loose with “incident” and “attack” definitions, but the data from Adam & Chris helps us be more specific about what matters. And let’s be pragmatic about it. What matters here is loss (remember our three categories for metrics: reduction of risk, reduction of loss, or operational efficiency).

    If 60% of attacks come from the “inside” then I’m thinking that those really are not worth me focusing 60% of my risk reduction efforts on, as Adam & Chris’ data supports the proposition that insiders are not causing loss through malicious intent to misuse PII. Adam & Chris are suggesting that our policies about where PII goes are either weak or difficult to enforce, and that the overwhelming majority of incidents are due to simple stupidity. Add to this the fact that my priors are screaming at me that loss due to PII is now the significant form of loss facing IT risk professionals, and I think we can say that perhaps there is significant risk from insiders, but not the way we often (mis)use the “Insider Statistic”.

    Of course, that’s not to say that there aren’t outliers. You can find yourself in a heap of trouble thanks to what we used to call the “Chad gone Bad” scenario (a homage to a small F.I. whose network was at the mercy of one particular admin who was kind of a single point of failure).

    But the data is there for us to interpret.

    YOUR DECISION MAKING

    Put it this way: Let’s say you’ve been blessed with $100,000 to spend on reducing risk and/or loss. Based on Adam & Chris’ information there, are you going to spend that on internal IDS to catch that dastardly “Chad” or encryption for data at rest? Where does your risk lie?
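    As an added illustration (not part of this post), here is a small FAIR-style comparison of those two spending options. The six loss forms are the ones named above and the source proportions follow the reading of the 2006 data above; the incident counts, dollar figures and control effectiveness values are constructed assumptions, not data from any study.

```python
from dataclasses import dataclass, field

# Simplified FAIR-style model (added example): annual loss for a threat source
# = expected incidents per year x sum of the six loss forms the post lists.
LOSS_FORMS = ("productivity", "response", "replacement",
              "fines_judgments", "competitive_advantage", "reputation")

@dataclass
class ThreatSource:
    name: str
    incidents_per_year: float                  # expected PII incidents/year
    loss_per_incident: dict = field(default_factory=dict)  # form -> dollars

    def annual_loss(self) -> float:
        return self.incidents_per_year * sum(
            self.loss_per_incident.get(f, 0.0) for f in LOSS_FORMS)

# Constructed scenario (illustrative numbers): ten PII incidents a year, split
# the way the post reads the breach data, with fines & judgments dominating.
SOURCES = [
    ThreatSource("malicious_insider", 0.05,    # ~0.5% of breaches
                 {"response": 50_000, "fines_judgments": 400_000, "reputation": 100_000}),
    ThreatSource("insider_error", 9.75,        # the "simple stupidity" majority
                 {"response": 20_000, "replacement": 5_000, "fines_judgments": 200_000}),
    ThreatSource("external", 0.2,
                 {"response": 40_000, "replacement": 10_000,
                  "fines_judgments": 300_000, "reputation": 100_000}),
]

# Candidate controls: fraction of each source's annual loss the control removes.
# Effectiveness figures are assumptions made for the sake of the comparison.
CONTROLS = {
    "internal_ids": {"malicious_insider": 0.6},
    "encryption_at_rest": {"insider_error": 0.7, "external": 0.3},
}

def loss_avoided(sources, control) -> float:
    """Annual loss removed by one control, summed across threat sources."""
    return sum(s.annual_loss() * control.get(s.name, 0.0) for s in sources)

def rank_controls(sources, controls, budget) -> list:
    """(control, loss avoided per year, loss avoided per budget dollar), best first."""
    rows = [(name, loss_avoided(sources, eff), loss_avoided(sources, eff) / budget)
            for name, eff in controls.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for name, avoided, per_dollar in rank_controls(SOURCES, CONTROLS, 100_000):
        print(f"{name:20s} avoids ${avoided:,.0f}/yr  (${per_dollar:.2f} per $ spent)")
```

    Under these assumptions the $100,000 spent on encryption at rest avoids roughly a hundred times the annual loss the internal IDS does, because the loss sits with the error-driven majority rather than with “Chad”.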

    INSIDERS ARE DANGEROUS, JUST NOT IN A CONVENTIONAL “ATTACK”

    So the next time someone whips out the “Insider Statistic” on you, remember our discussion! You can either suggest that, really, some 98% of all PII incidents are caused by insiders, or suggest that less than 1% of all incidents happen when insiders “attack”.


    (via RiskAnalys.is)

    July 05, 2007, 6:40am