I questioned the idea that 80% of computer attacks are from internal sources and asked if there was a reliable source for this oft-repeated claim.
If you include accidental actions that result in a breach of security (e.g. a user clicking on an .exe attachment in an email) then the 80% figure is easy to justify; but I always got the impression the claim was that 80% of attacks originated from inside the perimeter, rather than that 80% were allowed to succeed by the carelessness/poor education of people inside the perimeter.
This is quite important because one of the questions when securing environments of any size is to what extent you trust your users and administrators. Most organisations end up giving a lot of trust to a lot of internal people, simply because it's easier.
If most attacks originate from inside the organisation, then minimising that trust is a sensible policy. Sure, you need to educate people too, but educating criminals won't do much to stop them committing crimes: if they know more about your security setup it might even help them.
If insiders are merely unwitting dupes who permit external attacks, or accidentally break things, then education and training might be more appropriate. You'll want to use compartmentalisation as well, but you'd probably put more emphasis on education; especially as compartmentalisation of administrators is complex, expensive and can increase downtime (e.g. the right person isn't around to fix a problem).
So, which is it and what does the 80% figure really mean?
I have come across one firm bit of evidence which, whilst only indirect, does support the 80% figure as attacks originating inside. It applies to banks (i.e. large organisations where there is something worth stealing) and it relates to financial crime in general rather than computer crime.
The source is Ross Anderson's book "Security Engineering" (section 9.2.3).
A recent [survey] by accountants Ernst and Young reports that 82% of the worst frauds in 1999-2000 were committed by employees; nearly half of the perpetrators had been there over five years, and a third of them were managers.
(Original source: D. Sherwin, "Fraud - the Unmanaged Risk", in Financial Crime Review v1 no. 1 (Fall 2000), pp. 67-69).
Can anyone else point me in the direction of hard information on this subject?