LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-23-2004, 01:11 PM   #1
iainr
Member
 
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Rep: Reputation: 30
Attacks : 80% from the inside?


In
this thread
I questioned the idea that 80% of computer attacks are from internal sources and asked if there was a reliable source for this oft-repeated claim.

If you include accidental actions that result in a breach of security (e.g. user clicking on .exe attachment in email) then the 80% figure is easy to justify; but I always got the impression the claim was that 80% of attacks originated from inside the perimeter, rather than 80% were allowed to succeed by the carelessness/poor education of people inside the perimeter.

This is quite important because one of the questions when securing environments of any size is to what extent you trust your users and administrators. Most organisations end up giving a lot of trust to a lot of internal people, simply because it's easier.

If most attacks originate from inside the organisation then minimising that trust is a sensible policy. Sure, you need to educate people too, but educating criminals won't do much to stop them committing crimes : if they know more about your security setup it might even help them.

If insiders are merely unwitting dupes who permit external attacks, or accidentally break things, then education and training might be more appropriate. You'll want to use compartmentalisation as well, but you'd probably put more emphasis on education; especially as compartmentalisation of administrators is complex, expensive and can increase downtime (e.g. the right person isn't around to fix a problem).

So, which is it and what does the 80% figure really mean?

I have come across one firm bit of evidence which, whilst only indirect, does support the 80% figure as attacks originating inside. It applies to banks (i.e. large organisations where there is something worth stealing) and it relates to financial crime in general rather than computer crime.

The source is Ross Anderson's book "Security Engineering" (section 9.2.3).
Quote:
A recent [survey] by accountants Ernst and Young reports that 82% of the worst frauds in 1999-2000 were committed by employees; nearly half of the perpetrators had been there over five years, and a third of them were managers.
(Original source : D. Sherwin, "Fraud - the Unmanaged Risk", in Financial Crime Review v1 no. 1 (Fall 2000), pp67-69).

Can anyone else point me in the direction of hard information on this subject?
 
Old 04-25-2004, 08:43 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,310
Blog Entries: 54

Rep: Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860
I scanned a few from http://www.google.com/search?q=stati...insider+attack . Look at http://www.dciseries.com/documentati...ttacks_wp.pdf, http://www.systemdynamics.org/conf20...APERS/294.pdf, http://www.computercops.biz/article1507.html, http://www.chi-publishing.com/portal...Editorial.pdf, http://www.certconf.org/presentations/2003/Wed/WM3.pdf , they include some leads too. The two main problems are insider attacks going undetected and companies not exactly willing to submit 'em anyway.
 
Old 04-25-2004, 04:02 PM   #3
iainr
Member
 
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Original Poster
Rep: Reputation: 30
Thanks for the links. I've had a look at all of them and there's some very interesting stuff there - the last link is especially good.

On the issue of the proportion of insider attacks, I couldn't find any first-hand figures, but did find a number of figures quoted, including :

- InterGov : Insiders commit 80% of computer and inernet related crime, average loss of $110,000 per incident.
- Gartner : Insiders commit 70% of cyber attacks, cost $20,000 or more per incident.
- E. Eugene Schultz : Proportion of insider attacks is probably overrated (original 80% figure comes from 17 year-old FBI report, somewhat out of date now). However, still high.
- Pricewaterhouse Coopers and Computer Security Institute : 70-80% of attacks from insiders.
- Meta Group/IDC - 51% of attacks from insiders.

The message seems to be that whilst there is little agreement (probably due to differing methods of asking - e.g. do you include confirmed attacks or guess at the total of all attacks), insider "attacks" either accidental or on purpose, make up a high proportion of total attacks and any large organisation should not ignore it.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables inside client to inside host with outside DNS or IP - Help! linuxhelp2 Linux - Networking 1 10-15-2005 06:19 AM
htpd attacks plisken Linux - Security 3 04-18-2004 04:12 PM
Hack attacks? satwar Linux - General 2 07-03-2003 02:44 PM
IP attacks sundarrnathan Linux - Security 1 06-04-2003 05:33 AM
IP address attacks Smooth Linux - Security 7 06-01-2003 02:36 PM


All times are GMT -5. The time now is 02:03 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration