How real is the insider threat?
I am constantly amazed at how many norms or axioms there are in the information security field that are simply accepted and passed on to new recruits without real challenge or any attempt at falsification with data and/or logical argument. Examples include: internal IT is safer than outsourcing, physical servers are more secure than virtual, clear text transfers should be avoided at all costs, and the threat from insiders is greater than the external threat.

While there are nuggets of truth in each of these, and the answer is usually “it depends”, they are very rarely backed up by solid, statistically significant, non survey based evidence, and the thinking has not been updated to keep up with industry trends and innovations in information security. They also seem to be passed on from one CISSP (talk about a relic that belongs in the 1970’s) to another without really being challenged. I have discussed some of them, such as cloud computing, virtualization and transport security, in previous posts; in this post let’s examine the last one: how real is the insider threat?

Quick plug: the methodology I am going to use to examine and contrast the insider vs. external threat is the one used in the Simple Security Risk Assessment application. The application will be in beta test in November 2010 (fingers crossed), so if you like how it breaks a risk assessment down into logical steps and would like to participate in the beta, direct message me. The application will be turn-key, zero setup and easy to use. It will allow you, via a web browser or mobile, to plug in values for the elements I discuss below and to report on and export the overall inherent and residual risk.

The data problem

I have commented previously that the lack of high quality data is a major barrier to performing effective information security risk assessments. This is because of:

Quantity – there is just not enough security incident and impact data publicly available, mainly due to the lack of regulation requiring it. Data breach reporting in many countries and most US states is making some headway, but it is still not mandated globally in a uniform manner. Additionally, even where it exists, it is relatively new so the dataset is small so far, and compliance is an issue, with get out of jail clauses that let corporate lawyers wriggle out of disclosing security incidents, e.g. no need to report if the laptop or removable media was encrypted.

Quality – much of the data that is available is survey based. This has very little value in my opinion. Even the wisdom of crowds argument does not work here, mainly because the supposed experts surveyed, usually CISOs/CIOs, do not have the systems, processes and people to accurately measure the number and impact of security incidents, especially where the impact plays out over the medium to long term, i.e. they fail the accurate private information criterion of the wisdom of crowds. The other three criteria, sufficient size (which depends on the study but is rarely over 300), independence and diversity, are also in question because those surveyed tend to attend the same conferences, read the same material and subscribe to the same norms, such as insiders being the greatest threat. Analyst opinions from Gartner or Forrester, or “studies” conducted by consulting companies, are worse, as they have even less real world experience and data to go on.

Even studies like the Verizon data breach report, which is supposedly based on data from the incidents they assist with, I am suspicious of because:
  • It is limited to the incidents they get called into (hardly a random sample). The organizations calling in Verizon would typically be large companies that have suffered a major breach, have given up on keeping the clean-up completely in-house and put up the white flag for help
  • Limitations in measuring the medium to long term impact on the company, i.e. it still can’t really measure the 2, 3 or 5 year impact, and it is still dependent on the organization’s systems and processes being able to accurately capture the costs directly and indirectly related to the incident and isolate them from other factors (e.g. how do you isolate the share price impact of the incident from everything else that affects the share price?)
  • The raw data and measurement methodology are “confidential” and therefore not published for any peer review and challenge

This is why, even with the limitation of only containing publicly available information, I like sources such as datalossdb. The sooner governments around the world mandate the reporting of all security incidents and standardize and normalize a methodology for impact assessment, the better our industry will be. Only then will we be able to perform real risk assessments, enable businesses to get a better Return on Security Investment (RoSI) and measure Risk Reduction on Security Investment (RRSI) more accurately. For example, compare security risk assessment to a life insurer or a road safety planner evaluating an accident black spot: there is just so much more historical data available to them.
[Chart from datalossdb: incidents by source – note how large the hacking and stolen laptop categories are]

Many people will argue that despite data from sources such as datalossdb there are many more insider caused incidents that companies simply do not know about. Let’s consider the logic of this: I do not doubt that there are incidents such as TK Maxx where the attack continued over a two year period without the company’s knowledge. However these would have to be a significant minority, otherwise every day we would hear about incidents that started two years ago as they came to light. If the undiscovered incidents are so much smaller that they do not cause significant financial and/or reputational damage, do we really care? Should they really factor into our question of whether the insider threat is actually greater than the external threat? Remember that high probability x low impact is not the same as low (or even medium) probability x high impact, i.e. in numbers: 80% x $1,000 = $800, 2% x $1,000,000 = $20,000. Consider also that two of the largest incidents to date, TK Maxx and Heartland Payment Systems, were caused by external attackers, not insiders.

The risk assessment

For the purposes of this paper I will use the following definitions:

Insider – basically the organization’s staff, whose key characteristics are:
  • Physical access to the organization’s buildings and/or full remote access to the corporate/office network
  • An employment contract
  • Hired via a recruitment process, e.g. including interviews, background and reference checks, qualification checks
  • Have a staff manager in the organization
  • Have legitimate logical access to the organization’s systems to be able to perform their role

External attacker – basically the negation of the points above. External attackers include: organized crime, hackers/crackers, competitors, activists, foreign or domestic governments (yes, it is not just China or Russia that wants your info, and you can bet that the US government can already see the Blackberry messages that India and the UAE are asking for) and the press. Malware is not in this list as it is seen as a tool used mainly by organized crime and hackers/crackers.

Fluctuating users – users that fluctuate between the two other types, e.g. contractors, outsourced partners including staff of cloud vendors, cleaners, receptionists, repair company staff, auditors, consultants, staff of partner organizations, staff of joint venture companies, even staff belonging to group centre or a vastly different business unit. In this case I would suggest you take the higher risk of either the insider or the external attacker.

Threat agent factors:

Motive and ability to rationalize:

Arguments for high insider motivation:
  • Crime of opportunity – insiders are more likely to see opportunities to exploit a weakness for fun and profit
  • Too good to miss – there may be companies or situations where the payoff for the security incident outweighs the loss of the annuity that is your career income, e.g. grab those few million pounds and kick back on a beach in Jamaica
  • Drugs, sex and gambling – the usual suspects for why people do bad things
  • Pressure from organized crime – usually due to one of the above
  • Curiosity – killed the cat?
Ability to rationalize:
  • No one gets hurt – being typically white collar, it is seen as a victimless crime
  • They will never even realize – related to the first
  • Pay back for greedy corporates that only care about profit
  • The disgruntled postman – they deserved it, spite etc.
Arguments for low insider motivation:
  • The payoff for the security incident vs. the loss of the annuity that is your career income
  • Long term, repeated interactions and relationships reduce agency risk
  • Reputation in a small world – the world is surprisingly small, especially if you are not prepared to move away from your community, family and friends. If you are responsible for a security incident, even if you avoid the criminal and civil penalties it may be a serious career limiting move. That’s a major dampener on motivation
  • Related to the above point – do you want to be that guy in the local newspaper that lost his job for opening your boss’s email, or emailing that client list to your Gmail? What are your friends, neighbours and grandma going to think about that?
  • Criminal penalties – society’s minimum level
Also consider who most organizations hire as staff and their typical profile, e.g.:
  • Educated
  • Trained
  • Come from relatively better homes (follows from the first two points) – I don’t like it, it is just probability
  • Have at least a base of values, morals and ethics (follows from the first three points)
  • No prior criminal history – if the organization has performed a background check
  • Have good references
  • Pass the “smell test” and the “creep test” in a face to face interview

The attackers we care about, organized crime, hackers/crackers, competitors, activists, foreign or domestic governments and the press, all arguably have high motivation and the ability to rationalize attacking an organization’s systems and committing security breaches. Organized crime is obviously motivated by money, hackers/crackers by money and fame, competitors by money via competitive advantage, foreign and domestic governments by protecting national security, and activists and the press by getting a good story.

Means and opportunity: additional access and resources required (to cause damage):

Argument for low – insiders do not have to gain much more access and do not have to expend a large amount of resources (money and time) as they already have physical and logical access (which is at best what is required to do their jobs, at worst carte blanche)

Argument for high – purely anecdotal, but I have experienced the following three things which I believe challenge the above norm:
  • People tend to be interested in and know only their own little silo. Even if a user had been granted domain admin access they would probably be unaware of it. I know this sounds like security through obscurity but it does factor into probability. The people that legitimately have admin access are typically a very small number in the organization (e.g. in a 5,000 person org, 10-20, which is 0.2-0.4%). This is important when calculating the overall likelihood of an insider committing a security breach
  • Authorization, especially for application access, does tend to be least privilege. Especially in areas such as finance, payroll and payments/settlements, where arguably the greatest opportunity for fraudulent security incidents exists, there tends to be strong segregation of duties and the four eyes principle applied. Therefore, for most users to cause a security incident that benefits them, especially financially, arguably requires them to gain more access than they currently have
  • Information search difficulty – having run Data Loss Prevention (DLP) programs involving scanning terabytes of share drives in an attempt to find unsecured sensitive information, I can attest that finding the most sensitive information is not as easy as it seems. Again, insiders would generally need to gain more access than they have as standard to do any real damage

Overall: high additional access required – physical barriers and logical network barriers, including authentication and authorization, need to be breached, and resources in terms of time and money need to be expended to overcome them.

Size and skills of threat agent group

Insiders: for most organizations this has to be low, especially, as I was saying above, if you consider the subset of potential internal attackers with both a high motive and the access required. If you are a larger organization this may be medium, but relative to the potential number of external attackers it cannot be high. Another factor is that typically an insider works for only one or two organizations at a time, therefore the scale of attack and the probability of a successful return are severely limited.

External attackers: overall high. Even discounting additional access required as high, virtually anyone who wants to make some money and has access to the internet is a candidate. Additionally, like cold calling, external attackers can fail a large number of times and succeed only a few times and still profit; examples of this in action are phishing emails and malware that simply looks for unpatched machines on the internet to recruit into botnets. Even though recently there is what I think is an over-rated emphasis on targeted attackers, I would still wager that the vast population of external attackers who attempt to compromise security for profit take a trawler-like approach and cast a wide net, rather than the spear phishing tactic. This is simply for the reason of effort for return. A simple bit of self replicating malware that asks an infected user to pay for removal or calls a number of premium rate numbers (mobile malware), a billion spam emails selling penis extensions, or a million computer botnet that can be rented out still has a much higher probability of even a small return than a specific targeted attack that is costly to engineer and has only a limited chance of success, i.e.:

1,000,000,000 (targets) x 0.1% (probability of success) x $10 (return per success) -  60 hours x $100p/h = $9,994,000 (potential return)
1,000 (targets) x 75% (probability of success) x $10,000 (return per success) - 2000 hours x $100p/h = $7,300,000 (potential return)

I realize this is the opposite of my scale of incident argument but it is the pure scale of targets that makes this different.

Vulnerability factors

I am going to consider the ease of discovery, ease of exploit and perceived fear of detection for social, process and technical vulnerabilities, for internal and external attackers.

Social vulnerabilities

Internal users know the people and are trusted, therefore social vulnerabilities should be easier for them to discover and exploit. The argument against this is that it is still limited by your own network and immediate silo; many would-be attackers are not trained conmen or pathological liars, nor have the confidence the Blackhat attackers recently showed, to carry out a social engineering attack. Internal attackers also have potentially more fear of discovery: they can be looked up on the org chart, you can check their title and see if they are really from IT, and you can always just drop a note to their manager or ask their colleagues.


External attackers on the other hand are usually shooting blind, therefore it is a lot harder for them to discover social engineering opportunities (although the usual suspects of secretaries to the CEO/CIO are not a bad way to go; similarly a guessed address is not a bad approach for email targeting). Arguably though, as shown by the success of the Blackhat attackers, they have more skills and training in social engineering, making them more likely to succeed. Also they will not have much fear of detection, again because they are targeting a large number of potential victims.

Internal attackers are far more likely to know of process weaknesses and failures. This is especially the case if you perform part of the process, if you do more than one critical control task and so breach SoD, and if you work in a higher opportunity area, e.g. Finance. This is why the profile of most people that commit fraud is an employee of 7 years working in the finance department. However, again there is the limitation of silos and fear of the unknown checks and balances. Where fraudulent trading has been successful (e.g. the NAB FX losses of around A$360 million, or the SocGen fraud) there has been a perfect storm of failures: typically the trader had more access than they needed due to shared passwords or a poor movers process (SocGen), or exploited a technical weakness and got lucky that the middle office and back office, due to some confusion, had stopped doing their usual checks and balances (NAB). You can always get lucky, but the notion that internal attackers know the whole process is a myth. How companies wish their employees knew more of the end to end process, including the checks and balances!

External attackers would find it difficult to discover and take advantage of process weaknesses. They would, however, not be fearful of detection.

Technical vulnerabilities

External first this time, just to check you are still awake. Argument for: external attackers have more skills, more time and more tools to exploit technical vulnerabilities. External attackers are however limited in their discovery by physical and logical access controls, although the physical part is especially questionable to me: e.g. how hard is it to come into an organization dressed as a photocopier repair man and plug in a laptop (of course they don’t have NAC)? Alternatively, call in a bomb alert and go in via the open fire escape door. So many computers are left unlocked; a few hardware key loggers on anyone on the top floor who has an office with a Cxxx title, and you are set.


While there is no doubt there is a proportion of potential internal attackers who have the skills, time and tools, they would again be vastly outnumbered by those lacking one or more of these. Internal attackers do have more opportunity to discover vulnerabilities (due to their physical and logical access and the general lack of segmentation in most organizations beyond an Internet DMZ). That said, there are plenty of free and easy to use tools that make both discovery and exploitation easier once you have some access, e.g. Metasploit. You can also use Google and IRC to have a custom exploit coded for you for a fee, i.e. the freelance malware developer economy.

Controls and mitigating factors

I am going to consider the control design, effectiveness and coverage for people, process and technical controls, for internal and external attackers.

People controls

There are some relatively good people controls against internal attackers; these primarily include the HR hiring checks described under motivation, supervision, physical proximity to other colleagues etc. Potential internal attackers have a far greater fear of detection, and even if they succeed, colleagues who know them well could question their lifestyle or personality change, increasing the risk of getting caught. There is also benefit from soft controls such as security awareness delivered to managers (i.e. what to look out for), as well as ethics built into the corporate culture.

Almost no people controls apply to external attackers.



Process controls

Process controls such as reconciliations, approvals, checks and balances and segregation of duties are highly effective when applied to internal attackers. Most companies also tend to put more value on these and have more of them relative to technical controls, simply because they tend to be built into processes as they develop and are often checked by auditors/regulators, e.g. manual journal entries are approved, HR staff are segregated from payroll staff.

Virtually all process controls except segregation of duties also apply to external attackers.


Technical controls

Authentication, network access and physical controls are largely ineffective against internal attackers, as nearly all of them already pass these legitimately. However authorization, encryption, logging, vulnerability management and anti-malware controls are all still effective.

External attackers, on the other hand, do have to get past authentication, network access and physical controls.


Obviously I have made some generalizations in the above analysis, and specific “except for” and “it depends” examples can be provided, but the purpose of this paper was to compare at a high level the real risk of insiders vs. external attackers. I hope I have illustrated that while insiders have more access, they are arguably less motivated, less skilled at intrusion and have more fear of detection, as they have a lot more to lose if they do get caught. They also do not have that much greater opportunity to take advantage of vulnerabilities. People and process controls are also more applicable and effective as mitigations against insiders.

Interestingly, I plugged my above thinking into the Simple Security Risk Assessment model (which is a simple weighted average model based on the OWASP risk assessment methodology); the conclusions were not completely what I hoped for, but they are probably accurate. External attackers have a higher inherent risk as they are more highly motivated, have greater skills and resources and are larger in number. However controls also have a greater impact on them (assuming you have many of the process and technical controls in place), therefore insiders have a slightly higher residual risk. I still believe that the security norm/axiom that the far greater threat is from insiders is false; both types of threat are about equal risk for different reasons, with insiders having a slight edge.
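To make the mechanics of that kind of scoring concrete, here is an added example of an OWASP-style likelihood calculation for the two threat agents discussed above. This is not the Simple Security Risk Assessment application and not the author’s code; it is a self-contained re-creation of the public OWASP Risk Rating Methodology (eight likelihood factors scored 0-9, averaged with optional weights, bucketed into LOW/MEDIUM/HIGH and combined with impact). The factor scores for the insider and external profiles, the point-reduction model for controls and the control reductions are my own encoding of this post’s qualitative ratings and are assumptions, not measured data.

```python
"""OWASP-style likelihood scoring for insider vs. external threat agents.

Added illustration: this is NOT the Simple Security Risk Assessment
application described in the post, just a self-contained re-creation of the
public OWASP Risk Rating Methodology it says it is based on. Eight likelihood
factors are each scored 0-9, averaged (with optional weights), bucketed into
LOW / MEDIUM / HIGH and combined with an impact rating. The factor scores
and control reductions below are my own encoding of the post's qualitative
ratings (an assumption, not measured data); change them to your situation.
"""

# OWASP threat agent factors
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
# OWASP vulnerability factors
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit",
                 "awareness", "intrusion_detection")
FACTORS = THREAT_AGENT + VULNERABILITY


def likelihood(factors, weights=None):
    """Weighted average of the eight OWASP likelihood factors.

    Each score runs from 0 (hard / rare / well defended) to 9 (easy / common /
    wide open). A missing factor raises KeyError on purpose: a silent default
    would hide a gap in the assessment.
    """
    weights = weights or {}
    total = 0.0
    weight_sum = 0.0
    for name in FACTORS:
        score = factors[name]
        if not 0 <= score <= 9:
            raise ValueError(f"{name} must be between 0 and 9, got {score}")
        w = weights.get(name, 1)
        total += w * score
        weight_sum += w
    return total / weight_sum


def rating(score):
    """OWASP buckets for a 0-9 score: <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# OWASP overall severity matrix, keyed (likelihood rating, impact rating)
SEVERITY = {
    ("LOW", "LOW"): "NOTE",    ("MEDIUM", "LOW"): "LOW",       ("HIGH", "LOW"): "MEDIUM",
    ("LOW", "MEDIUM"): "LOW",  ("MEDIUM", "MEDIUM"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH",
    ("LOW", "HIGH"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}


def overall_severity(likelihood_score, impact_score):
    return SEVERITY[(rating(likelihood_score), rating(impact_score))]


def residual(factors, controls):
    """Residual factors after controls: each control knocks points off the
    factor it acts on (e.g. segregation of duties lowers 'opportunity'),
    floored at 0. This point-reduction model is an assumption of the example."""
    out = dict(factors)
    for name, reduction in controls.items():
        out[name] = max(0, out[name] - reduction)
    return out


# Constructed profiles encoding the post's qualitative ratings (assumptions).
INSIDER = {"skill_level": 3, "motive": 3, "opportunity": 3, "size": 2,
           "ease_of_discovery": 5, "ease_of_exploit": 4,
           "awareness": 6, "intrusion_detection": 2}
EXTERNAL = {"skill_level": 7, "motive": 8, "opportunity": 4, "size": 9,
            "ease_of_discovery": 4, "ease_of_exploit": 6,
            "awareness": 3, "intrusion_detection": 8}
# People/process controls bite mainly on insiders; authentication, network and
# physical controls plus logging bite mainly on externals (assumed reductions).
INSIDER_CONTROLS = {"opportunity": 1, "ease_of_exploit": 1, "intrusion_detection": 1}
EXTERNAL_CONTROLS = {"opportunity": 3, "ease_of_discovery": 2,
                     "ease_of_exploit": 3, "intrusion_detection": 3}


def compare(impact_score=7, weights=None):
    """Inherent and residual likelihood for both agents at a given impact."""
    result = {}
    for label, profile, controls in (("insider", INSIDER, INSIDER_CONTROLS),
                                     ("external", EXTERNAL, EXTERNAL_CONTROLS)):
        inherent = likelihood(profile, weights)
        resid = likelihood(residual(profile, controls), weights)
        result[label] = {
            "inherent": inherent, "inherent_rating": rating(inherent),
            "residual": resid, "residual_rating": rating(resid),
            "residual_severity": overall_severity(resid, impact_score),
        }
    return result


if __name__ == "__main__":
    for label, r in compare().items():
        print(f"{label:8s} inherent {r['inherent']:.2f} ({r['inherent_rating']}) "
              f"residual {r['residual']:.2f} ({r['residual_rating']}) "
              f"-> {r['residual_severity']}")
```

With these assumed scores the insider comes out at 3.5 (MEDIUM) inherent and the external attacker at 6.125 (HIGH); after controls both land in MEDIUM, with the external still ahead but the gap narrowing from about 2.6 to about 1.6 points, because nothing in the controls touches the externals’ size and motive. Whether that ranking flips depends entirely on the weights and reductions you choose (pass a `weights` dict to `compare` to try a weighted average), which is the point of writing the model down: the inputs are arguable in the open instead of buried in an axiom.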

Hopefully this paper has given you some food for thought and made you want to challenge some of the assumptions in our industry.
