External threats are more numerous, but it is the targeted, knowledgeable hits from the insider that cause most harm.
Insider threats, the biggest security risk? That's a truism in the information security world, where 80 per cent of breaches are said to be perpetrated by insiders.
However, recent research plays down the insider threat, indicating that the majority of attackers are on the outside. The large size of botnets, and the amount of spam mailed by them, are evidence of this.
Each IP in a botnet represents a compromised PC – one successfully attacked from the outside. Recently, the take-down of McColo, and, more importantly, the removal of botnet command and control servers hosted there, produced a dramatic reduction in spam. We saw a drop of 60 per cent to 70 per cent when the pipes were cut on systems we monitor.
And this is where the insider versus outsider picture starts to get more complicated. McColo has shown that a lot of the external threats are down to relatively few players. Take out one mastermind, and a lot of attacks disappear – it is a single attacker being successful against weakly defended targets. When we view this from the perspective of a single target, the threat suddenly seems a lot less.
Thinking about threats in terms of inside versus outside isn't that useful. It is generally considered that insider threats have more impact, and this provides a clue as to what the significant aspects are.
Most external threats are the result of random “drive-by” attacks – a worm or botnet scanning for open ports, then testing to see if they can be exploited – or simply the mass mailing of a trojan downloader, or a link to some malware hosted on the website. This may be to gain access to a box to use those resources, perhaps to incorporate it into a botnet, or to deface a website, so that visitors to that website can be made to download malicious code. An insider attack is more targeted – an insider knows what information assets are available and where weaknesses in security systems may lie.
Perhaps a more important distinction is how targeted an attack is: whether it is aimed at a specific data asset, perhaps credit card details, or at specific vulnerabilities. Targeted attacks are more likely to have a bigger impact. So, whether an ‘insider' is an employee, contractor, or even visitor, the more knowledge they have, the more likely they are to succeed.
Which brings us to another significant factor, that the less well targeted, outsider attacks, are far more easy to defend against. There is a whole slew of easy-to-deploy off-the-shelf technologies that will stop them: from firewalls, intrusion prevention systems, email anti-virus and anti-spam, through to packages that check your application code before deployment.
They all help to close well understood, often exploited vulnerabilities.
However, the well-targeted attacks, based on inside knowledge, whether of system architectures, authentication credentials, or combining elements of social engineering, are harder to guard against.
But still, with a far greater number of untargeted attacks, the threat landscape is pretty well understood. So we can all rest easy, can't we?
Unfortunately, the threat landscape is about to change – and dramatically. The credit crunch is transforming into a full-scale global recession. Economic activity is collapsing. Sales are falling, and budgets are being slashed as companies batten down the hatches.
It's been a while since we last had such a recession and the world is a different place: we have the internet, complex information systems and the huge centralisation of data.
Where is your data? How many people have access to it? How easily can it be copied onto a flash drive or a BlackBerry? How many ways are there into it – VPNs, Remote Access, Software as a Service? And what will happen when all those people with that inside knowledge start to get laid off? With the likes of Citigroup making 50,000+ redundancies, it is a significant issue.
So, the insider threat of a targeted attack is the one to focus on. Perhaps there is a case for holding on to that information security budget...
Ian Castle, CISSP, is a senior consultant at information security consultancy ECSC