Insider Threats as “Fear du Jour”

28 Dec 2005
There is an irritating new trend starting to surface in security marketing. I feel a need to rail against it because I believe it to be not only immoral, but destructive to business. This new trend is viewing one's colleagues as literally the enemy. For example, several major industry publications have recently run articles about the growing threat of "the enemy within," sometimes citing a new IDC report (which thankfully does not itself use that wretched phrase) on what that analyst group calls the “outbound content compliance” market segment.

There is an actual problem here: the problem of insider threats. That threat is also changing in some ways that are concerning. There are a lot of good companies working on this problem, however, and we"re partnering with the market leaders. But as cynics like me have noted, the best lies are half-truths. There are three types of lies: lies, damned lies, and statistics, and let's face it: according to urban legend, 80% of all statistics are made up ad hoc.

What"s the real insider threat?
Let's examine what"s going on in this new trend and what the real threats are.

Insider threats are a genuine problem. In fact, the insider threat is probably the most difficult problem because of the privileged, trusted position insiders hold. The first time I wrote about insider threats was in the late '90s. Even then, there was a superficial understanding of the subtleties of the issue. At the time, a statistic tossed around claimed that 70% of all attacks were made by insiders. I also heard the same claim using numbers as low as 60% and as high as 80%. It sounds like that statement means something, but exactly what is hard to see at first. To understand why, let's conduct a thought experiment.

Let's imagine that we install something on our network I'll call God's Firewall. God's Firewall is the perfect perimeter device. It stops all the bad guys. It lets in all the good guys. It works with all VPN clients, and even with mental telepathy. It can also prevent mistakes. If a good person is going to do something stupid, it keeps that from happening.

After we install God's Firewall, what happens to that 70% statistic?

What's the rate of insider attacks? Why, it's 100%. This answer seems counterintuitive until you think about it: Once you've stopped all the attacks coming from the outside, the only ones remaining are the ones from the inside. By itself, the 70% figure is nearly useless. What it does tell us, however, is that we need better a better firewall.

Reasoning from meaningless statistics can produce even more meaninglessness. For example, the 2005 CSI/FBI Computer Crime and Security Survey tells us that 80% of respondents reported security incidents involving insider abuse in 2004 (up from 64% in 2003). Sounds bad, doesn't it? But if you think about it, this is precisely what you'd see if there were an improvement in perimeter defenses. There would a higher proportion of insider attacks. (I also note that the actual rate of estimated insider problems hasn't changed since the dot-com days.)

There are, however, other reasonable hypotheses for this change in reporting. Here are a few:

• More people were looking for internal threats in 2004 than 2003.
• More people were reporting internal problems in 2004 than 2003.
• There are actually more insider problems.

If we want to know which of these are occurring, we need more information. Fortunately, IDC gives us some: For example, gross income from outbound content compliance systems was up by 49% in 2004 (compound annual growth). We also know that breach disclosure laws in California and 21 other states (as of this writing) are forcing reporting of incidents that were previously not reported. This information tells us that the real explanation is most likely some combination of more introspection and enforced reporting. The facts on the ground actually support every hypothesis except a growth of "enemies within." You'd expect 49% growth in spending to lead to more detection, and the growth in reporting was only 25%, from 64% to 80%. So there is even evidence to argue that insider threats are actually decreasing. But in reality, we simply don't know because there isn't enough hard evidence.

That doesn't mean there aren't threats from within. It just means there's no evidence they are worse now than they were last year.

IDC's 2004 Security Survey said that 31% of all respondents had terminated an employee for violating security policies. Given the foregoing information, however, 31% doesn't sound so bad. That means 69% of respondents terminated zero employees despite 49% greater spending and mandated reporting. The bottom line is that you do need content compliance. With more compliance regulation, there are more ways for a company to run afoul of more regulations and your customers and partners have increased expectations.

Furthermore, a number of the insider attacks are actually outsider ones that outbound content compliance can catch. For example, most of this year's email viruses are not merely creating trouble, but are turning infected computers into spam-sending, fraud-enabling zombies. Outbound content compliance can confirm that you're infected and correct problems, but that's not an enemy insider, that's a suborned insider. The enemy is the outsider who is using your resources, not the person whose computer is infected.

Background Reading
Eazel, William, “Firms face growing IT security danger from the "enemy within"”, SC Magazine, December 1, 2005

“IT Security Turns Inside Out: Outbound Content Compliance Fuels Continued Market Growth, IDC Says,” IDC, November 30, 2005

Koprowski, Gene J., “Forecast: ID Theft by Insiders to Grow Dramatically in '06”, ECT News Network, November 26, 2005

Vijayan, Jaikumar, “Targeting the Enemy Within,” Computerworld, August 8, 2005