Saturday, July 28, 2007

Insider Attacks, Trust but Verify

For those security ostriches out there who are convinced that internal networks are perfectly safe, and that firewalls keep the bad guys out, this ComputerWorld article is yet another example of an insider stealing sensitive data. Worst of all, this is a very trusted individual (a database administrator). Time to turn to proper risk management.

The impact of this sort of attack can be huge, but I suspect the likelihood of this risk is low, or we wouldn't be hearing about it in the news (to shamelessly quote Bruce Schneier: "I tell people that if it's in the news, don't worry about it. The very definition of 'news' is 'something that hardly ever happens.'"). Think too of the cost/benefit equation for the threat source. So the risk is probably low; there are almost certainly bigger fish to fry in corporate America than distrusting DBAs and System Admins.

Low risk doesn't justify much security spending if you look at this risk alone. But considering a number of related risks, there's a business case for employing security controls in a layered fashion to reduce risk in aggregate across those related risks. Controls might include background checks on employees, centralized logging with separation of duties and good monitoring, and blocking peer-to-peer network communications. For really sensitive data, maybe more intrusive controls make sense.

But information security professionals should consider the whole equation. An oppressive culture of distrust of highly paid techies is intuitively going to be bad for productivity and personnel retention. Is that worth it (or even necessary) given the likelihood and risk?