Friday, August 27, 2010
Verizon's Insider Threat
You've heard the pseudo-axiomatic bull-puckey that 80% of attacks are internal. As if this were universally true everywhere on Earth and everyone just "knows" this fact, like they know the hue of the sky.
Somewhere along the way (I was hearing this when I first got into infosec in the mid-90s) some government study came to this conclusion. Quite possibly the CSI/FBI computer crime surveys were at the root; I really don't know, and it really doesn't matter.
I'm not saying there isn't insider threat. Or that insider access increases the impact of successful attacks, thus increasing risk. I'm not even particularly disagreeing with 80%, because I'm sure there are cases where that figure is accurate.
But we as infosec professionals have to understand our own unique threats rather than blindly quoting some nearly urban-legendary statistic as if it applies everywhere.
Verizon's insider threat data, according to this article, lends some credence to the notion of insider threat being a big deal. Where bigness of deal varies from company to company. It also suggests that the problem--at Verizon, specifically--isn't as bad as the oft-quoted 80%.
Less interesting than the actual numbers, to me, is the fact that they collect these metrics in the first place. Do you? Should you? I think so. How do/would you go about it?
And at the same time remain mindful of the fact that we don't know what we don't know? I hate it when infosec professionals tell me, for example, "we've had xxx incidents this year" and forget to add on the phrase "that we know of".
Thursday, August 19, 2010
Facebook Clickjacking Scam
More bad things on Facebook: This Network World article speaks of a Facebook clickjacking scam that entices users to view some photos or some such. It hides a functional Share button underneath a Next button, with some social engineering that entices users to click, unknowingly spreading the worm/thingy; then they are taken to a survey that generates money for the scammers.
NoScript detects the attack. Cool. I've just started using this add-on myself. It seems to add a pretty solid layer of defense to Firefox.
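As an added example that is not part of the original post and not NoScript's code: NoScript catches the overlay on the client side, but the site whose Share button is being hidden can refuse to be framed in the first place, which removes the precondition for this kind of scam. The helper below reads a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers and reports whether a given origin could embed the page, applying the browser rule that frame-ancestors takes precedence over X-Frame-Options when both are sent. The origins, header values and sample responses are constructed for the demo.

```javascript
// Added example (not from the article or from NoScript): audit helper that
// answers "could another site frame this page?", the browser-side condition a
// Share-button-under-Next-button clickjack relies on.
// All origins and header values below are constructed for the demo.

// Return the source list of the frame-ancestors directive, or null when the
// policy carries no such directive.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null;
}

// Does one frame-ancestors source expression match the framing origin?
function sourceMatches(source, framerOrigin, targetOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") return framerOrigin === targetOrigin;
  const framer = new URL(framerOrigin);
  // Scheme-only source such as "https:" matches any host on that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.protocol === s;
  // Host source, optionally prefixed by "scheme://" and/or a "*." wildcard.
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/]+)$/);
  if (!m) return false;
  const [, scheme, hostPort] = m;
  if (scheme && framer.protocol !== scheme + ':') return false;
  const [host, port] = hostPort.split(':');
  // Explicit ports must match literally; default ports are not normalised here.
  if (port && port !== '*' && framer.port !== port) return false;
  if (host.startsWith('*.')) return framer.hostname.endsWith(host.slice(1));
  return framer.hostname === host;
}

// Decide whether a response with these headers lets framerOrigin embed it.
// CSP frame-ancestors, when present, overrides X-Frame-Options. X-Frame-Options
// values browsers do not recognise (including the withdrawn ALLOW-FROM) are
// ignored by them, so for an audit they count as no protection at all.
function canBeFramedBy(headers, targetOrigin, framerOrigin) {
  const header = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? null : String(headers[key]);
  };
  const csp = header('content-security-policy');
  if (csp !== null) {
    const sources = parseFrameAncestors(csp);
    if (sources !== null) {
      const allowed = sources.some((src) => sourceMatches(src, framerOrigin, targetOrigin));
      return { framable: allowed, reason: 'frame-ancestors ' + (sources.join(' ') || '(empty list)') };
    }
  }
  const xfo = header('x-frame-options');
  if (xfo !== null) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return { framable: false, reason: 'X-Frame-Options: DENY' };
    if (value === 'SAMEORIGIN') {
      return { framable: framerOrigin === targetOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
    }
    return { framable: true, reason: 'unrecognised X-Frame-Options value, ignored by browsers' };
  }
  return { framable: true, reason: 'no framing restriction sent' };
}

// Constructed sample responses, as a header audit might collect them.
const SAMPLE_RESPONSES = {
  unprotected: {},
  xfoOnly: { 'X-Frame-Options': 'SAMEORIGIN' },
  cspAllowlist: {
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.trusted.example",
  },
  cspDeny: { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'none'" },
};

// Report, per sample, whether a hypothetical scam origin could frame the target.
function auditFraming(target = 'https://social.example', framer = 'https://scam.example') {
  const report = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    report[name] = canBeFramedBy(headers, target, framer).framable;
  }
  return report;
}

console.log(auditFraming());
```

Run against real responses, the same function flags pages that send only a CSP without frame-ancestors, or an X-Frame-Options value browsers discard, as still frameable; that is the case the add-on's client-side detection covers and the server did not.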
Wednesday, August 18, 2010
Facebook Dislike Button Scam
All you overly paranoid Infosec people who scoff at the slightest hint of risk taking can just take a chill pill right now. It'll take you a few years to learn--and I hope you do learn for the sake of the companies you're supposed to be protecting--that there's no place for ultra paranoia in the business world. Maybe I'll explain that in another post.
I bring up this point because I can just hear some infosec folks sniffing arrogantly when I admit that I use Facebook. Well, guess what, I am balancing risk versus benefit, something those sniffly infosec people should try sometime.
Guess what, social engineering works beautifully, even occasionally on an infosec pro. There's no way to reliably patch wetware against it.
The best we can do is achieve a reasonable, helpful level of paranoia that prevents us from doing overly stupid things.
Then hope the rest of our technology defenses protect us from our slightly stupid mistakes.