For the past couple of years, there has been an increasing awareness that insider threats are at least as big a problem as crackers seeking to evade or defeat security from the outside. Cyber-Ark this week offers a study that hits even closer to home for IT: It says that one in three senior IT pros admit to having looked at restricted information via their administrative passwords. The study said that the type of information being accessed includes salaries, meeting notes and personal e-mail accounts, Geek.com reports.
Not all is gloom on the insider threat front, however. According to this PC World report on Verizon's 2008 Data Breach Investigations Report, insiders tend not to be as big a problem as is generally thought. The report -- which looked at data culled from 500 breach incidents -- said that only 18 percent were attributed to insiders, while folks unassociated with the organizations accounted for 39 percent. Some breaches involved both sets of culprits.
The study, which was released earlier this month, offers interesting numbers. It said that 59 percent of breaches were hacks, 31 percent were the result of malicious code, 22 percent exploited known vulnerabilities and 15 percent were coercive. When insiders were responsible, the loss of data tended to be far greater than in other cases.
The story notes that it is dangerous to assume the statistics are comprehensive because insiders may be better able to hide their tracks. It also is fair to add that many actions by insiders may not rise to the level of criminality necessary to be called a breach, but may nonetheless be something with which the organization is not comfortable.
This Information Age story, which is based on the same Verizon report, focuses on an interesting issue. It reports that business partners were responsible for 39 percent of data breaches. In some cases, the outsider may not know that his or her connection has been compromised. In others, the outsider may be the main culprit or may be working on his or her behalf.
Modern business demands that companies open their gates to vendors, consultants and other outsiders. If not handled properly -- and sometimes even when it is -- this can lead to hybrid internal and external breaches. This, of course, makes security a more complex undertaking.
As with many things, perception is as important as reality. Apparently -- at least according to this Secure Computing Corp. survey reported at CNNMoney.com -- the insider threat is the biggest. The firm found that 80 percent of 103 IT directors think that insider threats are more serious than those from outside. Email, at 34 percent, is considered the biggest problem. VoIP is second at 25 percent and Web surfing third at 21 percent.
There are many ways in which proprietary information can be accessed by the wrong person. This Realtime Community piece was stimulated by an incident (to which a link is provided) earlier this year in Philadelphia in which an anchor at CBS affiliate KYW-TV was accused of providing gossip columnists with personal emails of his fired co-anchor.
The writer speculates on how somebody could get access to another person's email at work. The person may tap into the print queue and pick up images of unprotected messages containing the email address. He or she can get the password from a third person with whom the victim shared it. The password may be carelessly posted at the victim's computer. He or she may use a poor password that is guessed by the hacker. The thief may sneak into the victim's computer and program it to secretly forward copies of messages.
Nobody argues that the inside and hybrid inside/outside threats are great and growing more complex as the perimeter fades and more complex business relationships grow. The keys to increasing security include good security technology, solid policies (such as somehow not letting admin have access to the content of databases) and, if necessary, a willingness to shine a light on the person in the next cubicle.