Treating Internal Threats as a Monolithic Category Is a Big Mistake


If the claim in this release that Promisec's encyclopedia of internal threats is the first to be released is accurate -- and there is no reason to think it isn't -- it is a surprise. It has become generally accepted during the past couple of years that internal threats are a massive danger to corporate security, and the fact that a compendium of these threats doesn't exist is odd.


In any case, it does now. The company has done a nice job of amassing a good deal of data, which is available for free and without registration at the site. A spot check of several entries reveals that unlike highly technical security sites, The Internal Threat Encyclopedia doesn't go into geeky detail about particular bugs and their fixes. Instead, it focuses on applications and rates the risks of using each on a scale of one to five. Relevant links, date added and other information are offered in each entry.


There are two worlds of insider threats. A ZDNet UK post, which refers to this Verizon Business study, makes the important point that it is possible to misunderstand the nature of the dangers because many very real threats are posed by innocent people. The differences between malicious and accidental internal threats are not shades of gray. They are black and white.


The natures of these two types of danger are diametrically opposite and, as such, the methods to combat them will differ. Some hardware and software will be useful in identifying threats whether they are malicious or innocent. But in large part, combating the two types of internal threats calls for different approaches. Education, for instance, is a great way to reduce problems from well-meaning employees, but useless in stopping malicious folks. Indeed, education can be counterproductive, because it may tell the bad eggs something they didn't know about corporate security procedures.


A listing of five steps offered by Phil Neray, Guardium's vice president of database security, to combat insider threats is interesting in that they essentially are the same as best practices for virtually any security endeavor. The suggestions, posted at Wall Street & Technology, are to establish policies, provide training on those policies, use technology to back the policies, institute appropriate oversight and secure high-level corporate support. Nothing startling there.


Neray and others would do well to subdivide a discussion of insider threats into malicious and unintentional categories. ID Analytics recently released research related to the use of data stolen by malicious insiders. In an interview with IT Business Edge, product analyst Cooper Bachman related some very specific things about malicious insiders: They use the pilfered data near where it was stolen and for short periods of time, and they are increasingly focused on the wireless industry.


The point is that people trying to steal and use corporate data exist in a highly sophisticated and unique world. Stopping that activity is far different from stopping an employee whose only crime is downloading a file-sharing program at work. Internal threats are not a monolithic category, and to treat them as such is a mistake.