The “Insider Statistic”, Good Data, & Risk


  • OR, IT REALLY IS ALL ABOUT PII

One of the most hallowed statistics quoted by consultants and analysts alike is what I like to call the “Insider Statistic”. You know the one - a few years back somebody, somewhere, released a study that said 60% (I’ve seen it quoted as high as 80%) of all attacks come from the inside. I’m not even going to bother going into the history here, as I don’t feel like spending the 20 minutes Googling for the source.

    Now every.freakin’.time I’m in some meeting room somewhere and somebody brings that one up, it’s used to justify controls to reduce the probability of a technically sophisticated attacker within the perimeter who intends to harm. I always wonder if it matches reality. There are so many variables to consider that I always wondered what the “catch” was. Now I think I know.

    DATA BREACH DATA IS GOOD TO HAVE

    In case you missed it, Chris and Adam from http://www.EmergentChaos.com gave a talk on data breach information. The .pdf of the Keynote is here. Have a look, they rock the mic.

    What struck me is found on slide 27:

    Slide 27 is a report of data breaches involving PII in 2006. Now this is a limited sample size, but I believe it’s big enough to help us understand our state of nature. Take a look at that middle row there, the one labeled “Insider Abuse or Theft”. Note the % of insider incidents that involved PII.

    Now, Adam says in a follow up post, It’s Not All About Identity Theft:

    Data breaches are not meaningful because of identity theft.

    That is, there is more purpose to our ISMSes than prevention of Identity Theft alone. However, let me posit something here based on Tuesday’s post about the impact of compliance on risk:

    Compliance to External Risk Tolerances (PCI) and Government Breach Reporting Laws *DO* make it significantly about Identity Theft.

At least for those of us who understand risk, probability, and loss, and who also happen to face these pressures. Because of the probable impact regulations have on the incident “market”, we are starting to see funny trends in our risk studies. At RMI, we’re no longer surprised when, in incidents we study using FAIR, the sum of probable loss due to Fines & Judgments far exceeds the sum of all other five forms of loss an organization can incur (productivity, response, replacement, competitive advantage, and reputation).

    BACK TO THE INSIDER STATISTIC

So what does this have to do with that Insider Statistic? Well, clearly we’ve got somewhat conflicting data, or at least conflicting terminology. One study suggests that 60% of all “attacks” are insiders, but this new data suggests that somewhere around fewer than 5 out of 1000 breaches of identity are due to insiders with criminal intentions, as losing a laptop isn’t really an “attack”. Add to that information my priors - that fines & judgments due to compliance greatly increase the amount of probable loss an organization can expect in one of these events - and…

[image via crunchgear]

    FUZZY TERMS, PRAGMATISM, AND WHERE DOES MY RISK REALLY LIE?

Jack pointed out yesterday that there are issues we face as a profession when we try to really understand our risk. I’m guessing that our canonical insider % number plays fast and loose with our concepts (and definitions) of “incident” and “attack”, but the data from Adam & Chris helps us be more specific about what matters. And let’s be pragmatic about it. What matters here is loss (remember our three categories for metrics: reduction of risk, reduction of loss, or operational efficiency).

If 60% of attacks come from the “inside” then I’m thinking that those really are not worth me focusing 60% of my risk reduction efforts on, as Adam & Chris’ data supports the proposition that insiders are not causing loss due to malicious intent to misuse PII. Adam & Chris are suggesting that our policies about where PII goes are either weak or difficult to enforce, and that the overwhelming majority of incidents are due to simple stupidity. Add to this the fact that my priors are screaming at me that loss due to PII is now the significant form of loss facing IT risk professionals, and I think we can say that perhaps there is significant risk from insiders, but not in the way we often (mis)use the “Insider Statistic”.

    Of course, that’s not to say that there aren’t outliers. You can find yourself in a heap of trouble thanks to what we used to call the “Chad gone Bad” scenario (a homage to a small F.I. whose network was at the mercy of one particular admin who was kind of a single point of failure).

    But the data is there for us to interpret.

    YOUR DECISION MAKING

    Put it this way: Let’s say you’ve been blessed with $100,000 to spend on reducing risk and/or loss. Based on Adam & Chris’ information there, are you going to spend that on internal IDS to catch that dastardly “Chad” or encryption for data at rest? Where does your risk lie?
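As an added worked example (not code from this post or from the EmergentChaos slides), here are the two framings of the insider number and the $100,000 choice between internal IDS and encryption at rest, run over a constructed set of breach records with made-up per-record costs for the six FAIR loss forms. The records, costs and control effectiveness figures are all assumptions, not the 2006 New York data on slide 27.

```python
from collections import Counter

# Constructed breach records: (mechanism, insider_involved, records_exposed).
# insider_involved is True for any incident an employee caused, careless
# or not (a lost laptop counts); mechanism separates intent from accident.
BREACHES = [
    ("lost_or_stolen_hardware", True, 40_000),
    ("lost_or_stolen_hardware", True, 12_500),
    ("lost_or_stolen_hardware", True, 3_000),
    ("lost_or_stolen_hardware", False, 8_000),  # stolen by an outsider
    ("exposed_online", True, 1_200),
    ("insider_abuse_or_theft", True, 60),
]

def insider_framings(breaches):
    """(share of PII incidents involving any insider,
        share that were deliberate insider abuse/theft), as fractions."""
    n = len(breaches)
    by_mech = Counter(m for m, _, _ in breaches)
    any_insider = sum(1 for _, ins, _ in breaches if ins) / n
    return any_insider, by_mech["insider_abuse_or_theft"] / n

# Constructed per-record cost for the six FAIR loss forms; as in the post,
# fines & judgments dominate the other five.
LOSS_PER_RECORD = {"productivity": 0.5, "response": 2.0, "replacement": 0.25,
                   "competitive_advantage": 0.25, "reputation": 1.0,
                   "fines_and_judgments": 6.0}

def annual_loss_exposure(breaches, reduction=None):
    """Probable loss summed over breaches and loss forms. `reduction` maps a
    mechanism to the fraction of its records a control stops exposing."""
    reduction = reduction or {}
    per_record = sum(LOSS_PER_RECORD.values())
    return sum(rec * (1 - reduction.get(m, 0.0)) * per_record
               for m, _, rec in breaches)

# Two ways to spend the $100k (assumed effectiveness, not measured):
CONTROLS = {
    # full-disk encryption: lost/stolen hardware stops exposing records
    "encrypt_data_at_rest": {"lost_or_stolen_hardware": 0.95},
    # internal IDS: catches some deliberate insider misuse, nothing else
    "internal_ids": {"insider_abuse_or_theft": 0.5},
}

def best_control(breaches, controls=CONTROLS):
    """Return (name of control removing the most exposure, savings by control)."""
    baseline = annual_loss_exposure(breaches)
    saved = {name: baseline - annual_loss_exposure(breaches, red)
             for name, red in controls.items()}
    return max(saved, key=saved.get), saved
```

With these inputs insiders are involved in five of six incidents but only one is deliberate abuse, and encryption at rest removes orders of magnitude more probable loss than the IDS.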

    INSIDERS ARE DANGEROUS, JUST NOT IN A CONVENTIONAL “ATTACK”

    So the next time someone whips out the “Insider Statistic” on you, remember our discussion! You can either suggest that, really, some 98% of all PII incidents are caused by insiders, or suggest that less than 1% of all incidents happen when insiders “attack”.


  • 2 comments

    1. LonerVamp Jul 6

      I don’t really buy that slide with 0% insider abuse/theft and 97+% missing/stolen hardware (causing, I believe, actual loss). There are far more pieces of equipment going missing due to someone snarking it who is part of the company than that slide gives credit for. At the risk of implicating myself or colleagues I’ve worked with in the past, I’ll just say, “It happens regularly, especially when inventory control is weak or nonexistent.” (Ahh, the days of youth…)

      I think the idea that insider attacks need to be proved helps drive their actual number down. The default catch-alls are mistakes, internet hackers, and theft by unknowns. This pumps their number a bit.

      Then again, maybe I’m not following this post very well and you’re saying the same stuff. :)

    2. Chris Jul 7

      The data upon which the slide was based are drawn from data breach reports from 2006 required to be filed with the state of New York, and affecting NY-based firms. The restriction of firm location was done for reasons orthogonal to understanding the distribution of breach mechanisms. I strongly suspect (but haven’t specifically checked for this comment) that in reports to NY without this restriction insider theft accounts for a very small minority of the records reported as exposed.

      Does this mean that it accounts for a small proportion of the records actually exposed? I don’t know and neither does anyone else. Is that a problem? Yes. Are we coming closer to dealing with it adequately? Yes. Do I sound like Don Rumsfeld? Heavens to Betsy, it seems that way. :^)

      In reading a few hundred breach reports from NY, the impression I have is that the incidents reported as involving insiders tend to involve small (less than 100, say) records, and are frequently situations where a person who has the ability to access PII does so to, say, check up on a person with whom they have/had a personal relationship. See http://www.cwalsh.org/BreachInfo/primary_sources//pdfs/O+R-20060227.pdf
      as an example. That’s just an impression. I admit that I do not care about this inside/outside business that much since the ways to control against insider theft are well-known.

      OTOH, when the categories are “loss/theft”, “exposed online”, and “insider”, a sensible criticism is that those categories are not mutually exclusive (or exhaustive, but that is another issue). I will simply say that I coded things as involving an insider when the reports said an insider was involved. I can see why a reporting entity might not want to admit this, and I can also see why — when pressure exists to report early — something might be reported as “a theft”, and when all the facts come in it is a theft perpetrated by an employee.

      So, say that insiders steal 5% of records, not .5%. So what? You get more protection by (properly) encrypting laptops and by having a sensible policy about what is allowed to go on them in the first place AND ENFORCING THAT POLICY than you do with the kinds of physical security controls you’d need to prevent insider theft. I am ASSuming that you do the smart stuff like background checks, maintaining (and actually looking at) audit trails, etc. (I think I just longwindedly rephrased what Alex said above. You should read him and not my comments if your time is valuable :^)).

      Anyway, we all know that people (other than us, naturally) steal from their employers. Don’t forget that these numbers are for personal information that is revealed. If all you do is steal 100 laptops with sales totals or new product schematics, it wouldn’t have been among the reports to NY. Maybe a large proportion of the stuff that “walks away” doesn’t have PII on it, so there’s no need to talk about it outside company walls. That’s an empirical question which I’d love to know more about, actually. I wonder how much real research has been done into the “ecology of personal information”?

By the way, if you want to do your own examination of similar data, New Hampshire has similar reports online at http://doj.nh.gov/consumer/breaches.html, and I have the NY stuff (a bunch of PDFs) in three ZIP files:
      http://www.cwalsh.org/NYRound1.zip
      http://www.cwalsh.org/NYRound2.zip
      http://www.cwalsh.org/NYRound3.zip

Sorry for the somewhat rambling comment. In looking at this stuff, I was struck by how many records get exposed via stolen equipment. Even if you do not count the backup tapes that get lost by shipping companies and such, there is still a lot of data that is revealed because somebody lost/stole a laptop.

      One thing that I want to focus on in the future is the role of particularly promiscuous dataholders. These are outfits that have relationships with many partners and don’t use as much protection as they might. An example would be a professional services firm that has dozens or hundreds of firms as clients, and each client has to supply PII to the prof services outfit because it is intrinsic to the service performed. Well, when that prof services firm doesn’t protect its gear, one lost laptop or stolen server can expose the data of scores of companies. It would be interesting to know just how many fewer incidents we’d have reported if these particularly promiscuous professionals had used more protection.
