It is common to have the insider threat dismissed as a scare tactic or
worst-case-scenario and I believe this is a mistake.
We are all about the business value of risk.
Most enterprise companies have to protect themselves from malicious
insiders at all times and this affects the design of their software,
specifically the need for least privilege and generally all
requirements surrounding logging and internal controls. My thinking
is that if you want to have a seat at the table during the beginning
phases of the software development life cycle, it is best to master
the concerns and business needs imposed by this type of risk.
Granted, our industry seems to generate snake oil by the barrel, which
is all the more reason for us to take these threats seriously and
calmly seek publicly documented data on real cases.
Indeed, one would hope the information security professional is
someone who helps to establish the boundaries of trust in systems
being built, not someone who vacuums up the pieces of broken projects,
however well such housekeeping pays.
Some references not yet mentioned in this thread:
Report from 1999 by NSTISSAM:
http://www.cnss.gov/Assets/pdf/nstissam_infosec_1-99.pdf
Focus is on mechanisms more than specific incidents though a few are mentioned.
U^S3 report with Carnegie Mellon on insider threat, focus on
infrastructure and financial services industries, dated 2004/05/08:
http://www.secretservice.gov/ntac/its_report_050516.pdf
http://www.secretservice.gov/ntac/its_report_040820.pdf
http://www.treasury.gov/usss/ntac/gov%20ExecSummary%202008_ 0108.pdf
Each sampling set is around 50 incidents or less.
Department of Energy is grappling with this as the disruptions from
insiders could be high impact:
http://www.cio.energy.gov/documents/Tues_1400_SalonII_ Randall.pdf
Belani / Wilson web application incident response and forensics
considers insider threats with two great examples:
www.blackhat.com/presentations/bh-usa-06/BH-US- 06-Willis.pdf
Also presented in Seattle at an OWASP chapter meeting.
None of these reports, however, can compare in detail to the data set
of the Privacy Rights Clearinghouse' chronological list of data
breaches.
http://www.privacyrights.org/ar/ChronDataBreaches.htm
Until about 2006, the PRC list identified inside threat incidents as
"Dishonest insider." After that, the number of employee instigated
events is described with greater detail but is therefore harder to
search. A quick look here should be enough to convince most on this
webappsec list that the impact from insider threats is not
insignificant.
As software security professionals, we can help to mitigate insider
threat problems and our value in doing so should not be
underestimated.
The commonplace nature of OWASP-top-ten type flaws should not prevent
us from acknowledging their utility in the hands of a malicious
employee, developer, manager, etc.
Mat Caughron CISSP
(408) 910-1266
worst-case-scenario and I believe this is a mistake.
We are all about the business value of risk.
Most enterprise companies have to protect themselves from malicious
insiders at all times and this affects the design of their software,
specifically the need for least privilege and generally all
requirements surrounding logging and internal controls. My thinking
is that if you want to have a seat at the table during the beginning
phases of the software development life cycle, it is best to master
the concerns and business needs imposed by this type of risk.
Granted, our industry seems to generate snake oil by the barrel, which
is all the more reason for us to take these threats seriously and
calmly seek publicly documented data on real cases.
Indeed, one would hope the information security professional is
someone who helps to establish the boundaries of trust in systems
being built, not someone who vacuums up the pieces of broken projects,
however well such housekeeping pays.
Some references not yet mentioned in this thread:
Report from 1999 by NSTISSAM:
http://www.cnss.gov/Assets/
Focus is on mechanisms more than specific incidents though a few are mentioned.
U^S3 report with Carnegie Mellon on insider threat, focus on
infrastructure and financial services industries, dated 2004/05/08:
http://www.secretservice.gov/
http://www.secretservice.gov/
http://www.treasury.gov/usss/
Each sampling set is around 50 incidents or less.
Department of Energy is grappling with this as the disruptions from
insiders could be high impact:
http://www.cio.energy.gov/
Belani / Wilson web application incident response and forensics
considers insider threats with two great examples:
www.blackhat.com/
Also presented in Seattle at an OWASP chapter meeting.
None of these reports, however, can compare in detail to the data set
of the Privacy Rights Clearinghouse' chronological list of data
breaches.
http://www.privacyrights.org/
Until about 2006, the PRC list identified inside threat incidents as
"Dishonest insider." After that, the number of employee instigated
events is described with greater detail but is therefore harder to
search. A quick look here should be enough to convince most on this
webappsec list that the impact from insider threats is not
insignificant.
As software security professionals, we can help to mitigate insider
threat problems and our value in doing so should not be
underestimated.
The commonplace nature of OWASP-top-ten type flaws should not prevent
us from acknowledging their utility in the hands of a malicious
employee, developer, manager, etc.
Mat Caughron CISSP
(408) 910-1266
mat@phpconsulting.com
