Insiders/Internal vs. Outsiders/External

Chris Walsh expressed exactly what I was feeling after reading Richard Bejtlich’s TaoSecurity gloat about being right regarding insider vs. outsider attacks. I echo Walsh’s "who cares" attitude, particularly since nobody is very precise in how they assign the attributes that define "insiders" vs. "outsiders". There are three attributes that are most commonly implied when distinguishing between an insider/outsider attack:

  1. Location relative to a firewall or other perimeter device,
  2. Access to credentials for system/app access, and/or
  3. Relationship to the company.

Treating each attribute as either inside or outside, this gives us 8 different scenarios to work with rather than the two that are mixed and matched to meet the need (which is usually to sell products). It is more useful to work at this attribute level when assessing the security posture – at least at this level of granularity you can make decisions based on the information.

Incidentally, I think evaluating that DOJ data (www.cybercrime.gov) could be an interesting exercise, though certainly not complete with respect to the types of threats and attacks enterprises are up against daily. I just wish it weren’t abstracted to the ambiguous level it was in the analysis.

1 comment for “Insiders/Internal vs. Outsiders/External”

  1. August 30, 2006 at 8:41 am

    There's Danger in that there Data!

    I was going to do a post about a new study released by Trusted Strategies and funded by Phoenix Technologies (the BIOS people). You can get your very own copy of the report here: https://forms.phoenix.com/cybercrime/ (In case you hadn't fi…
