How much do you trust your users?

In 2000, the Computer Security Institute and the US FBI released an influential study that showed 80% of attacks originate from inside an organization. This oft-cited and long-outdated report highlighted a real problem that had previously been ignored by many organizations. It gave security analysts the evidence they needed to convince IT managers that the "candy bar" security model - networks with a hard and crunchy exterior, but a soft and chewy interior - didn't work.

A few days ago, another study was released that could provide further impetus to improve information security policies across the board. This more relevant data is buried in a report by the US Secret Service and Carnegie Mellon's CERT which concluded that "insider revenge is often behind cyberattacks." The somewhat-alarmist conclusions and sound bites highlighted in the report belie some very interesting statistics, particularly that "57% of the attacks were carried out by systems administrators, while 33% were caused by privileged users."

This study was rather limited and still a little dated, involving 49 cases of insider attacks between 1996 and 2002. But its results still speak volumes: 90% of all attacks in the study were performed by users with higher-than-normal privileges. If this isn't enough to take the wind out of the sails of those who still believe a firewall is adequate protection, then those people are beyond the realm of rational thought.

The lessons here are twofold:
  1. The people who get administrative or elevated privileges should be limited absolutely as much as possible, and
  2. Those who have elevated privileges should be the most carefully watched.

All of us need to place a certain amount of trust in users; it is imperative for the business line of any organization to function. Even in our personal lives, we take such risks. I let friends use my computer, and have an unprivileged account set up specifically for this purpose. Sometimes I get lazy, and let them do things like surf the web with my user account logged in. One time, I found that someone had gone through my personal email. No one is immune to this. Given that human fallibility is at the root of the problem, the only solution is what I mention above: restrict and monitor.

Hopefully, some inquisitive minds with the necessary time and funding will be able to perform a similar, broader study on attacks by users with elevated privileges. A study with this specific focus would grab the attention of a broader audience, including IT decision makers, and further raise the bar on internal, layered security.