Practical Security Solutions
By Ron Collette, CISSP, Mike Gentile, CISSP, Dr. Don Saracco
ron@cisohandbook.com, mike@cisohandbook.com
Once upon a time, there were two kings. One king believed that the best means of defending his castle was through the use of his secret police and bomb-sniffing dogs; he feared the populace. The other king believed that it was far more important to protect his castle and his subjects by fortifying the perimeter. Therefore, he instructed his subjects to surround the castle with a 200-foot wall and moat; by the way, he had the moat filled with sharks that had “fricken lasers attached to their heads”1.
That fateful day arrived when The Evil Horde from the north came racing down across the realm and attacked both kingdoms. What do you think happened?
This may be a silly analogy, but it is meant to illustrate the value of protecting the perimeter prior to turning your attention inward. Our hope is to discuss the ongoing debate regarding the relative importance of perimeter and internal security. At the heart of the debate is one of the most famous security quotes of our time: “70% of all attacks originate from internal sources.” Anyone involved in the security industry over the past five years has heard it in one form or another. Sometimes a different percentage is used, but the message is always the same: internal security risks pose a larger threat than their external counterparts. What gives this one statistic so much credibility when it seems to be flawed? The first contributing factor is the security product vendors.
A quick Google search on the keywords “security attacks originate from internal locations in a company” renders a page where 5 out of 10 results are product vendors. They have latched onto this quote as a battle cry for marketing their security products. But what they fail to disclose when addressing internal security is that the majority of these “attacks” are the result of social engineering. To make the point regarding social engineering, we need a slightly more detailed discussion of the subject in order to draw reasonable conclusions.
Social engineering within an organization is generally the result of the inherent conflict between enforcing controls and fulfilling group membership norms. It is the idea that people who are members of a group or team tend to bond with the other individuals on that team rather than with the organization, placing themselves in conflict between enforcing the rules and maintaining mutually supportive relationships.
As an example, we can hypothesize that social engineering could be the result of pent-up resentment causing an individual to exercise their group relationships to exploit weaknesses within the system as a form of “payback.” Of course there are many other examples, but the essence of the message is that most of these attacks are not the result of classic “hacking.” Further, how is the 70% constituted?
As we stated above, most internal attacks are the result of social engineering, which is far easier to detect and record due to proximity. The scene of the crime is local, the perpetrator is local, the witnesses are local; and no one can keep a secret. Further, we contend that the majority of external cyber attacks go unnoticed by most organizations; it is far more likely that an internal attack will be identified.
Most organizations simply do not have adequate controls in place at the perimeter to determine whether they have been compromised. For instance, how many companies have a robust logging and monitoring infrastructure at the perimeter, along with the processes and staff to perform an adequate review? In contrast to internal attacks, perimeter attacks can be launched from anywhere in the world, the perpetrator can be located anywhere in the world, there are rarely any witnesses to the crime, and technology has simplified and obfuscated the art of hacking, providing anonymity and increasing the pool of potential attackers. Given these attributes, how valid is the 70% now? The answer is that we don’t know, and neither does anyone else.
In closing, do not let us dissuade you from building a robust internal security mechanism. The reality is that both internal and external security are important to managing the risk profile of any organization. However, we see too many organizations that fail to have adequate controls for either and choose to focus on the internal threats while providing token external defenses. Add the discussion above, and the emphasis for these organizations shifts to a very dangerous strategy; much like the first king, their chances of surviving an invasion by the evil horde are minimal. A word of warning: before turning your attention inward, ensure that the perimeter defenses of your organization are substantial.
1 Austin Powers