RE: [fw-wiz] Firewalls and 802.1q trunking

From: Sloane, David (DSloane@vfa.com)
Date: 12/11/02


From: "Sloane, David" <DSloane@vfa.com>
To: "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
Date: Wed Dec 11 11:56:17 2002

The 80% number seems to have originated (or received additional validation)
in this ComputerWorld article:

Security Experts: Users Are the Weakest Link
By DAN VERTON
NOVEMBER 26, 2001
http://www.computerworld.com/securitytopics/security/story/0,10801,66047,00.html

This seems to be the most credible data in the study:

        In addition, the U.S. Treasury Department said insiders committed
        60% of the computer intrusions reported by banks and other financial
        institutions in the first four months of this year.

Of course, using only "reported" intrusions limits the sample quite a bit.

But how else can you get good data? It's embarrassing to IT managers/staff
to report security breaches to anyone, especially someone outside the
company, so accuracy in a statistic like the one above is limited.

If you can't rely on reported intrusions, then you have to go with surveys,
which are easily misused.

In a February, 1998 editorial at the Computer Security Institute site, the
80% figure seems to lose a little more relevance:

(from http://www.gocsi.com/ip.htm)
        According to a recent survey in the Current and Future Danger: A
        CSI Primer on Computer Crime & Information Warfare, over 80% of
        the respondents identified employees as a threat or potential threat
        to information security.

So this statistic has nothing to do with actual intrusions, but rather with
the perceptions of survey respondents.

So the figure isn't completely made up, but almost.

David Sloane

-----Original Message-----
From: Marcus J. Ranum [mailto:mjr@ranum.com]
Sent: Tuesday, December 10, 2002 11:01 PM
To: Steve Evans; firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] Firewalls and 802.1q trunking

Steve Evans wrote:
>And can you say that the traffic coming from the internet is the most
>dangerous traffic on the network. I've always understood that the vast
>majority of the attacks come from the inside.

The "80% of attacks come from the inside" statistic that
has been broadly quoted by INFOSEC practitioners is, as far
as I can tell, completely made up. In fact, the shocking results of a recent
study revealed that 99.5% of statistics regarding Internet Security are made
up, or otherwise based on flawed assumptions.*

If it _were_ a real statistic it'd have had to take into account some
interesting questions:
        - What percentage of "attacks" did damage?
        - Were the "attacks" counted as "successful attacks" or did
                probes count as well?
        - Is a Nessus scan an "attack"?
        - Does an "attack" like a Nessus scan (if counted as an attack)
                count as one "attack" or as "N attacks" where N is the
                number of discrete tests attempted?
        - How many "attacks" does a Code Red worm launch? 1? 25?
                What about a mass-rooter? Does a "cluster attack"
                count as a single attack or as multiple attacks?
        - Does a scan of a subnet count as 255 hosts attacked? Or
                255 * number of ports scanned? Or what?
        - Is a virus an "attack"?

        What I think the people who made that saying up were trying to do
was get people to keep a balanced perspective on the relative
insider/outsider threat. But making up bullsh@+ is not the way to do it. The
way to do it is to point out that, as an enterprise grows, the personnel
perimeter grows with it, and sooner or later you'll have a Bad Guy on the
inside. And, it's probably a safe bet, a Bad Guy on the inside will have a
higher level of access, a lower level of audit, and a greater knowledge of
where the goodies are - and will be accordingly more dangerous. Will they be
80% dangerous to the Internet script-kiddy's 20%? It's silly to put a number
on it.

        If you're out in the jungle someplace, do you worry more about a
tiger, or a bacterium? The wise man worries about both! :)

mjr.
(* Poll source: I asked my horse. He appeared dubious.)

---
Marcus J. Ranum				http://www.ranum.com
Computer and Communications Security	mjr@ranum.com
_______________________________________________
firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

