RE: [fw-wiz] Firewalls and 802.1q trunking

From: "Sloane, David"
Date: Wed Dec 11 11:56:17 2002

The 80% number seems to have originated (or received additional validation)
in this ComputerWorld article:

Security Experts: Users Are the Weakest Link
NOVEMBER 26, 2001,10801,66047,00.

This seems to be the most credible data in the study:

        In addition, the U.S. Treasury Department said insiders committed
        60% of the computer intrusions reported by banks and other financial
        institutions in the first four months of this year.

Of course, using only "reported" intrusions limits the sample quite a bit.

But how else can you get good data? It's embarrassing to IT managers/staff
to report security breaches to anyone, especially someone outside the
company, so accuracy in a statistic like the one above is limited.

If you can't rely on reported intrusions, then you have to go with surveys,
which are easily misused.

In a February, 1998 editorial at the Computer Security Institute site, the
80% figure seems to lose a little more relevance:

        According to a recent survey in the Current and Future Danger: A
        CSI Primer on Computer Crime & Information Warfare, over 80% of
        the respondents identified employees as a threat or potential threat
        to information security.

So this statistic has nothing to do with actual intrusions, but rather with
the perceptions of survey respondents.

So the figure isn't completely made up, but almost.

David Sloane

-----Original Message-----
From: Marcus J. Ranum
Sent: Tuesday, December 10, 2002 11:01 PM
To: Steve Evans
Subject: RE: [fw-wiz] Firewalls and 802.1q trunking

Steve Evans wrote:
>And can you say that the traffic coming from the internet is the most
>dangerous traffic on the network. I've always understood that the vast
>majority of the attacks come from the inside.

The "80% of attacks come from the inside" statistic that
has been broadly quoted by INFOSEC practitioners is, as far
as I can tell, completely made up. In fact, the shocking results of a recent
study revealed that 99.5% of statistics regarding Internet Security are made
up, or otherwise based on flawed assumptions.*

If it _were_ a real statistic it'd have had to take into account some
interesting questions:
        - What percentage of "attacks" did damage?
        - Were the "attacks" counted as "successful attacks" or did
                probes count as well?
        - Is a Nessus scan an "attack"?
        - Does an "attack" like a Nessus scan (if counted as an attack)
                count as one "attack" or as "N attacks" where N is the
                number of discrete tests attempted?
        - How many "attacks" does a Code Red worm launch? 1? 25?
                What about a mass-rooter? Does a "cluster attack"
                count as a single attack or a multiple attack?
        - Does a scan of a subnet count as 255 hosts attacked? Or
                255 * number of ports scanned? Or what?
        - Is a virus an "attack"?

        What I think the people who made that saying up were trying to do
was get people to keep a balanced perspective on the relative
insider/outsider threat. But making up bullsh@+ is not the way to do it. The
way to do it is to point out that, as an enterprise grows, the personnel
perimeter grows with it, and sooner or later you'll have a Bad Guy on the
inside. And, it's probably a safe bet, a Bad Guy on the inside will have a
higher level of access, a lower level of audit, and a greater knowledge of
where the goodies are - and will be accordingly more dangerous. Will they be
80% dangerous to the Internet script-kiddy's 20%? It's silly to put a number
on it.

        If you're out in the jungle someplace, do you worry more about a
tiger, or a bacterium? The wise man worries about both! :)

(* Poll source: I asked my horse. He appeared dubious.)

Marcus J. Ranum
Computer and Communications Security
firewall-wizards mailing list