Insider Threats Pose the Biggest Security Risk (betanews.com)
An anonymous reader shares a report: According to a new study, 91 percent of IT and security professionals feel vulnerable to insider threats, and 75 percent believe the biggest risks lie in cloud applications like popular file storage and email solutions, including Google Drive, Gmail and Dropbox. The report from SaaS operations management specialist BetterCloud also shows that 62 percent of respondents believe the biggest security threat comes from the well-meaning but negligent end user.
Among other findings are that 46 percent of IT leaders (heads of IT and above) believe that the rise of SaaS applications makes them the most vulnerable. In addition 40 percent of respondents believe they are most vulnerable to exposure of confidential business information such as financial information and customer lists. Only 26 percent of C-level executives say they've invested enough to mitigate the risk of insider threats, compared to 44 percent of IT managers.
The next biggest threat (Score:1)
would be reposts of the same news sometimes on the same day.
Been known for a long time (Score:1)
Except now employees do it for political reasons. For example, the IRS employee who decided to give Michael Cohen's financial info to journalists.
Any private messages on Facebook, Google, or Twitter owned services are liable to be published at any moment by politically involved personnel.
And we just learned that Facebook was keeping millions of user passwords in plain text ;)
This is stupid (Score:4, Insightful)
Is it because Windows is worse? No. Windows is actually getting more secure.
So, are the Russians simply moving to America and cracking it here? No. If that was the case, then we would be arresting MORE, not fewer Russians.
So, how are the Russians getting into many of our Business computers?
What have businesses increasingly done? OUTSOURCED. Who to? India and China. We do not hear of India cracking our systems, but China has increased it.
BUT, how is one of these connected with Russians cracking American businesses? Simple. Who is India's best friend in the military? It is not the west. It is Russia. Many, many Indians are employed by Russian defense companies and then go work on western, esp. American, businesses. And those Indians are then paid around $10-20K, while we fat Americans are paid 100+K. So, if a Russian approaches an Indian friend of his and says, "look, we will pay you $150K just to leave a back door in code", what do you think that he will say?
Yeah, getting paid 10x your yearly tends to make ppl jump esp when it does not harm their family, nation, etc..
As to the Chinese? Well, we employ them here and we outsource there as well. What do you expect?
The west deserves what it is getting because we refuse to acknowledge what is happening. We will allow political correctness to control us. Fools.
Re: (Score:3)
Nice conspiracy theory, but if anything Windows and general IT security has gotten worse over the years, not better, not because of technical flaws per se but because the stuff is explicitly built to be easier and thus also easier to exploit.
We have an entire industry where people just don't care or in many cases don't even know or get educated about security because they need to get the thing out of the door faster, so they set up things like memcached and S3 containers because they're easy without ever loc
Re: (Score:2)
You are missing the point. In a secured situation, the last thing you would do is pay somebody greatly less than others for doing the same job.
You aren't exactly wrong. But this doesn't jibe with your comment earlier that it is political correctness.
Paying as little as possible and utilizing any scheme to do it is capitalism, not PC.
Then add to that a situation where you hire a company that then hires local ppl without really checking their background, or perhaps, just does not care.
Real background checks cost a lot of money. Once again, gotta serve the stockholders - can't have this sort of thing cutting into the bottom line.
Re: (Score:3)
Nice conspiracy theory, but if anything Windows and general IT security has gotten worse over the years, not better, not because of technical flaws per se but because the stuff is explicitly built to be easier and thus also easier to exploit.
Most purely technological challenges have been solved when it comes to IT security.
We haven't solved the management and usability challenges.
I can lock down a Linux system so much that I can give you remote root SSH access and you still can't damage it. In fact, I've done exactly that at hacker conferences. And the resulting system is still useable enough that I will give my presentation from it, after it's been on the conference wifi for the whole day and while it's still open to SSH during my talk with th
Re: (Score:2)
We know how to build secure development into software development. In fact, we've known it since the 1960s. It's not even expensive when you consider TCO. But speed to market is impacted and most software development today doesn't even have a clear understanding of the end product (no matter if you call that agile or not-having-a-clue), which makes it hard to make a proper architecture and define proper security requirements.
Because security is less important than the brand of jelly donuts at the board meeting, until it all falls down.
Then there is the cloud. Long touted as an incredibly secure, failsafe way to store and retrieve data. But in reality, just a way to terminate local IT workers and service the stockholders. Yeah just store it outside of the business and allow the bad guys easier access.
Re: (Score:2)
Then there is the cloud.
I don't know who invented the phrase (maybe xkcd?) but as we all know "the cloud is just other people's computers". Anyone who expects magic from it also believes in Santa Claus and $deity.
People who copy documents (Score:2)
to a USB stick and walk out with data for political reasons.
The well-meaning worker who hands your documents/data to a waiting journalist?
Who collected data on the crimes of the company, a side of politics, brand, gov, NGO, movie studio, bank, mil they work for and tells the world.
Want security?
Is the person who they say they are? Fake ID? Sharing an ID? Not a citizen? No security clearance found but they present as having a gov/mil past and a security
bullshit (Score:3)
I call massive bullshit on the conclusion.
I do risk analysis for a living, among other things. I'm the Senior Information Security Architect at my company and I train risk managers and CISOs. Most importantly, I do quantitative risk analysis using actual numbers and statistics, not the "green, yellow, red" nonsense that most IT consultants sell you because it's the only thing they (barely) understand.
One of the most consistent findings I have almost every time is that expert intuition is wrong about risk. That's not exactly news, almost every book ever written about the topic confirms it. But the conclusion is just as obvious: What IT security experts feel is the biggest threat has a low correlation coefficient with what is actually real.
That doesn't mean insider threats aren't real; they definitely are, and they typically do rank high in a properly conducted risk assessment. But there are almost always two types of risks that outrank them. First, the low-probability but high-impact risks that more often than expected turn out to be existence-threatening, and that fact makes them more important than their statistical value indicates. And secondly, the bothersome low-impact but high-frequency (yes, probability becomes meaningless if the number of events can be higher than one) ones. They add up, and much more than you'd think.
Insider attacks are just the high-impact with sufficiently high probability events that come to the top of our intuitive understanding. Which has been empirically proven to be wrong in so many ways that books have been written about that alone.
62 percent of respondents believe the biggest security threat comes from the well-meaning but negligent end user.
Have the same respondents checked their incident management report to validate their feeling against recent events? How much damage have those end users actually caused and is that value within the confidence interval of your expectation? Do they know that you can take historic data and actually calculate the probability that your assessment of the risk is true given that data? Have they done it?
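An added illustration of the checks the post above calls for (example code, not the commenter's own): it ranks a constructed risk register by annualised expected loss, so that both the rare-but-existential and the high-frequency risk lines can be compared against the insider line, and then uses a Gamma-Poisson update of a constructed incident history to put a number on how well a "biggest threat" belief survives the data. Every rate, loss figure and incident count here is an assumption, not data from the report.

```python
"""Added example: quantitative risk checks on a constructed sample
register (all figures are illustrative assumptions, not page data)."""
import math

# Constructed register: name -> (events per year, loss per event in USD).
RISKS = {
    "insider": (0.3, 2_000_000),          # moderate frequency, high impact
    "catastrophic": (0.01, 50_000_000),   # rare but existence-threatening
    "negligent_user": (50.0, 15_000),     # bothersome high-frequency events
}

def annual_expected_loss(rate, loss_per_event):
    """Annualised loss expectancy: mean yearly event count times mean loss."""
    return rate * loss_per_event

def prob_at_least_one(rate, years=1.0):
    """P(N >= 1) for a Poisson event count with the given yearly rate.
    For the high-frequency line this saturates at ~1.0, which is why a
    'probability' stops being informative there and counts must be used."""
    return 1.0 - math.exp(-rate * years)

def rank_by_expected_loss(risks):
    """Risk names ordered by annual expected loss, largest first."""
    return sorted(risks, key=lambda n: annual_expected_loss(*risks[n]),
                  reverse=True)

def posterior_rate(prior_shape, prior_rate, incidents, years):
    """Gamma-Poisson update: a Gamma(a, b) prior on the yearly rate plus
    `incidents` observed over `years` gives Gamma(a+incidents, b+years)."""
    return prior_shape + incidents, prior_rate + years

def prob_rate_at_least(shape, rate, threshold):
    """P(lambda >= threshold) under Gamma(shape, rate) for integer shape,
    via the Erlang tail identity: P(Poisson(rate*threshold) < shape)."""
    x = rate * threshold
    return sum(math.exp(-x) * x ** i / math.factorial(i) for i in range(shape))

if __name__ == "__main__":
    for name in rank_by_expected_loss(RISKS):
        r, loss = RISKS[name]
        print(f"{name:15s} ALE=${annual_expected_loss(r, loss):>12,.0f}"
              f"  P(>=1 event in 10y)={prob_at_least_one(r, 10):.3f}")
    # Belief: negligent users cause >= 50 incidents a year (the register
    # rate above). Constructed incident history: 12 incidents in 3 years,
    # combined with a weak Gamma(2, 0.1) prior (mean 20 per year).
    shape, rate = posterior_rate(2, 0.1, incidents=12, years=3)
    print("P(rate >= 50 | data) =", prob_rate_at_least(shape, rate, 50))
    print("P(rate >= 3  | data) =", prob_rate_at_least(shape, rate, 3))
```

The ranking shows the high-frequency line outranking the insider line on expected loss alone, while the ten-year "at least one event" figure is the number to look at for the rare existential line, since its expected loss understates it.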
Re: (Score:2)
But there are almost always two types of risks that outrank them. First, the low-probability but high-impact risks that more often than expected turn out to be existence-threatening, and that fact makes them more important than their statistical value indicates.
The funny thing is that when these actually happen they usually tend to be a whole chain of mistakes, but the sub-events that don't actually lead to an incident are often grossly under-reported. Like the rules say you are to wear belt and suspenders, but nobody wants to report a broken belt or missing suspenders. Even if you actually lost your pants and nobody saw let's just quickly pull them up and pretend you didn't almost get caught with your pants down. There's a lot of "no harm no foul" going around a
Re: (Score:2)
but the sub-events that don't actually lead to an incident are often grossly under-reported.
Oh, I couldn't agree more on that. I too rarely see "near misses" as part of the risk management or incident management process, and most of the time, in the part where I talk about them in my workshops, it's a cheap "revelation" to sell because it makes so much sense but is rarely done.
But it's also because raising a security bug can rain fire and brimstone down on that team and be abused politically.
That is slowly changing, though. I've seen the same change in culture 25 years ago on the business side with TQM. I was still in university when that happened, but it was basically the same thing. One day soon someone will invent TS
Re: (Score:2)
Great, you have read Norman and learned about threat modeling.
I've read a lot more and threat modeling is a small element in one step (risk identification) of a risk management process. But you've just demonstrated your ignorance.
I'm at the bottom and teach people with fancy titles the likes you have and listed,
...and that twice in one posting, congratulations!
I used to be a sysadmin. I've run many of the systems I talk about at one point or another in my career. That's why I've insisted to not have "consultant" as my job title ever in my career. Because what you say is right when you're talking about them. I've seen so many consultants who make exc
Well, what a surprise! (Score:2)
Who could have guessed it?
Companies which ...
... treat their employees as disposable "resources" bound by highly restrictive overreaching contracts,
... regard their customers with barely disguised contempt,
... treat regulations and laws as optional,
... laugh at taxation as being "for the little people",
... and generally act as douchebags ...
have problems with security due to the lack of loyalty!
How can this be happening?
Why are the (unpaid) natives lazy, the slaves sullen,
the oppressed and exploited un