In message <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
writes:
>A commonly-held conception in the commercial world (in my experience) is that 
>most threats to "corporate security" come from the Internet-at-large, and 
>therefore being behind a firewall is a Good Thing and generally Sufficient.
>
>Of course there are many references in the literature which dispute that 
>one-sided posture, and it is a reasonably commonly-held (again in my 
>experience) amongst security weenies that just as many if not more threats may 
>emanate from within one's organization (a university being a canonical 
>example), but I haven't uncovered any references that directly cite evidence 
>quantifying this perception.
>
>Do any folks out there have any pointers to docs, study reports, what-have-you 
>that provide quantifiable evidence about either or both external or internal 
>threats?

There are lots of numbers out there; most are based on dubious methodology, 
since the studies (a) assume that attacks are detected (demonstrably false for 
~95% of attacks), and (b) assume that they're reported.

Some people claim that, say, 95% of attacks are inside jobs.  But that number 
goes back ~25 years, to a time when very few computers were networked.  (I 
seem to recall seeing that figure in Donn Parker's "Crime by Computer", but a 
quick skim didn't turn it up.)

My assumption is that a majority of attacks do come from the inside; often, 
these are the most serious, since insiders know what rocks to look under for 
the goodies.  Outside jobs have traditionally been vandalism of one sort or 
another, though there are notable exceptions, such as what happened to 
Citibank.  Firewalls are, if used properly, reasonably effective; however, 
they are by no means a panacea, and they're often used improperly.

                --Steve Bellovin