Firewall Wizards mailing list archives

RE: Firewalls and 802.1q trunking

From: "Sloane, David" <DSloane () vfa com>
Date: Wed, 11 Dec 2002 10:39:06 -0500

The 80% number seems to have originated (or received additional validation)
in this ComputerWorld article:


Security Experts: Users Are the Weakest Link
By DAN VERTON
NOVEMBER 26, 2001
http://www.computerworld.com/securitytopics/security/story/0,10801,66047,00.
html

This seems to be the most credible data in the study:

        In addition, the U.S. Treasury Department said insiders committed 
        60% of the computer intrusions reported by banks and other financial
        institutions in the first four months of this year.

Of course, using only "reported" intrusions limits the sample quite a bit.

But how else can you get good data?  It's embarrassing to IT managers/staff
to report security breaches to anyone, especially someone outside the
company, so accuracy in a statistic like the one above is limited.

If you can't rely on reported intrusions, then you have to go with surveys,
which are easily misused.

In a February, 1998 editorial at the Computer Security Institute site, the
80% figure seems to lose a little more relevance:

(from http://www.gocsi.com/ip.htm)
        According to a recent survey in the  Current and Future Danger: A 
        CSI Primer on Computer Crime & Information Warfare , over 80% of 
        the respondents identified employees as a threat or potential threat

        to information security.

So this statistic has nothing to do with actual intrusions, but rather with
the perceptions of survey respondents.


So the figure isn't completely made up, but almost.


David Sloane


-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () ranum com] 
Sent: Tuesday, December 10, 2002 11:01 PM
To: Steve Evans; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Firewalls and 802.1q trunking 


Steve Evans wrote:

And can you say that the traffic coming from the internet is the most 
dangerous traffic on the network.  I've always understood that the vast 
majority of the attacks come from the inside.


The "80% of attacks come from the inside" statistic that
has been broadly quoted by INFOSEC practitioners is, as far
as I can tell, completely made up. In fact, the shocking results of a recent
study revealed that 99.5% of statistics regarding Internet Security are made
up, or otherwise based on flawed assumptions.*

If it _were_ a real statistic it'd have had to take into account some
interesting questions:
        - What percentage of "attacks" did damage?
        - Were the "attacks" counted as "successful attacks" or did
                probes count as well?
        - Is a Nessus scan an "attack"?
        - Does an "attack" like a Nessus scan (if counted as an attack)
                count as one "attack" or as "N attacks" where N is the
                number of discrete tests attempted?
        - How many "attacks" does a Code Red worm launch? 1? 25?
                What about a mass-rooter? Does a "cluster attack"
                count as a single attack or a multiple attack.
        - Does a scan of a subnet count as 255 hosts attacked? Or
                255 * number of ports scanned? Or what?
        - Is a virus an "attack"?

        What I think the people who made that saying up were trying to do
was get people to keep a balanced perspective on the relative
insider/outsider threat. But making up bullsh@+ is not the way to do it. The
way to do it is to point out that, as an enterprise grows, the personnel
perimeter grows with it, and sooner or later you'll have a Bad Guy on the
inside. And, it's probably a safe bet, a Bad Guy on the inside will have a
higher level of access, a lower level of audit, and a greater knowledge of
where the goodies are - and will be accordingly more dangerous. Will they be
80% dangerous to the Internet script-kiddy's 20%? It's silly to put a number
on it.

        If you're out in the jungle someplace, do you worry more about a
tiger, or a bacterium? The wise man worries about both! :)

mjr.
(* Poll source: I asked my horse. He appeared dubious.) 
---
Marcus J. Ranum                         http://www.ranum.com
Computer and Communications Security    mjr () ranum com

_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: Firewalls and 802.1q trunking Eric Vyncke (Dec 04)
- Re: Firewalls and 802.1q trunking Luca Berra (Dec 04)
- <Possible follow-ups>
- Re: Firewalls and 802.1q trunking Steffen Kluge (Dec 04)
- RE: Firewalls and 802.1q trunking Steve Evans (Dec 10)
- RE: Firewalls and 802.1q trunking Marcus J. Ranum (Dec 11)
  - Re: Firewalls and 802.1q trunking Dragos Ruiu (Dec 12)
    - RE: Firewalls and 802.1q trunking Bill Royds (Dec 13)
  - Re: Firewalls and 802.1q trunking t (Dec 13)
- RE: Firewalls and 802.1q trunking Sloane, David (Dec 11)
  - RE: Firewalls and 802.1q trunking Marcus J. Ranum (Dec 12)
    - RE: Firewalls and 802.1q trunking R. DuFresne (Dec 13)
- Re: Firewalls and 802.1q trunking Mike Hoskins (Dec 14)
- Re: Firewalls and 802.1q trunking Brian Ford (Dec 15)