Firewall Wizards mailing list archives
RE: Firewalls and 802.1q trunking
From: "Sloane, David" <DSloane () vfa com>
Date: Wed, 11 Dec 2002 10:39:06 -0500
The 80% number seems to have originated (or received additional validation) in this ComputerWorld article:

Security Experts: Users Are the Weakest Link
By DAN VERTON
NOVEMBER 26, 2001
http://www.computerworld.com/securitytopics/security/story/0,10801,66047,00.html

This seems to be the most credible data in the study:

    In addition, the U.S. Treasury Department said insiders committed 60% of the computer intrusions reported by banks and other financial institutions in the first four months of this year.

Of course, using only "reported" intrusions limits the sample quite a bit. But how else can you get good data? It's embarrassing to IT managers/staff to report security breaches to anyone, especially someone outside the company, so accuracy in a statistic like the one above is limited.

If you can't rely on reported intrusions, then you have to go with surveys, which are easily misused. In a February, 1998 editorial at the Computer Security Institute site, the 80% figure seems to lose a little more relevance:

(from http://www.gocsi.com/ip.htm)

    According to a recent survey in the Current and Future Danger: A CSI Primer on Computer Crime & Information Warfare, over 80% of the respondents identified employees as a threat or potential threat to information security.

So this statistic has nothing to do with actual intrusions, but rather with the perceptions of survey respondents.

So the figure isn't completely made up, but almost.

David Sloane

-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () ranum com]
Sent: Tuesday, December 10, 2002 11:01 PM
To: Steve Evans; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Firewalls and 802.1q trunking

Steve Evans wrote:
> And can you say that the traffic coming from the internet is the most dangerous traffic on the network. I've always understood that the vast majority of the attacks come from the inside.

The "80% of attacks come from the inside" statistic that has been broadly quoted by INFOSEC practitioners is, as far as I can tell, completely made up. In fact, the shocking results of a recent study revealed that 99.5% of statistics regarding Internet Security are made up, or otherwise based on flawed assumptions.*

If it _were_ a real statistic it'd have had to take into account some interesting questions:

- What percentage of "attacks" did damage?
- Were the "attacks" counted as "successful attacks" or did probes count as well?
- Is a Nessus scan an "attack"?
- Does an "attack" like a Nessus scan (if counted as an attack) count as one "attack" or as "N attacks" where N is the number of discrete tests attempted?
- How many "attacks" does a Code Red worm launch? 1? 25? What about a mass-rooter? Does a "cluster attack" count as a single attack or a multiple attack?
- Does a scan of a subnet count as 255 hosts attacked? Or 255 * number of ports scanned? Or what?
- Is a virus an "attack"?

What I think the people who made that saying up were trying to do was get people to keep a balanced perspective on the relative insider/outsider threat. But making up bullsh@+ is not the way to do it. The way to do it is to point out that, as an enterprise grows, the personnel perimeter grows with it, and sooner or later you'll have a Bad Guy on the inside. And, it's probably a safe bet, a Bad Guy on the inside will have a higher level of access, a lower level of audit, and a greater knowledge of where the goodies are - and will be accordingly more dangerous.

Will they be 80% dangerous to the Internet script-kiddy's 20%? It's silly to put a number on it. If you're out in the jungle someplace, do you worry more about a tiger, or a bacterium? The wise man worries about both! :)

mjr.

(* Poll source: I asked my horse. He appeared dubious.)

---
Marcus J. Ranum
http://www.ranum.com
Computer and Communications Security
mjr () ranum com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards