Penetration Testing mailing list archives

Re: Internal Servers (noob post)


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 11 Jun 2009 17:27:05 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 4 Jun 2009, Wim Remes wrote:

Ron,

I can't let that one pass.

Verizon publishes a yearly breach report, the latest of which you can find here: http://www.verizonbusiness.com/resources/security/databreachreport.pdf

You are correct in stating that there are far fewer breaches from the inside than from the outside (17% vs 73%); the impact of internal breaches is much higher though, $377k vs $30k. If you take into account breaches where partners are involved (which I would categorize as internal anyway), it amounts to over $500k.


Transitive trust is an issue and perhaps can well be considered an insider threat, but the figures you state bring other questions to mind: the cost amounts listed, what are they based on? Average man hours to repair? Some ambiguous claim to the value of the data breached/compromised? A combination of those and other costs?

I recall all the claims made of the damages suffered due to Mitnick's run a few decades back, and do not recall any of the numbers really being substantiated even back then.


Case in point, this report only covers the breaches handled by Verizon, but I think an extrapolation wouldn't really differ from the numbers in this report.


I can agree with that assumption. This is perhaps the most detailed accounting I've seen on the topic. Most of the rest consists mainly of FUD, often espoused by industry leaders to corporate heads to make them feel they have a hacker behind every other desktop in their environment. One has to consider though, if you can't trust the technical staff you hire, then perhaps you have a larger problem at hand?


Which metrics have you seen?


Mostly muddled claims with little substance besides inferences to other, perhaps related, statistics. A Google search on insider threat is enlightening in the lack of detailed information being spread, for sure.


While fighting the dark side is much more exciting, working with the business to reduce the actual threat surface is where it's really at.


I have no arguments against hardening hosts and such, but feel this is done to mitigate not so much against malicious insiders as to mitigate things like an infected laptop used at home and at work, or stupid user tricks whence a trojan or virus is unleashed because someone opened that .exe that came in their mail, despite being in a security training session the week before which apprised them that this was not a "good thing(TM)" to do.


Thanks,

Ron Dufresne


On 04 Jun 2009, at 17:28, R. DuFresne wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 3 Jun 2009, Gorgon Beast wrote:

                [SNIP]


Since many attacks happen from the inside anyway, you should protect those machines. If you want to get really granular (which a lot of companies are, lately), you can put your servers in an internal DMZ as well, behind a firewall, and only allow authorized workstations to connect to them. This takes a lot of work to implement if you are already set up.



Insider threat is often stated, and the metrics I've seen on it do not seem to be backed up. Can you back up yours here, with something solid on the actual threat from internal users and admins?


Thanks,

Ron DuFresne
- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      admin & senior security consultant:  sysinfo.com
                      http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

These things happened. They were glorious and they changed the world...,
and then we fucked up the endgame.    --Charlie Wilson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFKJ+gQst+vzJSwZikRAnuQAJ0dXvUVxlT6yXWjBXSI1EX5zkwCzACeK7zX
hfzCDdey2VAuiOieLZnMci0=
=WDkc
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------




- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

These things happened. They were glorious and they changed the world...,
and then we fucked up the endgame.    --Charlie Wilson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFKMT5sst+vzJSwZikRApoXAJ9T60e1IGbvj7viKq7FG6IR0XRhrwCgzCa7
Nqa6eno3Nl3qvQ5ahoTQ+jo=
=5/E/
-----END PGP SIGNATURE-----
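
As an added illustration of the "internal DMZ" layout suggested in the quoted post (example configuration written for this archive page, not something posted in the original thread), the nftables ruleset below belongs on the firewall that routes between the workstation LAN and the internal server segment. It drops all forwarded traffic by default and admits only an explicit allow-list: ordinary workstations reach application ports, only two jump hosts reach the administrative ports, and servers cannot open connections back into the workstation LAN. The addresses (workstation LAN 10.10.0.0/16, server segment 10.20.0.0/24, jump hosts 10.10.1.10 and 10.10.1.11), the interface names lan0/srv0 and the port list are all assumed for the example.

```nft
#!/usr/sbin/nft -f
# Example internal-DMZ policy for a firewall routing between the
# workstation LAN (lan0) and the internal server segment (srv0).
# Addresses, interface names and ports are assumed for illustration.

flush ruleset

table inet internal_dmz {
    # Workstations allowed to reach the application ports.
    set authorized_workstations {
        type ipv4_addr
        flags interval
        elements = { 10.10.0.0/16 }
    }

    # Hosts allowed to reach the admin ports (SSH/RDP). Keep this list small.
    set admin_hosts {
        type ipv4_addr
        elements = { 10.10.1.10, 10.10.1.11 }
    }

    # The protected server segment.
    set dmz_servers {
        type ipv4_addr
        flags interval
        elements = { 10.20.0.0/24 }
    }

    chain forward {
        # Default deny for everything routed through this box.
        type filter hook forward priority filter; policy drop;

        # Replies belonging to connections that were already permitted.
        ct state established,related accept
        ct state invalid drop

        # Application traffic from authorized workstations to the servers.
        iifname "lan0" oifname "srv0" ip saddr @authorized_workstations \
            ip daddr @dmz_servers tcp dport { 80, 443, 445 } ct state new accept

        # Remote administration only from the jump hosts.
        iifname "lan0" oifname "srv0" ip saddr @admin_hosts \
            ip daddr @dmz_servers tcp dport { 22, 3389 } ct state new accept

        # Servers may not initiate connections into the workstation LAN;
        # log such attempts separately, they are a useful compromise indicator.
        iifname "srv0" oifname "lan0" ct state new log prefix "dmz-egress-denied: " drop

        # Anything else (unlisted workstation, unlisted port) is logged and dropped.
        log prefix "dmz-denied: " drop
    }
}
```

Load it with `nft -f internal_dmz.nft` and check the result with `nft list ruleset`. The two log prefixes are what the monitoring side keys on: a "dmz-denied" entry from a workstation that is not on the list, or any "dmz-egress-denied" entry at all, is worth a look regardless of whether the source turns out to be a malicious insider or an infected laptop.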
