Firewall Wizards mailing list archives

Re: Intrusion Detection


From: Bret Watson <lists () bwa net>
Date: Thu, 18 Dec 1997 14:48:13

At 12:29 AM 12/18/97 GMT, Edward Cracknell wrote:
> Can *we* call the internal monitoring of networks behind a firewall
> 'Intrusion' Detection when we are looking to identify 'insider' crime.
> Surely this is not an intrusion if perpetrated by someone who is meant to
> be there? I'm just concerned that we title this thing incorrectly in the
> early stages and mislead customers when selling this.

I think it comes from the physical model - intrusion detection is about
detecting intruders (obviously). So what is an 'intruder'? Perhaps a good
definition is something like 'what is a weed? - a plant out of place'.
Similarly we can define an intruder as a person out of place, someone who
is where they shouldn't be at that time.


> crime at best. Many surveys state that insider crime accounts for up to
> 81% of reported crime, others say 60%. My boss and mentor attributes the
> change from 81% down to 60% to an increase in Internet and external
> network crime.
ACARB (an Australian association) claims insiders are involved in up to 95%
(if I remember correctly) of computer-related crimes. I think this includes
insiders sharing info such as work patterns etc...

> So why do businesses appear to 'accept' insider crime when the type of
> crime committed by insiders is typically financial, whereas external
> crime equates, more often than not, to nothing more than the drawing of
> spectacles and a moustache on an expensive painting?

Face. A business loses face if they are found to have their own personnel
being disloyal - therefore quietly give the person the shove or sideline
them and keep it all under the covers. In other words, they are concerned, but
just don't want to know that it could happen to them. In some countries
(like Aust) there are major union problems as well - network monitoring
could show up just how little work the employees are doing, or show how
much company bandwidth is being used to download porn...


Cheers,

Bret
Technical Incursion Countermeasures 
Providing the means for your company's self-defense
consulting () ticm com                      http://www.ticm.com/
ph: (+61)(08) 9429 8898(UTC+8 hrs)      fax: (+61)(08) 9429 8800