Penetration Testing mailing list archives

Re: Internal Servers (noob post)


From: Wim Remes <wremes () gmail com>
Date: Thu, 4 Jun 2009 20:57:22 +0200

Ron,

I can't let that one pass.

Verizon publishes a yearly breach report, the latest of which you can find here: http://www.verizonbusiness.com/resources/security/databreachreport.pdf

You are correct in stating that there are far fewer breaches from the inside than from the outside (17% vs 73%); the impact of internal breaches is much higher though, $377k vs $30k. If you take into account breaches where partners are involved (which I would categorize as internal anyway), it amounts up to +$500k.

Case in point, this report only covers the breaches handled by Verizon, but I think an extrapolation wouldn't really differ from the numbers in this report.

Which metrics have you seen?

While fighting the dark side is much more exciting, working with the business to reduce the actual threat surface is where it's really at.

Regards,

Wim

On 04 Jun 2009, at 17:28, R. DuFresne wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 3 Jun 2009, Gorgon Beast wrote:

                [SNIP]


Since many attacks happen from the inside anyway, you should protect those machines. If you want to get really granular (which a lot of companies are, lately), you can put your servers in an internal DMZ as well, behind a firewall, and only allow authorized workstations to connect to them. This takes a lot of work to implement if you are already set up.



Insider threat is often stated, and the metrics I've seen on it do not seem to be backed up. Can you back up yours here, with something solid on the actual threat from internal users and admins?


Thanks,

Ron DuFresne
- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       admin & senior security consultant:  sysinfo.com
                       http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

These things happened. They were glorious and they changed the world...,
and then we fucked up the endgame.    --Charlie Wilson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFKJ+gQst+vzJSwZikRAnuQAJ0dXvUVxlT6yXWjBXSI1EX5zkwCzACeK7zX
hfzCDdey2VAuiOieLZnMci0=
=WDkc
-----END PGP SIGNATURE-----
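
One way to express the "internal DMZ, only authorized workstations may connect" design quoted above as a concrete default-deny policy. This is an added example, not code from anyone in the thread. The server segment 10.20.0.0/24, the workstation prefixes, the allowed ports, the nftables table name and the sample flows are all constructed assumptions for illustration; the evaluator mirrors the rendered ruleset so the policy can be checked offline before it is loaded on a firewall.

```python
"""Default-deny policy for an internal server segment, plus its nftables rendering.

Added example, not from the mailing-list thread. Addresses, ports and
sample flows below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (assumption): servers sit in 10.20.0.0/24 behind a
# firewall; only these workstation prefixes may open connections to them.
SERVER_SEGMENT = ip_network("10.20.0.0/24")
AUTHORIZED_WORKSTATIONS = [ip_network("10.10.0.0/24"), ip_network("10.10.5.17/32")]
ALLOWED_TCP_PORTS = {22, 443}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    established: bool = False  # True for return traffic of an already tracked connection


def authorized(src: str) -> bool:
    """Is the source address inside one of the authorized workstation prefixes?"""
    addr = ip_address(src)
    return any(addr in net for net in AUTHORIZED_WORKSTATIONS)


def decide(flow: Flow) -> str:
    """Mirror the forward chain below, rule by rule: narrow accepts, chain policy drop."""
    if flow.established:
        return "accept"  # ct state established,related accept
    if ip_address(flow.dst) in SERVER_SEGMENT and authorized(flow.src) \
            and flow.dport in ALLOWED_TCP_PORTS:
        return "accept"  # workstation -> server on an allowed port
    return "drop"        # everything else, including servers initiating outbound


def render_nftables() -> str:
    """Emit the equivalent nftables ruleset (load with: nft -f <file>)."""
    elements = ", ".join(
        str(n.network_address) if n.prefixlen == 32 else str(n)
        for n in AUTHORIZED_WORKSTATIONS)
    ports = ", ".join(str(p) for p in sorted(ALLOWED_TCP_PORTS))
    return f"""table inet srvdmz {{
    set authorized_workstations {{
        type ipv4_addr
        flags interval
        elements = {{ {elements} }}
    }}
    chain forward {{
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ip daddr {SERVER_SEGMENT} ip saddr @authorized_workstations tcp dport {{ {ports} }} accept
        ip daddr {SERVER_SEGMENT} log prefix "srvdmz-deny " drop
    }}
}}
"""


# Constructed sample flows exercising the policy's edge cases.
SAMPLE_FLOWS = [
    Flow("10.10.0.25", "10.20.0.10", 443),                     # workstation, allowed port
    Flow("10.10.0.25", "10.20.0.10", 3389),                    # workstation, port not allowed
    Flow("10.10.5.17", "10.20.0.11", 22),                      # single authorized host
    Flow("10.30.7.4", "10.20.0.10", 443),                      # other internal VLAN, not authorized
    Flow("10.20.0.10", "10.10.0.25", 52000, established=True), # server reply to allowed session
    Flow("10.20.0.10", "10.10.0.25", 445),                     # compromised server trying to pivot
]


def evaluate_samples() -> list:
    """Return (src, dst, dport, decision) for each constructed flow."""
    return [(f.src, f.dst, f.dport, decide(f)) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for src, dst, dport, verdict in evaluate_samples():
        print(f"{src:>12} -> {dst}:{dport:<5} {verdict}")
    print(render_nftables())
```

The evaluator and the rendered ruleset are kept in lockstep on purpose: when the allowlist changes, the same constants drive both, and the sample flows double as a regression check that a server inside the segment can answer authorized sessions but cannot open new connections back toward the workstation VLAN.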

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
