May 17 2005

The Insider Threat

Published by Martin at 6:40 am under Phishing, scams, etc.

insidercross051105.pdf (application/pdf Object)

As an Intrusion Detection System administrator, I’ve long thought that the threat offered by a trusted insider is much greater than any threat from a hacker. After all, it’s easy to write a signature to catch malicious traffic as it crosses the network. On the other hand, it’s impossible to write a program that identifies the difference between valid usage of system privileges and the abuse of the same privileges. How is the computer going to know the difference between Johny Clerk printing out a copy of someone’s file for official business and printing the same information to take home with him?

The good news is that insider threats seem to be a lot less prevalent than those from outsiders. A hacker scanning for vulnerable systems has nothing to lose if his target picks up on his attacks. On the other hand, the insider has limited targets to choose from and is directly linked to the target. The insider also has more to lose if caught.
