The US military and CERT have released some interesting data on the insider threat to organizations. You can find a media write-up of it here.
Of most interest were some of the numbers. I was pretty amazed by the fact that 86% of the insider threat originates in IT and that some 90% of incidents involved people who already had Administrator/root privileges on the network!
It makes sense that IT would be a large source of cyber threats, but I really had always thought that we were doing a better job of teaching ethics to IT staff. The percentages seem to disagree with that and I think it makes a clear statement that we need to improve on developing not just technical skills in our teams, but also ethical behaviors and insight.
That 64% of incidents involved remote access systems (terminal servers, VPNs and the like), combined with accounts that were never terminated or whose passwords were never changed, is NOT amazing to me. This remains one of the most serious threats that organizations face today – especially if they are larger than a small company.
Quite simply, password management has become a nightmare, and passwords remain the largest threat to the security of any organization. Password changes are too difficult in most environments, too many applications require administrative access to operate, and there are few true technical solutions to the problem. Hopefully in the future, some real and functional technology will arrive to replace passwords – but most of the current solutions fall far short in terms of cost, reliability and ease of management. (Bonus to vendors and developers: Make something to fill this niche that meets those three requirements and get rich!)
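The two conditions called out above (accounts still enabled after their owner has left, and passwords that were never rotated, both worse when the account carries remote access or admin rights) are exactly what a periodic account audit should catch. The following is an added example, not code from the article; it assumes a directory export with the fields shown, and the sample accounts are constructed, not real data:

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    username: str
    enabled: bool
    employed: bool               # False once HR has marked the person as departed
    is_admin: bool               # holds Administrator/root rights
    remote_access: bool          # VPN / terminal-server entitlement
    last_password_change: date


# Constructed sample directory export (hypothetical accounts, not real data)
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, True, True, date(2024, 5, 1)),
    Account("bob", True, False, True, True, date(2023, 11, 15)),       # departed, still enabled
    Account("carol", True, True, False, True, date(2022, 1, 10)),      # remote user, very old password
    Account("dave", False, False, False, False, date(2023, 2, 2)),     # correctly disabled on departure
    Account("svc-backup", True, True, True, False, date(2021, 6, 30)), # service account, never rotated
]

# Fixed "today" so the sample audit is reproducible
AUDIT_DATE = date(2024, 6, 1)


def audit_accounts(accounts, today, max_password_age_days=90):
    """Return (username, issue, severity) findings for enabled accounts.

    Two checks, matching the incident pattern in the report:
      1. orphaned accounts: owner departed but the account is still enabled
      2. stale passwords: last change older than max_password_age_days
    Severity is raised when the account combines remote access with admin rights,
    because that is the combination an outsider or ex-insider can use from anywhere.
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are already contained
        exposed = acct.remote_access and acct.is_admin
        if not acct.employed:
            severity = "high" if (acct.remote_access or acct.is_admin) else "medium"
            findings.append((acct.username,
                             "orphaned: owner departed but account still enabled",
                             severity))
        age = (today - acct.last_password_change).days
        if age > max_password_age_days:
            severity = "high" if exposed else "medium"
            findings.append((acct.username,
                             f"stale password: {age} days old (limit {max_password_age_days})",
                             severity))
    return findings


def audit_sample(max_password_age_days=90):
    """Run the audit over the constructed sample at the fixed audit date."""
    return audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE, max_password_age_days)


if __name__ == "__main__":
    for username, issue, severity in audit_sample():
        print(f"[{severity.upper():6}] {username}: {issue}")
```

Run as-is, it flags bob twice (orphaned and stale, both high because the account has VPN access and admin rights), carol once (old password on a remote-capable account), and the svc-backup service account once; dave is skipped because the account was properly disabled. In practice the account list would come from the directory (e.g. an LDAP or Active Directory export), and the output feeds a ticket to disable the account or force a password change.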
I don’t think anything in the article is rocket science, but it is nice to get firm numbers that confirm what security pundits (myself included) have been saying for close to a decade. Insiders matter. Ethics matter. Passwords just have to go.
In the meantime, while we wait for technical solutions on the password front to mature, we can certainly begin to identify ways to increase cyber ethics and to help educate people and companies about the insider threat. Truly, as in most cases, education seems to be the key to effecting change. Maybe, if we begin to strengthen the ethical training of tomorrow’s network and system admins, we can lower those percentages and the risks for future generations.