
Avis are in the news with 299,006 customers’ information stolen & leaked.
Such breaches are not uncommon, sadly. But the spin on this one has me concerned. Avis blame “Insider wrongdoing” for the breach, as if this is some acceptable explanation. To be clear: it is not.
Risk management doesn’t stop at the front door. What goes on inside the organisation matters too and must be part of the process.
How did ONE person have access to so much data, the ability to extract it without anyone noticing, and the ability to then exfiltrate it outside of the organisation?
There are several controls that should be in place to prevent this, or at least make it vanishingly unlikely that an attempt succeeds. Those controls range from technical controls (least privilege and need-to-know on the data, limits and approvals on bulk export, egress monitoring) through to personnel controls & processes, and include auditing & alerting so that a large extraction is noticed while it is happening rather than when the data turns up for sale.
Inside sensitive Government & related systems, there is usually a requirement for personnel vetting, but even with this we don’t (or at least, we shouldn’t!) assume that this adequately deals with the threat. Personally, I like to use some statistical methods to assess the likely numbers of Bad Actors within groups of individuals with various levels of access (unprivileged, privileged, and shades between) and various levels of vetting (including “none”). A Bad Actor here means someone who is: corrupt, corruptible, or otherwise wishes to deliberately undermine the confidentiality, integrity or availability (C/I/A) of a system.
If you can assess the likely numbers of Bad Actors within various groups, then you can deploy suitable controls to mitigate the risks down to suitably low levels compatible with the organisation’s risk appetite.
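As a worked illustration of that kind of assessment (added here; this is not the author’s own model, and every headcount, base rate and control-effectiveness figure in it is a constructed assumption, not a published statistic or anything from the Avis case), the following treats each access group as a binomial population: each member is independently a Bad Actor with some assumed rate, and a Bad Actor beats the controls with some assumed probability. From that you get the expected number of Bad Actors per group, the probability at least one exists, the overall probability of a successful insider breach, and, running the sum backwards, how effective the controls on a given group need to be to keep that group’s contribution under the organisation’s risk appetite.

```python
"""Toy insider-risk model: expected Bad Actors per access group and the
probability that at least one of them succeeds against current controls.

All group sizes, base rates and control-effectiveness figures below are
constructed illustrations (assumptions), not Avis's numbers or any
published statistic. Members are treated as independent, which is a
simplification (collusion is ignored).
"""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class AccessGroup:
    name: str
    headcount: int
    bad_actor_rate: float         # assumed P(a given member is a Bad Actor)
    success_given_attempt: float  # assumed P(a Bad Actor here beats the controls)


def expected_bad_actors(group: AccessGroup) -> float:
    """Expected number of Bad Actors in the group (binomial mean n*p)."""
    return group.headcount * group.bad_actor_rate


def p_at_least_one_bad_actor(group: AccessGroup) -> float:
    """P(the group contains at least one Bad Actor) = 1 - (1-p)^n."""
    return 1.0 - (1.0 - group.bad_actor_rate) ** group.headcount


def p_successful_insider_breach(groups) -> float:
    """P(at least one member of any group is a Bad Actor AND succeeds).

    Each member independently causes a successful breach with probability
    bad_actor_rate * success_given_attempt; the complement is the product
    over every member of not doing so.
    """
    return 1.0 - prod(
        (1.0 - g.bad_actor_rate * g.success_given_attempt) ** g.headcount
        for g in groups
    )


def required_success_cap(group: AccessGroup, target: float) -> float:
    """Largest success_given_attempt the controls may leave this group
    so that the group's own breach probability stays <= target.

    Solves 1 - (1 - r*q)^n <= target for q.
    """
    r, n = group.bad_actor_rate, group.headcount
    return (1.0 - (1.0 - target) ** (1.0 / n)) / r


def assess(groups, risk_appetite: float) -> dict:
    """Summarise the groups against a risk appetite (a max breach probability)."""
    breach = p_successful_insider_breach(groups)
    return {
        "expected_bad_actors": {g.name: expected_bad_actors(g) for g in groups},
        "p_any_bad_actor": {g.name: p_at_least_one_bad_actor(g) for g in groups},
        "p_successful_breach": breach,
        "within_appetite": breach <= risk_appetite,
    }


# Constructed scenario. Same people, same assumed base rates; only the
# success-given-attempt figures change once bulk-export limits, egress
# monitoring and alerting are in place.
BEFORE_CONTROLS = [
    AccessGroup("unprivileged, no vetting", 2000, 0.01, 0.05),
    AccessGroup("privileged, basic vetting", 50, 0.005, 0.5),
    AccessGroup("admin, enhanced vetting", 5, 0.002, 0.9),
]
AFTER_CONTROLS = [
    AccessGroup("unprivileged, no vetting", 2000, 0.01, 0.0002),
    AccessGroup("privileged, basic vetting", 50, 0.005, 0.01),
    AccessGroup("admin, enhanced vetting", 5, 0.002, 0.05),
]
RISK_APPETITE = 0.01  # assumed: at most a 1% chance of a successful insider breach


if __name__ == "__main__":
    for label, groups in (("before", BEFORE_CONTROLS), ("after", AFTER_CONTROLS)):
        result = assess(groups, RISK_APPETITE)
        print(f"--- {label} controls ---")
        for g in groups:
            print(f"{g.name:28s} E[bad actors]={result['expected_bad_actors'][g.name]:.2f} "
                  f"P(>=1)={result['p_any_bad_actor'][g.name]:.3f} "
                  f"controls must cap success at <= {required_success_cap(g, RISK_APPETITE):.4f}")
        print(f"P(successful insider breach) = {result['p_successful_breach']:.4f} "
              f"within appetite: {result['within_appetite']}")
```

The point the numbers make is the one in the text: vetting shrinks the base rate but never drives it to zero, so a large unvetted population with weak controls contributes more to the breach probability than a handful of vetted admins, and the question for each group is what the controls must achieve given the Bad Actors you should expect to be there.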
So blaming “Insider wrongdoing” screams (to me) of “we didn’t properly consider the risks of insiders”. It’s not a free pass. It’s not a “Get Out Of Jail Free Card”. And it’s not an acceptable excuse. It’s a big old FAIL, unless they explain what controls were in place and how amazingly unlikely this successful attack was. I’m not holding my breath on that one.
TL;DR: Humans are part of the system. Humans are complicated messes of competing motivations. Humans make choices which sometimes render them vulnerable to external pressures. Humans’ circumstances change over time. This must be assessed realistically as part of the risk management, otherwise you’re not actually managing the risk.
