Re: WANTED: ISPs with DDoS defense solutions
On Sat, 2 Aug 2003, Doug Hughes wrote:
Besides, firewalls only protect against outsiders, whereas most damaging
                                                           ^^^^^^^^^^^^^
attacks are from insiders.
^^^^^^^^^^^^^^^^^^^^^^^^^
Do you have current data to support this? I believe this may have been true 5 years ago but is no longer true.
No, just my experience from working for the last 4 years in the security field (banking, insurance, government & US Army :)
Is this a case of distinguishing damaging vs non-damaging?
Yes. External attacks are mostly show-offs by kids. Insiders intend to do damage - that's the whole point of those attacks.
At my company, all recent attacks that I'm aware of have been from outside. Even if I allow for the fact that I'm not aware of all attacks
Internal attacks are rarely ever discovered because attackers have the benefit of knowledge of the actual systems and can plan the execution, not just improvise (and trip detectors). Besides, intrusion detectors are mostly designed to detect footprints of the external attackers.
... the mere volume of ones that I'm aware of would stand as counterpoint to the assertion that most damaging attacks are from insiders. Certainly, insiders have the 'potential' to generate the most damaging attacks with greatest ease, but I'm not sure that establishes a causal relationship with occurrence.
You are right that it does not; I'm afraid nobody has real figures because these kinds of attacks are rarely reported even if discovered. BTW, taking an unauthorized copy of the company's sources when leaving the company IS an attack... how common is that?
Certainly the volume of attacks is strongly disproportional towards the outsider.
Yep. Automated scanning lets attackers pick easy targets; those attacks are rarely targeted.
--vadim
Hi, NANOGers.
] Yes. External attacks are mostly show-offs by kids. Insiders intend to
] do damage - that's the whole point of those attacks.
True. Internal "oops" also tend to do far more damage than an oops from the outside. I've seen more than one bit of malware get loose on a corporate network because someone internal was analyzing it. :|
] BTW, taking an unauthorized copy of the company's sources when leaving the company
] IS an attack... how common is that?
Unclear, at least to me, though source code for just about anything is traded in the underground. Some of it is bogus, enough of it is not.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Participants (2): Rob Thomas, Vadim Antonov