Sobre ameaças internas - MUITO BOM!

Para quem ainda não tem o securosis no blogroll, é hora de colocar. Este post aqui é sobre "insider threat". Quem esteve no YSTS viu que é um dos meus assuntos favoritos. É frequente a discussão sobre o que é maior, a ameaça interna ou a externa. Os pontos levantados pelo Mogull no post são extremamente claros e dão uma noção muito exata do problema. Para os que viram minha apresentação, atenção ao item 7 da lista. É o motivo pelo qual acho que toda empresa deveria pensar em um processo de monitoração de seu ambiente interno. E quando digo monitoração, lembrem-se, não estou falando (só) de IDS...

Do post do Mogull (negrito no item 7 é meu):

1. "Once an external attacker penetrates perimeter security and/or compromises a trusted user account, they become the insider threat.
2. Thus, from a security controls perspective it often makes little sense to distinguish between the insider threat and external attackers- there are those with access to your network, and those without. Some are authorized, some aren’t.
3. The best defenses against malicious employees are often business process controls, not security technologies.
4. The technology cost to reduce the risks of the insider threat to levels comparable to the external threat are materially greater without business process controls.
5. The number of potential external attackers is the population of the Earth with access to a computer. The number of potential malicious employees is no greater than the total number of employees.
6. If you allow contractors and partners the same access to your network and resources as your employees, but fail to apply security controls to their systems, you must assume they are compromised.
7. Detective controls with real-time alerting and an efficient incident response process are usually more effective for protecting internal systems than preventative technology controls, which more materially increase the overall business cost by interfering with business processes.
8. Preventative controls built into the business process are more efficient than external technological preventative controls."