[Owasp-cincinnati] Addressing security in the workplace

James Walden james.walden at gmail.com
Tue Oct 6 10:07:17 EDT 2009

On Tue, Oct 6, 2009 at 9:55 AM, Brad Gardner <bgardner87 at gmail.com> wrote:
> I was hoping that someone could point me to a few resources.  One of the
> common thought processes that I am seeing at work has become "This
> application is strictly internal, so we don't need to worry about
> security".  I know that security inside the perimeter should be of
> significant concern, and have found some tech talks and ebooks that suggest
> up to 80% of attacks come from inside the corporate network.  Is this an
> accurate number?  Furthermore, if anyone has any thoughts or resources to
> share on this subject, and particularly strategies for eliminating this
> mindset in the workplace, I would be very interested to hear them.

I've seen wildly different numbers for insider attacks; I tend to
believe the numbers suggesting relatively low numbers like 10% because
of the constant probing systems experience from external attackers. If
someone said that 80% of successful attacks were from the inside, I
could believe that, as insiders are more likely to conduct targeted
attacks and have more knowledge of the target before beginning.

That said, it's worth remembering for web attacks that the firewall
means little when an attacker can use JavaScript they tricked another
site to host to cause an internal user to portscan and fingerprint the
network from the inside, then launch targeted attacks on the
identified web servers.

James Walden
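One defensive consequence of the point above, written as an added example that is not part of the thread: an "internal only" web application still has to treat the employee's browser as a potential relay for external JavaScript, so it should reject requests that do not name one of its own hostnames and state-changing requests that do not come from an allowed origin. Hostnames, origins and sample requests below are constructed assumptions.

```python
# Added example (not from the mailing-list thread): a minimal request-admission
# check for an internal web application. The perimeter firewall does not help
# when a browser inside the network is driven by JavaScript from an external
# page, so the application itself validates two things:
#   1. the Host header names this service (blocks DNS-rebinding style access
#      and requests aimed at a bare internal IP);
#   2. state-changing requests carry an Origin (or Referer) from an allowed
#      internal origin (blocks cross-site requests relayed through a user).
from urllib.parse import urlsplit

# Assumed deployment values; replace with the real internal hostnames.
ALLOWED_HOSTS = {"intranet.example.local", "intranet.example.local:8080"}
ALLOWED_ORIGINS = {"https://intranet.example.local",
                   "https://intranet.example.local:8080"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def request_allowed(method: str, headers: dict) -> tuple[bool, str]:
    """Return (allowed, reason). Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host", "").lower()
    if host not in ALLOWED_HOSTS:
        # Note: refusing the request does not hide that the port answers;
        # limiting what is reachable at all is a network-segmentation job.
        return False, "unexpected Host header"
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = h.get("origin")
    if origin is None and h.get("referer"):
        parts = urlsplit(h["referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    # "Origin: null" (sandboxed or opaque origins) is not in the allowlist
    # and is therefore rejected as well.
    if origin is None or origin.lower() not in ALLOWED_ORIGINS:
        return False, "cross-origin state-changing request"
    return True, "same-origin"


# Constructed sample requests as a browser inside the perimeter might send them.
SAMPLES = [
    ("GET", {"Host": "intranet.example.local"}),                      # normal browsing
    ("POST", {"Host": "intranet.example.local",
              "Origin": "https://intranet.example.local"}),           # legitimate form post
    ("POST", {"Host": "intranet.example.local",
              "Origin": "https://evil.example.com"}),                 # relayed cross-site post
    ("GET", {"Host": "10.0.0.5"}),                                    # probe by bare internal IP
    ("POST", {"Host": "intranet.example.local"}),                     # no Origin/Referer at all
]


def triage(samples=SAMPLES):
    """Run the admission check over the sample requests."""
    return [request_allowed(m, hdrs) for m, hdrs in samples]
```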

