Security Basics mailing list archives

Re: Statistics


From: Alessandro Bottonelli <abottonelli () libero it>
Date: Tue, 25 Nov 2003 13:22:08 +0100

On Monday 24 November 2003 16:57, Jack Solomon wrote:
> I often hear statistics bandied around like 85% of attacks are internal.
> Can anyone point to a reliable/quotable source of stats?

82% Internal (of which 55% accidental) are quoted from research (not 
public) by either Ernst&Young or Datapro--can't remember right now which one.

> I'd like to prove
> to my cynical management that we are not safe behind the corporate
> firewall...

Beware! You are right, but this issue is highly political, management 
don't like to be told they cannot trust their employees. Make sure YOU know 
how to state this.

> Also, I'd be interested in stats on amount of money lost

Hmmm. When it comes to money, things are even worse. Insiders have more 
opportunity, means and motive to hit you hard. In a research paper of mine (I 
found no one here in Italy available to publish it... wonder why) I made 
this consideration (which is not by far a statistic):

-1- SQLWORM hits the Italian Post Office. Zero insiders, an unaccounted number 
of outsiders: estimated damage 150,000 Euros

-2- CREDIT CARD CLONING in an Italian (Tuscany) Bank. One insider, five 
outsiders: measured damage 1,000,000 Euros

-3- INS OUTSOURCER DESTROYS (willingly) some thousands of documents (in order to 
look good on their SLA...). Three insiders, zero outsiders: assessed damage 
250,000,000 dollars (the value of the 5-year contract with INS).

Be careful when (if) using this with your management, as we say in Italy: 
"wrap it with plenty of vaseline grease ..." <grin>

-- 
Alessandro Bottonelli
CISSP, BS7799 Lead Auditor
www.axis-net.it
