I read a survey today about about the state of government security as perceived by more than 200 government IT security professionals.

I found the results to be very interesting. The survey shows concern is mostly about inside problems. The further outside the threat is, the less it is considered a threat. I find this interesting because many security people tend to be worried about external threats that are not well defined. I suspect the reason for worrying more about the internal threat is the size of the organization and an inability to control it.

Insider threat and poor practices rank at the top of the What list. This demonstrates, in my opinion, a lack of control over the organization. The next item on the What list is Exploitable software vulnerabilities. Software vulnerabilities are a bigger threat when there are many software packages from many vendors deployed across the organization with little control. As you can see, everything points to a large organization that is not security minded.

The Who list also shows a similar trend as Careless users rank number one followed by Inside employees and Inside contractors. The trend is clear when moving further outside the organization the threat diminishes.

The question I pose after reading such a survey is “What should a security professional do in such an environment?”

One path is the political path. Push for more support from management. Management support will bring security mandates, more security people, more budgets, better training and a general focus on security. It would be great to have such a security focus from management, but it will take time. Given the way the government work, it might never happen at all.

The second path is more active – Focus on the resources you need to protect, and guard them from the company. The problem in protecting the data from the company is that preventative controls cannot be effective. The employees that are considered a threat need access to the data. The systems that are considered vulnerable need to be used to access the data. So while preventative control are important, they are far from being sufficient against an internal threat.

The only solution I know to this problem is Activity Monitoring. Watch who’s doing what in your systems in general, and in your databases in particular. Database Auditing / Activity Monitoring is a fundamental tenant in any security strategy, and is the only security measure against insider threats.

See my blog entries that analyze audit reports of the DHS and the IRS that arrive at similar conclusions.