Difference Between Internal & External Threats to an IT Database
By Shea Laverty
The vast amounts of data stored in a database make it a critical point of defense for any enterprise -- and a prized target of electronic ne'er-do-wells. While external threats are always a priority in data security, a potentially more dangerous and insidious threat is ever-present: an attack from within. Learning the differences between an internal and an external attack can help you better safeguard your database against attack from all sides.
Invaders vs. Saboteurs
The fundamental difference between an external and internal threat is the identity of the attacker. A simplified way to view this is looking at invaders versus saboteurs. External threats, or invaders, act from outside the company and must overcome your exterior defenses in order to reach your database. Internal threats, or saboteurs, work within the company and can thus bypass exterior defenses. As trusted members of the company, they already have far more access than any external threat.
Intention of Threat
The intentions behind a threat to the database are another key issue. External threats are almost always malicious, with data theft, vandalism and disruption of services all possible goals. Internal threats can be equally vicious and may also include blackmail or other illicit activities. Internal threats, however, are not always malicious. Sometimes, the threat isn't a person at all, but poor internal security policies and measures that cause unexpected or unintentional database breaches, or expose weaknesses to external attackers should they breach or circumvent external security measures.
External threats are limited to what access they can get from outside your company's data network. They must successfully bypass or disable external defenses before they can even log into the network and access what data is available to non-privileged accounts. Internal threats have varying levels of access based on privilege level but generally have access to basic network resources through legitimate log-in information. More privileged users may also have direct access to the database and other IT resources as well as potentially sensitive information.
Internal Components of External Attacks
Many external attacks have an internal component that facilitates easier access or carries out its own illicit operations. While in some cases this is an actual saboteur, many other internal components of external attacks include Trojans, keyloggers and other malicious software that either create open channels for intruders or enable them to use legitimate log-in information to gain unauthorized access.
Social engineering, or the manipulation of personnel into creating or revealing security weaknesses, serves as both an external and internal threat. Social engineers prey on unwitting victims with scams that include calling and pretending to be technical support to gain sensitive information or install malicious software, and leaving official-looking physical media loaded with malware for unsuspecting victims to find. Social engineers may even prey on common courtesy, following unaware personnel into restricted areas and pretending to have lost their validation token or identification card. The only way to really mitigate attacks by social engineers is to rigorously train employees about password confidentiality and security protocols and enforce these protocols.
Precautions and Countermeasures
Purely external threats are primarily covered with strong firewall and IPS protection on the network perimeter. The more difficult task is internal security, which often requires considerable policy changes. This includes changing password policies to increase password strength and monitoring all database access, especially by users connecting from abnormal locations, such as applications outside of the network. Internal security should be geared in a top-down fashion, with security measures in place for users of all privilege levels, as saboteurs can come from any level of the organization.
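As an added illustration that is not part of the original article, the access monitoring described above can be sketched as a review of database audit records that flags connections from outside the network or from unexpected applications, applied equally to every privilege level. The log format, network ranges, application names and accounts are all constructed assumptions.

```python
import csv
import ipaddress

# Assumed policy values (hypothetical): address ranges that count as "inside
# the network" and the client applications expected to reach the database.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
APPROVED_APPS = {"payroll-web", "reporting-svc"}

# Constructed audit records: timestamp, db_user, role, source_ip, application
SAMPLE_LOG = """\
2024-05-01T09:02:11Z,jsmith,analyst,10.1.4.22,reporting-svc
2024-05-01T09:15:40Z,dba_admin,admin,203.0.113.57,sqlclient
2024-05-01T10:31:05Z,mlee,clerk,192.168.7.9,excel-odbc
2024-05-01T11:48:19Z,svc_payroll,service,10.2.0.5,payroll-web
2024-05-01T12:00:00Z,kpatel,analyst,not-an-ip,reporting-svc
"""

def flag_abnormal_access(log_text, internal_nets=INTERNAL_NETS,
                         approved_apps=APPROVED_APPS):
    """Return (db_user, role, reasons) for every record that needs review.

    Every account is checked the same way, whatever its privilege level.
    """
    findings = []
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        _ts, user, role, source_ip, app = (f.strip() for f in row)
        reasons = []
        try:
            addr = ipaddress.ip_address(source_ip)
            if not any(addr in net for net in internal_nets):
                reasons.append("source outside network")
        except ValueError:
            # An unparseable source is never treated as internal.
            reasons.append("unparseable source address")
        if app not in approved_apps:
            reasons.append("unapproved application")
        if reasons:
            findings.append((user, role, reasons))
    return findings

if __name__ == "__main__":
    for user, role, reasons in flag_abnormal_access(SAMPLE_LOG):
        print(f"{user} ({role}): {', '.join(reasons)}")
```

Records that pass both checks are still legitimate log-ins by trusted accounts, so this kind of review complements, rather than replaces, the policy measures described above.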