网络安全行业的内部威胁问题并非关于背景调查
Source: Dev.to
Insider Threats in Cybersecurity: A Systemic Problem
两位资深网络安全专业人士刚刚对参与针对自己客户和雇主的勒索软件攻击认罪。讽刺的是:我们信任来抵御网络犯罪的人,竟然自己成了网络犯罪分子。
但在我们急于指责个人道德失范或背景审查不充分之前,必须面对一个令人不安的行业真相:网络安全领域系统性地制造了内部威胁的完美条件,而我们当前的防范方式根本失效。
The Pattern
这些案件的细节遵循一种令人沮丧的熟悉模式:
- 高度熟练的专业人士 拥有合法的强大工具和敏感系统的访问权限,却决定将这些权限用于个人利益。
- 他们没有被我们自诩的安全控制或行为分析捕获。
- 他们没有被伦理培训或安全许可阻止。
- 他们仅仅在某一天决定,键盘另一侧的工作更有利可图。
这不是偶发事件;而是我们构建行业方式的可预见结果。
Why Cybersecurity Professionals Are Prone to Insider Threats
- 独特的压力——我们是技术领域中既最受压力又最具权力的劳动力。
- 管理权限——我们可以访问包含数百万客户记录的系统。
- 对漏洞的深度了解——发现漏洞是我们的工作。
- “破解事物”的文化——像攻击者一样思考是核心能力,且常被鼓励。
然而,当我们中的一些人真的变成攻击者时,却表现出惊讶。
The Real Problem
传统观点指向个人性格缺陷或审查不足。真正的问题在于我们已经打造了一种吸引正好具备内部威胁危险特质的人才的职业,随后系统性地让这些人接触到造成最大破坏的工具和知识。
Why Traditional Counter‑Measures Miss the Mark
| 方法 | 为什么失效 |
|---|---|
| 更彻底的背景调查 | 大多数叛变的专业人士在被雇佣时并非罪犯;他们在多年合法就业后因财务压力、工作不满或逐渐意识到作案容易而走向犯罪。背景调查无法预测未来的道德选择,就像它们无法预测离婚或赌博成瘾一样。 |
| 测谎仪测试 | 我们让受过训练去规避安全措施的人接受安全戏码。一个多年研究社会工程和心理操控的网络安全专家,恰恰是最不可能对测谎仪产生脆弱的人选。 |
| 持续监控与繁复的许可流程 | 把内部威胁视为招聘问题,忽视了系统性设计缺陷:我们赋予高度能力的个人无限权力,却缺乏足够的技术防护。 |
根本缺陷在于把内部威胁当作招聘问题,而实际上它是系统性设计问题。
Culture of Secrecy & Compartmentalization
网络安全文化通过对保密的执念进一步放大这些风险:
- 对漏洞的了解被严格控制。
- 少数人拥有极其敏感信息的访问权,却几乎没有监督。
这种保密在防止外部威胁时有其正当目的,但也为内部威胁制造了盲点。当安全团队孤立运作、情报仅在“需要知道”基础上共享、事件响应流程被视为机密时,我们就为内部滥用创造了完美条件。
讽刺: 许多组织对外部攻击面的可视性要好于对内部安全的可视性。
Source: …
rity operations. They can list every CVE in their environment but can’t easily identify which employees have the technical capability to cause the most damage.
How Other High‑Trust Professions Mitigate Risk
| Profession | Controls Used |
|---|---|
| Banks | Dual‑custody requirements, real‑time transaction monitoring, strict segregation of duties. |
| Hospitals | Automated dispensing systems that track every controlled substance. |
| Cybersecurity | Often only logging, which may not be reviewed until after an incident. |
In cybersecurity, we routinely give individuals root access to critical systems with nothing more than logging that nobody reviews until something goes wrong.
The Paradox of Talent
- The field actively selects for personality traits and skill sets that increase insider‑threat risk: creative problem‑solving, independent work, minimal supervision.
- These are exactly the characteristics that make someone dangerous if their loyalties shift.
This isn’t an argument for hiring worse security professionals. It’s an argument for recognizing that the skills we need inherently create risk, and we need to design our systems and processes accordingly.
Paradox: The better someone is at their job, the more dangerous they become as a potential insider threat. Traditional risk‑management assumes you can separate “good” employees from “bad” ones through screening and monitoring. In cybersecurity, that assumption breaks down because the technical capabilities required for the job are indistinguishable from those needed for malicious activity.
A New Direction
The solution isn’t better background checks or more intensive monitoring of employee behavior. It’s designing technical architectures that assume some insiders will eventually go rogue and building controls that limit the damage any single individual can cause.
- Implement true zero‑trust architectures internally, not just at the network perimeter.
- Require genuine multi‑person authorization for sensitive operations, not just sign‑offs on policy documents.
- Create technical controls that make insider threats difficult to execute and impossible to hide.
Some organizations are already moving in this direction:
- Just‑in‑time access that requires approval for every administrative action.
- Immutable logging systems that can’t be modified by the people being logged.
- Separation of sensitive operations across multiple people and systems so no individual has end‑to‑end capability to cause damage.
The key insight is treating insider threats as an engineering problem rather than a human‑resources problem. Instead of trying to identify who might go rogue, assume someone eventually will and make sure they can’t succeed.
Rethinking the Profession
The cybersecurity industry must have an honest conversation about whether our current approach to staffing and organizing security teams creates more risk than it mitigates. We’ve built an entire profession around the idea that a small number of highly trusted individuals can be given extraordinary access and capabilities with minimal technical constraints.
That made sense when cybersecurity was a small, specialized field dealing with limited threats. Today, security teams have access to systems containing billions of dollars in assets and millions of personal records; the tools we use daily could shut down critical infrastructure. Continuing to rely primarily on trust and good intentions is reckless.
The recent guilty pleas should force us to confront these questions directly:
- How many more insider incidents will it take before we admit that our fundamental approach is flawed?
- How much damage are we willing to accept because we’re uncomfortable implementing technical controls that might slow down our own teams?
Real change will require admitting that some of our most fundamental practices are securi
ty theater 旨在让我们感觉更好,而非真正降低风险。教导这些专业人士已经了解的相同原则的伦理培训、无法预测未来行为的背景调查,以及在损害已发生后才发出警报的监控系统,都不足以应对。
前进的道路在于接受内部威胁是我们构建该领域方式的必然结果,然后构建技术防护,使此类威胁难以实施且无法隐藏。这意味着要重新设计我们的工具、流程,甚至可能彻底改变组织安全团队的方式。
这将并不舒适。它要求安全专业人员接受对自身能力的额外技术约束,放慢某些操作,并在其他方面制造摩擦。
但另一种选择是,每当受信任的防御者变成攻击者时仍感到惊讶,然后用同样无效的措施来应对,这些措施未能阻止上一次事件的发生。
网络安全行业的内部威胁问题并非个人道德失误,而是系统性设计失误。除非我们愿意解决后者,否则前者只会愈演愈烈。