Designing an effective Information Security Program is a process that requires a thorough knowledge of your assets (what you’re protecting) and the threat sources (the type of entity that might try to get it). Understanding these two factors is foundational to building an Infosec program. Based on the results of this characterization you will have an idea of the level of security you need. For example, some workplaces have snacks in their lunch room that rely on the honor system: take a cookie, put 50 cents in the jar. This may be acceptable given that the asset (a cookie) is pretty low value and the threat sources (employees) are likely somewhat trustworthy. However, I have never seen a bank rely on the honor system. A large pile of cash in the lobby would be a bank robber’s dream. Instead, video surveillance, guards, and sometimes mantraps are the norm. Cash is a very valuable asset and bank robbers (the threat sources) are highly motivated.
Most businesses fall somewhere in between. Their assets are more valuable than cookies. Often the regulated industries such as healthcare (HIPAA), merchants (PCI), and financial institutions (FFIEC) have institutionalized the assets (EPHI, Cardholder Data, Account Information) and prescribed some of the types of controls and testing these firms should undergo. This does (or at least should) result in comprehensive security controls and regular testing via security assessments and penetration testing.
Many other firms have a challenging time understanding the value of their assets. It is easy to fall into the trap of thinking that you are safe because you don’t have PCI or financial data, but in this slow economy cybercrooks are likely to be more creative in their money making endeavors. A couple of breaches over the last few weeks have caught my eye as examples of hackers targeting assets that have not traditionally been viewed as high value.
Email addresses: McDonald’s, Walgreens, Garnet Hill and possibly hundreds of others had their email lists stolen. Silverpop (the email marketing vendor) likely didn’t have sophisticated security controls. They probably viewed themselves as a low risk target. After all, who would want to steal just email addresses?
Twitter Accounts: Compromised Twitter accounts (possibly from the Gawker breach) were used to promote Acai Berry (as well as get-rich-quick and other scams).
Google Page Rank: The site www.aintitcool.com was recently hacked to insert hidden links for blackhat SEO purposes. The goal was to use the links to trick Google into ranking the hackers’ web sites higher in the search results.
How can you protect your organization? Your internal team has the best understanding of your assets. Take a few minutes and think through the misuse cases: what assets do you have that are valuable to an outside attacker? Make sure you know your risk and allocate your limited security resources where they matter most.