Enemies Inside the Gates
Cautionary tales of Internet hackers extraordinaire and other dangers lurking in the Web forest have led us down the path of constructing steel doors in open fields. The emphasis has been on the doors, rather than on what they are protecting. Truth No. 2: We must become less perimeter-centric and more asset-centric, because the reality is we can't protect it all.
Without a firm grasp of what we're guarding, where it resides and how valuable it is, how can we hope to quantify necessary levels of protection, much less achieve them? Without open lines of communication between IT and business units, how can security teams quantify the true threat to digital assets?
Unfortunately, when it comes to assets, the problem lies with the business and security teams; most business operators know little about infosec, and infosec practitioners know little about the business. Without a better understanding, a common ground will not be found.
In a cost-conscious economy, organizations don't need more expensive security controls; they need more effective ones. It's time to regroup, re-evaluate, and make 2003 the year holistic strategies take center stage.
Infosec Triage
As any data defender in a large enterprise will tell you, it's a lot easier to attack than it is to defend. Intruders need find only one chink in the armor, while protectors need to outfit all their assets with armor while battling restrictive budgets, limited resources, nebulous perimeters, open systems and an onslaught of ongoing technical vulnerabilities. Hence the continued emphasis on the "defense in depth" concept: creating multiple defense tiers in the hopes that, should one fail, another will provide the necessary protection. But what should we be defending? Servers? Networking equipment? Desktops? Files? Backup tapes? Applications? Databases?
Most security personnel will say: "All of the above," and while that answer isn't necessarily wrong, there's a greater chance of achieving world peace. Remember: You can't protect it all. While no one likes picking sacrificial lambs, infosec triage is a necessity. Protecting what is most important is the best you're going to do, because cold hard truth No. 3 is that bulletproof security does not exist. The basis of the triage process is distinguishing what is more valuable from what is less valuable, taking into account the heart of information technology: information. Propagating, distributing and using information are what drive the need for desktops, servers, software and networking gear. And, within most organizations, the value of information varies based on business importance and sensitivity. This is no surprise. However, just what value should be assigned to each piece of data is not always clear to IT and security personnel. In addition, some types of information have proven more prone to attack than others.
For example, if we examine loss statistics, a story unfolds: Certain types of data are more tempting targets, and the losses associated with these targets are substantial. The 2002 CSI/FBI Computer Crime and Security Survey of 503 computer security practitioners makes clear that while abuse of Internet access and virus outbreaks are the most common incidents with financial ramifications, theft of proprietary information is by far the most expensive. The survey also notes that proprietary-information theft can come from both internal and external intruders (see report highlights).
The top items stolen include financial statistics, research and development data, strategic plans and customer lists, according to the results of a survey of 138 companies, including both Fortune 1000 and small and midsize businesses, conducted by ASIS and PricewaterhouseCoopers ("Trends in Proprietary Information Loss," at www.asisonline.org/pdf/spi2.pdf).