External data breaches from groups like Anonymous and internal data leaks from insiders such as Edward Snowden have enterprises questioning and rethinking their security programs. Are they doing enough to protect their data? Are their security controls effective? Would they be able to respond appropriately to a data breach and contain it quickly?
Much of the questioning and confusion has to do with executives not understanding where their critical assets are and how they need to be protected. Their sense of security is skewed by the fact that they’ve passed their compliance requirements, causing them to think they are safe. For most companies, if they were truly targeted by a sophisticated and determined attacker, they would fail miserably.
Why would they fail? Traditionally, security was focused on protecting the perimeter. Based on my experience with penetration testing organizations from all different industries, companies are doing a great job of locking down their externally exposed assets, with the exception of Web servers. There are fewer devices exposed and even fewer ports open that could provide an avenue for attack.
via Tech Insight: Top 4 Problem Areas that Lead to Internal Data Breaches.
Read the article for the details, but the four problem areas are:
- Asset management and putting in place proper protection mechanisms for those assets
- Not knowing or understanding the “principle of least privilege” (I’d also add “default deny”) and “need to know”
- Security training and awareness
- Shared credentials and password reuse
In my opinion, items 1, 2, and 4 tie into my preference for dealing with security’s “low hanging fruit”: the basic tenets we all should follow 100% of the time. Security awareness and training have value, but I think there’s too much focus on them. That focus takes time, money, and effort away from those security tenets I mentioned before.
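To make the second problem area concrete, here is an added example (mine, not from the Tech Insight article or this post’s author) of what “least privilege”, “default deny” and “need to know” look like in an access-control check. The policy model, the rule names and the sample requests are all constructed for illustration; the point is that a default-deny evaluator fails closed when a rule is missing, while a default-allow evaluator silently grants access, and that an audit pass can flag rules that are broader than the job requires.

```python
"""Default-deny access policy evaluator (added example, not the article's code).

Assumed model: a request is (principal, action, resource). A policy is a list of
explicit allow rules matched with shell-style globs. Anything not matched by a
rule is denied unless the caller opts into the (unsafe) default-allow mode, which
is included only to show how the failure mode differs.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List


@dataclass(frozen=True)
class Rule:
    principal: str  # user or role name; "*" matches anyone
    action: str     # e.g. "read", "write"; "*" matches any action
    resource: str   # e.g. "db/hr/*"; "*" matches any resource


@dataclass(frozen=True)
class Request:
    principal: str
    action: str
    resource: str


def matches(rule: Rule, req: Request) -> bool:
    """True when every field of the request falls within the rule's globs."""
    return (fnmatchcase(req.principal, rule.principal)
            and fnmatchcase(req.action, rule.action)
            and fnmatchcase(req.resource, rule.resource))


def decide(rules: List[Rule], req: Request, default_allow: bool = False) -> bool:
    """Return True if some rule explicitly allows the request.

    With default_allow=False (the recommended setting) a request that matches no
    rule is refused: forgetting to write a rule fails closed. With
    default_allow=True the same omission silently grants access.
    """
    for rule in rules:
        if matches(rule, req):
            return True
    return default_allow


def overbroad_rules(rules: List[Rule]) -> List[Rule]:
    """Least-privilege audit: flag rules that wildcard the principal, grant every
    action, or cover every resource. Such rules usually exist because someone
    needed one thing and was given everything."""
    return [r for r in rules
            if r.principal == "*" or r.action == "*" or r.resource == "*"]


# Constructed sample policy (hypothetical roles and resource names):
# HR analysts may read HR data on a need-to-know basis; the backup service may
# read everything but write nothing; nobody is granted write access to finance.
POLICY = [
    Rule("hr-analyst", "read", "db/hr/*"),
    Rule("svc-backup", "read", "db/*"),
]

# A constructed "legacy" policy of the kind an audit should catch.
LEGACY_POLICY = POLICY + [Rule("*", "*", "db/finance/*")]


def demo() -> dict:
    """Evaluate a few constructed requests under both modes and run the audit."""
    analyst_hr = Request("hr-analyst", "read", "db/hr/salaries")
    analyst_finance = Request("hr-analyst", "read", "db/finance/ledger")
    backup_write = Request("svc-backup", "write", "db/hr/salaries")
    intern_hr = Request("intern", "read", "db/hr/salaries")  # no rule covers this
    return {
        "analyst_reads_hr": decide(POLICY, analyst_hr),
        "analyst_reads_finance": decide(POLICY, analyst_finance),
        "backup_writes": decide(POLICY, backup_write),
        "intern_default_deny": decide(POLICY, intern_hr),
        "intern_default_allow": decide(POLICY, intern_hr, default_allow=True),
        "overbroad_in_legacy": len(overbroad_rules(LEGACY_POLICY)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The only difference between the safe and unsafe evaluators is the value returned when no rule matches, which is why “default deny” belongs alongside least privilege: it turns a forgotten rule into a help-desk ticket rather than a data leak.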