There are no internal applications

I read this post by Rafal Los (Wh1teRabbit) and wanted to agree completely. If you still believe you can have a firewall and an IDS and "trust" your users, you are inviting a problem. If you have a team that is convinced that nothing bad could ever happen to their infrastructure because they are 1337, you have a bigger problem. The blog post and comments focus on the fact that it is the data that needs to be protected, not just the location of the data. As mentioned in an earlier post, mobile computing and new threat and attack vectors are removing your borders for you.
Your people are your greatest asset and your biggest risk. Somebody in your organization clicks links, brings in infected USB drives, plays on Facebook all day, or actually wants to steal your data. I have been inside some supposedly very secure networks before where nothing but everyone's good intentions, and some veiled threats, stopped them from doing whatever they wanted. I don't just mean a penetration tester with network access, I mean anyone that knows how to open Network Neighborhood or send email. Talking with the management in these organizations resulted in some head nodding and furrowed brows but no change or desire to change. Every now and then a technical person would get frustrated and leave, only to be replaced by a project manager or an "architect." At one place, a mid/senior-level analyst left and the management decided to replace him with someone that had no security experience. One of the quotes overheard from that management group was "We don't need any more smarty pants around here, we need someone who can get along with everyone." I agree that your team should function well together, just not at the expense of your data's security.
So, think of it this way:
1. Can a malicious insider, no matter how unlikely, steal your data?
2. Can a non-malicious insider bring a threat inside that compromises your data?
3. In either case would you even know if this had happened?
4. Why can it happen?
5. What can be done to lower the risk or impact?
Good luck planning for future security projects, and don't forget to use the WikiLeaks trend to increase your budget for next year.
