“If you fail to plan, then you plan to fail” is the adage.
The task of identifying assets that need to be protected is a less glamorous aspect of information security. But unless we know these assets, their locations and value, then how are we going to decide the amount of time, effort or money that we should spend on securing these assets?
Real case scenario
A former Dallas hospital guard was charged for breaking into the computers, planting malicious software and planning a distribution-denial-of service (DDos) attack.
The majority of the insider unauthorised activities involved a heating, ventilation and air conditioning (HVAC) system containing confidential patient information.
This HAVC was located in a locked room, but the insider uses his security key to obtain physical access.
The insider installed malware to allow unauthorised individuals to remotely access and take control.
The malicious insider activities caused the HAVC system to become unstable, which eventually led to outages.
The insider was caught after he posted pictures on the Internet of the compromised HVAC.
The case illustrates how a single computer system caused a significant amount of damage to an organisation. Modifying the HVAC could have potentially been life threatening.
The point is, the HVAC computer was located in a locked room, rather than a data centre or a server room. Secondly, If the organisation had fully realised the potential impact, it could have implemented additional controls to prevent this type of attack
The essential function of any organisation business is to understand it’s critical assets and to ensure its confidentiality, integrity and availability (CIA).
Critical assets can be thought of as something of value that which if destroyed, altered, or otherwise can cause major harm to the organisation.
Critical assets can both be physical as well as logical
A complete understanding of critical assets (both physical and logical) is valuable in defending against attackers (whether they are insiders or outsiders) who will often target the organisation critical assets.
The following questions will help you identify and prioritise the protection of your critical assets.
Once critical assets are identified and prioritised, you must identify the high-risk users that interact with these assets.
A question that you must ask - What could a user that has authorised access to the critical asset do either intentionally or unintentionally to cause harm?
By answering this specific question to every critical asset will help you drive the right control and policies that need to be set.
Real Breach Example: Data leakage
Date of Breach: 16th of October, 2019
Over 1.2 billion records of personal data have leaked online in a massive security breach. The leaked data contains email IDs, employers, social media profiles, phone numbers, names, job titles and even geographic locations.
The exposed data comes with an index which suggests it was essentially sourced from a data enrichment company called People Data Labs. The unprotected Elasticsearch server contained as many as 622 million unique email addresses, researchers added.
Let’s start by focusing on one of your key assets – Data.
Answering these questions will help you to inventory the data and systems that must be protected from various attacks.
If you find the above a challenge due to time and resource constraints, consider that Naked Insider can offer this service for you.
While I’m guessing that you have reasonably good visibility and the idea of where your critical and sensitive data resides, you may not be aware of other sets of information. These ad-hoc data sets may have been generated over time and maybe sitting on someone’s laptop, but how would you know? And what is the risk to your business and your reputation?
The data discovery scan is a fast and easy way to scan your network and identify the precise files containing sensitive data and their location. The entire process can be completed within a couple of days.
Interested in finding out what the process is?
Interested in seeing a sample report?
Interested in knowing what your investment is?
Contact us at [email protected] with a subject line “Data Discovery”