No, really -- you have been hacked. You have lost sensitive organizational information along with customer and employee personal information. If you don't think you have had such a loss, you are not looking in the right places.
Current security measures are not working effectively. You may not realize this, but your adversaries do. Who is your adversary? It depends on your industry, but generally speaking, your adversarial threats fall into these categories: corporate espionage, state-sponsored espionage, organized crime, hackers, and current or former employees with malicious intent.
These adversaries have one goal in mind: to extract all the information they can from your computing environment.
Your adversaries use automated tools to scan for vulnerabilities in your unpatched systems. They use spear phishing to trick your employees into visiting compromised websites that in turn compromise computing assets and data. They use social engineering techniques that lower your employees' guard to the point where they will reveal sensitive information.
A determined adversary only needs to be right once to achieve their objective. Your organization's security measures need to be perfect all the time. Who has the upper hand? Not your organization.
The 2008 Data Breach Investigations Supplemental Report (http://www.verizonbusiness.com/resources/security/databreachsuppwp.pdf), compiled by the Verizon Business Risk Team, noted that nine out of 10 data breaches involved one of the following:
- A system unknown to the organization (or business group affected)
- A system storing data that the organization did not know existed on that system
- A system that had unknown network connections or accessibility
- A system that had unknown accounts or privileges
What does this mean for your organization? The latest and greatest security tool you just purchased will not fix your problems. Get your house in order; develop a process, with supporting tools and staff, to locate and maintain an inventory of all computing assets and related network connectivity; determine and track the information stored on those assets; create a program to deal with identity and access management to organizational resources; and create and test a plan for when the inevitable happens.
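One way to make the "get your house in order" step concrete, as an added example that is not from the column or the Verizon report: a small reconciliation script that compares the inventory an organization believes it has against what a network scan, a host account audit and a data classification sweep actually find, and flags exactly the four unknowns the report lists (plus the reverse case of an inventoried system that the sweep no longer sees). Every host name, address, port, account and data label below is constructed sample data.

```python
"""Reconcile an authorized asset inventory against observed evidence.

Added illustration; the inventory and observations are constructed sample data.
Each finding maps to one of the four "unknown" factors the report calls out.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed "known" inventory: what the organization believes it has.
KNOWN_ASSETS = {
    "10.0.1.10": {"name": "web01", "services": {80, 443},
                  "accounts": {"root", "www", "alice"}, "data": {"public"}},
    "10.0.1.20": {"name": "db01", "services": {5432},
                  "accounts": {"root", "postgres", "bob"}, "data": {"customer-pii"}},
    "10.0.1.30": {"name": "backup01", "services": {22},
                  "accounts": {"root"}, "data": {"customer-pii"}},
}

# Constructed observations from a scan, an account audit and a data sweep.
OBSERVED = {
    "10.0.1.10": {"services": {80, 443, 22},
                  "accounts": {"root", "www", "alice", "svc_backup"},
                  "data": {"public", "employee-pii"}},
    "10.0.1.20": {"services": {5432},
                  "accounts": {"root", "postgres", "bob"},
                  "data": {"customer-pii"}},
    "10.0.1.77": {"services": {3389}, "accounts": {"Administrator"}, "data": set()},
}


@dataclass(frozen=True)
class Finding:
    category: str  # unknown_system / unknown_connectivity / unknown_account / unknown_data / missing_system
    host: str
    detail: str


def reconcile(known: dict, observed: dict) -> list[Finding]:
    """Return every discrepancy between the inventory and what was observed."""
    findings: list[Finding] = []
    for host, seen in sorted(observed.items()):
        expected = known.get(host)
        if expected is None:
            # A system the organization did not know it had.
            findings.append(Finding("unknown_system", host,
                                    f"not in inventory; listening on {sorted(seen['services'])}"))
            continue
        # Network accessibility the inventory does not record.
        for port in sorted(seen["services"] - expected["services"]):
            findings.append(Finding("unknown_connectivity", host,
                                    f"port {port} open but not in inventory"))
        # Accounts or privileges the inventory does not record.
        for acct in sorted(seen["accounts"] - expected["accounts"]):
            findings.append(Finding("unknown_account", host,
                                    f"account {acct!r} not in inventory"))
        # Data the organization did not know lived on this system.
        for label in sorted(seen["data"] - expected["data"]):
            findings.append(Finding("unknown_data", host,
                                    f"data class {label!r} not recorded for this system"))
    # Inventoried systems the sweep did not see: decommissioned, offline, or moved.
    for host in sorted(set(known) - set(observed)):
        findings.append(Finding("missing_system", host,
                                "in inventory but not observed in the sweep"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, for a quick dashboard-style view."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in reconcile(KNOWN_ASSETS, OBSERVED):
        print(f"{f.category:20} {f.host:12} {f.detail}")
    print(summarize(reconcile(KNOWN_ASSETS, OBSERVED)))
```

Run on a regular schedule, the non-empty result is the work queue: each unknown system, port, account or data class is either added to the inventory with an owner or removed from the environment. The `missing_system` category matters too, since a host that quietly disappears from scans may have been moved somewhere the organization is not monitoring.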
If you don't know what you have, you won't know what has gone missing.
Ben Halpert, CISSP, is an information security researcher and practitioner and writes monthly about security. Comments, questions & requests can be sent to him at firstname.lastname@example.org; please include SECURITY in the subject line.