Confidential Data: You're Giving Away Your Corporate Secrets!

In the hands of a skilled attacker, even the most innocuous piece of data can be used to attack the system and gain access to the crown jewels.

By Neil Smithline on Fri, June 13, 2008

CIO — A security review or security audit is a process that helps an organization determine whether it has the appropriate security measures in place; that is, whether the amount it is spending on each security countermeasure approximates the cost to the company of the expected loss. While there are many methodologies for performing a security audit, most include the following steps: identifying valuable assets, estimating their value to the company and their cost if they are somehow damaged, determining their current level of protection, determining the probability of a potential break-in (i.e., risk), deciding whether an asset's current protection matches its estimated value, and investigating what options are available to remedy any differences. At first glance, while perhaps time-consuming, this does not seem terribly complex. Ask several top executives what they consider to be the company's valuable assets, merge and prioritize the lists, and you are likely well on your way.

If your executives did well, they will have included many types of assets including physical assets such as buildings, technological assets such as computers, intellectual property assets such as domain knowledge, etc. They might have thought to list risks such as fire, theft, computer break-ins, industrial espionage and even natural disasters.

If you add input from the IT team, you will likely get items added to the list involving security of employee passwords, firewall and other Internet-protection mechanisms, power and air-conditioning failures, etc.

Once complete, you will likely have a very comprehensive list of your company's assets that need protection. But one asset is nearly always forgotten. This is the internal configuration of a company's computer systems. "Internal configuration" includes:

  • Internal network topology including firewalls, internal IP addresses, and other networking information and configuration that only need to be accessible from within an enterprise's private network.
  • Hardware and software products, including their manufacturers, models and versions.
  • Usernames, administrative accounts, privileged individuals.
  • Internal or external services used by the company (e.g., travel agency, office supply website, Active Directory services) and the means of connectivity to those services.
  • Computer languages and software frameworks used for networked applications.
  • Whole or partial source code—including stack traces.

These pieces of internal configuration, along with many others that have been omitted from this column for brevity, all share one thing in common: They are frequently thought of as non-confidential data, yet, in the hands of a skilled attacker, each might contribute to a break-in. With confidential data such as passwords or private keys, the threat from exposure is clear. But with these seemingly trivial configuration facts (e.g., an IP address that is only accessible from within the enterprise network), the threats are less obvious.
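As an added example (not part of the original column), the following Python sketch shows how an audit could check what a web application sends to outside clients for three of the items listed above: internal IP addresses, product versions, and stack traces. The patterns, the `X-Backend-Host` header, and the sample response are constructed assumptions for illustration.

```python
import ipaddress
import re

# Constructed patterns for three categories from the list above (assumptions,
# not an exhaustive rule set): internal IPs, product versions, stack traces.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
VERSION_HEADERS = {"server", "x-powered-by"}
VERSION_TOKEN = re.compile(r"/\d+(?:\.\d+)+")
STACK_FRAME = re.compile(
    r"Traceback \(most recent call last\)|^\s+at [\w.$<>]+\(.*\)\s*$",
    re.MULTILINE)


def find_internal_ips(text):
    """Return the RFC 1918 addresses that appear in text."""
    found = set()
    for candidate in IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 fits the regex but is not an address
            continue
        if any(addr in net for net in RFC1918):
            found.add(candidate)
    return sorted(found)


def audit_response(headers, body):
    """Return (category, evidence) findings for one outbound HTTP response."""
    findings = []
    for name, value in headers.items():
        if name.lower() in VERSION_HEADERS and VERSION_TOKEN.search(value):
            findings.append(("product-version", f"{name}: {value}"))
    for ip in find_internal_ips("\n".join(headers.values()) + "\n" + body):
        findings.append(("internal-ip", ip))
    frame = STACK_FRAME.search(body)
    if frame:
        findings.append(("stack-trace", frame.group(0).strip()))
    return findings


# Constructed sample: an error page as an outside client would receive it.
SAMPLE_HEADERS = {"Server": "Apache/2.2.8 (Unix)", "X-Backend-Host": "192.168.4.17"}
SAMPLE_BODY = """<h1>500 Internal Server Error</h1>
<pre>java.sql.SQLException: cannot connect to 10.20.30.40:1521
    at com.example.billing.Db.connect(Db.java:88)
</pre><p>Status page: 203.0.113.10</p>"""

if __name__ == "__main__":
    for category, evidence in audit_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{category:16} {evidence}")
```

Each finding is a candidate for the asset list: the remedy is usually a generic error page, suppressed version banners, and removal of headers that name internal hosts.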
