Vulnerabilities of low probability bring about devastating impact
(Continued from Consumerization of IT and state of the security industry and a reply to Low probability but a devastating impact.)
After lunch, we broke up into several groups and I headed to the discussion on “next generation threat analysis,” which worked to identify vulnerabilities that have a low probability of being exploited but a huge impact on the business. Some of the vulnerabilities were very sensitive, so I’ll be vague here — sorry guys.
Corporate espionage and planting evidence were at the top of our list, followed by sensitive unencrypted network traffic, SCADA, legacy applications and weak database security. Also included were sensitive information being stored in clear text, SSH port forwarding and encrypted outbound channels. These are definitely not unique to one company — I’m sure many companies worry about these exact vulnerabilities as well.
I’ve seen data classification (knowing what you have and where it is) come up in many discussions with folks at conferences and other meetings. With so much data it is definitely tough, and you have to ask where to start; usually you have no choice but to start by classifying new data. Classifying existing petabytes of information is close to impossible!

You hit a ton of info and issues in this one post! Yikes!
Interesting about ssh port forwarding and what is basically looking at covert channels. I’d love to work in a larger campus and get a chance to play with mitigating those issues on the network.
Data classification… man. The only place that does this well is the gov’t, and really only because they’ve been doing it for many, many decades. Even smaller companies like mine find it impossible to try to classify and protect data and get mgmt buy-in and employee support for it. I can’t even imagine it in a larger company. We can do a lot of lip service the “analyst way” by spouting best practices and we can try to make a dent, but I really truly believe no company has a handle on their data except in maybe a very broad stroke. “Uhh, everything is classified,” or “All emails should not be considered private…” and other such nonsense that isn’t accurate anyhow. Unless someone is looking at and classifying the data manually to some high degree or users are accurately classifying their own information, it’s just not gonna happen. Besides, companies have their product and their profits to worry about and spend money on… :(
Hell, it’s hard enough to get people to delete shit let alone classify it properly. It’s crazy how much information clogs up the network devices and backups and systems like so much cholesterol in a McDonald’s junky. :(
LV, data classification has been a lost cause everywhere I’ve seen it tried. People begin to classify data, or develop some plan; then over a couple of years it dies away and a new initiative is introduced which is totally different, bringing you right back to square one.
The reason why the government gets it right with classifying data is because there’s an actual incentive, too… starting with one year in jail!