Sunday, October 11, 2009

"Protect the Data" Where?


I forgot to mention another thought in my last post, "Protect the Data" from Whom? Intruders are not mindlessly attacking systems to access data. Intruders direct their efforts toward the sources that are easiest and cheapest to exploit. This produces an interesting corollary.

Once other options have been eliminated, the ultimate point at which data will be attacked will be the point at which it is useful to an authorized user.

For example, if a file is only readable once it has been decrypted in front of a user, that is where the intruder will attack once his other options have been exhausted. This means that the only way to completely "protect data" is to make it unusable. If data is not usable then it doesn't need to exist, so that means intruders will always be able to access data if they are sufficiently resourced and motivated, as explained in my first post on this subject.

1 comment:

Kevin Rowney said...

@taosecurity RT "Intruders direct their efforts toward the sources that are easiest and cheapest to exploit."

This matches with our experience as well. There are numerous documented cases of large scale internal data-spills that become the focus of attack. The classically trained security teams have no idea that these data spills exist as a possible target. Independent data backing this up: p.34 of VDBIR:2009

How to find these data spill events? Information Centric methods do this exceedingly well.

You go on to say: "Once other options have been eliminated, the ultimate point at which data will be attacked will be the point at which it is useful to an authorized user."

What's the best way to find the most at-risk authorized user? A good starting point would be those with heavy loads of confidential data on their endpoint systems. Once those systems are ID'd, enterprises can make sharp decisions about further lock-down on those systems and that data.

Look, we agree that just encrypting everything or DRM'ing it all is not the end solution; but I think you underestimate how far advanced the new capabilities are in the detection of exposure and flow of sensitive data.

Enjoying jousting against you on this topic,

@krowney
p.s.: Great blog!