The CryptoLocker ransomware infrastructure, which encrypted victims’ data and then demanded money for the encryption key, was a sophisticated piece of malware that proved incredibly difficult to stop. It ultimately took an international working group to take it down. Welcome to today’s cyber threat landscape.
The job of IT security is harder and more critical than ever. While data must be protected, not all data is of equal importance, and therefore not all of it needs the same level of protection. Security teams should consider the types of data that exist within their organizations and what security measures will work best for each.
It always costs more money and takes more time to manage sensitive data. Too often, though, organizations hoping to keep costs down fall into the trap of accepting lower levels of security for critical data. Best practices can help organizations identify the different categories of data within their networks and assign custom security levels as appropriate.
The most robust security possible is needed to protect an organization’s critical assets, whether those assets are a database of customer information or valuable intellectual property. Yet knowing how to identify the different security levels of data in an organization can be a challenge.
A best practice for determining the data security needs of an organization is to create a pyramid with different levels, each of which defines a separate class of data that needs its own security rank. Of course, this is not a new idea: governments and defense agencies have classified their data in a similar way for many years.
The base of the pyramid is easy. Outsiders are uninterested in the bulk of an organization’s data - the operational “workhorse” information that is necessary to the business but not a lucrative target for hackers. As such, it will not require as much protection as sensitive data at the top. Of that more sensitive information, a certain subset will be at the very top of the pyramid, as it is truly business-critical and most costly to protect. This data classification process ensures that security resources are applied where they are the most needed.
Determining which data is business-critical is not as obvious as it might seem. For example, technology companies like Cisco typically consider intellectual property such as source code to be business-critical, but not all source code is created equal. Open source code might be less important to protect since it’s available to everyone. However, specialized source code that provides a unique function that differentiates the company from its competitors would absolutely be considered top-tier data, and therefore worthy of higher protection.
Another way to think about classifying data is to look at it from a cybercriminal’s perspective. What data could you sell or use? What data would you want to destroy? How would you gain access to it? There are all kinds of tricks hackers can use to steal enterprise intellectual property, and more are being created all the time. How will you get ahead of the attacker? Start with discovering potential weak areas in the computing environment. Even the most secure system can be brought down with a simple social engineering attack.
The old ways of protecting your organization’s data are simply no match for today’s sophisticated, well-funded and persistent threats. End-users access data from more places – and with more devices – than ever before, creating a labyrinth of new security challenges. Discovering how data is used within the organization is an essential step to securing information assets, paving the way toward integrating security into the process or technology itself.
As the example of CryptoLocker reminds us, data security today is both more complex and more necessary than at any other time in history. Hackers are looking for any vulnerability to exploit, and IT security teams must stay at least one step ahead by patching weak areas. A formal pyramid model of data classification that assesses threat risks relating to different data types and the impact of a successful attack will help you put your resources where you need them most. Focusing on what is of greatest importance will help keep the organization’s most critical assets out of cybercriminals’ hands.
* Steve Martino is chief information security officer and vice president of information security at Cisco.
Copyright 2010 Respective Author at Infosec Island