I recently came across this article on the “Top hacker disasters of 2011”, written by David Aitel of Immunity Inc. David has put together a brilliant article that lists some of the high-profile attacks and five lessons to be learned. One key point you should notice in this article is that no single security failure point caused any of these companies’ breaches. The points of attack ranged from technology being cracked to poor security practices within a corporation.
After reviewing David’s 5 lessons, I wanted to comment on each to add a little more insight.
In Lesson 1: Protecting critical data, David points out how the RSA SecurID token was hacked. He also discusses that most executives do not even know what critical information is in their databases, and the need for a chief information security officer (CISO). While I agree with this, the other takeaway is that security technology alone cannot protect the company. Anything created by humans can eventually be broken by humans, given enough time, resources and money. This is what happened with the RSA SecurID token.
In Lesson 2: Segmenting your network, an additional point I would add is to segment the data stored on the network into confidential and public. By classifying the data into these two groups, security controls can be designed to meet the specific needs of each. Segmentation also keeps costs down: why pay for strong encryption to secure a press release? You also want to segment employees into different groups according to which data they are and are not allowed to access.
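As an added example (not from David’s article or this post), the following Python script ties Lesson 1 and Lesson 2 together: it first builds a rough inventory of which database tables hold confidential data by matching column names against a hypothetical list of sensitive-field patterns, then enforces a deny-by-default policy in which public tables are readable by everyone and confidential tables only by employee groups that were explicitly granted access, logging every denial for review. The schema, the pattern list and the group names are all constructed for illustration.

```python
"""Data classification inventory plus group-based access enforcement.

Constructed example: the schema, sensitive-column patterns and group
names are made up for illustration, not taken from any real system.
"""
import re
from dataclasses import dataclass, field
from enum import Enum


class Classification(Enum):
    PUBLIC = "public"
    CONFIDENTIAL = "confidential"


# Column-name patterns that suggest sensitive content. Hypothetical starter
# list; a real inventory would be driven by the organisation's own data map.
SENSITIVE_PATTERNS = [
    re.compile(r"(ssn|social_security|national_id)", re.I),
    re.compile(r"(card_number|cvv|iban|account_number)", re.I),
    re.compile(r"(password|secret|api_key|token)", re.I),
    re.compile(r"(salary|medical|diagnosis|dob|date_of_birth)", re.I),
]

# Constructed sample schema: table name -> list of column names.
SAMPLE_SCHEMA = {
    "press_releases": ["id", "title", "body", "published_at"],
    "customers": ["id", "email", "ssn", "card_number"],
    "employees": ["id", "name", "salary", "dob"],
}


def classify_schema(schema):
    """Return {table: {column: Classification}} by matching column names."""
    inventory = {}
    for table, columns in schema.items():
        inventory[table] = {}
        for col in columns:
            hit = any(p.search(col) for p in SENSITIVE_PATTERNS)
            inventory[table][col] = (
                Classification.CONFIDENTIAL if hit else Classification.PUBLIC
            )
    return inventory


def confidential_tables(inventory):
    """Tables with at least one confidential column; these belong on the
    segmented, more tightly controlled part of the network."""
    return sorted(
        t for t, cols in inventory.items()
        if any(c is Classification.CONFIDENTIAL for c in cols.values())
    )


@dataclass
class AccessPolicy:
    """Deny by default: confidential tables are readable only by groups that
    were explicitly granted access; public tables are readable by everyone."""
    inventory: dict
    grants: dict = field(default_factory=dict)   # group -> set of table names
    audit_log: list = field(default_factory=list)

    def grant(self, group, table):
        self.grants.setdefault(group, set()).add(table)

    def table_classification(self, table):
        cols = self.inventory[table]
        if any(c is Classification.CONFIDENTIAL for c in cols.values()):
            return Classification.CONFIDENTIAL
        return Classification.PUBLIC

    def can_read(self, user, groups, table):
        """Return True if any of the user's groups may read the table.
        Denials are recorded so they can be reviewed later."""
        if self.table_classification(table) is Classification.PUBLIC:
            return True
        allowed = any(table in self.grants.get(g, set()) for g in groups)
        if not allowed:
            self.audit_log.append(
                f"DENY user={user} groups={sorted(groups)} table={table}"
            )
        return allowed


def build_demo_policy():
    """Policy over the sample schema with two hypothetical group grants."""
    policy = AccessPolicy(inventory=classify_schema(SAMPLE_SCHEMA))
    policy.grant("finance", "employees")   # finance may read salary data
    policy.grant("support", "customers")   # support may read customer records
    return policy


if __name__ == "__main__":
    policy = build_demo_policy()
    print("confidential tables:", confidential_tables(policy.inventory))
    print(policy.can_read("alice", {"finance"}, "employees"))      # True
    print(policy.can_read("bob", {"marketing"}, "employees"))      # False
    print(policy.can_read("bob", {"marketing"}, "press_releases")) # True
    print(policy.audit_log)
```

The name-matching inventory is deliberately crude; its purpose is to show that you cannot decide which data needs strong controls until you have gone looking for it. Because the policy denies by default, adding a new confidential table automatically locks it down until someone decides which group needs it, which is the behaviour you want when segmenting both data and employees.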