All of this exposure creates avenues for criminals or other hostile groups to find an organization’s weak points for more targeted and efficient cyber-attacks, said Gragido. “There is a greater premium on getting in front of these exposures with better situational awareness today, so that affected companies can recognize and eliminate these leaks at the source, outside their walls,” he continued.
A combined focus on technical and human surveillance is good security practice. “Have employees be aware. Lock doors and windows. There are a lot of technology things you can do. Bad guys have as good of technology as the good guys. We scan and find, but bad guys do too, but they act before the hole is fixed,” Stolte said.
A slight shift in language when talking about security and data can also help security teams think like a criminal. Erlin said, “It’s a very common best practice for organizations to identify sensitive data. Using the term valuable instead twists perception away from what organizations feel is sensitive to what might be valuable to a criminal.”
Regardless of what other information criminals might find valuable, the crown jewels will always remain sensitive and top priority. Stolte said, “Organizations do the surveying, but one thing they fail to do well is protect the crown jewels. They need to know where they are and use that information to close off and fix the highest priority stuff.”
Think like a bad guy. Stolte said, “Take an inside-out approach to vulnerability management. Ensure that you are patching the right servers and that people don’t have more access than they should to layers of the network. Only the right people should have access to sensitive information at the application level.”
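The two points above, knowing where the crown jewels are and checking that neither patching nor access is spread wider than it should be, can be turned into a simple ranking. The following is an added illustration, not code from the article or from anyone quoted in it: it scores each vulnerability finding by the value and reachability of the host it sits on rather than by CVSS alone, and separately lists hosts where more accounts can reach the data than need to. The asset inventory, findings and CVE identifiers are constructed placeholders.

```python
"""Inside-out vulnerability prioritization: rank findings by what the host
protects and who can reach it, not by CVSS alone.

Added illustration; the asset inventory and findings below are constructed
sample data, not from any real environment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    crown_jewel: bool        # holds data valuable to an attacker, not merely "sensitive"
    internet_exposed: bool   # reachable from outside the perimeter
    users_with_access: int   # accounts that can reach the asset at the application layer
    users_needed: int        # accounts that actually need that access


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                 # placeholder identifiers in the sample data
    cvss: float


# Constructed sample inventory.
ASSETS = {
    "db-payroll": Asset("db-payroll", True, False, 40, 5),
    "web-brochure": Asset("web-brochure", False, True, 3, 3),
    "jump-host": Asset("jump-host", False, True, 12, 12),
}

# Constructed sample findings; the CVE ids are placeholders, not real entries.
FINDINGS = [
    Finding("web-brochure", "CVE-PLACEHOLDER-1", 9.8),
    Finding("db-payroll", "CVE-PLACEHOLDER-2", 7.5),
    Finding("jump-host", "CVE-PLACEHOLDER-3", 5.0),
    Finding("unknown-host", "CVE-PLACEHOLDER-4", 9.0),
]


def priority(finding, asset):
    """Score = CVSS scaled by asset value and reachability.

    Crown jewels count 3x; internet exposure 1.5x; a host that many more
    accounts can reach than need to adds a further 1.5x, because each surplus
    account is a path an attacker could reuse. The weights are illustrative.
    """
    score = finding.cvss
    if asset.crown_jewel:
        score *= 3.0
    if asset.internet_exposed:
        score *= 1.5
    if asset.users_with_access > asset.users_needed:
        score *= 1.5
    return round(score, 2)


def prioritize(findings, assets):
    """Return (host, cve, score) tuples sorted highest first.

    A finding on a host missing from the inventory gets the top score: an
    unclassified asset cannot be judged, and that inventory gap is itself the
    first thing to fix.
    """
    ranked = []
    for f in findings:
        asset = assets.get(f.host)
        if asset is None:
            ranked.append((f.host, f.cve, float("inf")))
        else:
            ranked.append((f.host, f.cve, priority(f, asset)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


def excess_access(assets):
    """Hosts where more accounts can reach the asset than need to, with the surplus count."""
    return {a.host: a.users_with_access - a.users_needed
            for a in assets.values() if a.users_with_access > a.users_needed}


if __name__ == "__main__":
    for host, cve, score in prioritize(FINDINGS, ASSETS):
        print(f"{score:>8} {host:<14} {cve}")
    print("excess access:", excess_access(ASSETS))
```

On the sample data the lower-CVSS finding on the payroll database outranks the critical one on the public brochure site, because the database holds the valuable data and thirty-five more accounts can reach it than need to. The unknown host sorts to the top, which is the point: you cannot patch the right servers if you do not know what a server holds.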
Erlin said, “Threat modeling should be a continuous exercise. Threats change and evolve. It’s valuable because no one has infinite resources, so you have to focus on the most probable and impactful threats.”
Criminals are always after the weakest link, and they search for anything on the internet that might provide some kind of access. Information is out there, and security teams who use what criminals learn as part of their strategic security plan might be lucky enough to act before a breach.