Packet Pushers recently published an opinion titled “Pill-Chomping Hackers and Security Whack-a-Mole.” There are several very good points.
All information about a target is a potential vulnerability
Information is helplessly entangled and one piece of innocuous information can lead to other pieces of critical information
Information is only as secure as those protecting it
There is one point worth re-iterating: when you share your data (whether it is your social security number at a medical office or your credit card number at a restaurant) it is only as secure as the security of those holding it. In essence, both organizational and personal security must expand the boundaries to include anywhere their information is held.
However, there is one point I would like to argue, the implication that all data must be secured because it is a vulnerability. It is not possible to protect all data equally. A data owner must place different values on different datum and protected it appropriately.
Second, hiding all of your most critical data using in the most secure method still does guarantee security. Instead of attempting to build the best security controls and assume they work, it is better to protect your data as well as possible and then assume you will be exploited.
Don’t just protect the data, one must watch for signs of exploitation and prevent further exploitation. In the case of a social security number in the real-world, if one assumes the theft and misuse of the number then it is best to watch for further misuse (e.g. unauthorized new lines of credit being opened, activity on credit cards, etc.).
Furthermore, reduce loss. If at all possible, make sure that any compromise is as insignificant as possible. In the real-world, it is best to reduce password re-use so that if a password to one application or website is compromised, not all of your passwords have been compromised.
Yes, protect your data as best as you can, but assume it adversaries are out to exploit you – and they will be successful.
Ethan
Interesting article. I definitley aggree that everyone, whether its personal or your business should take a proactive approach to security rather than a reactive. It enables for faster detecion, reduced losses, and a better respone.