Want to lower your risk? Lower the ROI of hackers

Taylor Armerding

He believes email lists have even less value. "They really require very high volumes to resell. Email lists are practically free these days," he said.

But not all his colleagues agree. Botezatu said customer emails, "are the foundation of any business. They are sold and rented on underground forums for a specific amount of money. Often they are sold to multiple cyber-criminals, so the profit, even if small, is constant."

And Coffman said email addresses are valuable because they are, "now used as account names. Once an attacker has an email account, that can be used to reset and access all other accounts that use that email address. If your bank will email your new password to your email account, then access to your email account is akin to access to your banking account."

Source code is another asset that prompts mixed opinions. Coffman described its value as, "very high as the attackers now know how to compromise the application in a way that is unlikely to be detected."

But Meltzer contends that protecting source code is not money well spent, since, "the same source code essentially ships to all their customers anyway. Why bother breaking into the company to steal product source, when it's so much cheaper and easier to just buy it?"

Spitler agreed with Coffman that source code can be, "a resource to be used in developing future attacks against the company or other users of the software." But he said it is rarely a target in a broad-based attack for simple profit because, "it is very hard to resell."

He said the same is true of corporate intellectual property (IP), which has, "a very limited set of buyers — the competitors of the company — so when it is targeted it is likely a nation state or a focused effort sponsored by a pre-identified buyer of the data."

Coffman said Social Security numbers (SSN) can be enormously valuable, "because we are still using them as a means for verifying identity. Once someone has your name, address, and date of birth, which are all easily obtained, they can, with your SSN, assume your identity and obtain credit, be arrested, get a medical procedure under your insurance, etc., and wreak havoc on your life, for the rest of your life."

Whatever the value of various assets to an enterprise, the ways to improve their security are not necessarily complex or expensive. Meltzer recommended decentralizing them, so they are not all in one place.

Coffman agreed, adding that they should be protected with strong encryption — something Bob West, chief trust officer for CipherCloud, said will effectively cut the ROI of an attacker. Even in the event of a breach, he said, it will be costly and time consuming to, "convert valuable data that's been strongly encrypted into its non-gibberish state."
