Finding the golden eggs

The perimeter, just like the city walls of past centuries, is all but gone. Proliferation of Internet of Things-devices and cheap SaaS-solutions that can be bought by anyone with a credit card has decreased the little control the CIOs had on their perimeter security to a point where “zero trust” has become the new paradigm.

But even zero trust suffers if you do not know what to protect. Configuring every application, firewall or service from a zero-trust perspective creates enormous amounts of administrative backend. Just like DLP-technology, it is a great idea on paper, but applying it wholesale to any large IT-environment becomes an endless “false positive” nightmare until someone simply turns it off.

The city walls of old did not disappear by themselves. Much like todays IT-landscape, technological advances created new problems that the city walls were not adapted to. Old city walls were built high and slim. The prime objective was to prevent someone climbing over. Gunpowder and artillery changed that. As walls needed to be built thicker and thicker, they became hard to move. They cost astronomical amounts and restricted the growth of cities. Finally, they became tourist attractions and were replaced by a new paradigm. The new way to protect is to designate key targets such as parliament, banks and critical infrastructure and then protect these targets in a way that adapts to the threat.

IT security is going in an analogous direction with better detection and response-capabilities, as well as protection of the information at source. But what is the source that needs to be protected? Many organizations have not defined their critical assets, or “golden eggs”. But without doing that, you cannot really protect your organization in an efficient way.

How do you find your golden eggs?

A simple way of doing this is to interview the leaders of your organization and ask them: “what information, if it were lost, leaked, offline or changed, would have catastrophic impacts on your area of responsibility (e.g. production, sales, etc.)?” Even without knowing anything at all about IT security, any leader should be able to answer that question. Deducing where that information resides should then be the work of the IT and Security people. If you cannot get that information from top management, there are other ways which we will come back to in other articles.

Typical “golden eggs” that most organizations share are quarterly reports, recipes, formulas, product intellectual property and know-how, short term corporate secrets (such as lay-offs or marketing campaigns), incident reports, customer lists and money streams (e.g. banks and treasuries).

Having defined your “golden eggs”, you can then designate them as critical objects in your securiCAD model and see how vulnerable they are to attacks.

Article by: Jacob Henricson, Head of Risk Services, foreseeti

securiCAD is the world leading tool when it comes to design case threat modeling, IT risk assessment, and automated modeling and security analysis. The approaches employed in the tool are inline with the most recent research in the field, taking place in Stockholm at KTH Royal Institute of Technology.