
Value is in the Eye of the Beholder

When I am working with clients, sometimes the hardest lesson is in calculating the value of information. Part of this is the difficulty in figuring out the risk calculations that determine appropriate care. The second part is figuring out what others think that information is worth, to determine the chance of being targeted in an attack.

Sometimes you get to know how valuable the information you control is. The Federal Reserve, for instance, knows that the data they release is worth a fortune. As a result, they set up elaborate security for each report release. Despite this, timings from trades related to the “no taper” decision announced in September 2013 indicated that it still managed to leak early.

When you know that value, you still want to know how people would acquire it. The technical term for this is penetration testing. This is when outsiders are paid to pose as attackers and gain all the access they can, in order to illustrate the methods the client is vulnerable to. A good example of this can be found in the description from Adam Penenberg. The technical explanation from that same story can be found in a writeup from his attackers.

What makes this much harder is when you don’t even know what is valuable under your control. These are circumstances where the information you control becomes much more valuable to a given attacker. Examples of this can be pulled from the attack on Mat Honan. There, the value was found in the mere knowledge of his email address, and then the last four digits of his credit card, which Amazon displays once the account is compromised.

This illustrates how “trivial” information can have great value to the right audience, and why data security needs to be confirmed for all information under control and not just that which the controller believes to have worth. You will be compromised not for what you think is important, but for what your attackers decide they want. When you plan around everything having value, you can plan better how to protect yourself and those who depend on your business.