
Attacks/Breaches

8/23/2007
08:26 AM

'Defenestration' Testing

Does your organization even know what secrets it's supposed to be keeping?

4:26 PM -- The Ponemon Institute has just released a study it conducted with CipherOptics that finds, among other things, that a key part of the security landscape these days is the "desire to enforce and easily manage network encryption." Additionally, the study found:

    Surprisingly, when asked, 'Does your network environment permit sensitive or confidential information to pass over third party networks in clear (readable) text?' -- only 35% of respondents said no, leaving 65% admitting yes or that they were unsure of their network policy.

Now, this shouldn't actually be particularly surprising, given that organizations clearly haven't fully bought into encryption. On the other hand, the news is better in some quarters: The CSI Computer Crime and Security Study has found for the past couple of years that roughly 60 percent of respondents say they encrypt data in transit. (The latest round of the 12-year-old study is coming in a couple of weeks, and CSI will be pre-releasing some of the findings here on Dark Reading, so stay tuned).

What I'd be really curious to know, though, is whether most people know which bits of information are "sensitive" or "confidential" in the first place. I'm guessing no -- in large part because at lots of companies, nobody knows. This raises the question of what percentage of companies have a clear policy for determining what data is confidential.

Take it a step farther: How many organizations pay attention to whether they're giving away too much information, information that can be assembled from all its various sources to show a surprisingly detailed picture of the organization's inner workings? It's pretty amazing how much can be pieced together with some Google work and a couple of phone calls.

So, sure, encrypt the stuff you know is confidential, if you've got that figured out. And do some penetration testing to see if hackers can get at the endpoints and see the data before it's encrypted. But it would probably be smart to think about "defenestration testing" to see what valuable information is simply being tossed out the nearest open window for anyone who's interested to collect and piece together -- with no one ever really considering whether it should be classified "sensitive."

— Robert Richardson is director of the Computer Security Institute (CSI). He's nailed all his windows shut, but you can reach him by email at [email protected].
