'Defenestration' Testing

Does your organization even know what secrets it's supposed to be keeping?

4:26 PM -- The Ponemon Institute has just released a study it conducted with CipherOptics that finds, among other things, that a key part of the security landscape these days is the "desire to enforce and easily manage network encryption." Additionally, the study found:

    Surprisingly, when asked, 'Does your network environment permit sensitive or confidential information to pass over third party networks in clear (readable) text?' -- only 35% of respondents said no, leaving 65% admitting yes or that they were unsure of their network policy.

Now, this shouldn't actually be particularly surprising, given that organizations clearly haven't fully bought into encryption. On the other hand, the news is better in some quarters: The CSI Computer Crime and Security Study has found for the past couple of years that roughly 60 percent of respondents say they encrypt data in transit. (The latest round of the 12-year-old study is coming in a couple of weeks, and CSI will be pre-releasing some of the findings here on Dark Reading, so stay tuned).

What I'd be really curious to know, though, is whether most people know which bits of information are "sensitive" or "confidential" in the first place. I'm guessing no -- in large part because at lots of companies, nobody knows. This raises the question of what percentage of companies have a clear policy for determining what data is confidential.

Take it a step farther: How many organizations pay attention to whether they're giving away too much information, information that can be assembled from all its various sources to show a surprisingly detailed picture of the organization's inner workings? It's pretty amazing how much can be pieced together with some Google work and a couple of phone calls.

So, sure, encrypt the stuff you know is confidential, if you've got that figured out. And do some penetration testing to see if hackers can get at the endpoints and see the data before it's encrypted. But it would probably be smart to think about "defenestration testing" to see what valuable information is simply being tossed out the nearest open window for anyone who's interested to collect and piece together -- with no one ever really considering whether it should be classified "sensitive."

— Robert Richardson is director of the Computer Security Institute (CSI) . He's nailed all his windows shut but you can reach him by email at [email protected].
