Businesses have to monitor, discover, and implement policy to protect their sensitive information resources. I usually think of the data discovery process as coming before the monitoring step, but it can arguably be done either way effectively as long as each process is used to enhance the other. If you start monitoring for sensitive data first, you won't fully understand what data needs to be monitored until you have discovered it, so initial monitoring will be for generic things such as Social Security numbers and credit card numbers until data discovery is done and what needs to be monitored is refined.
If data discovery takes place first, then more specific rules can be put into the monitoring system; however, generic rules should still be kept in the monitoring system to help identify systems and data that may have been missed. Once the data is discovered and is being monitored, policies need to be implemented that define which systems should be using the data and which users should have access to it, and the monitoring system should be updated again to reflect those policies in order to detect, and hopefully prevent, violations.
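The discover-monitor-policy loop described above, as an added Python example that is not from the original post: generic detectors for SSNs and credit card numbers (with a Luhn check to cut false positives from order numbers and the like), followed by a post-discovery policy naming which hosts may hold each data type, so that data seen anywhere else raises a violation. The host names, patterns and sample records are constructed for this example.

```python
import re

# Generic detectors: what monitoring can look for before discovery refines
# the rules (patterns constructed for this example).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text: str) -> list:
    """Return (kind, value) hits for SSNs and Luhn-valid card numbers."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", digits))
    return hits

# Policy written after discovery: which systems may hold which data kind
# (hypothetical host names).
POLICY = {"ssn": {"hr-db01"}, "card": {"pay-app01"}}

def scan_events(events: list) -> list:
    """Flag sensitive data seen on a host the policy does not allow for it.
    Only the last four digits are kept so the alert log is not a new copy."""
    violations = []
    for host, text in events:
        for kind, value in find_sensitive(text):
            if host not in POLICY.get(kind, set()):
                violations.append((host, kind, value[-4:]))
    return violations

# Constructed sample records: (source host, observed content).
SAMPLE_EVENTS = [
    ("hr-db01", "employee 4471 ssn 123-45-6789 updated"),                  # allowed
    ("web-dev03", "debug dump ssn=123-45-6789 card=4111 1111 1111 1111"),  # two violations
    ("pay-app01", "auth ok pan 4111-1111-1111-1111"),                      # allowed
    ("pay-app01", "order id 1234567890123 shipped"),                       # fails Luhn, ignored
]

if __name__ == "__main__":
    print(scan_events(SAMPLE_EVENTS))
```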
In nearly every security book and class I've taken that covers the attack process, the first step is enumeration of the target's resources in order to find the best avenue for attack. One of the more common areas to target is a new merger or subsidiary of the target because their network is less likely to be secure and could end up being a back door into the target through a hastily set-up VPN.
With the eWeek blogger writing, "with current economic conditions greasing the skids for a merger frenzy," I think we're looking at the potential for a number of companies to get hacked due to poor due diligence in securing the networks and resources of merged or acquired companies, in addition to intentional data theft and accidental data loss.
John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.