As someone who lives in the data world I know that we work hard at protecting certain types of data more than others. PII, PCI, HIPAA, they all get extra attention, or perhaps the “other” data just gets less attention. We think of the worst case as a breach that leads to millions of credit cards being leaked, but the lesson we can take from Sony is that the data we need to protect exists in a lot of places besides databases, and even the other data in our databases can be damaging if leaked. Think about it on a personal level to really get it. What would you rather have stolen, your credit card number or your email archive? The lesson is that any data leak can be damaging, even catastrophic.
Can we protect everything? Or does that take us into the trap described in the old quote that says to defend everything is to defend nothing?
We put a lot of effort into securing the high value data stores (as defined by PCI, etc.), but we typically put less effort and money into securing the secondary systems. That’s not wrong, we have finite resources, but the question is really whether we’re doing enough – a relative term – to secure the secondary systems. I think we have to revisit that. Ticket systems, QA systems, dev systems, think about what the bad guys could do to your company if they breached any one of those. Are we monitoring them as seriously as the rest? If not, why not? Are we purging data on a regular basis, or are we keeping it all because we might need it? Have we identified high value/high risk systems and databases based on a realistic evaluation, or have we played to the auditors who only care about certain kinds of data? Do we have an air gap between development and production, or could a breach of a lowly dev server be a stepping stone to breaching production (go check those linked servers!)?
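For the “go check those linked servers” point, here is an added example (not from the original post) of the inventory query I would run on each dev, QA or ticket-system SQL Server instance: it lists every linked server, where it points, and which local logins get mapped to which remote credentials, so a dev box holding a fixed login into production stands out. The linked-server name in the cleanup line is a placeholder.

```sql
-- Added example, not from the original post. Assumes SQL Server and the
-- standard catalog views sys.servers, sys.linked_logins, sys.server_principals.
-- Run this on every NON-production instance. What you are looking for:
--   * a data_source that is a production host, and
--   * a mapping that uses a fixed remote login (an account stored on this
--     box that anyone who compromises it can ride into production).
SELECT  s.name        AS linked_server,
        s.data_source AS target_host,      -- host/instance the link points at
        s.product,
        s.provider,
        -- local_principal_id 0 is the default mapping that applies to every
        -- login not listed explicitly; it has no row in sys.server_principals
        ISNULL(p.name, N'<all other logins>') AS local_login,
        CASE WHEN l.uses_self_credential = 1
             THEN N'impersonates the caller (Windows delegation)'
             ELSE N'fixed remote login: ' + ISNULL(l.remote_name, N'(none)')
        END AS remote_mapping
FROM    sys.servers           AS s
LEFT JOIN sys.linked_logins   AS l ON l.server_id    = s.server_id
LEFT JOIN sys.server_principals AS p ON p.principal_id = l.local_principal_id
WHERE   s.is_linked = 1                    -- exclude the local server row
ORDER BY s.name, local_login;

-- Cleanup for a link that has no business existing on a dev/QA box.
-- 'DEV_TO_PROD_LINK' is a placeholder; use the linked_server value from above.
-- 'droplogins' removes the stored login mappings along with the server entry.
-- EXEC sp_dropserver @server = N'DEV_TO_PROD_LINK', @droplogins = 'droplogins';
```

If a link to production is genuinely required, the mapping should at least point at a remote login that is read-only and scoped to the specific objects needed, never at sa or a sysadmin-equivalent account.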
It’s a hard game to win, but it’s harder to win if you aren’t really guarding all the places that matter, and deciding what matters is the decision that drives all the rest. Put on the black hat for a few hours and think about those other systems and how an attacker could hurt you if they had access to them.