Security in every organization works somewhat differently. Proper security measures must be determined based on the risks, threats, budgets, and general make up of an organization. The same security measures cannot effectively be applied to different organizations with different values, different risks, and different architectures. It is thus important for any organization desiring security to first develop a security profile. A security profile defines several of the unique elements within an organization that can help focus security efforts. This is not a risk analysis, nor a vulnerability assessment (both of which are discussed elsewhere in this book); this is simply a guide on how to view ourselves through the eyes of our enemies. The unique security measures that should be applied to an organization should include this information as one of several defining factors. Unique HackersEvery organization has its own unique way of attracting hackers. Some organizations can go years without ever being the direct target of an attack, while others cannot last five minutes without attracting someone's attention. By defining who your hackers are and what their capabilities may be, you can better understand how to design a defensive strategy to keep them out. Unique TargetsThere are systems within any organization that are more likely to be struck than others. Combined elements of visibility, functionality, and vulnerability make some devices more likely to catch a hacker's attention. Identifying where such systems exist and why they are potential targets can assist in the placement of security defenses. Who Are the Hackers?Earlier in this chapter, we discussed the different categories of hackers, including their unique motives and capabilities. Each form of hacker presents a different type of threat to an environment. Some hackers are quite easy to deal with, while others are seemingly impossible. Knowing the type of hacker that may be drawn to your environment can be key in determining the length to which you will go to secure yourself. Determining an Organization's Hacker TypesTable 7.1 is a chart of some common elements that will attract the attention of various hackers. This type of worksheet can be very useful in visualizing why an organization would be the target of a hacker and should be used as a guide. Each reader is encouraged to consider the unique elements within his or her environment that may draw the attention of a hacker and list them in the blank rows at the bottom.
When the scoring has been completed, compare the values derived from the different types of hackers. This should give you a general idea of what kinds of hackers may be attracted to your environment. The higher the number, the more likely an organization is to encounter a specific type of hacker. What Are the Targets?Of course, any device within an organization is a potential target for attack. However, some systems, due to their function, content, and location on the network are much more likely to be targeted than others. I previously discussed where common targets exist, how they are commonly attacked, and what damage an individual could do with a successful "hack." We will now use Table 7.2 to help identify which objects are most likely to attract attention. Determining Most Likely TargetsTake the following points into consideration for each object you wish to evaluate. Objects with higher point values could indicate they are more likely to be targets of an attack.
|