Archive for the ‘Threat Modeling’ Category

A Confidentiality Threat Matrix

Thursday, March 6th, 2008

Are you concerned about protecting confidential data on computers in your organization? Sometimes it can be difficult, even for security experts, to know exactly what they are up against. This article not only enumerates threats to confidentiality, but also compares the ability of different security products to combat these threats. The resulting threat matrix paints a clear picture of exposure. This matrix also highlights the role of my own security software, Web Tap, which is partially responsible for the recent reduction in blog post frequency.


Building a Threat Model: Hackenomics (Part 2 - The Cost of Hacking)

Thursday, July 19th, 2007

In the last article in this series, we took a look at the benefits of hacking. However, not very many home computers are hit with sophisticated targeted attacks. The reason is that those attacks simply cost too much. The hacker’s time is the most obvious cost, but the risk of getting caught may also be serious in some cases. This article will attempt to quantify the costs of hacking and compare them to the benefits from the previous article in order to construct a reasonable model of attacks that are likely on your network.

Building a Threat Model: Hackenomics (Part 1 - How Much Is Your Network Worth?)

Tuesday, July 3rd, 2007

The best way to determine what threatens systems in your network is to construct a cost-benefit model for hackers. This can be challenging because the cost of hacking is mostly time (often that of a clever but unpaid teenager) and the risk of fines or imprisonment. The benefits can be monetary, but are likely to be other things like entertainment, fame, or damaging an enemy. This article takes a general look at what a hacker has to gain from breaking into your network, taking all of these factors into account.

Building a Threat Model: Hackenomics (Introduction)

Tuesday, July 3rd, 2007

The first step in assessing a system’s security is asking yourself, and answering, some difficult questions:

  1. How much is control over my system’s digital resources worth to a hacker?
  2. Based on (1), who has sufficient incentive to attack me and what are their capabilities?
  3. How much do I stand to lose from an attack?
  4. How much will it cost me to prevent or reduce the risk of an attack?

The answers to these questions dictate your threat model, or, more simply, the level of risk you are willing to accept for different attacks on your system. For most, this risk level is as low as possible for rampant script-kiddie hacks targeted at anything and everything with an IP address. However, only organizations with a lot to lose may find it economical to conduct employee background checks in order to combat theft by an insider. The following series of articles explores a methodology for answering the above questions and building a threat model that is appropriate for your organization.