Security == Asset Value

When securing an asset it is important to remind yourself that an extremely well-secured environment is not always the best solution. Before determining which security measures are going to be implemented, you should always ask yourself how important the security of that particular data is. One of the most important questions during this process should be: “how valuable is the information?”. The data you’re protecting can be customer data, source code or a database containing application information (which doesn’t have to have a high value). The protection for different types of data changes as the value increases. Example: government secrets have a much higher value (and so are much better secured) than a database containing forum threads discussing everyday topics.

Another example: when working on a web application, the application itself can hold a lot of data. But is this data important? How useful would this information be to an attacker? The best argument I ever heard regarding this topic is: “If the attacking effort is higher than the value of the asset, it is more likely the data will be left alone”. This basically means that as the value of the data increases, you’ll have to make it more difficult for an attacker to get it. Because, as we all know, it is not a question of ‘if’ but ‘when’. So when securing an asset and you need to decide between an easy-to-use but less complete monitoring system and a complicated IDS (where you’ll probably have to get one of your employees educated), go back to the question “How valuable is the data I’m securing?”. Because sometimes you don’t need a complicated IDS but simply a decent configuration in your iptables.
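As an added illustration of the “decent iptables configuration” option (this is example code, not something from the original post), the script below emits a minimal default-deny ruleset for a small web server in iptables-restore format. Generating the rules as text first lets you review them before applying; the admin network range, the service ports and the SSH brute-force limits are assumptions you would adapt to your own environment.

```shell
#!/bin/sh
# Added example: a proportional, default-deny iptables ruleset for a web server.
# Everything below is an assumption for illustration: ADMIN_NET uses a
# documentation prefix, and the ports are the usual SSH/HTTP/HTTPS ones.
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # assumed management network

# gen_rules prints an iptables-restore ruleset to stdout.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections we initiated are always fine.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the admin network, with a simple brute-force brake:
# more than 3 new connections per minute from one address are dropped.
-A INPUT -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -m recent --set --name ssh
-A INPUT -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name ssh -j DROP
-A INPUT -p tcp --dport 22 -s $ADMIN_NET -j ACCEPT
# The service itself: new HTTP/HTTPS connections from anywhere.
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Rate-limited ping so monitoring keeps working.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Log what the default policy is about to drop, rate-limited so the log stays readable.
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Usage (review the output before applying; applying needs root):
#   gen_rules > rules.v4
#   iptables-restore < rules.v4
```

The point of this ruleset is that it is cheap to understand and maintain: a default-deny INPUT policy, a short allow list, and rate-limited logging of drops give you a first line of defence and a usable audit trail without anyone having to learn an IDS. Whether that is enough is exactly the asset-value question the post raises.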

One last note: do not confuse my argument with solving or preventing misconfigurations. Misconfigurations are issues you should take care of regardless of the value of the data.

Cheers, Ruben.