Every organization I’ve ever assessed, military or civilian, spent an inordinate amount of time, money, manpower and resources protecting information that had already been compromised. I know it doesn’t make a lot of sense, but here’s one way it happens. An organization has an outdated Critical Information List (CIL) – or one stolen from another organization…did I say “stolen”? I meant benchmarked. So they have a “benchmarked” CIL from another organization. Either way, they find themselves (quite unwittingly) with a bad CIL. Then they go about trying to protect everything on that CIL without giving any thought to what is actually still secret, and they end up wasting time, money, manpower and resources.
But how do you know what is truly already known about your company or military organization? Get, or perform yourself, an open source assessment of your own organization. Start by looking in the mirror – cuz baby, you ain’t seen nothing yet if you haven’t done this. That’s right, start with your own web sites. I’ve seen a lot of corporate (and, for some unknown reason, military) CILs that list items readily available on the organization’s own web site. And I’ve got to ask: “Why are you telling your people to protect what is already available in open source?”
Now, civilian corporations are going to have a tough time with this, because if you don’t advertise your products and capabilities you will lose customers. You’ve got to deal with your marketing and advertising departments, don’t you? Yep – that’s a tough one.
I’ve sat in a number of assessment in-briefs where I was told that the information I was about to receive was company proprietary and shouldn’t be talked about outside the company, and then they showed me the exact information I had seen on their web site the night before! At this point, very early in the assessment process, it starts to get painful for them: the realization that we couldn’t get through the in-brief without highlighting a significant security concern.
So, whattaya gonna do now? Well, after you finish your open source assessment you will most likely need to rewrite your CIL so that it concentrates on protecting the truly sensitive or critical information that has yet to be compromised.
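Here is what that “check the CIL against what you already publish” step looks like when you actually do it, as an added example (not code from the original post). It assumes a CIL format of my own invention – a label plus the phrases that, if they all show up in public material, mean the item is effectively already in open source – and the “public pages” are constructed sample text standing in for a mirror of your own web site, press releases and job postings. Matching is case-insensitive and ignores punctuation and spacing differences, so “Mk.IV” on the site still matches a CIL entry written as “MK IV”.

```python
"""Check a Critical Information List (CIL) against text you already publish.

Added example. CIL format and the sample pages below are assumptions, not
anything from the original post.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CILItem:
    label: str
    # Every phrase must appear in a page for that page to count as an exposure.
    phrases: tuple


def normalize(text: str) -> str:
    """Case-fold, turn punctuation into spaces, collapse whitespace."""
    return " ".join(re.sub(r"[^0-9a-z]+", " ", text.casefold()).split())


def phrase_present(phrase: str, page_text: str) -> bool:
    """True if the normalized phrase occurs as whole words in the page."""
    pattern = r"\b" + re.escape(normalize(phrase)) + r"\b"
    return re.search(pattern, normalize(page_text)) is not None


def exposed_items(cil, public_pages):
    """Map each CIL label to the public page ids that already disclose it."""
    report = {}
    for item in cil:
        hits = [
            page_id
            for page_id, text in public_pages.items()
            if all(phrase_present(p, text) for p in item.phrases)
        ]
        if hits:
            report[item.label] = hits
    return report


def rewrite_cil(cil, public_pages):
    """Split the CIL into (still worth protecting, already public)."""
    exposed = exposed_items(cil, public_pages)
    keep = [item for item in cil if item.label not in exposed]
    return keep, exposed


# Constructed sample "public" material: your own web site, press and job posts.
PUBLIC_PAGES = {
    "www/products.html": (
        "Acme's new Model X is shipping Q3 with the 2.0L turbo engine "
        "and our patented DriveSense lane assist."
    ),
    "www/press/2024-partnership.html": (
        "Acme today announced it has entered contract discussions with Globex Corp."
    ),
    "linkedin/jobs/senior-dev.html": (
        "We use Kubernetes and Terraform; applicants should know Go."
    ),
}

# Constructed sample CIL (hypothetical items and phrases).
CIL = [
    CILItem("Model X launch timing", ("Model X", "Q3")),
    CILItem("Model X engine spec", ("2.0L turbo",)),
    CILItem("Globex negotiations exist", ("contract discussions", "Globex")),
    CILItem("Globex contract value", ("Globex", "$40M")),
    CILItem("Model X BOM unit cost", ("unit cost",)),
]


if __name__ == "__main__":
    keep, exposed = rewrite_cil(CIL, PUBLIC_PAGES)
    print("Already in open source (drop from the CIL):")
    for label, pages in exposed.items():
        print(f"  {label}: {', '.join(pages)}")
    print("Still worth protecting:")
    for item in keep:
        print(f"  {item.label}")
```

Run it against a real crawl of your own sites and the output is the in-brief argument in writing: the first list is what you are paying people to guard for no reason, the second is the CIL you should have had. Treat the phrase lists as the weak point, since a CIL item can be disclosed in words that never match a phrase you wrote down; the script narrows the work, it doesn’t replace a human read of the pages.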
Can we hide that a military unit is deploying? Probably not. But can we protect where that unit is going and how long they anticipate being there? When hundreds of pizzas start showing up at the Pentagon (or we keep the food court operating 24/7), can we deny that something is going on somewhere? No, but we can protect exactly what is going on and where it just might be happening. When a car company is developing a new model, can they hide that the new model is coming out soon? Probably not. But they can paint the car in weird ways and add some plastic molding so that competing car companies won’t get any good pictures of it. Can we totally hide that we’re holding contract discussions with another company? Most likely not, but we can protect exactly what that contract will be for, how much it’s going to cost and how long it’s going to last. Was Henry Ford II able to hide the fact that the Edsel was coming out? No way. But did he protect the design? Absolutely not! You’ve seen the car – there was no reason to protect the design. Same goes for the Pacer, the Gremlin and the Reliant K. Focus here, folks…
Spend your time, money, manpower and valuable resources protecting what isn’t already known.
Keep the Faith!
You Ain’t Seen Nothing Yet – Bachman-Turner Overdrive