For Internet connected computers, even for unimportant data, acertain baseline level of security will be required, to stop thiscomputer being used as a platform to attack further into thenetwork or other external networks. The following steps will help to determine the security needs of thissystem:
1. Data on this system
Considering the computer role, identify each kind of information thatwill be handled by this computer. Examples are:
client personal data
private keys and certificates
source code being developed in-house The list should also identify information such as user passwords,which may be typed into this computer but which also give accessto other systems that use the same password.
Consider the potential threats to each kind of information identifiedabove. Which classes of attacker will be motivated to read, modifyor disable each of these kinds of data?Consideration of the threat should include both targeted andindiscriminate attacks.
Targeted attacks refer to those where attackers may specificallytarget your business or your customers. Depending on the kind of information processed, threats may include malicious changes by adisgruntled insider, a denial of service attack for the purpose of extortion, or industrial espionage or sabotage.
All computers on the Internet are subject to these threats. Someorganisations believe that their systems will not be of interest toattackers; this is incorrect. Attackers are interested in controllingyour computers for a number of reasons, including to launch attackson other organisations, to send spam, or to capture users'authentication credentials.