Every organization's security needs are unique -- as are the capabilities of every security product -- and so the same product that works well for one organization may be completely useless to another. And, while each organization does have its own unique circumstances, all organizations still share in common the simple fact that any publicly accessible information they have is also readily available to attackers. No security product in the world can change that reality, no matter what a vendor's messaging may suggest its product can do.
Certainly, organizations have to ask a lot of tough questions if they are to properly protect their systems, business data and intellectual property. But while the answers to the questions of who would attack their systems and why are extremely important for building out successful security programs, these two questions should only be addressed after determining what attackers would target and how.
This theme crept into many of the sessions at ISSALA. Among the speakers who covered the topic was McAfee's Security Research and Communications Director David Marcus, who discussed at length how hackers can leverage open source intelligence (OSINT) as a means to gain insight into an organizations' infrastructure, technologies and operations.
During his session, Marcus provided a healthy list of tools used by these innovative and collaborative adversaries, including Twitter, Pastebin, SHODAN and Metasploit. Presenting results from the use of these tools, Marcus showed the audience how easy it is to identify, capture, share and use public-facing information to extract knowledge which could be used to attack an organization.
To further illustrate the point, Marcus described how these same methods could be used to attack the critical infrastructure -- more pointedly, the seemingly forever-vulnerable SCADA systems.