For HBGary, it was a less important website. For CardSystems, it was just a research database, not the critical payment processing systems. For Heartland it was also a minor web application. RSA initial compromise point was an end user workstation.

As we can see, big breaches not necessarily happen through an organization’s most important systems. That’s actually quite similar to security breaches in the physical world, it’s not common to see the attacker coming through the front door.

Even if that in mind, security decisions are still being made to protect the critical systems only, what is normally seen as appropriate “Risk Management”. I have no doubt we should protect critical systems first, but we also need to make executives aware that attackers are not picky about their targets. If they find what they are looking for (passwords, credit card numbers) in secondary, less important systems, they’re still happy with the outcome. And the breach will still be quite damaging; it doesn’t matter they didn’t reach your critical systems; they got what they want from somewhere else, and for everyone else it was just “they got it from your network”. It doesn’t matter which system was that.

Even if there’s no valuable data on secondary systems (are you really, really sure about that??), they still can be used as bridgeheads for attacks against the major data repositories. So, pay attention to your compartmentalization strategy (are those different levels really segregated from each other?) and your network wide monitoring capabilities. Those secondary systems may be part of critical processes or be responsible for any of your revenue, but they are still juicy targets for whoever is interested in your data.