Focusing too much on protecting only the crown jewels of the enterprise might leave gaps in security for criminals who are seeking other valuable assets. The hackneyed expression, "One man's trash is another man's treasure," serves as a reminder that what the enterprise values is often different from what a criminal values.

Defending a network and the critical assets of an enterprise is a lot like safeguarding a home. There are layers of security in homes just as there are in the enterprise. From the windows to the doors to the locks and alarm systems, homeowners know the vulnerabilities and put protections in place to keep criminals out.

Ryan Stolte, CTO, Bay Dynamics, said, "The big idea is that people are very specifically and deliberately attacking organizations." The intent of those attacks, however, is not always the crown jewels. In order to defend the expanding network and everything that connects to it, "You need to put yourself in the shoes of bad guys."

In planning their attacks and seeking their victims, criminals look for the easiest access point, whether that is the organization that has "minimal security tools, lax security policies and/or exploitable employees and third-party vendor users," Stolte said.

"They collect their own social intelligence, gathering information about the victim business regarding what its surface areas look like, where it stores its most valuable data, which third-party vendors have access to their network and how they gain access, and which employees log in remotely and how they gain access to the network," Stolte said.

In most breaches, organizations are being hacked by individuals. "It's not just people sitting in China," said Stolte. What most criminals want is data, and their goal is to get access to credentials in order to get that data.
"After they have breached you and gotten inside, they do it all over again, but from a different layer, to continually get deeper into an organization," Stolte said.

The easiest ways for outsiders to gain access are by trying to compromise a particular person or by sneaking in through an open door. "Technical engineering and social engineering go hand in hand," said Stolte.

Social engineering is made a lot easier by the extensive use of social media platforms. Increasingly, criminals are patient and take a longer and windier road to reach the final destination of their intended target.

Tim Erlin, director of IT security and risk strategy, Tripwire, said, "Shodan allows anyone to search for vulnerable things. They are scanning company networks and gaining access to internal networks by probing the individuals who interact with customers or the public. The one that is increasing is the supply chain attacks. Instead of attacking directly, they are going after their vendors and contractors to gain access."

Public information provides a gold mine of useful tidbits for criminals.
Will Gragido, head of threat intelligence at Digital Shadows, said, "Gleaning career and relationship information, like the names of colleagues, mentors and friends from sources like Facebook, LinkedIn, and alumni sites helps establish cover for spear-phishing and other social-engineering campaigns."

While these commonly used social media sites have much to reveal, there are others that can be more revealing of information about software and code that is really useful to criminals.

Gragido said, "Online profiles that might be easily misconfigured, such as GitHub accounts, frequently leak other types of information publicly, such as the identities of specific software developers in targeted organizations and snippets of the code they are working on, which, taken together, yields a lot of useful intelligence."

This extensive information, which is often leaked unknowingly, is particularly threatening to the security of an enterprise.
"The challenge is that this information leaks from third-party sources far outside of organizations' own security boundaries, meaning they are almost blind to these exposures and cannot act in time to prevent them from fine-tuning attacks, like a precision attack on a specific software developer," said Gragido.

The expanded network has posed many challenges to security teams, and Gragido said, "Other sources of reliable attack intelligence are exposed storage devices and cloud platforms." In his experience, Gragido has seen instances of sensitive corporate information, such as strategy documents and board meeting details from a health insurer, that were publicly "over-shared" by being posted on cloud sharing sites with inadequate password controls.

Gragido said, "Likewise, we have seen sensitive files pertaining to banks' ATM networks, for example, accidentally broadcast to the Web because employees have placed them on misconfigured remote storage drives in their homes."

Criminal acts

Ryan Stolte, CTO, Bay Dynamics, recommends asking these five questions from the perspective of a criminal:

1. Which websites does the victim business host?
2. What does their infrastructure look like (i.e. where are their doors and windows)?
3. How do insiders remotely gain access to the network?
4. Who are their third-party vendors?
5. Who has the keys to the kingdom (think about employees who have the highest level of access to the business's valuable information)?

Whether they are after credit card data, payment data, customer information, healthcare records, or any other kind of credentials, from user names to passwords, criminals are gaining access even with extensive security measures in place, which raises the question: how do security teams stop them?

If only there were an easy answer that didn't require time and resources beyond those which are already stretched and limited.
The first step is recognizing that it's important to prioritize what is secured.

All of this exposure creates avenues for criminals or other hostile groups to find an organization's weak points for more targeted and efficient cyber-attacks, said Gragido. "There is a greater premium on getting in front of these exposures with better situational awareness today, so that affected companies can recognize and eliminate these leaks at the source, outside their walls," he continued.

A combined focus on technical and human surveillance is good security practice. "Have employees be aware. Lock doors and windows. There are a lot of technology things you can do. Bad guys have as good of technology as the good guys. We scan and find, but bad guys do too, but they act before the hole is fixed," Stolte said.

A slight shift in language when talking about security and data can also help security teams think like a criminal. Erlin said, "It's a very common best practice for organizations to identify sensitive data. Using the term valuable instead twists perception away from what organizations feel is sensitive to what might be valuable to a criminal."

Regardless of what other information criminals might find valuable, the crown jewels will always remain sensitive and the top priority. Stolte said, "Organizations do the surveying, but one thing they fail to do well is protect the crown jewels. They need to know where they are and use that information to close off and fix the highest priority stuff."

Think like a bad guy. Stolte said, "Take an inside-out approach to vulnerability management. Ensure that you are patching the right servers and that people don't have more access than they should to layers of the network. Only the right people should have access to sensitive information at the application level."

Erlin said, "Threat modeling should be a continuous exercise. Threats change and evolve. It's valuable because no one has infinite resources, so you have to focus on the most probable and impactful threats."

Criminals are always after the weakest link, and they search for anything on the internet that might provide some kind of access. Information is out there, and security teams who use what criminals learn as part of their strategic security plan might be lucky enough to act before a breach.