The Price of Security Is Constant Vigilance
You have to assume that portions of your computing environment aren't safe, as Plunkett says. This means that your Windows computers have the same vulnerabilities as other Windows computers. Although you can be sure that the Windows machines at the NSA are a LOT more locked down than the machine on your desk, there is still an element of risk-that unknown vulnerability that first shows up when someone uses it to gain access to the NSA. Since you can't completely trust your infrastructure, what do you do? You make the infrastructure as safe as you can and then you use multiple technologies to keep any breach contained. You also track every access or attempted access to sensitive data so you can go back and reconstruct the breach if it happens. To do this, you need all of those old standbys-encryption, active security management, audits and the like. They may be old technology, but they can still work.And then you need to be vigilant. If PFC Manning's supervisors had decided to check on what he was doing with a CD in a secure computer (which isn't supposed to have a removable media drive), they would have short circuited that data breach. While your data may not be as sensational as those State Department messages, I'd be willing to speculate that your information is a lot more important to you. While WikiLeaks may be interesting to watch on the news, seeing a news story that your company has just lost 50,000 credit card numbers will certainly seize your attention-it could mean the survival of your business. So the bottom line is to pay close attention to Plunkett's assertion that your systems are probably not secure, and find a way to adjust your way of doing business so that an intruder doesn't cost you everything.
In reality, most companies with sensitive information should be making these same assumptions. If you have customer credit card numbers, for example, you need to have them stored somewhere else besides your public-facing Web server. If you have your accounting data or medical information or anything else that might be of value to your competition or to someone who can sell what you have, then you can't just assume that you're secure. You need to have the access controls, the vulnerability testing and all of the other security tools you can find.