
Information leakage: The most misunderstood security risk

Posted at 8:56 AM by ISACA News | Category: Risk Management

Information leakage represents one of the most common, but least understood, security risks faced by business and government alike. Though it affects many organisations every single day, they may not even be aware of it. Firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) are deployed, along with other investments in the security mission—yet the perception of a secure perimeter may be at odds with reality.


One set of good (bad) examples is that of some government websites that were discovered to have sensitive information assets residing on their Internet presence. Using a tool like FOCA, attackers could download and interrogate that data at their leisure. They could then dig to the next level, pulling back metadata (data about data) and revealing further snippets of information unintentionally released into the public domain or—even worse—into the hands of criminals. Sadly, it does not stop there—for example, the very useful Microsoft Office feature Track Changes is yet another way to publish more than was intended to a wide and potentially unauthorised audience. Through lack of process or procedure, tracked changes and reviewer comments can and do get published, resulting in the possibility of embarrassment or, worse, security exposures.
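As an added illustration of the document-metadata problem described above (example code, not part of the original post), the following Python script audits a .docx package for the three artefacts the paragraph warns about: the creator and last-editor properties, reviewer comments, and Track Changes that were never accepted. The sample package it builds is constructed inline and contains only the parts the audit reads; the names and values in it are invented.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

# OOXML namespaces of the parts a .docx leaks information through.
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main"}

def audit_docx(data: bytes) -> dict:
    """Report who wrote/edited the file, reviewer comments and pending tracked changes."""
    f = {"author": None, "last_modified_by": None, "comments": 0, "tracked_changes": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:  # core properties: creator and last editor
            core = ET.fromstring(zf.read("docProps/core.xml"))
            f["author"] = core.findtext("dc:creator", namespaces=NS)
            f["last_modified_by"] = core.findtext("cp:lastModifiedBy", namespaces=NS)
        if "word/comments.xml" in names:  # reviewer comments travel in a separate part
            f["comments"] = len(ET.fromstring(zf.read("word/comments.xml")).findall("w:comment", NS))
        if "word/document.xml" in names:  # w:ins / w:del are Track Changes not yet accepted
            doc = ET.fromstring(zf.read("word/document.xml"))
            f["tracked_changes"] = len(doc.findall(".//w:ins", NS)) + len(doc.findall(".//w:del", NS))
    return f

def is_safe_to_publish(f: dict) -> bool:
    """Release gate: no review artefacts and no personal names left in the properties."""
    return f["comments"] == 0 and f["tracked_changes"] == 0 and not f["author"] and not f["last_modified_by"]

def build_sample_docx() -> bytes:
    """Constructed minimal package with only the parts audit_docx reads (not a full Word file)."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}"><dc:creator>j.walker'
            '</dc:creator><cp:lastModifiedBy>legal-review</cp:lastModifiedBy></cp:coreProperties>')
    comments = (f'<w:comments xmlns:w="{NS["w"]}"><w:comment w:id="0" w:author="cfo"><w:p><w:r>'
                '<w:t>Do not disclose the Q3 figure</w:t></w:r></w:p></w:comment></w:comments>')
    document = (f'<w:document xmlns:w="{NS["w"]}"><w:body><w:p><w:r><w:t>Public text.</w:t></w:r>'
                '<w:del w:id="1" w:author="cfo"><w:r><w:delText>internal price 4.2m</w:delText>'
                '</w:r></w:del></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/comments.xml", comments)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()

if __name__ == "__main__":
    report = audit_docx(build_sample_docx())
    print(report, "safe to publish:", is_safe_to_publish(report))
```

Run against a real file (`audit_docx(open("report.docx", "rb").read())`) it gives a pre-publication check that catches exactly the material Track Changes and document properties would otherwise carry out of the organisation.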


Let us not forget the information that gets committed to mobile phones, PDAs, USB keys and laptops. It very soon becomes clear that, where no process or policy exists, each and every time any form of memory-retentive device is used, the potential exists for creating an interesting leaky footprint for future exploitation.


It is amazing where snippets of information may be overlooked. For example, a recent project deployment of simple printing devices demonstrated that one may never take the security eye off the ball. A security impact assessment was conducted and all was found to be in order—the only problem was that the replacement printers were fitted with internal 360 GB hard drives, were accessible over IP and retained the documents they had printed—a case of data, data everywhere, but not a bit secure!


John Walker, CISM, FBCS CITP, ITPC, Member ENISA CEI Listed Experts

Secure Bastion LTD




How to minimize metadata in Word 2003:

Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF -

These are for awareness.
Adrian Munteanu at 7/16/2010 6:52 AM

Re: Information leakage: The most misunderstood security risk

John has rightly pointed out a risk which is often improperly managed in most organizations. Another common practice which I have observed is that most of the key executives keep sensitive information on their laptops without 'encrypting' their hard drives. There are a lot of other examples which we can find around us. I request John to write in more detail on this topic for creating awareness to a larger extent.
kaymalik at 7/26/2010 2:07 AM