Information leakage represents one of the most common, but misunderstood, security risks faced by business and government alike. Though it impacts many organisations every single day, they may not even be aware. Firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) are deployed, along with investments in the security mission—yet, the perception of the secure perimeter may be at odds with reality.
One set of good (bad) examples is that of some government web sites that were discovered to have sensitive information assets residing on their Internet presence. Using a tool like FOCA, attackers could download and interrogate data at their leisure. They could then dig to the next level, pulling back metadata (data about data) and revealing more snippets of unintended releases of information into the public domain or—even worse—the hands of criminals. Sadly, this does not stop there—for example, the very useful Microsoft Office tool Track Changes is yet another way to publish more than was intended to a wide and potentially unauthorised audience. Through lack of process or procedure, such comments can and do get published, resulting in possibilities of embarrassment or, worse, security exposures.
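A pre-publication check for the leftovers described above, as an added example that is not part of the original article: it opens a .docx package and reports author metadata, tracked insertions and deletions, and reviewer comments still stored in the file. The sample package, the names j.smith and a.jones, and the function names are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"

def _part(zf, name):
    """Parse one XML part of the package, or return None if it is absent."""
    return ET.fromstring(zf.read(name)) if name in zf.namelist() else None

def audit_docx(data: bytes) -> dict:
    """Report metadata, tracked revisions and comments left inside a .docx."""
    found = {"metadata": {}, "insertions": 0, "deletions": [], "comments": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        core = _part(zf, "docProps/core.xml")
        if core is not None:
            for label, tag in (("creator", f"{{{DC}}}creator"),
                               ("lastModifiedBy", f"{{{CP}}}lastModifiedBy")):
                node = core.find(tag)
                if node is not None and node.text:
                    found["metadata"][label] = node.text
        body = _part(zf, "word/document.xml")
        if body is not None:
            found["insertions"] = sum(1 for _ in body.iter(f"{{{W}}}ins"))
            # Deleted text is hidden on screen but stays in the file as w:delText.
            for d in body.iter(f"{{{W}}}del"):
                found["deletions"].append(
                    "".join(t.text or "" for t in d.iter(f"{{{W}}}delText")))
        notes = _part(zf, "word/comments.xml")
        if notes is not None:
            found["comments"] = len(notes.findall(f"{{{W}}}comment"))
    return found

def build_sample() -> bytes:
    """Constructed, minimal package holding only the parts the audit reads."""
    parts = {
        "docProps/core.xml": f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}"><dc:creator>j.smith</dc:creator><cp:lastModifiedBy>a.jones</cp:lastModifiedBy></cp:coreProperties>',
        "word/document.xml": f'<w:document xmlns:w="{W}"><w:body><w:p><w:r><w:t>Public text. </w:t></w:r><w:ins w:id="1" w:author="a.jones"><w:r><w:t>Added. </w:t></w:r></w:ins><w:del w:id="2" w:author="a.jones"><w:r><w:delText>internal budget figure</w:delText></w:r></w:del></w:p></w:body></w:document>',
        "word/comments.xml": f'<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="a.jones"><w:p><w:r><w:t>check with legal</w:t></w:r></w:p></w:comment></w:comments>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_docx(build_sample()))
```

Any non-empty field in the result is a reason to hold the document back until revisions are accepted or rejected and the properties are cleared.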
Let us not forget information that gets committed to mobile phones, PDAs, USB keys and laptops. It very soon becomes clear that, where no process or policy exists, each and every time any form of memory-retentive device is utilised, the potential for creating an interesting leaky footprint for future exploitation exists.
It is amazing where snippets of information may be overlooked. For example, a recent project deployment of simple printing devices demonstrated that one may never take the security eye off the ball. A security impact assessment was conducted and all was found to be in order—the only problem was that the new printer replacements were installed with internal 360GB hard drives, were accessible via IP and retained information post print—a case of data, data everywhere, but not a bit secure!
John Walker, CISM, FBCS CITP, ITPC, Member ENISA CEI Listed Experts
Secure Bastion LTD