Wednesday 20 October 2010

INFORMATION LEAKAGE

Information Leakage is possibly one of the most common, and misunderstood, security risks faced today, and potentially one that impacts organisations every single day. Linked to Electronic Distance Information Gathering, it can, and does, pose significant security risks to Businesses and Government Agencies alike.
Information Leakage and Gathering may be employed to determine much about the internal business model, and strategies – for example:
a) Organisational connections
b) Working practices
c) Mobility of information assets
d) Levels of sensitivity
e) Personalities and contact information
f) Infrastructure and Application Components
g) Third Party Relationships

For instance, from information which may be located on the Internet, it may be possible to obtain a pen-picture of what an Organisation, or Agency, looks like on the inside. This might be some information made public under an FOI request, linked by inference of content to a more recent publication relating to the type, classification, and sensitivity of an Information Asset under process or retention within a particular area. Of course, this is of particular interest if such Information Assets are subject to UK Government Protective Marking.
It may be that a Department or Agency has a very low profile, and is nondescript, but nevertheless has connections with sensitive Government Agencies, Law Enforcement, or other such official bodies.
Lastly, such leakage of Information titbits can provide an attacker with valuable information as to the type, and value, of data that may be physically communicated, and thus makes the job of targeting a Business, Agency, or Organisation much easier.
With such collateral in their possession, the attacker may then turn to what other valuable information can be obtained about the Internal Employees, Associated Contractors, and any Third Parties who provision support. Here opportunities exist to Socially Engineer any identified personalities, or to infiltrate one of the Third Parties who are supporting the potential target for long-arm infiltration – it has happened.

Last but not least, it may be that some external communications which have been published provide insight for the attackers into the internal electronic workings of the organisation – Servers, Operating Systems, VoIP, and Infrastructure Components that are deployed. Such information is valuable in underpinning any form of future electronic attack – it simply removes some of the early need for Footprinting, guessing, and leg work.
As an example, consider multiple Information Assets finding their way from the Intranet to the Internet side of the organisation's web space, providing access to around 230 individual documents, containing:
a) Organisation Charts
b) Internal Contact e-mail, and telephone numbers
c) Department Descriptions
d) Agenda of Internal Security Committee Meetings (along with the outcomes)
e) Budget Information
f) Documents which indicated Storage, and Process, of High Value Government Protectively Marked Information Assets


Furthermore, to add credibility to the published information, other FOI Information Assets had been made available on other Agency Sites, underpinning a conclusion as to the type of information that had been stored, and processed by this use – thus heightening the attractiveness of the target.
Add to this confirmation of on-going links to other more sensitive UK Government Services, and soon one realises they have a very high gain, and a very soft target!
Insecure Electronic Document: Publicly shared documents contained invisible hidden content in the form of Metadata, and those unseen Track Changes, which created the potential for unintentional disclosure – all giving away additional snippets of information, or should we say Intelligence – in this case extracted from examples of the 230 farmed, downloaded documents!

So What!: In this age of internal tensions, with the associated risk of Terrorism, it should follow that such circumstances as the above would be of serious concern. However, when one links this to a time in which the National Security Stance is High, the expectation of a commensurate response should go without saying!
What such Information Leakage does provide an attacker with is ease of identification of Soft Targets which hold desired levels of information. It could be that, because of associations, it is not necessarily the information that may be the target, but the actual facilities, for plotting a Physical Attack. Thus, where Information Leakage of this type does exist, it can have very real potential to cause injury, and loss of life, and should be taken very seriously. Surprisingly, this is not always the case!
Prevention is better than Cure: There are some very basic steps which may be applied to mitigate, or reduce, the risk, and to accommodate high gain security to protect such soft targets, and they are as follows:
· Ensure that any Information Assets which are published externally are appropriate
· Control what may be released, and published, about your organisation
· Consider the implications, and inferences, of any information that is published in relation to Partner, or other Sensitive Agencies
· Agree a Corporate Communications approach to manage ALL information releases
· Have a process in place to periodically trawl the Internet looking for signs of Information Leakage
· Have a process in place that removes Metadata from any documents prior to publication or external release
· If the organisation publishes documents in PDF, consider applying Security Settings, and Encrypting the content
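
As an added example (not part of the original post), the metadata-removal step above can be backed by a pre-publication check that looks inside a document for author properties and unaccepted Track Changes. It assumes the documents are Word .docx (Office Open XML) files; the function names and the sample document built by `build_sample` are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"

def audit_docx(data: bytes) -> dict:
    """Report identifying metadata and unaccepted tracked changes in a .docx."""
    out = {"metadata": {}, "authors": set(), "revisions": 0, "deleted_text": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        out["comments"] = "word/comments.xml" in names
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for key, ns in (("creator", DC), ("lastModifiedBy", CP)):
                el = core.find(f"{{{ns}}}{key}")
                if el is not None and el.text:
                    out["metadata"][key] = el.text
        body = ET.fromstring(z.read("word/document.xml"))
        for kind in ("ins", "del"):
            for el in body.iter(f"{{{W}}}{kind}"):
                out["revisions"] += 1
                out["authors"].add(el.get(f"{{{W}}}author", "unknown"))
        # Text marked as deleted is still stored in the file, as w:delText.
        out["deleted_text"] = [t.text or "" for t in body.iter(f"{{{W}}}delText")]
    return out

def safe_to_publish(report: dict) -> bool:
    """True only when no author metadata, revisions or comments remain."""
    return not (report["metadata"] or report["revisions"] or report["comments"])

def build_sample(clean: bool) -> bytes:
    """Constructed, minimal package holding only the parts this check reads."""
    props = "" if clean else ("<dc:creator>J. Example</dc:creator>"
                              "<cp:lastModifiedBy>A. Reviewer</cp:lastModifiedBy>")
    change = "" if clean else ('<w:del w:author="A. Reviewer"><w:r><w:delText>draft figure'
                               '</w:delText></w:r></w:del>'
                               '<w:ins w:author="A. Reviewer"><w:r><w:t>TBC</w:t></w:r></w:ins>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", f'<cp:coreProperties xmlns:cp="{CP}" '
                   f'xmlns:dc="{DC}">{props}</cp:coreProperties>')
        z.writestr("word/document.xml", f'<w:document xmlns:w="{W}"><w:body><w:p><w:r>'
                   f'<w:t>Budget: </w:t></w:r>{change}</w:p></w:body></w:document>')
    return buf.getvalue()
```

Run as a gate in the release process, a document is held back whenever `safe_to_publish(audit_docx(data))` is false, and the report shows exactly which names and deleted passages would have gone out with it.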
Remember, what may seem to be of little value in isolation may be a completely different ball game when assessed against other aggregated Information Assets obtained (AKA - Intelligence).
Above all, remember that we are living in times where internal, and International, tensions are high, thus no matter the presumed lowly value of the snippet, in the bigger picture the implications could be serious to both information, and in the most extreme of cases life!