An old presentation on the subject of Real-Time Data Leakage!
The Ramifications of Information Leakage in the Public & Private Sectors
REAL WORLD AGILE THREAT MODELLING
CONFIDENTIAL
SECRET / TOP SECRET
PROTECT
STRICTLY IN CONFIDENCE
Freedom of Insecurity (Information)
FOI is the new Best Friend of Journalists, Data Miners, Cyber Criminals, Organised Crime, and even Terrorists.
Consider the implications of not correctly assessing what is released into the Public Domain, outside of its own individual context.
Can FOI be the means by which to endanger lives?
Is this Risk appreciated?
We shall see . . . .
Unintentional Disclosure!
The next, and close, Best Friends of the Cyber Crooks are those accidental, unintended, and unintentional Disclosures.
One slip of the Web Server Administrator's Digit could in fact cause Public Publication of Content, NOT on the Internal Intranet, but in the rather more Public Space of the INTERNET. Here it may be assured to get many more visits!
It may be that, out of misguidance, some well-meaning internal user releases Sensitive Information and Documents into the arena of Public View - the INTERNET.
This is driven by a sheer lack of understanding of the Big Picture implications!
Could this Happen? YES
Has it Happened?? YES
And What About MetaData
It is very common to discover revelations from Metadata which may have been overlooked pre-publication and release of documents.
1) Track Changes – 2 Examples of INSECURITY relating to Human Resources and Client Pricing Schedules.
2) No Cleansing Policy – Excessive Publication of unintended materials and information Artifacts – 2 Examples relating to Government Sites.
3) En Masse Locating and Download of Materials containing Metadata – 4 Examples from both Government and Commercial Sectors.
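The kind of pre-publication check the Track Changes and cleansing points above call for, as an added example that is not part of the original deck. It builds a constructed minimal .docx in memory (the author names, device name and prices are made up), reports the core properties and tracked changes a reviewer would want flagged, and then accepts all changes and strips the author fields before release. A comments part is only flagged, not removed, because removing it cleanly also means updating the package's relationship and content-type parts.

```python
"""Audit a .docx for leaky metadata and tracked changes, then cleanse it.
A .docx is a zip of XML parts; only the standard library is needed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
W_AUTHOR = "{%s}author" % NS["w"]

# Core properties that reveal people, machines or revision history.
SENSITIVE_PROPS = ["dc:creator", "cp:lastModifiedBy", "cp:revision", "dc:description"]

# Constructed sample parts (not a real document): a pricing schedule whose
# old price survives as a tracked deletion and whose author is named twice.
CORE_XML = (
    '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s">'
    "<dc:title>Client Pricing Schedule</dc:title><dc:creator>j.smith</dc:creator>"
    "<cp:lastModifiedBy>HR-SHARED-LAPTOP</cp:lastModifiedBy><cp:revision>17</cp:revision>"
    "</cp:coreProperties>" % NS
)
DOC_XML = (
    '<w:document xmlns:w="%(w)s"><w:body><w:p><w:r><w:t>Unit price: </w:t></w:r>'
    '<w:del w:author="j.smith"><w:r><w:delText>GBP 120</w:delText></w:r></w:del>'
    '<w:ins w:author="j.smith"><w:r><w:t>GBP 150</w:t></w:r></w:ins>'
    "</w:p></w:body></w:document>" % NS
)


def build_sample_docx() -> bytes:
    """Assemble the constructed parts into an in-memory .docx zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", DOC_XML)
    return buf.getvalue()


def audit_docx(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for tag in SENSITIVE_PROPS:
                el = core.find(tag, NS)
                if el is not None and (el.text or "").strip():
                    findings.append("core property %s = %r" % (tag, el.text.strip()))
        if "word/comments.xml" in names:
            findings.append("comments part present: review and remove before release")
        doc = ET.fromstring(z.read("word/document.xml"))
        n_ins = len(doc.findall(".//w:ins", NS))
        n_del = len(doc.findall(".//w:del", NS))
        if n_ins or n_del:
            authors = sorted({e.get(W_AUTHOR) for e in doc.iter() if e.get(W_AUTHOR)})
            findings.append("tracked changes: %d insertion(s), %d deletion(s) by %s"
                            % (n_ins, n_del, ", ".join(authors)))
    return findings


def accept_all_changes(doc: ET.Element) -> None:
    """Drop w:del subtrees and unwrap w:ins runs (keeps their text, loses the author)."""
    w_ins, w_del = "{%s}ins" % NS["w"], "{%s}del" % NS["w"]
    changed = True
    while changed:  # repeat so nested revision marks are also flattened
        changed = False
        for parent in list(doc.iter()):
            for child in list(parent):
                if child.tag == w_del:
                    parent.remove(child)
                    changed = True
                elif child.tag == w_ins:
                    idx = list(parent).index(child)
                    parent.remove(child)
                    for k, grandchild in enumerate(list(child)):
                        parent.insert(idx + k, grandchild)
                    changed = True


def cleanse_docx(data: bytes) -> bytes:
    """Return a copy with sensitive core properties removed and all changes accepted."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            blob = src.read(name)
            if name == "docProps/core.xml":
                core = ET.fromstring(blob)
                for tag in SENSITIVE_PROPS:
                    for el in core.findall(tag, NS):
                        core.remove(el)
                blob = ET.tostring(core, encoding="UTF-8", xml_declaration=True)
            elif name == "word/document.xml":
                doc = ET.fromstring(blob)
                accept_all_changes(doc)
                blob = ET.tostring(doc, encoding="UTF-8", xml_declaration=True)
            dst.writestr(name, blob)
    return out.getvalue()


def part_text(data: bytes, name: str) -> str:
    """Raw XML of one part, for checking what a cleansed file still carries."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name).decode("utf-8")


def document_text(data: bytes) -> str:
    """Visible body text (w:t runs only) of the document part."""
    doc = ET.fromstring(part_text(data, "word/document.xml"))
    return "".join(t.text or "" for t in doc.findall(".//w:t", NS))


if __name__ == "__main__":
    sample = build_sample_docx()
    print("\n".join(audit_docx(sample)) or "clean")
    print(audit_docx(cleanse_docx(sample)) or "clean after cleanse")
```

Run the audit on every file in a release bundle and block publication while the findings list is non-empty; the same regular-expression-free XML walk works for .xlsx and .pptx parts with their own namespaces.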
What About Waste?
Now, one would imagine that those who hold Client and Business Customer information would take all necessary steps to ensure it is Secure whilst in use, and at end of life.
Note the bag of waste, which is one of many continually dumped on the pavement outside a Building Society in London, W2.
The strips of shredded waste still contain complete visible characters and numerics.
Casual Loss
March 2010 – Example of the potential for Casual Loss – This Gentleman took a car for a Test Drive, leaving his Laptop and Papers in the Showroom!
Background Leakage
Many organisations deploy I/O USB Blocking Technologies, Web Filtering, and all is presumed to be fully secure. However time, and tenacity, has demonstrated this is not always the case – consider (or maybe Don't):
a) The Internet
b) Dynamic URLs
c) Home Servers
d) Cloud Based File Sharing (Google, Amazon, SkyDrive and so on . . . .)
e) Cloud Based SharePoint
f) MS Groove
g) Desktop SharePoint
Lack of Standards (Bad Practice)
In many organisations, and in particular within the Public Sector, very little exists in the form of Standards for Cleansing or Securing Documents.
Published with masses of Metadata
PDF with NO inherent Security published into the Public Arena
Inappropriate Publications into Public Arena
FOI Releases which do not consider the Bigger Picture of Aggregated Risk.
DNS can Give Up a Lot
DNS can provide interesting Artifacts when selecting targets.
On average, recent Research identified that around 17% of a 100 Group Sample had security issues.
6% had High Risk Security Exposures (Zone Transfers)
External and Third Party External DNS Testing can be, and does get, overlooked.
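The Zone Transfer exposure above is usually a configuration issue on the authoritative server rather than a protocol flaw, so a defender can catch it by reading the server's config before anyone pulls the zone. The following is an added example, not code from the deck: it parses constructed BIND-style named.conf snippets (zone names and addresses are made up) and flags every zone whose effective `allow-transfer` ACL is `any`, whether set on the zone or inherited from `options`, with the weak configuration shown beside a hardened one that restricts transfers to a named secondary.

```python
"""Flag BIND zones whose effective allow-transfer ACL permits anyone (AXFR exposure)."""
import re

# Constructed weak config: a global 'any' that every zone without its own ACL inherits,
# plus one zone that sets 'any' explicitly.
WEAK_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };        // weak: applies to every zone below
};
zone "example.org" {
    type master;
    file "db.example.org";          /* inherits the global ACL */
};
zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { any; };        # weak: explicit
};
zone "example.net" {
    type master;
    file "db.example.net";
    allow-transfer { 192.0.2.53; }; // only the secondary may pull it
};
zone "." { type hint; file "root.hints"; };
"""

# The same server with transfers denied by default and allowed only to the secondary.
HARDENED_CONF = """
options {
    directory "/var/named";
    allow-transfer { none; };
};
zone "example.org" { type master; file "db.example.org"; allow-transfer { 192.0.2.53; }; };
zone "example.com" { type master; file "db.example.com"; allow-transfer { 192.0.2.53; }; };
zone "example.net" { type master; file "db.example.net"; allow-transfer { 192.0.2.53; }; };
zone "." { type hint; file "root.hints"; };
"""


def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def blocks(text: str):
    """Yield (header, body) for each top-level `header { body };` statement."""
    i = 0
    while True:
        start = text.find("{", i)
        if start < 0:
            return
        header = text[i:start].strip(" \t\r\n;")
        depth, j = 1, start + 1
        while depth and j < len(text):
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield header, text[start + 1:j - 1]
        i = j


def allow_transfer(body: str):
    """The ACL entries of an allow-transfer statement, or None if absent."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def check_zone_transfers(conf: str) -> list:
    """Return one finding per zone whose transfers are unrestricted or left to the default."""
    text = strip_comments(conf)
    global_acl, zones = None, []
    for header, body in blocks(text):
        m = re.search(r'\b(options|zone\s+"([^"]+)")(?:\s+in)?$', header, re.I)
        if not m:
            continue
        if m.group(1).lower() == "options":
            global_acl = allow_transfer(body)
        elif not re.search(r"\btype\s+(hint|forward)\b", body):  # these serve no AXFR data
            zones.append((m.group(2), allow_transfer(body)))
    findings = []
    for name, acl in zones:
        effective = acl if acl is not None else global_acl
        if effective is None:
            findings.append({"zone": name, "severity": "MEDIUM",
                             "reason": "no allow-transfer set; relies on the server default"})
        elif any(e.lower() == "any" for e in effective):
            where = "explicit on zone" if acl is not None else "inherited from options"
            findings.append({"zone": name, "severity": "HIGH",
                             "reason": "allow-transfer includes any (%s)" % where})
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, check_zone_transfers(conf) or "no findings")
```

A zone with no `allow-transfer` anywhere is reported as MEDIUM rather than passed, because the effective behaviour then depends on the BIND version's default; the fix in either case is the explicit ACL shown in the hardened config.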
Real Time Target Mapping
For Criminal and Social use, and more worryingly use by Terrorists, it is no secret in Underground Communities that the lack of policies, linked to what seems to be the continuous revelation of unintentional publications of artifacts and data (Intel), provides very rich pickings to target Individuals, Organisations, and Groups.
This could be (and is) used to facilitate Grooming, Exploitation, or in the most Extreme of cases Wet Target Selection.
Target Selection in Action
Step 1 – Get to Know the Advanced Features of Google Searches
Step 2 – Have the right toolsets on hand
Step 3 – Originate a map of potentials targets
Step 4 – Set off on a Spidering Mission
Step 5 – Identify interesting Artifacts, Mine, and Retrieve
Step 6 – Analysis Phase
Step 7 - EXPLOIT
Example of Real Time Mapping - 1
Step 1: Decide the Target type and information/artifacts of interest
Step 2: Identify and Footprint using Advanced Searches (FOI)
Step 3: Run Application / Tool against identified Targets
Step 4: Review Artifacts and Download as required
Step 5: Analysis Phase
Step 6: EXPLOIT
Example of Real Time Mapping – 2 (AKA – How to Create Soft Targets)
FOI: MI5 – MI6 Link
Thames House
Who Cares?
This is a good question – it would appear, based on previous examples, that with end users there are still shortfalls (as would be expected).
In the case of Government – the areas introduced relating to potentials of Mapping of, and Creation of, Soft Targets, Low or No Standards, Inappropriate Public Facing Publications, and Masses of Metadata have been reported on Multiple occasions in the last 12 Months – to date:
No Action – and these exposures Still Exist
Be Proactive
Consider your own Enterprise – Do any of the previous exposures exist?
Review any releases into the Public Arena before they go – Aggregation
Consider areas of potential for Unintentional Disclosure
Consider Standards and Process – if Gaps are Identified fix them
If reports are received – consider, and act on them as appropriate
Last but not least – consider the Real Time and Life Implications of Potential Impact
Thank you for Listening