Tuesday, August 31, 2010
Information Security for New Hires
The next several posts will deal with establishing an information security awareness, training and education program where nothing existed before. I will deal with project plans, policy writing, bureaucracy and the approval process, eLearning modules within a learning management system (LMS) and evaluations. While this may be quite a bit of information, it should serve as a starting point or at least a blueprint. Hopefully this will commence in the next week to 10 days.
Wednesday, August 18, 2010
Information leakage: The misunderstood security risk
Information leakage represents one of the most common, but misunderstood, security risks faced by business and government alike. Though it impacts many organizations every single day, they may not even be aware. Firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) are deployed, along with investments in the security mission—yet, the perception of the secure perimeter may be at odds with reality. This is where awareness, training and education come into play.
One set of examples is that of some government web sites that were discovered to have sensitive information assets residing on their Internet presence. Using a tool like FOCA, attackers could download and interrogate data at their leisure. They could then dig to the next level, pulling back metadata and revealing more snippets of unintended releases of information into the public domain or the hands of criminals. The Microsoft Office Track Changes feature is yet another way to publish more than was intended to a wide and potentially unauthorized audience. Through lack of process or procedure, such comments can and do get published, resulting in possible embarrassment or, worse, security exposures.
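A pre-publication check for the leakage described above, as an added example that is not part of the original post: it lists author metadata, tracked changes and reviewer comments still present in a document. It assumes the Office Open XML (.docx) format; the function names and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by the .docx parts this check reads.
NS = {
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
    "dc": "http://purl.org/dc/elements/1.1/",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
}

def _part(z, name):
    """Parse one XML part of the package, or return None if it is absent."""
    return ET.fromstring(z.read(name)) if name in z.namelist() else None

def audit_docx(data: bytes) -> list:
    """Return findings to resolve before the file goes on a public site."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = _part(z, "docProps/core.xml")
        if core is not None:  # author names often double as account names
            for field in ("dc:creator", "cp:lastModifiedBy"):
                el = core.find(field, NS)
                if el is not None and el.text:
                    findings.append(f"{field}: {el.text}")
        body = _part(z, "word/document.xml")
        checks = [(body, ".//w:ins", "tracked insertion"),
                  (body, ".//w:del", "tracked deletion"),
                  (_part(z, "word/comments.xml"), "w:comment", "reviewer comment")]
        for root, path, label in checks:
            n = len(root.findall(path, NS)) if root is not None else 0
            if n:
                findings.append(f"{label}: {n}")
    return findings

def build_sample(dirty: bool) -> bytes:
    """Constructed sample holding only the parts audit_docx reads."""
    core = f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
    body = f'<w:document xmlns:w="{NS["w"]}"><w:body><w:p><w:r><w:t>Public</w:t></w:r>'
    if dirty:
        core += "<dc:creator>j.doe</dc:creator><cp:lastModifiedBy>a.smith</cp:lastModifiedBy>"
        body += '<w:del w:id="1"><w:r><w:delText>internal note</w:delText></w:r></w:del>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core + "</cp:coreProperties>")
        z.writestr("word/document.xml", body + "</w:p></w:body></w:document>")
    return buf.getvalue()
```

An empty list from `audit_docx` means none of these three leak sources were found; any finding is a reason to accept or reject the changes and clear the document properties before release.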
Let us not forget information that gets committed to mobile phones, PDAs, USB keys and laptops; it very soon becomes clear that, where no process or policy exists, each and every time any form of memory-retentive device is utilized, the potential for creating an interesting leaky footprint for future exploitation exists.
It is amazing where snippets of information may be overlooked. For example, a recent project deployment of simple printing devices demonstrated that one may never take the security eye off the ball. A security impact assessment was conducted and all was found to be in order—the only problem was that the new printer replacements were installed with internal 360GB hard drives, were accessible via IP and retained information post print—a case of data, data everywhere, but not a bit secure! See the post from Thursday, April 22, 2010 “Breach Alert: Copiers Are a Risk”.