Your SlideShare is downloading. ×
Info leakage 200510
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

Info leakage 200510

334
views

Published on

An old presentation on the subject of Real-Time Data Leakage!

An old presentation on the subject of Real-Time Data Leakage!

Published in: Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
334
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. The Ramifications of Information Leakage in the Public & Private Sectors REAL WORLD AGILE THREAT MODELLING
  • 2. Freedom of Insecurity (Information)  FOI is the Journalists, Data Miners, Cyber Criminals, Organised Crime, and even Terrorists new Best Friend.  Consider the implications of not correctly assessing what is relapsed into the Public Domain Outside of its own individual context.  Can FOI be the means by which to endanger lives?  Is this Risk appreciated?  We shall see . . . .
  • 3. Unintentional Disclosure!  The next, and close Best Friends of are those accidental, unintended, and unintentional Disclosures. Crooks, O The Cyber  One slip of the Web Server Administrators Digit, could in fact cause Public Publication  Content, NOT on the Internal Intranet, but in the rather more Public Space of the INTERNET . Here it may be assured to get many more visits!  It may be that out of misguidance, some well meaning internal user releases Sensitive Information, and Documents into the arena of Public View - the INTERNET. This driven out of sheer lacking of understanding of the Big Could this Happen? YES Has it Happened?? Picture implications! YES
  • 4. And What About MetaData It is a very common find to discover revelations from Metadata which may have been overlooked pre-publication and release of documents. 1) Track Changes – 2 Examples of INSECURITY relating to Human Resources, and Client Pricing Schedules. 2) No Cleansing Policy – Excessive Publication of unintended materials, and information Artifacts – 2 Examples relative to Government Sites. 3) On Mass Locating, and Download of Materials containing Metadata – 4 Examples from both Government and Commercial Sectors.
  • 5. What About Waste? Now, one would imagine that those who hold Client, and Business Customer information would take all necessary steps to ensure it is Secure whilst in use, and at end of life. Note the bag of waste, which is one of many continually dumped on the pavement outside a Building Society in London, W2. The strips of shredded waste still contain complete visible characters and numerics
  • 6. Casual Loss March 2010 – Example of the potential for Casual Loss – This Gentlemen took a car for a Test Drive, leaving his Laptop and Papers in the Showroom!
  • 7. Background Leakage Many organisations deploy I/O USB Blocking Technologies, Web Filtering, and all is presumed to be fully secure. However time, and tenacity has demonstrated this is not always the case – consider (or maybe Don’t): a) The Internet b) Dynamic URL’s c) Home Servers d) Cloud Based File Sharing (Google, Amazon, SkDrive and so on . . . . e) Cloud Based SharePoint f) MS Groove g) Desktop SharePoint
  • 8. Lack of Standards (Bad Practice) In many organisations, and in particular, within the Public Sector very little exists in the form of Standards, or Cleansing, or Securing Documents.  Published with masses of Metadata  PDF with NO inherent Security published into the Public Arena  Inappropriate Publications into Public Arena  FOI Releases which do not consider the Bigger Picture of Aggregated Risk.
  • 9. DNS can Give Up a Lot  DNS can provide interesting Artifacts when selecting targets.  On Average recent Research identified that around 17% of a 100 Group Sample had security issues.  6% had High Risk Security Exposures (Zone Transfers)  External, and Third Party External DNS Testing can be, and does get overlooked
  • 10. Real Time Target Mapping For both Criminal, Social, and more worryingly use by Terrorists, it is no secret in Underground Communities that the lacking of policies, linked to what seems to be the continuous revelation of unintentional publications of artifacts and data (Intel) provides very rich pickings to target Individuals, Organisations, and Groups. This could be (is) used to facilitate purpose of Grooming, Exploitations, or in the most Extreme of cases Wet Target Selection.
  • 11. Target Selection in Action Step 1 – Get to Know the Advanced Features of Google Searches Step 2 – Have the right toolsets on hand Step 3 – Originate a map of potentials targets Step 4 – Set off on a Spidering Mission Step 5 – Identify interesting Artifacts, Mine, and Retrieve Step 6 – Analysis Phase Step 7 - EXPLOIT
  • 12. Example of Real Time Mapping - 1 Step 1: Decide the Target type and information/artifacts of interest Step 4: Review Artifacts and Download as required Step 2: Identify and Footprint using Advanced Searches (FOI) Step 3: Run Application / Tool against identified Targets Step 6: Step 5: Analysis Phase EXPLOIT
  • 13. Example of Real Time Mapping – 2 (AKA – How to Create a Soft Targets) FOI MI5 – MI6 Link Thames Housed
  • 14. Who Cares? This is a good question – it would appear, based on previous examples that with end users there are still shortfalls (as would be expected). In the case of Government – the areas introduced relating to potentials of Mapping of, and Creation of Soft Targets, Low, or No Standards, Inappropriate Public Facing Publications, and Masses of Metadata has been reported on Multiples of occasions in the last 12 Months – to date: No Action – and these exposures Still Exist
  • 15. Be Proactive  Consider you own Enterprise – Do any of the previous exposures exist  Review and releases into the Public Arena before the go – Aggregation  Consider areas of potential for Unintentional Disclosure  Consider Standards and Process – if Gaps are Identified fix them  If reports are received – consider, and act on them as appropriate  Last but not least – consider the Real Time and Life Implications of Potential Impact
  • 16. Thank you for Listening