Info leakage 200510



An old presentation on the subject of Real-Time Data Leakage!

  1. The Ramifications of Information Leakage in the Public & Private Sectors: Real World Agile Threat Modelling
  2. Freedom of Insecurity (Information). FOI is the new best friend of journalists, data miners, cyber criminals, organised crime and even terrorists. Consider the implications of not correctly assessing what is released into the public domain outside of its own individual context. Can FOI be the means by which to endanger lives? Is this risk appreciated? We shall see...
  3. Unintentional Disclosure! The next, and close, best friends of the cyber crooks are accidental, unintended and unintentional disclosures. One slip of a web server administrator's digit could in fact publish content not on the internal intranet but in the rather more public space of the Internet, where it may be assured of many more visits. It may also be that, out of misguidance, some well-meaning internal user releases sensitive information and documents into the arena of public view, the Internet, driven by a sheer lack of understanding of the big-picture implications. Could this happen? YES. Has it happened? YES.
  4. And What About Metadata? It is a very common find to discover revelations in metadata which were overlooked before publication and release of documents. 1) Track Changes: two examples of insecurity relating to human resources and to client pricing schedules. 2) No cleansing policy: excessive publication of unintended materials and information artifacts, with two examples from government sites. 3) Mass location and download of materials containing metadata: four examples from both government and commercial sectors.
  5. What About Waste? One would imagine that those who hold client and business customer information would take all necessary steps to ensure it is secure whilst in use and at end of life. Note the bag of waste, one of many continually dumped on the pavement outside a building society in London W2: the strips of shredded waste still contain complete, visible characters and numerals.
  6. Casual Loss. March 2010, an example of the potential for casual loss: this gentleman took a car for a test drive, leaving his laptop and papers in the showroom!
  7. Background Leakage. Many organisations deploy USB I/O blocking technologies and web filtering, and all is presumed to be fully secure. However, time and tenacity have demonstrated this is not always the case; consider (or maybe don't): a) the Internet, b) dynamic URLs, c) home servers, d) cloud-based file sharing (Google, Amazon, SkyDrive and so on), e) cloud-based SharePoint, f) MS Groove, g) desktop SharePoint.
  8. Lack of Standards (Bad Practice). In many organisations, and in particular within the public sector, very little exists in the form of standards for cleansing or securing documents: documents published with masses of metadata; PDFs with no inherent security published into the public arena; inappropriate publications into the public arena; FOI releases which do not consider the bigger picture of aggregated risk.
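Slides 4 and 8 describe the same failure from two angles: Track Changes and author fields left inside Office documents, and PDFs published with their Info dictionary intact and no protection applied. The following is an added example, not code from the presentation, of the kind of pre-publication check a cleansing policy could enforce. It uses only the Python standard library; the .docx and .pdf inputs are constructed in memory for the demonstration (the names "j.smith", "HR Dept" and "Jane Doe" are made up), and the PDF parsing is a deliberate simplification that reads only plain "(...)" string entries, not hex strings or XMP streams.

```python
"""Pre-publication metadata check for .docx and .pdf files (stdlib only).

Added illustration; the sample documents below are constructed in memory,
not taken from any real publication.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}


def inspect_docx(data: bytes) -> dict:
    """Report author names, tracked changes and comments left inside a .docx."""
    found = {"authors": [], "tracked_changes": 0, "comments": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy"):
                el = core.find(tag, NS)
                if el is not None and el.text:
                    found["authors"].append(el.text)
        if "word/document.xml" in names:
            doc = ET.fromstring(z.read("word/document.xml"))
            # w:ins / w:del are the Track Changes revision marks; deleted text
            # (w:delText) is still in the file even though Word hides it on screen.
            found["tracked_changes"] = (len(doc.findall(".//w:ins", NS))
                                        + len(doc.findall(".//w:del", NS)))
        if "word/comments.xml" in names:
            comments = ET.fromstring(z.read("word/comments.xml"))
            found["comments"] = len(comments.findall(".//w:comment", NS))
    return found


def inspect_pdf(data: bytes) -> dict:
    """Pull literal-string Info entries and note whether the PDF carries an /Encrypt dictionary.

    Simplification: only plain "(...)" strings without escaped parentheses are read;
    hex strings and XMP metadata streams are ignored.
    """
    found = {"info": {}, "encrypted": b"/Encrypt" in data}
    for key in (b"Title", b"Author", b"Creator", b"Producer"):
        m = re.search(rb"/" + key + rb"\s*\(([^)]*)\)", data)
        if m:
            found["info"][key.decode()] = m.group(1).decode("latin-1")
    return found


def publication_blockers(docx_report=None, pdf_report=None) -> list:
    """Reasons a document should not go out in its current form (slide 8 criteria)."""
    reasons = []
    if docx_report:
        if docx_report["tracked_changes"]:
            reasons.append(f"{docx_report['tracked_changes']} tracked change(s) still embedded")
        if docx_report["comments"]:
            reasons.append(f"{docx_report['comments']} reviewer comment(s) still embedded")
        if docx_report["authors"]:
            reasons.append("author/editor names present: " + ", ".join(docx_report["authors"]))
    if pdf_report:
        if pdf_report["info"]:
            reasons.append("PDF Info entries present: " + ", ".join(sorted(pdf_report["info"])))
        if not pdf_report["encrypted"]:
            reasons.append("PDF has no encryption or permission restrictions")
    return reasons


def _build_sample_docx() -> bytes:
    """Constructed sample: a client pricing memo whose old rate survives as a tracked deletion."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        "<dc:creator>j.smith</dc:creator><cp:lastModifiedBy>HR Dept</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    document = (
        f'<w:document xmlns:w="{NS["w"]}"><w:body><w:p>'
        "<w:r><w:t>Client rate: 120/hr</w:t></w:r>"
        '<w:del w:id="1" w:author="HR Dept"><w:r><w:delText>Client rate: 95/hr</w:delText></w:r></w:del>'
        "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


SAMPLE_DOCX = _build_sample_docx()
# Constructed sample: an unprotected PDF with a populated Info dictionary.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Title (Pricing Schedule 2010) /Author (Jane Doe) "
              b"/Producer (Word) >> endobj\n%%EOF\n")

if __name__ == "__main__":
    for reason in publication_blockers(inspect_docx(SAMPLE_DOCX), inspect_pdf(SAMPLE_PDF)):
        print("BLOCK:", reason)
```

The check is only as good as the cleansing step that follows it: accepting all changes, deleting comments and stripping docProps before export, and regenerating the PDF rather than editing its Info entries by hand. Note too that PDF permission flags without an open password are advisory, so "encrypted" here records what the slide calls inherent security, not a control that stops a determined reader.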
  9. DNS Can Give Up a Lot. DNS can provide interesting artifacts when selecting targets. Recent research identified that, on average, around 17% of a sample of 100 organisations had DNS security issues, and 6% had high-risk exposures (zone transfers). External and third-party external DNS testing can be, and does get, overlooked.
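The high-risk exposure on slide 9, an authoritative server that answers AXFR from anyone, hands an attacker the complete host list of a zone in one request. The following is an added example, not from the presentation, of the external check it says gets overlooked: a minimal AXFR probe over TCP written against the DNS wire format with only the Python standard library. The domain example.com, the name server names and the two response messages at the bottom are constructed for the demonstration so the parsing runs offline; try_axfr() is the only function that touches the network, and it should be pointed only at zones you are authorised to test.

```python
"""Minimal AXFR (zone transfer) probe using only the standard library.

Added illustration: the hostnames and the two response messages below are
constructed for the test, not captured from a real name server.
"""
import socket
import struct

AXFR, SOA = 252, 6


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """DNS header (one question, no flags) followed by the question <zone> AXFR IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", AXFR, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Step over a possibly compressed name; a 0xC0xx pointer ends the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Return rcode, answer count and the RR types of one DNS message."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):           # question: name + qtype + qclass
        off = _skip_name(msg, off) + 4
    types = []
    for _ in range(ancount):           # answer: name + type/class/ttl/rdlength + rdata
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"rcode": flags & 0x000F, "answers": ancount, "types": types}


def zone_transfer_allowed(resp: dict) -> bool:
    """A permitted AXFR answers NOERROR and opens the record stream with the zone SOA;
    a refusal is rcode 5 (REFUSED) or 9 (NOTAUTH) with no answers."""
    return resp["rcode"] == 0 and resp["answers"] >= 1 and resp["types"][0] == SOA


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf


def try_axfr(zone: str, nameserver: str, port: int = 53, timeout: float = 5.0) -> dict:
    """Send one AXFR over TCP (the transport AXFR requires) and parse the first response message."""
    query = build_axfr_query(zone)
    with socket.create_connection((nameserver, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", _recv_exact(s, 2))[0]
        return parse_response(_recv_exact(s, length))


# Constructed wire samples for example.com (no network needed).
_QUESTION = encode_name("example.com") + struct.pack("!HH", AXFR, 1)
_SOA_RDATA = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
              + struct.pack("!IIIII", 2010051901, 3600, 900, 604800, 300))
# Open server: NOERROR, two answers (SOA then an A record); 0xC00C points back at the question name.
SAMPLE_OPEN = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0) + _QUESTION
               + b"\xc0\x0c" + struct.pack("!HHIH", SOA, 1, 3600, len(_SOA_RDATA)) + _SOA_RDATA
               + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 10]))
# Locked-down server: REFUSED (rcode 5) with no answers.
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    import sys
    zone, ns = sys.argv[1], sys.argv[2]
    verdict = zone_transfer_allowed(try_axfr(zone, ns))
    print(f"{ns} {'ALLOWS' if verdict else 'refuses'} AXFR for {zone}")
```

Run it once per authoritative server listed in the zone's NS records, including the third-party or secondary servers the slide singles out, since a lock-down on the primary is undone by one secondary that still answers everyone. The probe reads only the first message of the transfer; a full dump would keep reading until the closing SOA, and some servers simply drop the connection instead of returning REFUSED, which the code surfaces as a ConnectionError rather than a silent pass.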
  10. Real Time Target Mapping. For criminal and social use, and more worryingly for use by terrorists, it is no secret in underground communities that the lack of policies, linked to what seems to be the continuous unintentional publication of artifacts and data (intel), provides very rich pickings for targeting individuals, organisations and groups. This could be (and is) used to facilitate grooming, exploitation or, in the most extreme of cases, wet target selection.
  11. Target Selection in Action. Step 1: get to know the advanced features of Google searches. Step 2: have the right toolsets on hand. Step 3: originate a map of potential targets. Step 4: set off on a spidering mission. Step 5: identify interesting artifacts, mine and retrieve. Step 6: analysis phase. Step 7: EXPLOIT.
  12. Example of Real Time Mapping - 1. Step 1: decide the target type and the information/artifacts of interest. Step 2: identify and footprint using advanced searches (FOI). Step 3: run the application/tool against identified targets. Step 4: review artifacts and download as required. Step 5: analysis phase. Step 6: EXPLOIT.
  13. Example of Real Time Mapping - 2 (AKA how to create a soft target). Diagram labels: FOI; MI5 – MI6 link; Thames House.
  14. Who Cares? This is a good question. It would appear, based on the previous examples, that with end users there are still shortfalls (as would be expected). In the case of government, the areas introduced relating to the potential for mapping and creation of soft targets, low or no standards, inappropriate public-facing publications and masses of metadata have been reported on multiple occasions in the last 12 months. To date: no action, and these exposures still exist.
  15. Be Proactive. Consider your own enterprise: do any of the previous exposures exist? Review releases into the public arena before they go, considering aggregation. Consider areas of potential for unintentional disclosure. Consider standards and process; if gaps are identified, fix them. If reports are received, consider and act on them as appropriate. Last but not least, consider the real-time and real-life implications of potential impact.
  16. Thank you for listening.