
Info leakage 200510


An old presentation on the subject of Real-Time Data Leakage!


Page 1: Info leakage 200510

The Ramifications of Information Leakage in the Public & Private Sectors

REAL WORLD AGILE THREAT MODELLING

CONFIDENTIAL

SECRET

TOP SECRET

PROTECT

STRICTLY IN CONFIDENCE

Page 2: Info leakage 200510

Freedom of Insecurity (Information)

FOI is the new Best Friend of Journalists, Data Miners, Cyber Criminals, Organised Crime, and even Terrorists.

Consider the implications of not correctly assessing what is released into the Public Domain outside of its own individual context.

Can FOI be the means by which to endanger lives?

Is this Risk appreciated?

We shall see . . . .

Page 3: Info leakage 200510

Unintentional Disclosure!

The Cyber Crooks, O

The next, and close, Best Friends of these are those accidental, unintended, and unintentional Disclosures.

One slip of the Web Server Administrator's Digit could in fact cause Public Publication of Content, NOT on the Internal Intranet, but in the rather more Public Space of the INTERNET. Here it may be assured to get many more visits!

It may be that out of misguidance, some well meaning internal user releases Sensitive Information and Documents into the arena of Public View - the INTERNET.

This is driven out of a sheer lack of understanding of the Big Picture implications!

Could this Happen? YES

Has it Happened?? YES

Page 4: Info leakage 200510

And What About MetaData

It is a very common find to discover revelations from Metadata which may have been overlooked pre-publication and release of documents.

1) Track Changes – 2 Examples of INSECURITY relating to Human Resources, and Client Pricing Schedules.

2) No Cleansing Policy – Excessive Publication of unintended materials, and information Artifacts – 2 Examples relative to Government Sites.

3) En Masse Locating, and Download of Materials containing Metadata – 4 Examples from both Government and Commercial Sectors.

Page 5: Info leakage 200510

What About Waste?

Now, one would imagine that those who hold Client, and Business Customer information would take all necessary steps to ensure it is Secure whilst in use, and at end of life.

Note the bag of waste, which is one of many continually dumped on the pavement outside a Building Society in London, W2.

The strips of shredded waste still contain complete visible characters and numerics.

Page 6: Info leakage 200510

Casual Loss

March 2010 – Example of the potential for Casual Loss – This Gentleman took a car for a Test Drive, leaving his Laptop and Papers in the Showroom!

Page 7: Info leakage 200510

Background Leakage

Many organisations deploy I/O USB Blocking Technologies, Web Filtering, and all is presumed to be fully secure. However time, and tenacity has demonstrated this is not always the case – consider (or maybe Don't):

a) The Internet
b) Dynamic URLs
c) Home Servers
d) Cloud Based File Sharing (Google, Amazon, SkyDrive and so on . . . .)
e) Cloud Based SharePoint
f) MS Groove
g) Desktop SharePoint

Page 8: Info leakage 200510

Lack of Standards (Bad Practice)

In many organisations, and in particular, within the Public Sector very little exists in the form of Standards, or Cleansing, or Securing Documents.

Published with masses of Metadata

PDF with NO inherent Security published into the Public Arena

Inappropriate Publications into Public Arena

FOI Releases which do not consider the Bigger Picture of Aggregated Risk.

Page 9: Info leakage 200510

DNS can Give Up a Lot

DNS can provide interesting Artifacts when selecting targets.

On Average recent Research identified that around 17% of a 100 Group Sample had security issues.

6% had High Risk Security Exposures (Zone Transfers)

External, and Third Party External DNS Testing can be, and does get overlooked

Page 10: Info leakage 200510

Real Time Target Mapping

For both Criminal, Social, and more worryingly use by Terrorists, it is no secret in Underground Communities that the lacking of policies, linked to what seems to be the continuous revelation of unintentional publications of artifacts and data (Intel), provides very rich pickings to target Individuals, Organisations, and Groups.

This could be (is) used to facilitate the purposes of Grooming, Exploitation, or in the most Extreme of cases Wet Target Selection.

Page 11: Info leakage 200510

Target Selection in Action

Step 1 – Get to Know the Advanced Features of Google Searches

Step 2 – Have the right toolsets on hand

Step 3 – Originate a map of potential targets

Step 4 – Set off on a Spidering Mission

Step 5 – Identify interesting Artifacts, Mine, and Retrieve

Step 6 – Analysis Phase

Step 7 - EXPLOIT

Page 12: Info leakage 200510

Example of Real Time Mapping - 1

Step 1: Decide the Target type and information/artifacts of interest

Step 2: Identify and Footprint using Advanced Searches (FOI)

Step 3: Run Application / Tool against identified Targets

Step 4: Review Artifacts and Download as required

Step 5: Analysis Phase

Step 6: EXPLOIT

Page 13: Info leakage 200510

Example of Real Time Mapping – 2 (AKA – How to Create Soft Targets)

FOIMI5 – MI6 Link

Thames Housed

Page 14: Info leakage 200510

Who Cares?

This is a good question – it would appear, based on previous examples, that with end users there are still shortfalls (as would be expected).

In the case of Government – the areas introduced relating to potentials of Mapping of, and Creation of Soft Targets, Low, or No Standards, Inappropriate Public Facing Publications, and Masses of Metadata have been reported on Multiple occasions in the last 12 Months – to date:

No Action – and these exposures Still Exist

Page 15: Info leakage 200510

Be Proactive

Consider your own Enterprise – Do any of the previous exposures exist?

Review any releases into the Public Arena before they go – Aggregation

Consider areas of potential for Unintentional Disclosure

Consider Standards and Process – if Gaps are Identified fix them

If reports are received – consider, and act on them as appropriate

Last but not least – consider the Real Time and Life Implications of Potential Impact

Page 16: Info leakage 200510

Thank you for Listening