This blog is inspired by the recent events and the new-found interest of the masses – Wiki Leaks.
Let us revisit the earlier post “How easy can it get?”
Thumb Rule for “Information”: Information should be available only on need to know basis and strict hierarchy should be followed top ensure smooth flow of information.
Leaked Information, based on the sensitivity of the data and its usage after leak can be classified either as an act of espionage or treason or information warfare.
By whatever name we call this or any technical jargon we use to describe the fall-out scenarios caused due to such incidents, the core issues remains unresolved and gravely misunderstood. The core issue is the Flow of Information. In order to understand the flow of Information we have to look at the Life Cycle of Information.
The Lifecycle of Information can be broadly classified into
The deciding factors are the life span and sensitivity of the information. These define the plan of action for the Life Cycle of Information.
Information access in cyberspace can be broadly classified into three distinct areas:
1: USB Devices / Mobile Phones / Mobile Storage Devices
Pendrives are becoming smaller and cheaper, on the other hand mobiles are becoming powerful and versatile. A Mobile Phone with a camera and a data card can hold more data in physical space that what was achievable a few years ago.
A Computer providing access to such devices can never be a secured terminal to store data. Most of the malwares, which are built with the intention of data theft use these devices to propagate. This is one example where an outsider has gained access to your data, if an outsider can gain access by way of this method, an insider already has access and the method to transport.
Blocking of USB devices is a better option and allowing only selected personnel and devices to access via the USB medium.
Incoming email protection is a defacto of this industry wherein we try to protect email servers from a variety of attacks be it Spam, phishing or Virus. Content of the valid mails differ from organization to organization and from business to business. Putting intelligence into an email system to recognize the content of an email is one thing and analyzing the actions of the email sender is another. Defining an email as a business mail or personal mail or data leak mail is a daunting task, as it involves generating the list of business ids , personal ids and then cross referencing the sent mails vis-à-vis the definition, is definitely difficult but not impossible.
Web-site access restrictions are the in-thing, the admin has to ensure that selected sites are available or none at all . But keeping a pro-active watch on the contents which are being exchanged is again difficult. A few questions which should be raised are:
A: Is the user eligible to browse Internet?
B: Is the data handled by this user sensitive or highly confidential?
C: Is this user’s system being handled by any entity other than the user?
D: Should this system be given the privilege to browse or send emails?
These are hard-hitting questions and if you are an organization which is paranoid about Data Security then these questions need to be answered.
Normally, there is no policy for handling of printouts. Their disposal is another gray area, which is rarely touched. Use a shredder and an incinerator for those extra confidential documents.
5: Network File Access
When doing a security audit / pen-testing for data breaches the first thing that should be done is recognizing network shares and user password policy, as a form of data leak source.
1: Vulnerable Services/Servers accessible from Internet
2: Social Engineering
3: Resident Engineers
According to some researchers, insiders account to more than 80% of data leaks. However, this research does not pinpoint that; majority of these insiders never had any form of authorization to access the data, but due to misconstrued information flow, these insiders were privy to this data.