Information leakage is possibly one of the most common, and misunderstood security risks faced today, and potentially one which impacts organizations every single day. When linked to electronic distance information gathering, it can, and does pose significant security risks to any business, or government agencies alike.
Information leakage and gathering may be employed to determine much about the internal business model, and strategies – for example:
- Organizational connection
- Working practices
- Mobility of information assets
- Levels of sensitivity
- Personalities and contact information
- Infrastructure and application components
- Third party relationships
For instance, it is possible to obtain from information published to the Internet a pen-picture of what an organization/agency looks like on the inside. Maybe some information made public under an FOI request could provide an intelligence insight, which when conjoined to say other public articles or press releases could provide an indication of the organizational profile, and estimation as to the type, classification, and sensitivity of anticipated information assets under process, retention, or custodianship within a particular area of the business. Of course this is particularly of interest if such information assets are subject to governmental protective marking.
It may of course be that a department or agency has a very low profile, and it is to some extent nondescript, but nevertheless it may have established connections with sensitive government agencies, law enforcement, or other such official bodies. Such leakage of information could also provide an attacker with valuable information as to the type, and value of data which may be physically communicated, and thus this make the job of targeting a business, agency, or organization much easier.
FOI Extract from the Internet
With such collateral in the possession of the attacker, they may then turn to what other valuable information may be obtained about the internal employees, associated contractors, and any third parties. Here direct opportunities may well exist supporting the application of social engineering against identified personalities. Or it may be utilization of those dark skills to infiltrate one of the associated partnering organizations who are supporting the potential target to carry out long-arm infiltration. It has happened and will continue to do so.
It may also be that some external communications which have been published provide a valuable insight for the attackers to the internal organizational ecosystem, such as. but not limited to:
- Servers
- Operating systems
- VoIP
- Infrastructure components
- Users
- Logon ID
- Printers
- File Shares
- Patch Levels
Again with these valuable titbits in the kitbag, attackers may then underpin any future attacks with known and credible intelligence – and simply remove some of the early need for guessing, and leg work to reveal the unknown unknowns.
The Internal Attack: This particular example relates to personal family information held by a Coroner’s Office with regard to a death of a family member in which the estate was in some state of dispute. Multiples requests submitted by the extended family to identify additional information were by the Coroner’s Court as unnecessary and the requests declined. However, being determined to gain access, the family employed the Internet to glean information about the personalities, and internal dealings, and socially engineered circumstances to their advantage.
Within months they had placed a personal family as an insider having gained employment in the said office, with the objective of illicitly obtaining access to the information of interest. However, thanks to a vigilant employee who noticed that a lot of very detailed questions were being asked about storage of particular types of data, a close eye was maintained on the new member of staff – only to find one lunch time when they returned back to the office early, the new staff member was attempting to access the desired records. Needless to say they were dismissed.
Undesired Disclosure: In this example, the backdrop of insecurity related to multiples of information assets finding their unintended way from the Intranet, to the Internet side of the organization’s web space, providing unintended access to around 230 individual documents and reports containing:
- Organization charts – with email addresses
- Other internal contract e-mail, and telephones numbers
- Department descriptions
- Agenda of internal security committee meetings (along with the outcomes)
- Budget Information
- Documents which indicated storage, and process, of high value protectively marked information assets
Furthermore to give further creditability to the published information, other FOI Information Assets were made available. These were associated with other agencies, hinting at the type of information that had been stored [or was], and processed by this particular agency for some considerable time – thus heightening the real-time attractiveness of the target. Add to this confirmation of on-going links to the UK government security services, and one may soon realize they have a very high gain, and a very soft target.
In the aforementioned example the wide proliferation of publicly shared documents containing invisible hidden content in the form of metadata, and unseen track changes gave away additional snippets of valuable and potentially sensitive information, or intelligence. We may soon realize just how valuable these may be when removed from isolated snippets, and moved into an aggregated map of intelligence.
So what you may ask? Well in this age of internal tensions, with the associated risk of terrorism, it should hopefully follow that such circumstances as the above should be of serious concern. However, when one links this to a time in which the national security stance is high, the expectation of a commensurate response should go without saying – or at least one would hope.
Ashley Madison: And then we come to the mass compromise against the Ashley Madison site which suffered compromise of a database containing over 30m records of cheating lovers, resulting in names and the associated details being released into the public arena. OK, so here we may tend to over focus on the implication of the root because data breach. However, if we stop and think for just a moment, we may start to see the indirect potential of the real-world security exposure – so please allow me to explain.
So with the drive of professional curiosity I fired up my TOR, and started to dig around in what we refer to as the ‘Dark Web’ and located what I considered to be a data source of the said leaked information which I regarded as having high level of providence. The act driven out of my curiosity then took me to look at the actual content, and to assess its potential security implications. The first observation was that the suggested registered users in this release were drawn from a diverse range of males, females, who had registered with both private, and work email addresses.
However, the next level of digging against the ‘work’ email address group identified a number of personalities who were inferred to be holding sensitive positions, in some very sensitive organizations – this leaving only more level to investigate, and that was the world of Social Networking - which added more vibrancy to the HUMINT picture and tended to qualify the inferred personalities, their roles, and established that fact that in a number of cases, they were holding very, very sensitive posts – again, so what?
So, as an example from the above, let us consider a case involving the identification of a married man with 2.4 children, who is occupying a key position in a bank, or a sensitive public service agency. Thus it must follow that such a compromised HUMINT [Human Intelligence] target may well be open to pressure and manipulation to accommodate a request for some form of insider act or insider service by their controller – after all this is the methodology that has been applied to international security services for decades, and it is equally applicable in 2015 to the commercial world in instances where there are high stakes in play. Thus, such big data compromises as have occurred against sites such as Ashley Madison may see the indirect security implication for organizations be a very personal matter, and something they need to consider for their high profile employees.
What such Information leakage does provide an attacker is ease of identification of soft targets, and points of potential manipulation which hold desired levels of accommodated access to a desired target; or it could be that, by associations it is not necessarily that it is the information which may be the target, but the actual facilities for plotting a physical attack. Thus where Information Leakage of the aforementioned types does exist, it can have very real potential to support an attack which could manifest in the compromise of an individual, or individuals, assets, or in the worst case scenario result in injury, and loss of life.
There are of course some very basic cyber threat intelligence steps which may be applied to mitigate, or to reduce the exposure, and to accommodate high gain security to protect such soft targets. They include:
- Ensure that any externally published information assets are appropriate for release
- Control what is released, and published about your organization via social media
- Consider the implications, inferences of any information that is published in relation to partner, or other sensitive agencies
- Agree a corporate communications approach to manage all information releases
- Deploy cyber threat intelligence capabilities to periodically trawl the internet looking for signs of information leakage and other forms of interesting intelligence
- Have a process in place that removes metadata from all documents prior to publication or external release
- Consider applying security settings, and/or encrypting the content if your organization publishes documents in PDF format
- Invert security and employ the same levels of dark arts and tools as would an attacker to glean any other items of intelligence interest which could impose direct or indirect on your business
Remember what may seem to be of little value in isolation, may be completely different ball game when assessed against other aggregated information assets obtained (AKA - Intelligence).
Above all remember, we are living in an interconnected world which in most cases is based on chap-and-cheerful COTS (commercial off the shelf) applications. Don’t forget most organizations have been hacked or compromised, and the association of an era in which the internal, and International tensions are running high. Thus no matter the presumed lowly value of the snippet, in the bigger picture the implications could be serious to both information, and in the most extreme of cases life. Thus it may be a reasonable assessment to say that cyber threat intelligence is no longer a nice to have, but instead a must.