The Many Faces of Data Leaks
While there are many ways that data can be leaked from an organization, not all are the result of some malevolent perpetrator handing data to an external party in a dark alley. In many cases, it is a simple lack of awareness and attention to detail that causes the most damage. Generally speaking, there are four weak points for data loss that should be considered.
Many examples of data leaks are caused by accidental or improper configuration and deployment of systems and documents. Glaring examples can be found using simple tools such as the Google search engine and FOCA.
No, this is not the Freedom of Choice Act! FOCA is an open source data mining tool that searches for hidden metadata in documents indexed by Google and other search engines. FOCA can extract this hidden data, which often contains sensitive information about organizations such as user names, internal host names and file paths.
A notable example of how this hidden data can be used was demonstrated several years ago. The writer of the Melissa virus/worm, David L. Smith, was identified and convicted based on the details captured from a Word document's metadata. Failure to properly scrub metadata from documents published on external-facing websites remains a significant source of data leakage.
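As an added illustration (not part of the original article or of FOCA itself), the script below reads the core properties a metadata crawler would harvest from a .docx and blanks the identifying ones before the document is published; the sample archive, its field values and the SENSITIVE list are constructed for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used in docProps/core.xml, the metadata part inside a .docx archive.
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/"}
URI_TO_PREFIX = {u: p for p, u in NS.items()}
# Core properties that usually name a person, account or workstation (example list).
SENSITIVE = {"dc:creator", "cp:lastModifiedBy", "dc:description", "cp:keywords"}

# Constructed sample core.xml with hypothetical values, in the shape Word writes.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">
<dc:title>Quarterly Report</dc:title>
<dc:creator>jdoe</dc:creator>
<cp:lastModifiedBy>jdoe (FINANCE-WS01)</cp:lastModifiedBy>
</cp:coreProperties>""" % (NS["cp"], NS["dc"])

def _key(el: ET.Element) -> str:
    uri, _, local = el.tag[1:].partition("}")  # ElementTree tags look like "{uri}local"
    return f"{URI_TO_PREFIX.get(uri, '?')}:{local}"

def build_sample_docx() -> bytes:
    """A minimal .docx (a zip archive) carrying the sample metadata; the body is omitted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()

def read_core_properties(docx: bytes) -> dict:
    """Every populated core property as {'prefix:local': text}, as a crawler would see it."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {_key(el): el.text for el in root if el.text}

def scrub_metadata(docx: bytes) -> bytes:
    """Blank the identifying fields and rewrite the archive; all other parts are copied as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == "docProps/core.xml":
                root = ET.fromstring(data)
                for el in root:
                    if _key(el) in SENSITIVE:
                        el.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(name, data)
    return out.getvalue()
```

Running read_core_properties over a directory of files before they reach a public web server gives a cheap pre-publication check; docProps/app.xml (application and company fields) deserves the same treatment in a real deployment.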
Improper Access Control
Another leading cause for data leakage is simply poor administration around the provisioning and revocation of access. Unfortunately, this often boils down to laziness of managers and administrators. Many of us have seen firsthand how people moving around within an organization acquire more and more access from each position they hold.
This phenomenon is affectionately known as "access creep" and often leads to the ability for a single individual to wield significantly more control over systems, logs, and data than is appropriate.
Social engineering and other forms of end user attacks continue to be one of the biggest vectors for system compromise and data loss. While security tools and techniques have matured and have become more effective in identifying attacks, there is still one chink in the armor: people!
It is much less risky for a would-be saboteur to attack the end users than hardened systems. There are many different types of social engineering attacks, and numerous books and articles have been written on the subject, including some excellent ones on InformIT.
Whether it is a phone call, a phishing email, or a complex attack using pretexting and hardware such as a Teensy device, the end result is often the same. People can be manipulated and will frequently give up valuable information.
Insiders with intent to leak or sell data are by far the most devastating to organizations. These individuals are also the most likely to be successful in exfiltrating data.
Insiders typically already have access, are trusted, and have intimate operational knowledge of an organization. These factors make insider threats extremely difficult to detect and identify. Often insiders make use of a combination of administrative error, improper access control, and social engineering to achieve their objectives.