Cyber Security Institute

Monday, December 03, 2007

Study Reveals Overlooked Sources of Leaks

There are a whole lot of ways for sensitive information to leak from your organization, and most of them wouldn’t be prevented by data leak prevention tools, according to a new report issued today.  In a detailed study of 887 leak incidents, the Information Security Forum—an international, non-profit consortium of security-focused enterprises and vendors—found that many leaks are caused accidentally, often through non-technical means.  “Think about how often you hold the door open for a stranger carrying something heavy, or what you can overhear in a conversation on an airplane,” says Simone Seth, senior research analyst at ISF.  “That’s the sort of thing we found over and over again in the study.”  While there have been many studies recently on insider attacks, most of them focus primarily on online leaks, without taking into account the “old” sources of leaks that have been around for years, she observes.

Lost laptops, emails sent to the wrong address, sensitive documents left on photocopiers, employees walking out of the building with confidential papers or storage media—these are not new sources of leaks, but they remain the most common, the study finds.  “Most of these are accidental, not malicious,” Seth says.

Some employees repeat sensitive information on social networking sites such as MySpace or Facebook, while others may be overheard in a restaurant or on an airplane.  An employee might be shoulder-surfed at a coffee shop or on a train, or lose an unencrypted storage device in a public place, the study observes.

The study also found some methods of leakage that may not be anticipated, such as “print screen” capabilities or photographing of screens on mobile devices.  “I know it’s a tired phrase, but we’re talking about human behavior here, and the only way to correct the problem is to correct the behavior.”

Posted on 12/03