Information Leakage: Detection and Countermeasures

Phil Venables, Goldman Sachs

Introduction

Scope of Illegitimate Use of Legitimate Authority in the Context of Leakage

Leakage Channels Overview

Physical Channels

Good, Old-Fashioned Ways

Office Equipment

Media

Voice and Video Communications

Cell Phones, Cameras, Music Players, and PDAs

Classic Spy Equipment

Emanations

Media and Equipment Disposal

Laptops and Corporate PDAs

Electronic Channels

Messaging Systems

Communications Equipment

The Web

Indirect Inferential Disclosure

Social Networking and Contact Management Sites

Web Publishing, Blogs, and Bulletin Boards

Remote Control, Anonymizers, and Tunneled Protocols

Credential Sharing

Malware

Phishing

Human Channels

Word of Mouth

Use of Communications Technology in Public Places

Personal Relationships

Social Engineering

Misdirection of Communications

Use of Public Facilities

Countermeasures

Detection

Protection and Prevention

Correction

Conclusions

Glossary

Cross References

References

Further Reading

INTRODUCTION

Although information leakage can be the result of failings of security controls such as encryption and access control, in this context we use it specifically to mean the result of illegitimate use of legitimate authority over information, specifically, to obtain information in a legitimate way but subsequently use it in a way not intended by the granted access or organizational policies. For example, an employee leaving the company and taking his client list in electronic ...