My first post of interest is about the security perimeter. Where is it? What are we trying to secure? I have started listening to a new podcast from Exotic Liability which is just brilliant. They are straight to the point and very direct. In episode 13 Chris Nickerson brought up an interesting topic on the differences between the information perimeter and a perimeter.
Most people consider the perimeter in an organisation to be geographical, with a firewall etc., and everything outside that perimeter is considered bad and untrusted. However, as Chris points out, information is everywhere and as such needs to be the core of our security program. In this context you can't think of the perimeter as being geographical.
Many organisations post documents on the web and, more often than not, the associated metadata is not sanitised and could contain sensitive information. Attackers (I refuse to use the word hacker) can search for this information using tools such as FOCA and Maltego to target companies. Further, attackers can use tools such as MetaGooFil and libextractor to extract the metadata, which could contain user names, server names and other items related to the environment.
Is this information sensitive to the organisation, and could this be considered a perimeter? Perhaps you should consider reviewing your security strategy. A point to make here is that this information can be gathered passively, without sending a single packet through the perimeter, aka the firewall and router. Similarly, laptops could be considered a perimeter, as staff take them home or on the train etc., packed full of sensitive data.
Chris summarises it well: the security of information can be improved using the following simple steps:
- have a security strategy based on information creation,
- classification (how important is this document to the organisation),
- understand, based on classification, that certain levels cannot be placed on the internet or stored on local hard drives etc.
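A pre-publication check for the unsanitised metadata described above, as an added example that is not from the podcast or the original post. It reads the property parts of an Office Open XML file (docx/xlsx/pptx) and reports user names and internal host names that should be stripped before the document goes on the web; the function names and the sample document (user `jsmith`, domain `CORP`, server `fileserver01`) are constructed for illustration.

```python
import fnmatch
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
# Core-property fields in OOXML files (docx/xlsx/pptx) that carry user identities.
IDENTITY_FIELDS = {"dc:creator": "author", "cp:lastModifiedBy": "last modified by"}
# UNC paths such as \\server\share reveal internal host names.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9_.-]+)\\")

def audit_ooxml(data: bytes) -> list[str]:
    """Return metadata findings to strip before the document is published."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in fnmatch.filter(zf.namelist(), "docProps/*.xml"):
            raw = zf.read(name).decode("utf-8", "replace")
            if name == "docProps/core.xml":
                root = ET.fromstring(raw)
                for path, label in IDENTITY_FIELDS.items():
                    text = (root.findtext(path, "", NS) or "").strip()
                    if text:
                        findings.append(f"{label}: {text}")
            # Any property part may embed a template or link path on a file server.
            for host in sorted(set(UNC_RE.findall(raw))):
                findings.append(f"internal host in {name}: {host}")
    return findings

def build_sample() -> bytes:
    """Constructed sample document; the user and server names are made up."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        "<dc:creator>jsmith</dc:creator>"
        "<cp:lastModifiedBy>CORP\\adoe</cp:lastModifiedBy></cp:coreProperties>"
    )
    app = "<Properties><Template>\\\\fileserver01\\templates\\Report.dotx</Template></Properties>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_ooxml(build_sample()):
        print("strip before publishing:", finding)
```

An empty result means the property parts carry no author names or UNC paths; it does not cover metadata held elsewhere in the file, such as tracked changes or comments.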
Other related items of interest:
- Tech Segment: Metagoofil: Google, Document Metadata and You
- The NIST Guide for Mapping Types of Information and Information Systems to Security Categories - SP800-60_Vol1 & SP800-60_Vol2
- Security in the New Zealand Government Sector - Information Classification
- A good presentation by Brian Markham, CISA titled Data Classification and Privacy: A foundation for compliance
Comments welcome.