Most organisations are aware of the need to stop obviously confidential information from being leaked by staff, but few have policies in place to control "gateway data" and information equivalency threats. However, those less-discussed sources of information can be just as damaging to your organisation.
Herbert "Hugh" Thompson, chief security strategist for People Security, argues that while companies have recognised the threat which social networking sites such as Twitter pose when obviously confidential information is shared, they have yet to realise the more subtle ways in which online information can be mined.
"We're in a really weird period," Thompson told attendees at RSA Conference Europe in London. "We've seen social networking sites become so popular, and people are posting indiscriminately. They're putting really weird info out there."
"There hasn't been a commensurate education on what information we should share. Bad guys are going to be able to use that data at some point."
Thompson outlined the concept of "gateway" data: information that in itself seems relatively benign, but which can be used to deduce or access more sensitive information. He identifies three common categories: direct use gateway data, amplification data, and collective intelligence data. "It's data that seems harmless but when used properly can facilitate access to highly sensitive information," Thompson said.
"We really need to look beyond traditional personally identifiable information and things that are currently protected, and look to information that is equivalent to other information," Thompson said. "Information equivalency is going to be a huge issue going forward. We need to make sure this information isn't just low hanging fruit waiting for an attacker to pluck it off the tree."
Direct use data is information which is disclosed publicly and can be used to access other services, the classic example being the answers to password reset questions such as your mother's maiden name or first school. As well as being accessible via social networking sites, it can often be found in other sources of personal information online. "Old resumes are a wealth of information for this kind of attack," Thompson said.
Even the security-aware aren't immune from attackers seeking to exploit this information. "Even if your data hygiene is pretty good, you might be collaterally exposed by other people," Thompson said. "The new kind of insider threat is the person that is very chatty online."
Amplification data is used to give a dubious service a false air of legitimacy. "This is data that when bounced off a human gives credibility to a user," Thompson said. For instance, many people are used to seeing account numbers masked down to their final four digits. Scammers may instead quote the first four digits, which (for payment cards) identify the issuer rather than the individual account and are shared by large numbers of cards, yet still convince many people that a service is genuine. "This is like a pseudo-personalisation of an attack."
"We're seeing a huge maturity in the credibility infrastructure that attackers build," Thompson noted. One area of growth is in fake corporate sites designed to lend credibility to scam job offers. "Think about the time invested in creating a completely fictionalised, totally fleshed out web site, and the only reason is for that job vacancies page and that one fictitious open job. We're going to see a new wave of attacks that use some personalisation coupled with a credibility infrastructure."
The largest category of gateway data, information gleaned from "collective intelligence", is the "scariest by far", Thompson suggested. "This is information that's revealed in very small chunks from individuals about, usually, a company."
Such disclosure is rarely malicious or ill-intentioned. "Most people are reasonably prudent in not disclosing really huge things, and those [that do] tend to be lower down the food chain. What's becoming increasingly interesting is telegraphed information -- information that was revealed very subtly."
A prominent example is location-based information. Thompson used the example of someone posting the information that they were making a business trip to Bentonville -- information that seems benign unless you know that the town's only claim to fame is as the headquarters for retailing giant Wal-Mart. Even if people remember not to disclose that detail, automated geotagging services could trip them up, Thompson pointed out.
Another rich source of information is the shifting pattern of relationships and activity on LinkedIn, the most prominent professional social networking site. Somebody who suddenly writes a large number of recommendations for others may be hoping to collect recommendations in return, suggesting that they plan to leave their current post. If many people from two previously unconnected companies start linking to one another, that may point to an impending merger.
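The merger inference above is a simple rate-change detection on a social graph. The following Python script, added here as an illustration and not part of the article or Thompson's talk, runs that inference over a constructed set of link-formation events: it counts new links per day between employees of two companies and flags a window in which the cross-company rate rises far above its baseline. The company names, the event format and the thresholds are all assumptions made for the example.

```python
"""Flag a surge in cross-company connections between two organisations.

Each event is (day, company_of_person_a, company_of_person_b) for one newly
formed professional-network link. The data below is constructed for this
example; it is not real LinkedIn data.
"""
from collections import Counter
from statistics import mean, pstdev


def build_sample_events():
    """Constructed sample: 30 days of link events between 'Acme' and 'Globex'.

    Days 1-24 carry a low background rate of cross-company links (one every
    four days) plus unrelated noise; days 25-30 carry a burst of six per day.
    """
    events = []
    for day in range(1, 25):
        if day % 4 == 0:
            events.append((day, "Acme", "Globex"))
        events.append((day, "Acme", "Acme"))        # intra-company noise
        events.append((day, "Globex", "Initech"))   # links to a third party
    for day in range(25, 31):
        for _ in range(6):
            events.append((day, "Globex", "Acme"))  # direction is irrelevant
    return events


def daily_cross_links(events, company_a, company_b):
    """Count, per day, the links joining someone at company_a to someone at company_b."""
    counts = Counter()
    target = {company_a, company_b}
    for day, ca, cb in events:
        if {ca, cb} == target:
            counts[day] += 1
    return counts


def flag_surge(daily, baseline_days, window_days, z_threshold=3.0, min_sigma=0.5):
    """Return (flagged, z) where z is how many baseline standard deviations the
    window's mean daily rate sits above the baseline mean.

    min_sigma floors the standard deviation so that a near-constant baseline
    (e.g. almost all zeros) does not make every small change look anomalous.
    """
    baseline = [daily.get(d, 0) for d in baseline_days]
    window = [daily.get(d, 0) for d in window_days]
    mu = mean(baseline)
    sigma = max(pstdev(baseline), min_sigma)
    z = (mean(window) - mu) / sigma
    return z >= z_threshold, z


def analyse_sample():
    """Run the detection over the constructed events and return (flagged, z)."""
    daily = daily_cross_links(build_sample_events(), "Acme", "Globex")
    return flag_surge(daily, range(1, 25), range(25, 31))


if __name__ == "__main__":
    flagged, z = analyse_sample()
    print(f"cross-company link surge flagged={flagged} z={z:.1f}")
```

The same function applied to a quiet window (for example days 13 to 18 of the constructed data) returns no flag, which is the behaviour you want: the signal is the change in rate, not the existence of cross-company links, since some employees of any two firms will always know each other.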
