Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Wednesday, October 17, 2007

Making a case for the “Identity Leak” Service …

A recent article by Tom Bowers, called “Smart security testing on the cheap”, makes a few good points:

“Most executives in a company are focused on building on the company's strengths. The chief information security officer, however, must look through a different lens. The job of the security chief is to measure the risks to the business, and then to work to reduce them. That means focusing on weaknesses, namely on weaknesses in the company's networks, systems, and business processes. It's a big job that requires a comprehensive plan, strong skills, and a good set of tools.

The time and skills necessary for effective security assessment will never be free, but a terrific plan and excellent tools are readily available at no cost, courtesy of the open source community. I'm a big believer in tapping open source solutions whenever possible, but there is a catch. Open source is free in cost, but not free in time. Be prepared to spend time learning how to use open source tools and techniques properly. …”

Now, have a look at the “Google Hacking Database” that the article mentions. The key point Tom makes here is that similar techniques could be used to “find privacy data of your employees that may have leaked to the Internet from your network”. This is actually important.

Given an enterprise, which confidential information has been disclosed or leaked (and for which reasons) on the web? Which (personal or business) information about people (in their roles as employees and as private individuals) has been disclosed that could be used for cross-correlations and inferences about the enterprise's business or about individuals?

In the context of current discussions about “Identity Providers”, it might also make sense to think about “Identity Leak” Services (or, if you prefer, more generally, “Information Leak” Services) … providing (on payment?) consolidated information about leaked data (for a user, an organisation, in a specific area/context) AND potential predictions about risks and threats for the involved entities.

Something to think about …
