Gathering data and its security implications

At the RSA Conference Europe Advisory Board roundtable in London, new board members and experts Dr. Herbert Thompson and John Madelin, Verizon Business, headed a stimulating discussion related to the role of the different types of data in the context of information security.

Although great efforts are made to secure structured data like social security or credit card numbers, little has been done to take control of the massive amount of unstructured online information.

As new technologies proliferate, the line between private and public data is becoming very blurry. When you look at the volume of data that’s being generated online on popular services such as Twitter, Facebook or LinkedIn, there’s a ton of unclassified data, and some of it is of a sensitive nature. The real problem is that when it comes to new technologies, people are usually taught how to use them and how they can make their lives better, but at the same time, they are not warned about the dangers.

There’s been a lot of talk about insider threats in the past year, and one of the aspects that it’s usually left out of the conversation is the fact that the most significant problem is not the malicious employee – but the careless one. By not considering the way he treats the data and by constantly making non-intuitive and overall bad decisions, this person can misplace a USB stick on the subway or leave a laptop in a taxi. This kind of information loss doesn’t have to be devastating if the data is encrypted, but some kind of data will still be exposed. By acquiring a large amount of scattered data, an attacker can draw some valuable conclusions about his target.

Details about you (available on the Internet) can be used to influence various parts of your life. HR managers routinely check social networking profiles and use search engines to perform in-depth queries about people they consider hiring. This means that while you may be a well-adjusted person and qualified for the job, you might still be judged by what you do in your private life. The problem with data of this type is that it’s easily taken out of context.

In a business to business context, data leakages are another towering problem that can be used by your competitor. It’s definitely not company policy, but employees could basically “stalk” the workforce of the rival company for broadcasted data. Would they get an advantage? Definitely, it just depends on how much data they’re able to acquire.

The questions you have to ask yourself is: “How do you share valuable data that’s not going to be useful to the bad guys?”

Data has value only when it’s being used and to help you find data you can use, there are some very clever information gathering tools:

• Maltego – an open source intelligence and forensics application
• Exomind – an experimental Python console and programmatic framework for building decorated graphs and developing open-source intelligence modules and ideas, centered on social network services, search engines and instant messaging.