Corporate Open Source Information Leakage

Not every corporation is aware of the fact that sensitive information about its activities can easily be found on the Internet. Or that this information can represent a major threat and could possibly be used for open source intelligence by providing quick profiles of the enterprise (footprinting). Hence a major indirect insider threat to corporate information is online user activity. For example employee online shopping habits can provide intelligence agents with specific information that can later be leveraged to obtain confidential or proprietary corporate information. The publicized example of Amazon.com's "Purchase Circles" tracks purchases and other metrics about some of the most influential European enterprises. Even Usenet groups are a common source of online vulnerability. If IT employees from a given enterprise are frequently posting technical problems in Usenet groups, a particular query can be used to collect this information and analyze it to reveal the technical flaws in the enterprise´s infrastructure, possibly even uncovering confidential information. It is a proven fact that server and firewall configurations of top enterprises are readily available in Usenet.

The author has extensively analyzed this particular kind of corporate open source intelligence threat. The analysis of various European and global companies has been based on the case study methodology and directed toward the creation of a prototype of a self assessment model. The goal of such an approach was to study the feasability of building a measurement tool with multidisciplinary applications, from internal auditing up to classical information security and awareness. Creating such an approach would allow an enterprise to measure the amount of open source intelligence available about the enterprise on the Internet. By using a series of specific indicators, modelled around security benchmarks, and using particular boolean operators and search techniques, the authors have created a model of assessing the relevance of the sensitive information available on the Internet. The various indicators are then ranked by their degree of sensitivity. This metric is then used to build a risk class, for which it is possible to confront the overall threat grade. The presented prototype contains organizational (policy and awareness) as well as technical measures to reduce the corporate “open source intelligence” risks. For the publication several anonymized screenshots will be used to better demonstrate the current state of such threats.

It is the author´s goal to introduce this particular prototype, and possibly to initiate a discussion on the possibility of a national independent benchmark authority that would assess the corporate level of transparency. Such an isomorphic approach would allow the creation of best practices for protecting and restricting access to corporate open source information.