
Infocon Magazine Issue One,
October 2003
Corporate
Open Source Intelligence on the Internet
Raphael Rues
Abstract Not every corporation
is aware of the fact that sensitive information about its activities
can easily be found on the Internet. Or that
this information can represent a major threat and could possibly
be used for open source intelligence by providing quick profiles
of the enterprise (footprinting). Hence a major indirect insider
threat to corporate information is online user activity. For example
employee online shopping habits can provide intelligence agents
with specific information that can later be leveraged to obtain
confidential or proprietary corporate information. The publicized
example of Amazon.com's "Purchase Circles" tracks purchases
and other metrics about some of the most influential European enterprises.
Even Usenet groups are a common source of online vulnerability.
If IT employees from a given enterprise are frequently posting
technical problems in Usenet groups, a particular query can be
used to collect this information and analyze it to reveal the technical
flaws in the enterprise´s infrastructure, possibly even uncovering
confidential information. It is a proven fact that server and firewall
configurations of top enterprises are readily available in Usenet.
The author has extensively analyzed this particular kind of corporate
open source intelligence threat. The analysis of various European
and global companies
has been based on the case study methodology and directed toward the creation
of a prototype of a self assessment model. The goal of such an approach was
to study the feasability of building a measurement tool with multidisciplinary
applications, from internal auditing up to classical information security and
awareness. Creating such an approach would allow an enterprise to measure the
amount of open source intelligence available about the enterprise on the Internet.
By using a series of specific indicators, modelled around security benchmarks,
and using particular boolean operators and search techniques, the authors have
created a model of assessing the relevance of the sensitive information available
on the Internet. The various indicators are then ranked by their degree of
sensitivity. This metric is then used to build a risk class, for which it is
possible to confront the overall threat grade. The presented prototype contains
organizational (policy and awareness) as well as technical measures to reduce
the corporate “open source intelligence” risks. For the publication
several anonymized screenshots will be used to better demonstrate the current
state of such threats.
It is the author´s goal to introduce this particular prototype, and possibly
to initiate a discussion on the possibility of a national independent benchmark
authority that would assess the corporate level of transparency. Such an isomorphic
approach would allow the creation of best practices for protecting and restricting
access to corporate open source information.
Corporate
Open Source Intelligence on the Internet Paper
IWS welcomes suggestions
regarding site content and usability. Please use our contact
form to submit your comments.
Last
modified:
30 December, 2007
by Wanja Eric Naef
IWS Copyright © 2000 - 2008
|