Have you ever wondered how confidential or personal information leaks out, or how it ends up in the wrong hands? The answers range from simple methods to advanced ones. For someone who is not involved in cyber security, the first step to understanding the overall picture is to know what a data breach is and where data flows.
A data breach is an incident in which information is stolen or taken from a system without the knowledge or authorization of the system's owner. It can cause a small company or a large organization to suffer great loss. Stolen data may involve sensitive, proprietary or confidential information, such as credit card numbers, customer data or trade secrets.
There are many ways data can leak out of an organization. Information "lives and flows" in three buckets or containers: in digital form, in hard copy (paper) and in conversation. Information constantly flows between these containers, usually resting in more than one of them at any given moment, and most organizations have no map or landscape that lays them all out. Data leaks fall into two classes: internal leakage and leakage caused by external threats. In total, 19 ways are listed below.
Instant Messaging (Peer to Peer)
- Many organizations allow employees to use instant messaging from the workplace, including products such as Skype, Google Talk and peer-to-peer (P2P) networks. These programs can act as file sharing networks that let users share confidential documents, inadvertently or otherwise, with external users.
Email
- Email is another route for simple data leakage, because traditional email clients such as Microsoft Outlook are widespread within organizations. Internal users can be tricked into emailing confidential documents, or can send them as attachments to an unauthorized individual through oversight or a poor business process.
Web Mail
- Web mail runs over HTTP/HTTPS, which an organization's firewall may allow through uninspected. Because the connection is initiated by an internal user, an individual can leak confidential data either as an attachment or in the message body, and if the HTTPS session is not decrypted at a proxy, the content passes the perimeter unseen.
Web Logs / Wikis
- Web logs (blogs) and wikis are collaborative websites where anyone can write their thoughts, comments and opinions and edit pages on a particular subject. These sites could be used to release confidential information simply by entering it into a post. However, they are perhaps a less likely medium for leaking confidential information, because the posts are public and the author can most likely be tracked.
Hiding in SSL
- Another way to leak sensitive data is through an SSL connection. Users may try to obscure data by using a public proxy service over SSL: they open the proxy service in a browser, type in the URL of the destination site, and the entire session is then encrypted, so the firewall cannot inspect its content. The firewall still sees the connection to the proxy host itself, which is the basis for detecting this channel.
Malicious Web pages
- Visiting a compromised or malicious site exposes a user's computer to a great risk of malware infection. A web page containing malicious code can exploit a vulnerability in the OS or browser. The malware could take the form of a Trojan, a key logger and so on. Users might download a key logger or backdoor, thus providing the attacker with full access to the user's computer.
Data theft by intruders
- There have been numerous stories about the theft of credit card information and other electronic break-ins into organizations by intruders. This event is of particular concern because stolen records such as resumes contain a significant amount of information about individuals, including their personal details and even details of third parties. A thief could use believable phishing attacks or social engineering to obtain this sensitive data.
Malware
- Malware can evade inbound gateway protection and desktop anti-virus, then initiate outbound communications, sending out files which may contain sensitive data. Malware can be categorized as viruses, worms, Trojan horses, spyware, key loggers, etc. It allows an attacker to remotely access the computer and perform operations such as capturing potentially sensitive information or corrupting files on the target machine.
SQL Injection
- SQL injection is a code injection technique that can be used in a range of ways to cause serious problems. Using SQL injection, an attacker could bypass authentication and access, modify or delete data within a database. The attack often starts by entering a single quote in an input field submitted in a POST request: if the application builds its query by concatenating that input, the quote breaks the SQL syntax and the resulting error confirms the injection point. Trial and error by the attacker could then reveal table names, field names and other information, allowing the attacker to construct a query through the POST element that yields sensitive data.
Phishing
- Phishing is a form of fraud in which the attacker tries to obtain information such as login credentials or account details by masquerading as a reputable entity or person in email. Typically the victim receives a message that appears to have been sent by a known person or organization. An attachment or link may install malware on the user's device or direct them to a malicious website, causing them to lose sensitive information. Phishing is popular with cybercriminals because it is far easier to trick someone into clicking a malicious link in a seemingly legitimate email than to break through a computer's defenses.
Dumpster Diving
- Organizations that do not take appropriate care in destroying hard-copy information run the risk of confidential data being recovered by dumpster diving. Instead of having a document destroyed securely, an individual may throw confidential information into the rubbish, where an attacker can find it.
Physical Theft
- Many organizations underestimate the importance of keeping their offices and equipment physically secure. They often lack a clear policy describing what measures to take to protect computers and backup storage devices from theft. As a result, poor physical security at an organization's premises, or poor security practice by individuals, creates the possibility of physical theft. Theft of laptops, computer systems, backup tapes and other media poses a risk of data leakage for organizations.
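Worked example of the sequence just described (probe with a single quote, bypass the login, pull rows from another table) together with the parameterized form that closes the hole. This is an added example, not code from the original article; the schema, sample rows, payloads and function names are constructed for illustration, and SQLite is used so it runs offline.

```python
"""SQL injection against a login form, and the parameterized fix.

Added example, not code from the original article. The schema, the sample
rows and the function names below are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a users table and a second, more
    sensitive table that the login form was never meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE cards (id INTEGER PRIMARY KEY, owner TEXT, number TEXT);
        INSERT INTO users (username, password)
            VALUES ('alice', 'c0rrect-h0rse'), ('bob', 'hunter2');
        INSERT INTO cards (owner, number)
            VALUES ('alice', '4111111111111111'), ('bob', '5500000000000004');
    """)
    return conn


def login_vulnerable(conn, username: str, password: str):
    # Builds the statement by string concatenation: attacker input becomes SQL.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username: str, password: str):
    # Bound parameters: the driver passes the values separately, never as SQL text,
    # so a quote in the input is just a character in a string comparison.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def probe_for_injection(conn, login) -> bool:
    """Step 1 from the text: a lone single quote breaks the query syntax when
    it is concatenated, and the database error confirms the injection point."""
    try:
        login(conn, "'", "x")
    except sqlite3.DatabaseError:
        return True
    return False


# Step 2: the quote closes the string, OR makes the WHERE clause always true,
# and the comment marker discards the password check.
BYPASS = "' OR '1'='1' --"
# Step 3: once the attacker has guessed the table name, a UNION appends rows
# from it to the result the login form returns.
DUMP_CARDS = "' UNION SELECT number FROM cards --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login injectable:", probe_for_injection(db, login_vulnerable))
    print("bypass returns:", login_vulnerable(db, BYPASS, "x"))
    print("union returns:", login_vulnerable(db, DUMP_CARDS, "x"))
    print("safe login with same payload:", login_safe(db, BYPASS, "x"))
```

The probe is the step most scanners automate: a quote that produces a database error (rather than a generic "invalid login") tells the attacker the input reaches the query as text. The parameterized version returns nothing for the same payloads because `?` placeholders are never parsed as SQL.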
Removable Media / Storage
- Theft or loss of a data storage medium such as a USB memory key or external hard drive made up nearly 54 percent of all identity theft-related data leaks. Because of their size, USB keys are very easy to lose. Even when the data was copied to the key legitimately, the risk of the key being lost and ending up with a third party still exists.
File Transfer Protocol (FTP)
- FTP represents another way for a user to leak information. It is straightforward to install and configure a basic FTP server outside the organization; the individual then merely has to install a publicly available FTP client and upload the file. The protocol's shortcomings stem from both its design, which carries credentials and data in clear text, and evolving business requirements.
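The channels described under "Hiding in SSL" and "Web Mail" above and under FTP here leave different traces at the perimeter: a proxy or web mail session is encrypted, but its destination host is still visible in the CONNECT request and the volume sent is still counted, while an FTP upload is plain TCP to port 21 (or 990 for FTPS). The following is an added example, not code from the original article, that runs those three checks over constructed firewall log lines; the log format, host names, addresses, the known-proxy list, the upload allowlist and the size threshold are all assumptions.

```python
"""Egress review over firewall/proxy log lines.

Added example, not from the original article. The log format, host names,
addresses, lists and thresholds below are all constructed for illustration.
Fields: timestamp src_ip dst_host dst_port method action bytes_out
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample: outbound traffic from two internal workstations.
SAMPLE_LOG = """\
2024-03-04T09:12:01 10.1.2.33 mail.corp.example 443 CONNECT ALLOW 2048
2024-03-04T09:13:10 10.1.2.33 web-proxy.anonymizer.test 443 CONNECT ALLOW 5242880
2024-03-04T09:15:44 10.1.2.57 203.0.113.9 21 TCP ALLOW 10485760
2024-03-04T09:16:02 10.1.2.57 files.corp.example 445 TCP ALLOW 300000
2024-03-04T09:20:30 10.1.2.33 updates.vendor.example 443 CONNECT ALLOW 900
2024-03-04T09:22:15 10.1.2.57 198.51.100.77 443 CONNECT ALLOW 7340032
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Hypothetical list of public web-proxy / anonymizer services.
KNOWN_PUBLIC_PROXIES = {"web-proxy.anonymizer.test"}
# Hypothetical destinations where large TLS uploads are expected (mail, file sync).
UPLOAD_ALLOWLIST = {"mail.corp.example", "files.corp.example"}
FTP_PORTS = {21, 990}
LARGE_UPLOAD_BYTES = 5 * 1024 * 1024


@dataclass
class Finding:
    rule: str
    src_ip: str
    dst_host: str
    bytes_out: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def review_log(text: str) -> List[Finding]:
    """Apply the three egress rules to every allowed outbound line."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, host, port, method, action, bytes_out = line.split()
        port, bytes_out = int(port), int(bytes_out)
        if action != "ALLOW" or not is_internal(src):
            continue
        # Rule 1: the proxy session is encrypted, but the CONNECT target is not.
        if host in KNOWN_PUBLIC_PROXIES:
            findings.append(Finding("public-proxy", src, host, bytes_out))
        # Rule 2: outbound FTP/FTPS from a workstation is rarely legitimate.
        if port in FTP_PORTS:
            findings.append(Finding("outbound-ftp", src, host, bytes_out))
        # Rule 3: a large TLS upload to an unexpected host (web mail, proxy, paste site).
        if (method == "CONNECT" and bytes_out >= LARGE_UPLOAD_BYTES
                and host not in UPLOAD_ALLOWLIST):
            findings.append(Finding("large-tls-upload", src, host, bytes_out))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.rule:18} {f.src_ip:12} -> {f.dst_host} ({f.bytes_out} bytes)")
```

Rule 3 is the one that catches web mail and proxy sessions without decrypting anything: byte counts and destination are metadata the firewall already has. Tune the threshold and allowlist per environment; the values here are only for the sample.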
Security Classification Errors
- Security models are intended to provide a framework that prevents classified and/or sensitive information from being sent to individuals (internally and externally) who lack the appropriate security clearance level. It is conceivable that an individual with Top Secret clearance may either intentionally or inadvertently send a Top Secret document to another individual who holds only "Classified" clearance.
Printing and Postal Mail
- If an individual wishes to provide a competitor with sensitive material, and the victim organization has already implemented electronic countermeasures, it is still possible for the individual to print out the data and walk out of the office with it in a briefcase. Or they can simply place it in an envelope and mail it, postage happily paid by the victim organization.
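An added example, not from the original article, of the check such a security model enforces before a document is released: a lattice dominance test in the Bell-LaPadula style, where the recipient's clearance must be at or above the document's level and must include every compartment the document carries. The level names (with "Classified" kept as the article uses it), the compartments, the recipients and the check_release function are constructed.

```python
"""Clearance check before a document is released to its recipients.

Added example, not from the original article. Levels, compartments, names and
the check_release function are constructed. A recipient may receive a document
only if their clearance dominates the document's label: level at least as high
AND a superset of the document's compartments.
"""
from typing import Dict, FrozenSet, List, NamedTuple

# Ordered lowest to highest; "Classified" is kept as the article names it.
LEVELS = {"Unclassified": 0, "Classified": 1, "Secret": 2, "Top Secret": 3}


class Label(NamedTuple):
    level: str
    compartments: FrozenSet[str] = frozenset()


def dominates(clearance: Label, label: Label) -> bool:
    """True when `clearance` is at or above `label` in the lattice."""
    return (LEVELS[clearance.level] >= LEVELS[label.level]
            and clearance.compartments >= label.compartments)


def check_release(doc: Label, recipients: Dict[str, Label]) -> List[str]:
    """Return the recipients who must be dropped before the document is sent."""
    return [name for name, cl in recipients.items() if not dominates(cl, doc)]


# Constructed sample: a Top Secret document in the CRYPTO compartment.
DOC = Label("Top Secret", frozenset({"CRYPTO"}))
RECIPIENTS = {
    "alice": Label("Top Secret", frozenset({"CRYPTO", "NUKE"})),  # dominates
    "bob": Label("Classified"),                                     # level too low
    "carol": Label("Top Secret"),                                   # right level, no compartment
    "dave": Label("Secret", frozenset({"CRYPTO"})),                 # compartment, level too low
}

if __name__ == "__main__":
    print("must be removed before sending:", check_release(DOC, RECIPIENTS))
```

The carol case is the one a level-only check misses: clearance is a partial order, not a single number, so a Top Secret holder without the compartment is still not cleared for the document.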
Inadequate Folder and File Protection
- If folders and files lack appropriate protection (via user and group privileges, etc.), it becomes easy for a user to copy data from, for example, a network drive to their local system. The user could then copy that file to removable media or send it out externally by the methods discussed above.
Photographs of Screens
- A determined individual may choose to take digital photos (or non-digital, for that matter) of their screen. A separate camera is not even needed nowadays: mobile phones today are likely to have a camera built in, perhaps with 2 megapixels or more. The photo can then be sent by email or mobile messaging directly from the phone.
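As an added example (not the article's code) of the check behind this paragraph: a small audit that walks a share and reports files whose permission bits exceed an owner/group baseline, the condition that lets any local user copy the data off. The tree it builds, the file names, the 0o640 baseline and the "public/" exemption are constructed; real shares also carry ACLs on top of mode bits, which this does not inspect.

```python
"""Audit a share for files readable or writable beyond their owner/group.

Added example, not from the original article. The directory layout, file names
and the 0o640 baseline are constructed; the tree is created in a temporary
directory so the audit runs offline against known permissions.
"""
import os
import pathlib
import shutil
import stat
import tempfile
from typing import List, Tuple

# Relative path -> mode. Constructed sample tree; nothing here is real data.
DEMO_TREE = {
    "hr/salaries.csv": 0o644,    # world-readable: any local user can copy it
    "hr/notes.txt": 0o600,       # owner only
    "eng/keys.pem": 0o666,       # world-writable private key material
    "public/readme.txt": 0o644,  # world-readable, but in a folder meant to be public
}


def build_demo_tree() -> str:
    """Create the sample files with the exact modes above; returns the root."""
    root = tempfile.mkdtemp(prefix="share-audit-")
    for rel, mode in DEMO_TREE.items():
        path = pathlib.Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample content\n")
        os.chmod(path, mode)
    return root


def audit(root: str, allowed: int = 0o640,
          public_prefixes: Tuple[str, ...] = ("public/",)) -> List[Tuple[str, str, str]]:
    """Return (relative path, mode, excess bits) for every regular file whose
    permission bits exceed `allowed`, skipping folders declared public."""
    findings: List[Tuple[str, str, str]] = []
    for path in sorted(pathlib.Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith(public_prefixes):
            continue
        mode = stat.S_IMODE(path.lstat().st_mode)
        excess = mode & ~allowed & 0o777   # bits granted beyond the baseline
        if excess:
            findings.append((rel, oct(mode), oct(excess)))
    return findings


def run_audit_demo() -> List[Tuple[str, str, str]]:
    """Build the sample tree, audit it, and clean up."""
    root = build_demo_tree()
    try:
        return audit(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, mode, excess in run_audit_demo():
        print(f"{rel}: mode {mode}, {excess} beyond baseline")
```

The excess mask is what to act on: 0o4 means "others may read", 0o26 means group and others may write. Run against a mounted share it tells you which folders the "copy to removable media" step would succeed from before anyone tries.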
Inadequate Database Security
- Poor SQL programming can leave an organization exposed to SQL injection attacks, or allow inappropriate information to be retrieved in legitimate database queries. Additionally, organizations should not grant broad database privileges, as this can lead to users accessing confidential information (either intentionally or inadvertently), and it turns any injection in one feature into access to every table the application account can reach.
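An added example, not code from the original article, of the second point: the same injection against a product search either dumps a card table or is refused, depending only on what the application's database account may read. The schema, rows, search function and payload are constructed. SQLite has no GRANT, so the read-only role is emulated with the sqlite3 authorizer hook, which vetoes each statement at prepare time; on a server database the equivalent is a role granted SELECT on the needed tables only.

```python
"""Least privilege at the database layer, on top of a still-vulnerable query.

Added example, not from the original article. The schema, rows and the
product-search function are constructed. SQLite has no GRANT; the same effect
is obtained with sqlite3's authorizer, which is consulted for every table read.
"""
import sqlite3
from typing import List, Set


def make_shop_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price TEXT);
        CREATE TABLE cards (id INTEGER PRIMARY KEY, holder TEXT, number TEXT);
        INSERT INTO products (name, price) VALUES ('widget', '9.99'), ('gadget', '19.99');
        INSERT INTO cards (holder, number) VALUES ('alice', '4111111111111111');
    """)
    return conn


def restrict_to_tables(conn: sqlite3.Connection, readable: Set[str]) -> None:
    """Emulate a read-only role that may SELECT only from `readable`."""
    def authorizer(action, arg1, arg2, db_name, trigger):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 in readable:
            return sqlite3.SQLITE_OK       # arg1 is the table, arg2 the column
        return sqlite3.SQLITE_DENY         # writes, DDL and reads of any other table
    conn.set_authorizer(authorizer)


def search_products(conn, term: str) -> List[str]:
    # Deliberately vulnerable: the search term is concatenated into the statement.
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql).fetchall()]


# Attacker input for the search box: appends the card numbers to the result set.
PAYLOAD = "' UNION SELECT number FROM cards --"


def exfiltrate(conn) -> List[str]:
    """What the injection yields, or ['DENIED'] when the database refuses it."""
    try:
        return search_products(conn, PAYLOAD)
    except sqlite3.DatabaseError:          # SQLITE_AUTH surfaces as DatabaseError
        return ["DENIED"]


if __name__ == "__main__":
    broad = make_shop_db()
    print("broad privileges:", exfiltrate(broad))
    narrow = make_shop_db()
    restrict_to_tables(narrow, {"products"})
    print("restricted role, normal search:", search_products(narrow, "wid"))
    print("restricted role, injection:", exfiltrate(narrow))
```

The search function is identical in both runs; only the account's reach changes. Fixing the query (bound parameters) is still mandatory, but a narrowly privileged account is what limits the damage from the injection nobody has found yet.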