11.1. Understanding the Sources of Information Exposure
One of the biggest security headaches an organization can face is trying to control the flow of information. Information is power and in the wrong hands can be used in an attack. An organization should seek to minimize the exposure of information and the impact that accidental exposure will have. The first thing an attacker does after identifying a target is research. This research mainly involves open and public sources of information (remember that 90% of information is publicly available). In the era of the Internet, it is possible to build a relatively complete profile of a victim without leaving the house. If you are trying to protect your company or organization, put yourself in the mind of a corporate spy: What information would be useful to you? Where would you look for it?
I've discussed a lot of this from the perspective of the attacker but, as far as security goes, the weak link in any chain is always people. Most people have no concept of security, usually because they don't appreciate the nature of risk or that risk even exists. Consequently, when you broach the subject and challenge an employee's lack of security awareness or violation of security policy, his or her reaction is usually one of baffled incomprehension or indignation. Although a company has a degree of control over the information it leaks about itself, it has very little control over what staff members choose to leak about themselves and, as I ...
Get Unauthorised Access: Physical Penetration Testing For IT Security Teams now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.