Leak Hunters

[InfoSec News <alerts () infosecnews org>]

http://www.darkreading.com/document.asp?doc_id=118872

By Tim Wilson
Site Editor
Dark Reading
MARCH 6, 2007 

Would you know if one of your employees was giving away insider 
information in a Web chat room? Would you know if a phisher was using 
your company's email template to fake messages to customers? Or if a 
competitor or reseller was misusing your company's brand to further 
their business?

If you're like most companies, you probably answered "no" to all three 
questions. True, all three of these are activities that take place on 
the public Internet. But who has time to track all of that Web activity?

Increasingly, the answer is cyberintelligence companies.

For a fee, enterprises can now hire a third-party service provider to do 
all of the legwork required to investigate the use -- or abuse -- of 
company information on the Internet. Collecting this sort of data, 
sometimes called "open source intelligence," can help organizations 
understand how their data is being used on the Web -- and nip potential 
security risks in the bud.

"One of the problems with leak prevention is that you don't know what 
you don't know," said Terry Gudaitis, director of open source 
intelligence at SAIC, in a presentation at last week's "Defending 
Against Insider Threats" conference in Arlington, Va. "And you don't 
always have the resources to find out."

Companies such as SAIC, NetFrameworks, and Cyveillance maintain staffs 
of researchers trained to find potential security problems by surfing 
the Web. Some of them focus on tracking the activity of specific 
individuals, such as employees or prospective hires, while others orient 
their efforts toward finding any misuse of a company's name or 
information, including phishing sites or fraudulent endorsements.

The idea isn't a new one. Way back before there were computers, large 
organizations and military units collected open source intelligence by 
monitoring radio and local newspapers to help identify potential 
security leaks or improper publication of confidential data.

With the emergence of the Web, however, there are many more outlets for 
security leaks, because individuals can publish directly to the Web 
without a middleman. Less than two years ago, the CIA opened the Open 
Source Center, where government staffers do data collection and analysis 
of blogs worldwide.

"A lot of blogs now have become very big on the Internet," noted OSC 
Director Douglas Naquin in an interview with The Washington Times. "Were 
getting a lot of rich information on blogs that are telling us a lot 
about social perspectives, and everything from what the general feeling 
is to... people putting information on there that doesnt exist anywhere 
else."

SAIC, which offers similar services for large corporations, spends a 
good deal of time monitoring blogs and chat rooms for misuse of 
corporate information, Gudaitis says.

"A lot of what we find is completely unintentional," Gudaitis says. For 
example, teenagers with their own blogs sometimes discuss what they've 
heard from their parents at the dinner table, and unknowingly give away 
confidential information. IT people sometimes reveal confidential 
information while seeking technical assistance on bulletin boards or 
technology chat rooms. Some employees discuss their activities on social 
networking sites, not realizing they could be violating company security 
policies.

No matter what their initial intent, though, such leaks can cause 
companies to expose themselves to attacks, or even run afoul of 
government regulations.

"One of the things we can do is find out about the blogging habits of a 
prospective employee as part of a background check," says Gudaitis. "If 
a person is giving away information about their company in a blog today, 
they might not be someone you want to hire tomorrow."

Monitoring blogs can also help warn companies when an employee is about 
to go over the edge, Gudaitis observes. In one memorable case, SAIC 
found the following blog written by an employee about its employer: "I 
don't want to live, and those bastards shouldn't, either. I don't know 
whether it would be beter [sic] to blow my brains out in front of them, 
or take them with me -- Friday is good, will trash their fairy 
weekends." The employee was subsequently approached, and went 
voluntarily to a treatment facility for depression.

While this type of online research could be valuable to a company's 
security, though, some experts wonder whether it oversteps the bounds of 
privacy. "Should somebody in their 30s have to answer for a blog they 
wrote when they were in their teens?" wondered Brian Contos, CTO of 
ArcSight and author of Enemy at the Water Cooler. "It's something to 
think about."

Outside the company, the uses of open source intelligence are less 
murky. Companies can use the services to find out whether partners, 
competitors, or phishers are using their data or trademarks illegally, 
and how that activity might be affecting their brands. "That's 
information that can help you not only from a security perspective, but 
from a marketing perspective," Gudaitis says.

It's also information that doesn't come cheap. Open source intelligence 
services can be expensive, costing in the tens of thousands or hundreds 
of thousands of dollars, depending on the depth of research and 
information the client requires. SAIC's open source intelligence 
customers so far are generally in the Fortune 50, Gudaitis says.


_________________________________________
Visit the InfoSec News Security Bookstore
http://www.shopinfosecnews.org