Information Security News mailing list archives

Get smart about intelligence


From: InfoSec News <isn () c4i org>
Date: Tue, 1 Jul 2003 06:11:12 -0500 (CDT)

http://www.nwfusion.com/news/2003/0630schwartau.html

By Winn Schwartau
Network World
06/30/03

Recently a reporter called the Pentagon's public affairs office and
asked for the location and itinerary of certain aircraft carriers and
their battle groups. He was told that this information is classified
and not available to the media.

The reporter then went to Google, entered the name of the aircraft
carrier, found its home page and printed out the ship's entire
schedule for the next year. He also got all sorts of juicy information
about the captain, his military history and tons of tidbits on the
senior officers.

You might think that no company in its right mind openly would publish
on the Internet key data about its firm, staff, finances or technical
issues. But almost every major U.S. company does exactly that. This is
what open source intelligence is all about.

Traditionally, intelligence has been the domain of the CIA and foreign
national intelligence services. But today, Robert Steele, former CIA
case officer and now president of OSS, says his personal unclassified
contacts and information sources could do as well as, if not better
than, the combined resources of the intelligence community in a
comparative intelligence analysis.

Say I want to know secrets about your company. Maybe I'm a competitor;
maybe I'm a potential attacker. Either way, I'm going to employ
generally non-technical intelligence means from my desktop such as
Google, Securities and Exchange Commission databases such as Edgar,
and the American Registry for Internet Numbers, which provides a
convenient search function for registered domain owners. In a matter
of minutes, I can find an amazing array of information, including:

* Names, biographies and contact information (both work and home) for
  key executives.

* Information about the corporation's infrastructure and Internet
  connectivity.

* Lists of the corporation's service providers and major IT equipment
  suppliers.

* Testing and policy guides, personnel procedures, disaster-recovery
  services and methods of business continuity.

* User IDs of all staff on internal mail and groupware systems.

* Technical problems the company is experiencing (innocently divulged
  in chat rooms by engineers seeking help from peers).

Does your company want this sort of information available to everyone
on the Internet? Probably not. But what can you do about it?

First of all, you have to realize that open source information is
valuable to the bad guys and potentially harmful to you. The next step
is to perform an honest, in-depth assessment of your exposure to this
simple, yet highly effective, means of intelligence gathering.

Then you must make some tough policy decisions. What information on
your corporate home page, while nice for marketing and image, has the
potential to damage your firm if used by the wrong people? Can
technical staff use their work e-mail addresses when conducting
Internet research, or should they have aliases? How much Internet
travel should be done anonymously to hide any trails that could give
away valuable information to a competitor or adversary?

I have never been a supporter of security by obscurity. I believe
cryptographic source code and algorithms should be made fully public
for peer testing and acceptance. But I also believe in controlling the
release of information that can be used against me. Hanging clean or
dirty laundry on the Internet in the name of self-promotion is a sure
way to divulge too much information - unless clear-cut policy and
review procedures are in place.

Companies need to form procedures to control what corporate
information is released, how it is released and how it relates to all
other public information releases the company makes. The combined
results could show the company unintentionally is giving away the keys
to its own kingdom.



-
ISN is currently hosted by Attrition.org