Information theft is not always a planned and systematic process. Many people can become attackers should an opening present itself, for several motives, most frequently greed. To minimize such incidents, a company needs to be vigilant against "targets of opportunity" within its own premises.
By a military definition, a target of opportunity is a visible target within range of available weapons against which attack has not been scheduled or planned.
Similarly, by an information security definition, a target of opportunity is an unmonitored information carrier resource within grasp that has not been scheduled or planned for theft.
Under both definitions, an attacker might decide that the target is valuable enough to be taken, and perform an attack.
Information Targets of opportunity can take many forms:
- Unattended confidential documents left in an unmonitored environment (on the desk in an empty office, in the coffee room, on the network printer, on the photocopier...)
- Unattended information carriers (USB, CD-ROM, smart card, laptop) left in an unmonitored environment. These are stolen for any purpose, most simply because USB devices can be used or sold. Whatever is contained therein is additional value.
- Unlocked (and open) documentation cabinets in visitor accessible spaces. All it takes is for someone to reach in and grab a set of papers, for later review.
- Unattended key chains with keys to documentation cabinets - simply walking by and taking a key chain can go utterly unnoticed.
- Unattended laptops in public spaces (left in airport lounges, cafes, malls) - unmonitored laptops can easily be stolen, simply for the face value of a computer. Any information contained therein is additional value.
- Improper transport, or transport by unauthorized personnel, of systems from IT to the business or from the business to IT - systems left unmonitored due to improper transport can be stolen or dismantled, simply for the face value of the components. Any information contained therein is additional value.
There is no systematic method to determine which targets will be deemed valuable enough by which attackers, so a company needs to cover all possible bases.
Controls to minimize Information Targets of opportunity:
- Create and rigidly enforce formal company procedures for a clear desk policy (no unnecessary documents left on the desk)
- Create and rigidly enforce a formal company procedure for securing all media containing company information
- If technically possible, encrypt content on all media containing company information (especially USB devices and laptops)
- Where technically possible, implement self-locking document cabinets with a non-contact lock, so there will be no keys left in the lock
- Where technically possible, implement authorized printing on network printers - the person who printed a document has to authenticate at the physical printer before printing commences, thus confirming the physical presence of the owner of the printout.
- Where legally allowed, implement video surveillance. Video surveillance is always an excellent deterrent for attacks of opportunity, since they are not systematic.
- Create and rigidly enforce a system transport rule set - who is authorized to take, transport and deliver a system from the business to IT and vice versa. Never entrust an outsider with such transport, regardless of personal trust, unless formal contracts and security verifications are in place.
Talkback and comments are most welcome.