Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor

Procedural flaws cause MoD leak

Imperva : 09 October, 2009  (Technical Article)
Imperva believes the recent leak of MoD documents onto the web resulted from poor handling procedures of old documents
Whilst reports that a UK government document advising officials on how to keep documents from leaking to the Internet has actually leaked on the Web may sound amusing, the reality is a whole lot different, says Imperva, the data security specialist.

According to Amichai Shulman, Imperva's chief technology officer, the fact that the 2,400 page defence `manual of security' was published on Wikileaks - a site designed for anonymous leaks of documents from governments - suggests that the leak was caused by a breakdown in IT security procedures.

'The document contains three volumes and together, they are listed as restricted. However, some sections are available to the general public - a simple Google search shows these results,' he said.

'At first sight, given the above, we could assume that this may have been the result of the actions of single member of staff - someone with access to the CD itself, or perhaps the Ministry of Defence intranet,' he added.

However, says Shulman, the document's datestamp is October 2001, so the MoD probably considers the file to be outdated.

The Imperva CTO went on to say that, perhaps the file was on its way to be digitally demolished, or left on some old misconfigured server and a Google search picked it up.

An additional scenario, says Shulman - and one that he has witnessed whilst working in the armed forces - is that a classified military contractor may have been given the documents and placed them on an internal network.

And then, he explained, the data may have leaked from the internal network to a public-facing server over a period of time.

The leakage of such a document - and the attendant publicity the incident has received - should, he says, serve as a wakeup call for organisations that, when sharing sensitive information with partners, they need to have adequate security in place at all times.

'While an organisation may have very tight internal controls regarding sensitive information, when this information is shared with business partners it is subject to whatever controls are applied by that partner,' he said.

'This is, for example, why the PCI-DSS standard requires that PCI-related information from a PCI compliant organisation is only shared with other companies that can demonstrate compliance with the PCI standard,' he added.
Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo