Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Imperva says UK MoD manual leak caused by breakdown in security procedures

October 2009 by Imperva

Whilst reports that a UK government document advising officials on how
to keep documents from leaking to the Internet has actually leaked on the Web may sound amusing, the reality is a whole lot different, says Imperva, the data security specialist.

According to Amichai Shulman, Imperva’s chief technology officer, the fact that the 2,400 page defence `manual of security’ was published on Wikileaks - a site designed for anonymous leaks of documents from governments - suggests that the leak was caused by a breakdown in IT security procedures.

"The document contains three volumes and together, they are listed as restricted. However, some sections are available to the general public - a simple Google search shows these results," he said.

"At first sight, given the above, we could assume that this may have been the result of the actions of single member of staff – someone with access to the CD itself, or perhaps the Ministry of Defence
intranet," he added.

However, says Shulman, the document’s datestamp is October 2001, so the MoD probably considers the file to be outdated.

The Imperva CTO went on to say that, perhaps the file was on its way to be digitally demolished, or left on some old misconfigured server and a Google search picked it up.

An additional scenario, says Shulman - and one that he has witnessed whilst working in the armed forces - is that a classified military contractor may have been given the documents and placed them on an internal network.

And then, he explained, the data may have leaked from the internal network to a public-facing server over a period of time.

The leakage of such a document - and the attendant publicity the incident has received - should, he says, serve as a wakeup call for organisations that, when sharing sensitive information with partners,
they need to have adequate security in place at all times.

"While an organisation may have very tight internal controls regarding sensitive information, when this information is shared with business partners it is subject to whatever controls are applied by that partner," he said.

"This is, for example, why the PCI-DSS standard requires that PCI-related information from a PCI compliant organisation is only shared with other companies that can demonstrate compliance with the PCI standard," he added.


See previous articles

    

See next articles


Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55
Mail: ipsimp@free.fr

All new podcasts