Main channels of information leakage
Information leakage channels exist in any information space. In the most general sense, a leakage channel is an uncontrolled way of transmitting information, through which an attacker can gain unauthorized access to the confidential company data they are after.
Leakage refers to:
- disclosure of data by those who have access to classified information;
- loss of flash drives and other data carriers on which confidential information was stored;
- deliberate theft of secret information by espionage that exploits open leakage channels.
As a rule, a leak of sensitive information is not detected immediately. A competitor who has obtained, for example, an enterprise's trade secret may not give themselves away or circulate the data for a long time. The theft nevertheless "surfaces" over time, in the form of serious financial or material losses for the organization.
General classification of leakage channels
According to the generally accepted classification, leakage channels are either indirect or direct. An indirect channel is one in which the attacker has no direct access to the technical means of the information system and obtains the data from outside it.
Examples of indirect leaks:
- loss of flash media or its deliberate theft;
- searching for confidential data by going through trash, discarded documents, etc.;
- reading spurious electromagnetic radiation and interference (compromising emanations);
- stealing information by optical means, for example photographing objects of the information system, or by listening in on premises.
With direct channels, the attacker has access to the hardware and the information used in the information system itself.
A prime example of a direct leakage channel is the work of insiders. In most cases it is the company's own employees who become the means of transmitting information to the attacker, whether on purpose or by accident. In the first case an employee deliberately takes a job in the organization in order to ferret out its secrets; in the second, an unintentional disclosure occurs in an informal setting.
Direct copying of information is also classed as a leak through a direct channel.
Companies most often protect their data with a single main automated system, so it is important to take into account all technical leakage channels, that is, ways of stealing data that exploit the physical properties of that system.
Types of technical leakage channels include:
- acoustic: unauthorized capture of sound at the site of information activity, for example real-time wiretapping or recording of conversations;
- acoustoelectric: sound acting on equipment produces electrical signals (the microphone effect), which propagate over the power supply network and are converted back into intelligible form on the attacker's side;
- optical: the intruder photographs the object or keeps it under prolonged visual observation, etc.;
- vibroacoustic: reading the vibrations that sound induces in walls, windows and other structural elements of the building;
- electromagnetic: picking up inductive crosstalk from the fields of the information system;
- spurious electromagnetic emissions, which the intruder captures and converts into intelligible form with special equipment.
The most common and, from the standpoint of storing confidential information, the most dangerous channel is the acoustic one. Many cases are known of a competitor trying to install listening and recording devices at another company's premises. With a directional microphone, audio from a room can be captured up to 200 meters from the building; in other words, an attacker need only sit in a car a short distance from the meeting place to learn the protected information.
The acoustoelectric channel is practically universal, since it can be exploited at any point of the electrical network: the attacker needs no additional microphones or radio bugs to capture the data. The information can be collected without a direct connection to the network, by picking up the resulting electromagnetic radiation. In some cases amplifying bugs are planted in the company's building; while they operate, a competitor can read the emissions at a distance of up to 300 meters from the data source. Protection against the acoustoelectric channel is provided by so-called noise-generating (interference) equipment, which produces interference so that the intruder cannot fully recover the information.
An attacker can also tap the company's telephone conversations. This channel is implemented with high-frequency imposition devices: a high-frequency signal is injected into the telephone line, the line returns it modulated by the speech in the room, and the competitor intercepts that modulated signal.
The optical channel is available when the company's work process can be watched, photographed or filmed. Having obtained a "picture" of the stages of the work, an attacker will have no difficulty uncovering the secret the enterprise is guarding. Protection here consists in processing confidential information only in closed rooms without windows and with good sound insulation.
In addition to technical channels, there is also physical theft: the seizure of a material medium carrying confidential information.
Companies that work with confidential information of any type need their own comprehensive security system, one that acts as a barrier to an attacker at every level of data processing.
The protection system should be designed with all identified leakage channels in mind; thereafter, the security service is responsible for maintaining the automated protection system.
The fact of information theft is discovered in one of two basic ways. In the first, an employee witnesses the incident and can say who stole the information and how. Here the chance of catching the thief is always higher before the data has been handed to a competitor, so the aim is to keep the organization from suffering a loss by identifying the insider "in hot pursuit".
In the second scenario, the theft becomes known only after a competing company has used the data for its own purposes; this is how events unfold in the overwhelming majority of cases. A theft the owner of the information was unaware of means that the attacker exploited a hole in the security system, or that no security system existed at all.
Data leakage is primarily the result of a breach of the method for protecting confidential data and is the main cause of financial and "intangible" losses for the company. Once a leak is identified, the security service's main task is to start identifying the attacker as soon as possible.
The investigation is conducted within the framework of the law. The first step is organizational: close access to the data, since there is a risk of repeat theft. Then the proceedings begin. At the technical level, DLP systems can prevent leaks by automatically detecting an attempt to transmit information outside the protected environment without authorization.
At the first stage of the investigation, the security service determines the type and method of the leak: accidental or planned. As a rule, loss through negligence or an unintentional leak is easy to identify when analyzing the DLP system's report, talking with staff, or reviewing video recordings.
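A simple illustration of the kind of automated egress check described above, added here as an example; it is not code from the original article or from any DLP product. It inspects outbound messages and blocks those addressed outside the company that carry a confidentiality marking, a forbidden identifier pattern, or a verbatim copy of a protected file, and it records the reasons, which is the raw material for the DLP report the investigation starts from. The internal domain, the markings and patterns, the protected file and the sample messages are all constructed assumptions.

```python
"""Added example: a minimal DLP-style egress inspection rule.

Illustrative code written for this article, not code from the article or
from any DLP product. The policy (internal domain, markings, patterns), the
protected-file index and the sample messages are constructed assumptions.
"""
import hashlib
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.internal"   # assumed: mail to this domain stays inside the perimeter

# Assumed policy: markings stamped on classified documents.
CONFIDENTIAL_MARKINGS = ("COMMERCIAL SECRET", "CONFIDENTIAL", "INTERNAL ONLY")

# Assumed policy: structured identifiers that must not leave the perimeter.
# Deliberately coarse; a real rule set is tuned against false positives.
PATTERNS = {
    "card_number": re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
    "project_code": re.compile(r"\bPRJ-\d{4}-[A-Z]{2}\b"),
}


def fingerprint(text: str) -> str:
    """SHA-256 of whitespace-normalized, lower-cased text. Catches verbatim copies
    of a protected file; real products also use partial (rolling) hashes."""
    normalized = " ".join(text.split()).lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


# Index of protected files, as a DLP system would build it from the file store.
# Constructed here from inline sample text.
PROTECTED_FILES = {
    fingerprint("Process recipe v7: anneal at 410 C for 90 minutes, quench in argon."): "recipe_v7.txt",
}


@dataclass
class Message:
    sender: str
    recipients: list
    body: str
    attachments: dict = field(default_factory=dict)   # file name -> text content


@dataclass
class Verdict:
    action: str      # "allow" or "block"
    reasons: list    # human-readable findings for the DLP report


def leaves_perimeter(msg: Message) -> bool:
    """True if at least one recipient is outside the internal domain."""
    return any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in msg.recipients)


def inspect(msg: Message) -> Verdict:
    """Allow internal traffic; otherwise block if the body or any attachment carries
    a marking, a forbidden pattern, or is a verbatim copy of a protected file."""
    if not leaves_perimeter(msg):
        return Verdict("allow", [])
    reasons = []
    parts = {"body": msg.body, **msg.attachments}
    for name, text in parts.items():
        upper = text.upper()
        for marking in CONFIDENTIAL_MARKINGS:
            if marking in upper:
                reasons.append(f"{name}: marking '{marking}'")
        for label, pattern in PATTERNS.items():
            if pattern.search(text):
                reasons.append(f"{name}: pattern {label}")
        fp = fingerprint(text)
        if fp in PROTECTED_FILES:
            reasons.append(f"{name}: copy of protected file {PROTECTED_FILES[fp]}")
    return Verdict("block" if reasons else "allow", reasons)


def sample_messages() -> list:
    """Constructed sample traffic: one internal mail, two leak attempts, one benign external mail."""
    recipe = "Process recipe v7:  anneal at 410 C for 90 minutes,\nquench in argon."  # reformatted copy
    return [
        Message("a@example.internal", ["b@example.internal"],
                "COMMERCIAL SECRET: draft budget attached, internal review only."),
        Message("a@example.internal", ["partner@competitor.example"],
                "As promised. COMMERCIAL SECRET: unit cost for PRJ-2024-AB is below target."),
        Message("c@example.internal", ["me@personal-mail.example"],
                "fyi", attachments={"notes.txt": recipe}),
        Message("c@example.internal", ["friend@personal-mail.example"],
                "Lunch on Friday?"),
    ]


def run_samples() -> list:
    """Inspect the sample traffic; returns (recipients, action, reasons) per message."""
    results = []
    for msg in sample_messages():
        verdict = inspect(msg)
        results.append((msg.recipients, verdict.action, verdict.reasons))
    return results


if __name__ == "__main__":
    for recipients, action, reasons in run_samples():
        print(f"{action.upper():5} -> {', '.join(recipients)}")
        for reason in reasons:
            print("        ", reason)
```

The second sample is blocked on two findings (a marking and a project code in the body), the third on the attachment alone: its text has been reflowed, but whitespace normalization before hashing still matches it to the indexed file. The `reasons` list is what an analyst would read in the report when deciding whether a leak was negligent or planned; a production system additionally covers channels other than mail (web uploads, removable media, printing) and inspects file formats and images rather than plain text.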
Information leakage can cause the company serious losses, stemming from the theft of a product's manufacturing technology, theft of important documents, disclosure of classified information, and so on. Therefore, when designing the security system, all possible leakage channels through which an attacker could reach protected information must be taken into account.
If the leak has already occurred, the company can only try to identify the insider, the employee who stole the data or unwittingly became an accomplice to the theft. In addition, if the data has reached competitors, the company should decide how to devalue the information so as to prevent further losses.