The many vectors to your private information

Most attacks on private information are vectored by some sort of information technology or communication technology: printed documents, social interactions, malware, databases, webpages, social media, postal communications, telephone communications, e-mail, removable digital media, cloud computing, and unsecured wireless networks.

Printed documents are ubiquitous; they include maps, plans, photographs, letters, notes, books, and other texts. The loss of information on paper is normally due to a failure to control social transfer or physical access.


Most harmful leakage of privileged information arises from a social interaction, such as when people talk too loosely about private information or are verbally persuaded to give up information to somebody who is not what they pretend to be.

Malware is software that is harmful. It is sometimes created by accident or for fun, but is usually developed or exploited for malicious objectives.

Almost everybody provides sensitive information that is held on some other organization’s media—sensitive information such as ethnicity, gender, sexuality, religion, politics, trade union membership, birth, death, marriage, bank account, health care, and crimes (either perpetrator or victim).

Most Internet activity involves online searches, browsing, and e-mail. Visiting the associated webpages exposes the user to malware—particularly if the user downloads or is misled into visiting a webpage resembling a login page, where the threat gathers the user’s passwords and other access keys.

Social media are normally websites on which personal users release information about themselves or subscribe to information from other users. Social media are exposed to anyone who browses the same sites. Some social media allow anybody to view information on anybody else, store such information in insecure domains, or even sell such information.

Posted mail can be intercepted; postal deliverers have been bribed to divert mail; threats can also seize the mail from the container into which it has been posted or delivered, before it is picked up by the deliverer or the recipient.

Telephones and the cables carrying wired communications have always been easy to “tap” for anyone with physical access to the hardware. A mobile or cellular telephone, like any telephone, can be tapped directly if the threat can physically access the device and place a bugging device within it. Smartphones (telephones that run software) can be infected, through Internet downloads or an open Bluetooth portal, with malware that records the target’s conversations or allows a remote threat to listen in on them.


E-mail or electronic mail is a digital communication sent via some computer network. E-mails are prolific, users are casual in their use, and service providers tend to hold data on every e-mail ever sent, including user-deleted e-mails.

Removable media, such as plug-in Universal Serial Bus (USB) “flash memory” or “stick” drives and mobile telephones, can be used as vehicles for unauthorized removal of information out of a secured domain and as vectors for malware into a secured domain.

Cloud computing involves access from remote terminals to shared software or data. Cloud computing improves security in the sense that information and applications can be gathered more centrally and distributed only when properly demanded. However, centralization of data creates a single point of failure, and shared code implies more vulnerability to malware inside the system.

Wired networks can be tapped inside the network, either by malware or by a hard device on the cables between computers. A wireless network is less exposed to a hard tap but more exposed to wireless taps. Since wireless traffic is broadcast, no one has to join the network just to record the traffic, although the threat would need to break into the nodes in order to read the traffic.