IT Baseline Protection Manual - The Information Warfare Site

Threats Catalogue Deliberate Acts Remarks
____________________________________________________________________ .........................................
T 3.44 Carelessness in handling information
It is frequently observed that although a number of organisational or technical
security procedures are in place, these are undermined through careless
handling of the technology. A typical example of this is the almost proverbial
sticker on the monitor which contains a list of all the access passwords.
Abundant other examples of carelessness, dereliction of duty or recklessness
in handling information that needs to be kept secure are also to be found.
Examples:
- Employees often divulge confidential information about their company
over mobile phones on trains or in restaurants. This information is not only
heard by the person the other end but also by everyone around. Examples
of particularly interesting internal information divulged in this way include
- why a contract with another company was lost or
- how many millions planning errors in the strategy department have cost
and how this could depress the share price of the company if anyone were
to find out about it.
- Often it is necessary during business trips to take a notebook, an organiser
or data storage media along with one. During breaks, these are gaily left
behind in the meeting room, the train compartment or the car. The data
stored on these mobile IT systems is often not backed up anywhere else. If
the IT system is then stolen, the data is lost for ever. In addition, a thief
may be able to make good money from the sale of potentially explosive
data that he has been able to access easily due to lack of encryption or
access protection.
- One reason for taking a notebook or files on business trips is to be able to
make productive use of travelling time. This practice often provides fellow
travellers with interesting insights, as it is virtually impossible on a train or
aircraft to prevent a person in the next seat from also being able to read the
documents or the screen.
Premises which are open to the public, e.g. hotel foyers, hotel business
centres or train compartments, generally provide little in the way of privacy
protection. If the user enters passwords or has to make changes to the
configuration, an adversary could acquire this information and misuse it.
- Articles appear at regular intervals in the press about public bodies and
companies whose dustbins in the rear yard contain highly explosive
documents. For example, pay information for all the employees in one
company and the ex-directory phone numbers of a company’s board of
directors have become public knowledge by this means.
- When IT systems develop faults, they are sent quickly for repair. Often
once a system has developed a fault it is no longer possible to delete data
that is stored on it. When a failure occurs the top priority is usually to have
a working machine again as soon as possible. For this reason, many
specialist suppliers offer a special customer service which involves simply
exchanging defective components and sending customers home with a
system that works.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Allowing information to
be overheard
Allowing information to
fall into the wrong hands
Allowing other people to
read information
Explosive information in
waste containers
Exchange of
components during
repair