Pulling it all together – Social Engineering Security Policy
Information Gathering: My Dossier
Week 2
Part A: Dossier
To compile information about myself, I thought of the places I visit regularly and where I provide important details about myself. As Solove (2004) asserts, in the digital age it is very easy to access people's personal information. I thought of web browsers, because they hold a great deal of information about me, from my bank details, passwords, and location to my work. My browser stores a lot of sensitive information, and I know that if attackers accessed it, it would affect me greatly. To compile a dossier, I collected information from:
· Visited websites
· HTTP Cookies
· Saved logins information
· Local storage
· Autofill
First, I decided to find out what type of information is held in my browser's local storage. I browsed the popular sites that I always visit. I used Mozilla Firefox, with the OpenWPM measurement framework applied to the browser to adjust its privacy behaviour. I navigated several links on the websites, but I did not access any user information because I was unable to log on to any of the sites. Therefore, I focused on finding out what they recorded about my physical location. Benson (2018) asserts that sites use geolocation to target ads to different places, load-balance traffic, and customize the user experience.
Next, I used Google Chrome to browse, because I know that almost everyone uses it. I wanted to find out whether any remnants and proof of my user accounts and activities on the different websites I visited remained in my local storage. I created accounts on these sites, logged in, and performed various actions such as sending emails on a webmail server and viewing documents in cloud storage. I was keen to see what I could find. I carried out all the activities manually so that the information collected would genuinely represent me and my activities on the internet. I selected a subset of domains that are common across my profiles: google.com, youtube.com, facebook.com, twitter.com, instagram.com, netflix.com, whatsapp.com, and paypal.com.
Findings
From researching my browser in the first part, I found around 30 websites that held a certain amount of information about my geographical location. Around 35 websites recorded my IP address. These included the popular websites I always visit, such as Amazon, Walmart, and Alibaba, and news websites such as the New York Times and USA Today. This implies that anyone who visits these websites can access my physical location and understand my daily routine on the internet, my interests, and my finances through what I purchase from websites such as Amazon.
In the second part of my exercise, I extracted a lot of potentially sensitive items such as my email addresses, usernames, downloaded files, viewed documents, and many other items that attackers could also access and use to their advantage. In browsers that had saved my passwords, I was able to extract my usernames and passwords easily. That means attackers could access my accounts and track my devices.
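The dossier above was compiled by hand; the following is an added example (not part of the original assignment) of how a user could audit their own Firefox cookie store for the same kind of exposure, without ever reading cookie values. It assumes the layout of Firefox's `cookies.sqlite` table `moz_cookies` (columns `name`, `host`, `expiry` in seconds, `isSecure`, `isHttpOnly`, `sameSite` with 0 = None, 1 = Lax, 2 = Strict); the sample rows are constructed stand-ins for a real profile.

```python
import sqlite3
import time

# Subset of Firefox's moz_cookies columns (assumed schema, see lead-in).
SCHEMA = """CREATE TABLE moz_cookies (
    name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER,
    isSecure INTEGER, isHttpOnly INTEGER, sameSite INTEGER)"""

# Constructed sample rows standing in for a real profile's cookies.sqlite.
# Values are redacted placeholders: the audit never needs them.
SAMPLE_ROWS = [
    ("sid",   "REDACTED", ".example-shop.test", "/", 2**31 - 1,  1, 1, 2),
    ("geo",   "REDACTED", ".example-shop.test", "/", 2**31 - 1,  0, 0, 0),
    ("track", "REDACTED", ".ads.test",          "/", 2**31 - 1,  0, 0, 0),
    ("pref",  "REDACTED", ".news.test",         "/", 1700604800, 1, 0, 1),
]


def open_sample_db():
    """In-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO moz_cookies VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def open_profile_db(path):
    """Open a real profile's cookies.sqlite read-only (copy it first if Firefox is running)."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def audit_cookies(conn, now=None, long_lived_days=365):
    """Return {host: {cookie name: [findings]}} describing weak or long-lived cookies."""
    now = time.time() if now is None else now
    limit = now + long_lived_days * 86400
    report = {}
    query = "SELECT name, host, expiry, isSecure, isHttpOnly, sameSite FROM moz_cookies"
    for name, host, expiry, secure, httponly, samesite in conn.execute(query):
        issues = []
        if not secure:
            issues.append("no Secure flag")        # sent over plain HTTP too
        if not httponly:
            issues.append("no HttpOnly flag")      # readable by page scripts
        if samesite == 0:
            issues.append("SameSite=None")         # sent on cross-site requests
        if expiry > limit:
            issues.append("persists >%d days" % long_lived_days)  # tracking-grade lifetime
        report.setdefault(host, {})[name] = issues
    return report


def hosts_with_issues(report):
    """Hosts that set at least one cookie with a finding, sorted for stable output."""
    return sorted(h for h, cookies in report.items() if any(cookies.values()))
```

Run `audit_cookies(open_profile_db("/path/to/profile/cookies.sqlite"))` on a copy of a real profile to see which hosts keep long-lived or weakly protected cookies on your machine.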
Part B: Policy
Information in the organization is stored in both paper and electronic formats. A policy is required to cover the disposal of all protected and sensitive information, regardless of where it is stored within the organization. The purpose of this policy is to provide all members of the organization with options and standards for disposing of sensitive and protected information.
#1: Protected information paper documents
All paper documents containing protected organizational data must be disposed of by shredding. Shredded paper documents awaiting disposal will be dropped in the trash containers in your department, from which they will be collected by licensed document-destruction companies. The head of any department without a trash container should contact management to arrange for one.
#2: Sensitive information paper documents
The departments that produce sensitive information paper documents are responsible for disposing of the data in those documents. Each department will decide which method to use to dispose of its sensitive information paper documents. They are, however, free to use shredding, as for protected information paper documents, and then drop the papers in the trash containers.
#3: Protected information electronic documents
All protected documents and media in electronic format will be disposed of by deletion. However, all such electronic documents and media must be sent to the Information Technology (IT) and Information Security (IS) teams for secure deletion. The IT and IS teams will destroy any electronic information that cannot be processed under this standard.
#4: Sensitive information electronic documents
Sensitive data in electronic format will be disposed of by deletion by the departments that produced those documents. They must ensure the documents are securely deleted, and may use the ITS Information Security team to accomplish this.
#5: Information outside the organization
Any protected or sensitive information document, whether in paper or electronic form, that is taken outside the organization by employees, partners, or representatives of the organization should be brought back to the organization for proper disposal using methods 1, 2, 3, and 4. Any party that the organization permits to destroy sensitive and protected information off-site should use a licensed document-destruction company. Parties that destroy electronic documents themselves should follow the standards set out by the organization, which require either secure deletion or returning the documents to the organization for secure deletion.
References
Benson, R. (2018). How Criminals Can Build a "Web Dossier" from Your Browser. Exabeam Information Security blog. Retrieved from https://www.exabeam.com/information-security/criminals-can-build-web-dossier-browser/
Solove, D. J. (2004). The Digital Person: Technology and Privacy in the Information Age (Vol. 1). NYU Press.