How to catch a leaker


In cybersecurity, we often overlook the problem of people deliberately leaking information. However, it’s still an issue that can cause considerable harm to a business. We most commonly come across leaks when someone within an organization leaks juicy information to the press. However, information can be leaked in a variety of different ways, such as an employee leaking information to a competitor in exchange for payment, or a spy leaking information back to their government.

At its heart, leaking involves an authorized person revealing information to an unauthorized party. It breaches confidentiality, one of the core aspects of the CIA triad (confidentiality, integrity, and availability).

Sometimes leaks can be fairly innocuous and not cause any lasting damage to the organization. Someone may mention something confidential to their partner in an offhand conversation that the partner soon forgets. Obviously, these actions go against organizational policy and employees definitely shouldn’t do this, but in many of these minor cases, no harm will come to the organization.

However, leaking can cause significant damage to an organization, especially if someone is leaking information to the media that damages a brand’s reputation. One example is during a corporate scandal, where someone leaks the internal discussion to make the organization look even worse. Leaking can also harm a company if the leaker transfers company secrets or details on its latest technology to a competitor. This could make it easier for the competitor to catch up.

Catching a leaker

We will focus on the first type of leak: someone leaking to the press. This type of leak can be easier to track down because the fact that something is leaked to the media lets us know straight away that a leak has taken place. For other types of leaks, we may never even find out about them.

Let’s say that there is a corporate scandal, and someone in the inner circle keeps leaking internal memos, which causes a media firestorm. As the CEO, you rack your brain trying to figure out who it is, but no one stands out. Given how much harm they are causing, you absolutely must catch them. So you lay a trap.

If the inner circle is made up of 10 people, the next time you send out a memo, your trap involves sending out 10 separate memos with only subtle differences, one to each member of the inner circle. These subtle differences act as a unique signature for each of the ten individuals. To give you an idea of what this might look like, one memo could contain the line, “Our company acknowledges the errors and is working tirelessly to correct them.” Another memo could say, “The company is aware of the issues and is working on a fix.” A third could say, “We acknowledge the harms that have been caused and we are doing everything in our capacity to come to a solution.”

Each of the ten memos essentially says the same thing, but each one is unique. Once you have written the memos, all you have to do is send them out and keep track of who you sent each one to. Then you sit back and wait, this time hoping that the leaker does their thing and sends their memo to the press.

The next day, you are not surprised to see your company in the headlines once again. But this time, you actually smile. As you read the article, you see the quote, “The company is aware of the issues and is working on a fix.”

Gotcha!

Now you know who the leaker is—the second recipient. All you had to do was tailor the information that each party received, so that each one had its own signature. Now that you know who it is, you can set up the meeting with HR for termination.
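The trap described above, sketched in Python as an added example (not code from the original article). It goes one step beyond the article's one-sentence-per-recipient scheme by varying several sentences per memo, so ten recipients need only a handful of written wordings; the recipient names and the second and third sentence sets are constructed for illustration.

```python
import itertools
import re

# Constructed sample: each slot is one memo sentence with interchangeable wordings.
# The first slot reuses the three sentences quoted in the article.
SLOTS = [
    ["Our company acknowledges the errors and is working tirelessly to correct them.",
     "The company is aware of the issues and is working on a fix.",
     "We acknowledge the harms that have been caused and we are doing everything in our capacity to come to a solution."],
    ["We will share an update on Friday.",
     "An update will follow on Friday.",
     "Expect a further update by Friday."],
    ["Please keep this memo confidential.",
     "Do not forward this memo.",
     "This memo is for your eyes only.",
     "Treat this memo as strictly internal."],
]

def normalize(text):
    """Lowercase and collapse punctuation so a publisher's reformatting does not hide a match."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def build_memos(recipients, slots=SLOTS):
    """Assign each recipient a unique combination of wordings: {recipient: (choices, memo)}."""
    # Reverse the slot order so the first sentence varies fastest across recipients.
    combos = [c[::-1] for c in itertools.product(*(range(len(s)) for s in reversed(slots)))]
    if len(recipients) > len(combos):
        raise ValueError("not enough variant combinations for every recipient")
    return {r: (c, " ".join(s[i] for s, i in zip(slots, c)))
            for r, c in zip(recipients, combos)}

def attribute(leak, registry, slots=SLOTS):
    """Return the recipients whose memo matches every wording found in the leaked excerpt."""
    text = normalize(leak)
    seen = {}  # slot index -> variant index observed in the excerpt
    for si, variants in enumerate(slots):
        for vi, variant in enumerate(variants):
            if normalize(variant) in text:
                seen[si] = vi
    if not seen:
        return []  # no tracked sentence was quoted, so nothing can be attributed
    return [r for r, (choices, _) in registry.items()
            if all(choices[si] == vi for si, vi in seen.items())]
```

With ten recipients, a one-sentence quote narrows the list to three candidates rather than one, and a second quoted sentence resolves it. Giving every recipient a fully unique sentence, as the article does, avoids that ambiguity at the cost of writing ten wordings.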


Cybersecurity and privacy writer.
