Monday, August 26, 2013

Unauthorized Disclosure of Information

Sensitive information can be disclosed intentionally or accidentally, but the result is the same: individuals have access to information that was not intended for their eyes. A big part of access control is preventing this type of activity from taking place. Many times, different types of media are used by different people within an organization. Floppy disks are shared, hard drives are checked out from a media library for different employees to use, and shares on servers are used by many to store information. These different media types can hold sensitive information that can be accessed by more individuals than should be allowed. Also, new employees often inherit old computers, which could contain sensitive information, from former employees. These are some examples of object reuse, which means that some type of media (object) that could contain sensitive data is being used by a different subject. The following issues should be considered when dealing with unauthorized disclosure of information:
• Media containing sensitive information may need to be degaussed to properly erase all data.
• Deleting files on a disk removes only the pointers to those files, not the files themselves, so the data is still available for unauthorized disclosure.
• Formatting a drive rewrites only the allocation table; it does not actually remove the information held within the drive’s sectors.
• If media containing sensitive information cannot be properly erased, it should be physically destroyed.
• Processes within an operating system should erase their memory segments before other processes are allowed to use the same memory portions.
• Social engineering can be used to trick someone into providing confidential information to unauthorized individuals, and is therefore a possible threat to sensitive data.
• Zeroization is the process of writing null values over media several times to ensure that data is not available to others.
Keystroke monitoring tools are hardware- or software-based utilities that are used to capture each and every keystroke an individual inputs into a computer. They can be used to monitor employees for suspicious activities or can be used by attackers to gain access to confidential information. A common trick is to load a Trojan horse onto a user’s system, which then installs a keystroke-monitoring program to capture usernames and passwords and send them back to the attacker. The attacker then uses these credentials to fraudulently authenticate as that user and access resources and information not intended for him.
