Imperva says UK MoD manual leak caused by breakdown in security procedures

(PresseBox) ( Redwood Shores, CA, )
Whilst reports that a UK government document advising officials on how to keep documents from leaking to the Internet has actually leaked on the Web may sound amusing, the reality is a whole lot different, says Imperva, the data security specialist.

According to Amichai Shulman, Imperva's chief technology officer, the fact that the 2,400 page defence 'manual of security' was published on Wikileaks - a site designed for anonymous leaks of documents from governments - suggests that the leak was caused by a breakdown in IT security procedures.

"The document contains three volumes and together, they are listed as restricted. However, some sections are available to the general public - a simple Google search shows these results," he said.

"At first sight, given the above, we could assume that this may have been the result of the actions of single member of staff - someone with access to the CD itself, or perhaps the Ministry of Defence intranet," he added.

However, says Shulman, the document's datestamp is October 2001, so the MoD probably considers the file to be outdated.

The Imperva CTO went on to say that, perhaps the file was on its way to be digitally demolished, or left on some old misconfigured server and a Google search picked it up.

An additional scenario, says Shulman - and one that he has witnessed whilst working in the armed forces - is that a classified military contractor may have been given the documents and placed them on an internal network.

And then, he explained, the data may have leaked from the internal network to a public-facing server over a period of time.

The leakage of such a document - and the attendant publicity the incident has received - should, he says, serve as a wakeup call for organisations that, when sharing sensitive information with partners, they need to have adequate security in place at all times.

"While an organisation may have very tight internal controls regarding sensitive information, when this information is shared with business partners it is subject to whatever controls are applied by that partner," he said.

"This is, for example, why the PCI-DSS standard requires that PCI-related information from a PCI compliant organisation is only shared with other companies that can demonstrate compliance with the PCI standard," he added.

For more on the MoD manual of security leak:

For more on Imperva:
Für die oben stehenden Pressemitteilungen, das angezeigte Event bzw. das Stellenangebot sowie für das angezeigte Bild- und Tonmaterial ist allein der jeweils angegebene Herausgeber (siehe Firmeninfo bei Klick auf Bild/Meldungstitel oder Firmeninfo rechte Spalte) verantwortlich. Dieser ist in der Regel auch Urheber der Pressetexte sowie der angehängten Bild-, Ton- und Informationsmaterialien.
Die Nutzung von hier veröffentlichten Informationen zur Eigeninformation und redaktionellen Weiterverarbeitung ist in der Regel kostenfrei. Bitte klären Sie vor einer Weiterverwendung urheberrechtliche Fragen mit dem angegebenen Herausgeber. Bei Veröffentlichung senden Sie bitte ein Belegexemplar an