Here is an interesting post on how you, as a consultant, could use Nessus to discover sensitive information such as “TOP SECRET” documents.

From Tenable Network Security:

There are many consultants that use Nessus to scan a customer network for vulnerabilities and report a laundry list of security issues which need to be fixed. Another valuable service that can be performed by a consultant is to audit where sensitive data resides in an organization and what sort of access can be gained to it. This blog entry discusses what can be accomplished with the Nessus scanner and what additional types of data analysis can be performed with the sensitive content checks available with the Nessus Direct Feed.

What is “Sensitive Data”?

In the government and military, there are in-depth standards for classifying the sensitivity of data such as “SECRET”, “TOP SECRET” and so on. This classification details who can have access to the data and what level of security assurance should be invoked to protect against inadvertent disclosure.

For the rest of the world, classifying data may not be as simple. An organization may draw data classification requirements from the compliance regulations it is under. A public and private company both governed by PCI will likely treat their customer credit card data the same way. However, the public company may consider emails about projected revenues, mergers and such, much more seriously than a private company due to SOX requirements. Other companies may have unique requirements to protect the secret beverage drink recipe, plans for the new stealth bomber or conceal the latest marketing campaign.

As a consultant, asking the customer what their data controls and concerns are is a very good place to start.

For the full article read on.