In finance, a concept called mosaic theory says that non-material information in sufficient quantities can be combined to constitute useful information. Investment analysts using this principle combine non-material information to develop significant insights into companies’ upcoming results without crossing into insider trading.
A similar principle applies in non-financial information security. In other words, a lot of insignificant details, like the ones you might post to social media, can be combined to deduce significant aspects of your own or your organization’s private data. Small divergences from usual patterns can, when combined, give a competitor or potential attacker hints about your organization’s strategy, upcoming product launches, or your private personal information.
In this talk, we discuss types of information you want to avoid posting about yourself or watch out for in your organization’s social media postings to avoid unintentional disclosures.
Mosaic Theory of Information Security — As presented at Abstractions II
1. Mosaic Theory of Information Security
Margaret Fero
Technical Writer | Degreed
Maggie@degreed.com
Abstractions II - 2019
2. FIRST: Disclaimers
I’m not a lawyer, a financial advisor, the SEC, or in any way entitled to make expert judgements on what is or is not legal or insider trading. This whole talk is provided without warranty or guarantee. This is not legal advice. This is not financial advice.
I’m going to talk about how legal and financial concepts work in a general sense based on a layperson’s understanding so we can all have a shared basis from which to discuss their applicability to information security. Do not make financial or legal decisions based on any information in this talk. Talk to actual experts if you feel inspired to make financial or legal decisions after watching this talk; do not rely on my information here.
I am not an expert on insider trading regulations, but I have enough of a general idea to use them as an allegory for a security problem.
4. Agenda
"Pomposa Abbey" by Verity Cridland is licensed under CC BY 2.0
About Mosaic Theory
Some Examples
What To Watch Out For
Conclusion
5. Why mosaic theory?
Money Stuff by Matt Levine
https://www.bloomberg.com/opinion/articles/2018-03-18/equifax-exec-sold-stock-after-hack-was-it-insider-trading
6. Every day, professional investors and research analysts work the phones to ferret out information about companies that can’t be found by simply reading news releases.
Andrew Ross Sorkin, New York Times Dealbook Column, November 29, 2010
https://dealbook.nytimes.com/2010/11/29/just-tidbits-or-material-facts-for-insider-trading/
"Puzzling" by byzantiumbooks is licensed under CC BY 2.0
7. What counts as insider trading?
Insider Trading (Bad)
• “Material” information direct from a reputable source
• Information comes packaged together
• Information is useful alone
Skilled Financial Analysis (Good)
• “Immaterial” information from multiple sources
• You combine information to create useful packages
• Individual pieces of information are not as useful as the whole
11. Why should I care as a technologist?
"Frank, September 4, 2011 - keyboard" by pat00139 is licensed under CC BY 2.0
12. You also have information.
Material non-public information
• Usernames and passwords
• Users’ PII
• Details of unreleased features
Immaterial or public information
• Press releases
• Job ads
• Group pictures from an onsite
13. Material Information
This is bad to release.
https://www.darkreading.com/cloud/moviepass-leaves-credit-card-numbers-personal-data-exposed-online/d/d-id/1335594
14. Immaterial Information
This is good to release!
…Right?
• Travel opportunities
• Employee sabbaticals
• Employee travel (blog breaks, etc.)
• Onsite timing
16. Trends.
Expressed interest in M&A
Mentions of Tooling
Job Posts & Resignations
Employee Sentiment
"attention" is licensed under CC0 1.0 ; "Penknife_Swiss-Army-Knife__51220" by Public Domain Photos is licensed under CC BY 2.0 ; Lever Logo is owned by Lever; ":)" by gfairchild is licensed under CC BY 2.0
17. Disclaimer (again):
The tools I’m about to mention are risky because they’re useful! Banning these tools is not a good mitigation strategy.
"Lego bricks" by EEPaul is licensed under CC BY 2.0
18. Expressed Interest in M&A
• LinkedIn posts
• Conference attendance or course completion
• Forum posts
• Meetup membership or attendance
• Job postings
19. Mentions of Tooling
• Job post contents
• Employees’ role descriptions on LinkedIn or networking sites
• Meetup membership or attendance
• Vendor forum membership
20. Job Posts & Resignations
• Your career site
• Your ATS or LinkedIn
• Recent alumni’s LinkedIn or social media
• Your blog
21. Employee Sentiment
• Social media
• Press mentions
• Conversations on public transit
• Conversations near your office
22. Other Information To Watch
• Instagram posts
• LinkedIn group membership
• Meetup and conference attendance
• Vacation responders
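Slides 16 through 22 list the categories of immaterial postings (M&A interest, tooling mentions, job posts and resignations, employee sentiment, travel and onsite timing) that combine into something material. As an added illustration that is not part of the original talk, the following Python script runs a self-audit over a constructed feed of an organization's own public posts: each post is tagged with the signal categories it touches, and a sliding window flags any stretch of days in which several different categories co-occur, which is the mosaic effect the talk describes. The keyword cues, the sample posts and the window and threshold values are assumptions chosen for this example.

```python
from datetime import date, timedelta

# Signal categories taken from the talk's "what to watch" slides. The keyword
# cues under each category are assumptions made for this example, not from the talk.
SIGNALS = {
    "m_and_a": ["m&a", "acquisition", "due diligence", "merger"],
    "tooling": ["kubernetes", "terraform", "okta", "salesforce", "snowflake"],
    "hiring": ["job opening", "we're hiring", "last day", "new role", "joined"],
    "sentiment": ["burnout", "layoffs", "reorg", "morale", "frustrated"],
    "travel": ["onsite", "offsite", "out of office", "sabbatical", "vacation"],
}

# Constructed sample feed of an organization's public posts:
# (days since the start of the audit period, source, text).
SAMPLE_POSTS = [
    (0, "linkedin", "Thrilled to finish my M&A due diligence certificate course!"),
    (3, "careers", "Job opening: Senior Integration Engineer (Salesforce, Okta)"),
    (5, "twitter", "Whole exec team at an offsite this week, out of office until Monday"),
    (9, "blog", "Pausing the blog for a bit, back in a few weeks"),
    (40, "linkedin", "Excited to share that I joined the platform team! Kubernetes all day"),
    (75, "twitter", "Big group photo from our onsite, great to see everyone"),
]


def classify(text):
    """Return the set of signal categories whose cues appear in the text."""
    lowered = text.lower()
    return {name for name, cues in SIGNALS.items()
            if any(cue in lowered for cue in cues)}


def mosaic_findings(posts, window_days=14, min_categories=3):
    """Slide a window over the posts, ordered by day, and report each window in
    which at least min_categories distinct categories co-occur. No single post
    has to be sensitive on its own; the finding is the combination.

    A window whose posts are all contained in the previous finding is skipped,
    so one cluster of posts is reported once.
    """
    posts = sorted(posts, key=lambda p: p[0])
    findings = []
    for i, (start, _source, _text) in enumerate(posts):
        window = [p for p in posts[i:] if p[0] - start < window_days]
        categories = set().union(*(classify(p[2]) for p in window))
        if len(categories) < min_categories:
            continue
        if findings and set(window) <= set(findings[-1]["posts"]):
            continue
        findings.append({"start_day": start, "categories": categories, "posts": window})
    return findings


def format_finding(finding, period_start=date(2019, 1, 1)):
    """Render one finding as a block of text for whoever reviews the audit."""
    first = period_start + timedelta(days=finding["start_day"])
    lines = [f"From {first.isoformat()}: {len(finding['categories'])} categories combine: "
             f"{', '.join(sorted(finding['categories']))}"]
    for day, source, text in finding["posts"]:
        lines.append(f"  day {day:>3} [{source}] {text} -> {sorted(classify(text)) or ['none']}")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in mosaic_findings(SAMPLE_POSTS):
        print(format_finding(finding))
```

Run against the sample feed, the script reports one cluster: the course completion, the job ad, and the offsite announcement in the first two weeks together touch four categories, while the later posts stay below the threshold because they sit alone in their windows. The point of the check is the threshold on distinct categories, not any one keyword; tuning the cues and the window to your own posting cadence is what turns it from a demo into a recurring audit.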
24. Don’t despair, just be aware!
"Full Rainbow at Sunrise at Columbia River in Washington" by Landscapes in The West is licensed under CC PDM 1.0
25. Thank you!
@maggiefero
You can ask questions in the hallway now, or on Twitter later!
Maggie@degreed.com
Degreed.com/maggiefero
Linkedin.com/in/margaretfero
Editor's Notes
Specifically, Matt Levine’s March 2018 column “Deductive Reasoning or Insider Trading? It's a Tough Call”, which referenced the mosaic theory. That was the first time I’d encountered the term, but I dove down a learning rabbit hole from there.
A research analyst told a trader he was going to change the ratings for certain stocks. This was material, because it was a single piece of information that would by itself cause the market to move, and it was provided by a known insider to a direct contact (removing the risk of guesses based on agglomerated immaterial information).
This held that immaterial information was tipped to analysts, who were able to combine it with public financial disclosures and other materials to form a basis for trading. This case also did involve some insider trading resulting from a subsequent leak, but it was not all insider trading.
“After working with Hussein to review sample datasets, TechCrunch reports exposed records contain sufficient information to commit credit card fraud. In a sample of 1,000 records, more than half had a MoviePass member card number, balance, and expiration. The server also contained records of failed login attempts. None of the data on the server was encrypted.”
I love an analogy from Sarah Harvey, a security/privacy engineer at Square, who compares data to lego bricks. You can put them together to build cool things with them, but if you don’t clean them up they hurt A LOT to step on. It’s easier to avoid stepping on one if you have an idea of where they all are, and I’m hoping everyone takes away an idea that these might be places your organization has piles of stray lego.