Mosaic Theory of Information Security: For Technical Writers


In finance, a concept called mosaic theory says that non-material information in sufficient quantities can be combined to constitute useful information. Investment analysts using this principle combine non-material information to develop significant insights into companies’ upcoming results without verging into insider trading.

In non-financial information security, a similar principle applies: a lot of insignificant details, like those you might include in your documentation or share on social media, can be combined to deduce significant aspects of your or your organization’s private data. Small divergences from usual patterns can, when combined, give a competitor or potential attacker hints about your organization’s strategy, upcoming product launches, or your private personal information.

In this talk, we discuss types of information you want to avoid posting about yourself or your organization to avoid unintentional disclosures.

  1. Mosaic Theory of Information Security: For Technical Writers. Margaret Fero, for the SF Bay Chapter of the STC, November 2020
  2. FIRST: Disclaimers. I’m not a lawyer, a financial advisor, the SEC, or in any way entitled to make expert judgements on what is or is not legal or insider trading. This whole talk is provided without warranty or guarantee. This is not legal advice. This is not financial advice. I’m going to talk about how legal and financial concepts work in a general sense, based on a layperson’s understanding, so we can all have a shared basis from which to discuss their applicability to information security. Do not make financial or legal decisions based on any information in this talk. Talk to actual experts if you feel inspired to make financial or legal decisions after watching this talk; do not rely on my information here. I am not an expert on insider trading regulations, but I have enough of a general idea to use them as an allegory for a security problem.
  3. "Cat on a wall" by digitaltemi is licensed under CC BY 2.0
  4. About Me
     ● Currently a Software Engineer with a focus on Security at a small startup
     ● Previously a Principal Technical Writer at Degreed, and overall a technical writer for over a decade, the last 6 years of it full-time
     ● Hold security certifications including the GSEC, GCIH, and GCIA
  5. Agenda
     1. About Mosaic Theory
     2. Some Examples, General and Specific to TechComm
     3. What To Watch Out For
     4. Conclusion
     5. Questions
  6. About Mosaic Theory
  7. Why mosaic theory? Money Stuff by Matt Levine: https://www.bloomberg.com/opinion/articles/2018-03-18/equifax-exec-sold-stock-after-hack-was-it-insider-trading
  8. What’s Insider Trading? (slides 8 and 9) https://www.investor.gov/additional-resources/general-resources/glossary/insider-trading
  10. "Every day, professional investors and research analysts work the phones to ferret out information about companies that can’t be found by simply reading news releases." Andrew Ross Sorkin, New York Times Dealbook column, November 29, 2010: https://dealbook.nytimes.com/2010/11/29/just-tidbits-or-material-facts-for-insider-trading/ ; "Puzzling" by byzantiumbooks is licensed under CC BY 2.0
  11. What counts as insider trading?
     Insider Trading (Bad):
     ● “Material” information direct from a reputable source
     ● Information comes packaged together
     ● Information is useful alone
     Skilled Financial Analysis (Good):
     ● “Immaterial” information from multiple sources
     ● You combine information to create useful packages
     ● Individual pieces of information are not as useful as the whole
  12. Some Examples
  13. Insider Trading. This is bad. https://www.sec.gov/news/press-release/2020-27
  14. Another Example of Alleged Insider Trading. This one still hasn’t gone to trial, so it may be okay, but it also sounds bad. https://www.sec.gov/news/press-release/2020-228
  15. Skilled Financial Analysis. This is good!
  16. To Review: Insider Trading: Bad. Skilled Financial Analysis: Good, actually!
  17. Why should I care as a technical writer? "Frank, September 4, 2011 - keyboard" by pat00139 is licensed under CC BY 2.0
  18. You also have information.
     Material non-public information:
     ● Details of unreleased features
     ● Internal approvals or QA processes
     ● Product roadmaps
     ● Usage data
     ● Company costs
     Immaterial or public information:
     ● Press release archives
     ● Job ads
     ● Your company’s website
     ● Your colleague’s lunch preferences
     ● Published documentation
  19. Material Information. This is bad to release. https://www.darkreading.com/cloud/hotelscom-and-expedia-provider-exposes-millions-of-guests-data/d/d-id/1339407
  20. Immaterial Information
     ● Travel opportunities
     ● Employee sabbaticals
     ● Employee travel
     ● Onsite/Offsite timing
     ● Food preferences
     ● Release schedule
     This is good to release! ...right?
  21. What should I watch for?
  22. High-Risk Categories
     ● Job Posts & Resignations
     ● Employee Sentiment
     ● Feature Details
     ● Tooling
     ● Compliance Changes
     Image credits: "Sharpest tool in the shed" by Lachlan is licensed under CC BY 2.0; "Slides Box Paperwork" by cdsessums is licensed under CC BY-SA 2.0; "Job Listings" by flazingo_photos is licensed under CC BY-SA 2.0; "Thumbs Up" by Learn4Life is licensed under CC BY-SA 2.0; "Project Management Plan" by perhapstoopink is licensed under CC BY 2.0
  23. Disclaimer (again): The tools I’m about to mention are risky because they’re useful! Banning these tools is not a good mitigation strategy. "Lego bricks" by EEPaul is licensed under CC BY 2.0
  24. Tooling
     ● Job post contents
     ● Employees’ role descriptions on LinkedIn or networking sites
     ● Meetup membership or attendance
     ● Vendor forum membership
     ● Event or networking conversations
  25. Compliance Changes
     ● LinkedIn posts
     ● Conference attendance or course completion
     ● Forum posts
     ● Meetup membership or attendance
     ● Job postings
     ● Joining professional organizations or networks
  26. Job Posts & Resignations
     ● Your career site
     ● Your ATS or company LinkedIn page
     ● Recent alumni’s LinkedIn or social media accounts
     ● Your company or product blog, or individuals’ blogs
     ● Networking conversations
  27. Employee Sentiment
     ● Social media
     ● Press mentions
     ● Glassdoor reviews
     ● Networking Slacks and Discords
     ● Conversations on public transit (someday...)
     ● Conversations near your office (someday...)
  28. Feature Details
     ● “Coming Soon” listings or sections
     ● Company blog
     ● Descriptions of what individual employees are working on
     ● Documented defaults
     ● Documented settings
     ● Documented procedures, processes, and overrides
  29. Other Information You Have
     ● Instagram posts
     ● Vacation responders
     ● Individual Preferences
  30. What Now?
  31. Don’t despair, just be aware! "Full Rainbow at Sunrise at Columbia River in Washington" by Landscapes in The West is licensed under CC PDM 1.0
  32. Thank you! Questions? @maggiefero, Linkedin.com/in/margaretfero, Degreed.com/maggiefero