Chapter 6. Limiting Information Disclosure


There is no reason to give away information for free. This includes the system's name, its function, and the company's name. Those who are authenticated to use the system know this information, and those who are not don't need to know it. Information may be the hacker's goal or it may be the means to the end. In any case, information is the hacker's most powerful tool. The hacker will want information on the kind of system, the applications that run on it, the users who use it, and the company that owns it. Every piece of information is just one more piece of the puzzle that must be solved for the hacker to achieve his goal.

Information systems can disclose a great deal of information if they are not appropriately administered. They are often built for maximum convenience and usability, not to prevent the disclosure of information without appropriate authentication. Disclosed information can be used to determine how to compromise the system. Databases of known vulnerabilities and software to exploit them are widely available, and knowledge of the type of system and the version of its software can be used to attack it.

Disclosure of information about users can aid in the process of password guessing or social engineering. Disclosed personal information can lead to personal security risks to the user and legal liability to the organization.

Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210
