Your Company Secrets Exposed:
Part One- The Problem Revealed
By Sharon Green
Every time a Microsoft Office Word, Excel or PowerPoint document is posted on your Web site, sent out as an email attachment or otherwise put into the hands of an outsider you risk exposing sensitive information about your company. Think you know what’s out there? Are you sure?
 Comments or information hidden by authors will remain in documents unless actively removed. Word, PowerPoint and Excel all have an Insert>Comment command to allow users to insert comments in a document. Those comments may not be appropriate for readers outside your company. In addition, PowerPoint presentation notes, hidden slides and Word hidden text can all contain sensitive or confidential data that is not intended for general consumption.
Local and network paths can be pulled from hyperlinks  to expose network topology and directory naming conventions.
 Information that can be used to access database files is included in the Excel database queries used to import data into Excel. It can include the path or URL to a database server, the database username and password and SQL query strings, all of which can be used to access information that is not included in the distributed document. Even with a high level of network security to prevent outside access there is still the possibility of inappropriate internal access to sensitive data.
Property metadata including the sender’s email address, user name and routing information is added to every Microsoft office document that is emailed as an attachment through Outlook. If the attachment is later posted to a Web site or forwarded the property metadata stays with it.
Customized properties created via the File>Properties>Custom command in PowerPoint, Word and Excel documents are often used as metadata in content management systems. The information in custom properties may include Client, Telephone Number, Destination, Source, Purpose, Received From, Owner, Document Number, and Division to name a few. Custom properties can be used to gain insight into content management systems and document classification.
 Statistic Properties automatically compiled in Office documents pose little security threat but document creation/revision dates and times may provide a little too much information in environments where they can be linked to time and billing.
Objects embedded in Office documents via the Insert>Object command include any “hidden” content, property metadata, local or networks links, etc. associated with the embedded object. Even if the main document is encrypted as a security precaution the embedded objects are not encrypted.
 Security protections applied in Office documents are not a guarantee of safety. Applying password or password to modify protections do not encrypt a Word or Excel file. In addition, the password required to modify a document is included as a clear text element in the file, leaving the document vulnerable to hacking. Sheet protection added to an Excel spreadsheet to prevent recipients from viewing hidden cells can be removed, thus exposing information in hidden cells.
These are only a few of the exposure risks created by publishing Office documents. The moral of the story is be aware of the exposure risks, decide what information you are willing to risk and seek out precautions to protect the rest.
# # #
|
