Information Posted Online Can Be a Stepping Stone for a Breach.
As part of our commitment to staying on the forefront of cybersecurity, CyberMSI will be writing a series of threat vector blogs, starting with publicly available information. Posting too much information about your organization on the internet and social media can give malicious actors the information they need to gain access to your systems.
In this blog, we will go over examples of organizations oversharing information and how that information can act as a threat vector. We will also discuss ways to potentially mitigate these issues so that your organization can manage the risk associated with this threat vector.
Organization Website
Many organizations take pride in their accomplishments and the quality of their leadership. This is healthy, but it can also put a sizable amount of information in front of the public. Names, titles, and photos of executives, and the names of other organizations you work with, are exactly the material a spear phishing campaign is built from: an email that appears to come from the CFO, or from a partner the recipient knows the company works with, is far more convincing than a generic lure.
Other sections of the website can also teach a malicious actor about your organization. Overly detailed pages, including the about us pages or even the company blog, may reveal more about your IT and cybersecurity strategies, such as which products and providers you rely on, than you would want them to.
You can mitigate this risk by having a security professional, preferably someone with red team experience, go through the website the way an attacker would and flag any information that would make it easier to infiltrate the organization. Since new content is published continuously, treat that review as a recurring task rather than a one-time exercise.
Organization Social Media
The team that runs an organization’s social media typically has only minimal information security training. While announcing something like a new initiative, a new office, or a new technology partnership, they can easily release details that create new opportunities for social engineering or describe IT infrastructure in a way that can be used against you later.
The mitigation for this threat vector is to give the social media team access to someone with significant security experience, either as a member of the team or as a reviewer for posts that mention people, partners, technology, or internal projects.
Employee Personal Social Media
Employees’ social media activity is a very common problem, for both reputation and security reasons. Employees are entrusted with sensitive information so that they can do their jobs, but they may not have the training, or sometimes the judgement, to keep that information off their social media presence.
This is especially an issue for organization members who have access to more information or more influence than the average employee. A CFO who does not know any better could post all kinds of information that gives a malicious actor several new angles of approach.
The mitigation for this threat vector is to add stipulations to the NDA that your organization members sign that place stricter restrictions on social media use. Some organizations go further and require employees to set their social media profiles, on platforms such as Facebook, to private so that they cannot accidentally post something publicly that could be compromising.
Third-Party Partners Oversharing
When working with a third-party partner, a trust relationship needs to be formed and maintained. Otherwise there is no way of telling whether they will overshare your company’s information with their own employees or even the public. All of the public information threat vectors that apply to your organization apply to third-party partners as well.
The mitigation for this threat vector is to have a well-written NDA signed and to monitor the security standards of the third-party organization. Compliance attestations like SOC 2 are also used between partners to make sure that information security is being maintained while a third party works with your information.
Information Left in Your DMZ
Many organizations run a DMZ so that people outside the organization can reach selected internal resources that are published through it. The problem is that careless IT admins running the infrastructure can leave sensitive information on DMZ hosts. This can include information about the internal network, such as configuration files or documentation, and stored credentials for admin accounts used during routine maintenance tasks, often sitting in a script or a note that was never meant to stay there. Anything stored on a DMZ host should be assumed reachable by an attacker who compromises that host, and sometimes by anyone who can browse its web root.
The mitigation for this threat vector is to have security administrators follow documented procedures for securely maintaining DMZ infrastructure: no credentials in scripts or files, no internal documentation staged on public-facing hosts, and periodic checks of what is actually stored there. If malicious actors can find information on publicly available infrastructure, it is important to make sure that nothing that can be used in an attack can be found there.
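As an added example (this is not CyberMSI tooling or code from the original post), the following Python script shows the kind of periodic check described in this section and in the Organization Website section above: scan text that is reachable from outside, whether a public web page or a file sitting in a DMZ web root, for information an attacker could reuse. The sample "about us" page and the maintenance script are constructed for the example, and the pattern set is a starting point to extend for your own environment, not a complete list.

```python
"""Scan externally reachable text (web pages, files in a DMZ web root) for
information an attacker could reuse. Added example; the sample inputs below
are constructed and the pattern set is a starting point, not a complete one."""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Each pattern is labelled with the kind of information it reveals.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "private_ipv4": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3})\b"
    ),
    "internal_hostname": re.compile(
        r"\b[\w-]+(?:\.[\w-]+)*\.(?:internal|local|corp|lan)\b", re.IGNORECASE
    ),
    "credential": re.compile(
        r"(?P<key>password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?"
        r"(?P<value>[^\s'\"]+)",
        re.IGNORECASE,
    ),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    source: str   # file path or URL the text came from
    kind: str     # key from PATTERNS
    line_no: int
    excerpt: str  # what matched, with credential values masked


def scan_text(source, text):
    """Return one Finding per pattern match in `text`, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                if kind == "credential":
                    # Never copy the secret itself into a report.
                    excerpt = f"{match.group('key')}=<redacted>"
                else:
                    excerpt = match.group(0)
                findings.append(Finding(source, kind, line_no, excerpt))
    return findings


def scan_directory(root):
    """Scan every regular text file under `root` (for example a DMZ web root)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            try:
                text = path.read_text(encoding="utf-8")
            except (UnicodeDecodeError, OSError):
                continue  # binaries and unreadable files are skipped
            findings.extend(scan_text(str(path), text))
    return findings


def summarize(findings):
    """Count findings by kind, for a quick view of what a page or host exposes."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample: an "about us" page naming an executive, an internal
# host and a private address.
ABOUT_US_HTML = """<h2>Leadership</h2>
<p>Jane Doe, Chief Financial Officer (jane.doe@acme-example.com)</p>
<p>Our IT team runs the ERP on erp01.acme-example.corp at 10.20.30.40.</p>
"""

# Constructed sample: a maintenance script left behind in a DMZ web root.
MAINTENANCE_SCRIPT = """# backup.sh - copies the nightly dump to the backup server
ADMIN_PASSWORD=Summer2023!
BACKUP_HOST=10.0.5.12
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA0Zt3
"""

if __name__ == "__main__":
    samples = (("about-us.html", ABOUT_US_HTML), ("tools/backup.sh", MAINTENANCE_SCRIPT))
    for source, text in samples:
        for f in scan_text(source, text):
            print(f"{f.source}:{f.line_no} [{f.kind}] {f.excerpt}")
```

Run `scan_directory("/var/www/html")` on a DMZ host, or feed `scan_text` the fetched body of each public page, and review the findings by hand: an email address on a contact page is intentional, a private address or a password assignment almost never is. The credential value is masked in the report on purpose, so the report itself does not become another place the secret is stored.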
Customer Facing Apps
Some organizations have customer facing apps that customers use to interact with the organization. This is another public area that malicious actors can use to gather more information about you. They can look around the app for any useful information about the organization, and they can try exploiting it to get more information out of it than intended, for example by provoking error messages that reveal internal hostnames, database details, or stack traces.
The mitigation for this threat vector is to have a secure development lifecycle in place when creating or updating customer facing apps. It is also a good idea to have someone with red team experience interact with the app from the outside to see what it reveals about the organization.
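The following Python example (added here; not code from the original post or from any CyberMSI product) shows the most common way a customer facing app gives away more than intended: an error path that echoes the backend's exception to the caller. The backend, the hostname `db01.acme-example.internal` and the table name are constructed stand-ins. The hardened handler validates input before it touches the backend, returns a generic message with an incident id, and keeps the details in the server log, where your own team can read them and an attacker cannot.

```python
"""A leaky and a hardened error path for a customer facing request handler.
Added example with a constructed backend; hostname and table name are made up."""
import json
import logging
import re
import traceback
import uuid

log = logging.getLogger("orders-api")

DB_HOST = "db01.acme-example.internal"  # constructed internal hostname


def lookup_order(order_id):
    """Constructed data layer. Like many real database drivers, its exceptions
    name the host, the query and the table."""
    if order_id == "0":
        raise ConnectionError(f"could not connect to {DB_HOST}:5432")
    if not order_id.isdigit():
        raise RuntimeError(
            f"{DB_HOST}: invalid input for integer in "
            f"SELECT * FROM orders_v2 WHERE id = '{order_id}'"
        )
    return {"id": order_id, "status": "shipped"}


def handle_leaky(order_id):
    """Returns (status, body). Any failure echoes the raw exception and the
    stack trace to the caller, which is exactly what a red teamer probes for."""
    try:
        return 200, lookup_order(order_id)
    except Exception as exc:
        return 500, {"error": str(exc), "trace": traceback.format_exc()}


ORDER_ID = re.compile(r"\d{1,12}")


def handle_hardened(order_id):
    """Returns (status, body). Rejects malformed input before it reaches the
    backend; on failure returns only a generic message and an incident id,
    and writes the details to the server-side log."""
    if not ORDER_ID.fullmatch(order_id):
        return 400, {"error": "Invalid order id."}
    try:
        return 200, lookup_order(order_id)
    except Exception:
        incident_id = uuid.uuid4().hex[:12]
        log.exception("order lookup failed, incident %s", incident_id)
        return 500, {
            "error": "The request could not be processed.",
            "incident_id": incident_id,
        }


# Strings that should never appear in a response: the check a red teamer
# would run over every error the app can be made to produce.
SENSITIVE_MARKERS = (DB_HOST, "SELECT ", "orders_v2", "Traceback")


def leaks_internal_detail(body):
    """True if the serialized response body contains any sensitive marker."""
    text = json.dumps(body)
    return any(marker in text for marker in SENSITIVE_MARKERS)


if __name__ == "__main__":
    for handler in (handle_leaky, handle_hardened):
        for order_id in ("42", "12abc", "0"):
            status, body = handler(order_id)
            leaks = leaks_internal_detail(body)
            print(f"{handler.__name__}({order_id!r}) -> {status}, leaks={leaks}")
```

The `leaks_internal_detail` check is deliberately crude; its value is in running it against every error the app can be made to produce, including inputs the developers never expected, which is what the outside review recommended above amounts to.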
We will continue to share best practices and lessons learned in future posts in the Threat Vectors series. Controlling information coming out of the organization is an important part of the risk management process.
In closing, consider these three questions when mitigating the publicly available information threat vector in your organization:
- Are there any procedures in place to guide what kind of information is allowed in public-facing IT apps or services?
- Do we have anyone reviewing the information that the organization and its employees are putting out online?
- Are the non-disclosure agreements (NDAs) that we are using able to prevent employees and third-party partners from disclosing sensitive information publicly?