Monday, April 21, 2014

Treasures on the Web

The Internet is a wonderful tool to find information and learn about topics.  People share so much information about themselves on Twitter, Facebook and other social media sites.  We expect people to let it all hang out here.  You might be amazed at how exposed many companies are.  It's likely they don't realize how much information is available to social engineers who thrive on the data.

Where is all this information?  Websites are the standard vehicle to disseminate information.  Generally these websites are well designed to provide specific information to a diverse audience in a way that most people can understand.  Generally visitors of these websites aren't going to find an employee directory or find the names of departments here.  Organizations might be surprised to find that they are emitting sensitive pieces of information in the caverns of the site.  Where?  Let me count the places... 

Many companies that are technical in nature provide technical forums where the troubleshooters of the world look for solutions to common problems.  Generally the forum moderator is a highly skilled technician who can provide answers to the answer seekers.  This person may provide his or her name when responding.  If the technician has an impressive certification, he or she might provide that number with his or her response to a customer's question.  Posts to online forums provide employee names, email addresses, corporate structure and environment, and other information that allows hackers to target individuals with spear-phishing campaigns.

Microsoft Office documents are a wonderful source of information.  Have you ever looked at the meta-data on a Word document?  If the document isn't cleansed, it can provide information about an organization to a knowledgeable person.  Do you know how?  Open a Word document that you created.  Click File and review the information on the Info page (generally on the right-hand side of the screen).  Your name should be listed as the author.  If the document was modified on another person's computer, their name will also be listed as someone who modified the document.  Now click on the option "Show All Properties" in the lower right-hand corner.  You might not have a "manager" at home, but your manager's name might show up on a corporate document.  Finally, click Open File Location -- the path might provide information about the directory structure in an organization.  Bitta bing.

Websites that allow users to download information from their website might be exposing the type of software used at the organization.  That doesn't seem very dangerous....unless the software is outdated.  Hackers use a combination of methods to gather information.  Knowing that an organization doesn't run current software is a pretty nice clue to a hacker that he might be able to retrieve information easily.

Some organizations post sensitive information on corporate websites.  Research shows that searching for terms such as 'temp', 'data' and 'admin' provided access or data that many corporations probably didn’t think hackers would try to access.  
 
What should organizations do?  Perform a risk assessment against your “digital estate” by completing the following steps:  first, assess the Internet presence to determine the kind of information available to the public; second, cleanse meta-data from the web and patch all corporate devices; third, educate all employees about the value of the data they manage and provide clear instructions on how to protect it; and fourth, ensure corporate policies exist to minimize accidental information leaks.

Microsoft Word provides a means to cleanse an Office document of personal information.  It's quick and easy.  Open an existing Word document.  Click File, then select "Check for Issues" next to Inspect Document.  Several choices will appear.  Select "Inspect Document".  Leave all the items checked, then click "Inspect".  Read the results.  You can choose to remove potentially sensitive information.  Word even allows you to reinspect the document before posting it, to ensure that you aren't exposing yourself or corporate secrets.
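To check many files before they go on the web, the same properties the Info page shows (author, last modified by, manager, plus the company field) can be read straight out of the .docx package. This is an added example, not part of the original post; the `build_sample` helper and the names in the sample data are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Property parts inside an OOXML (.docx/.xlsx/.pptx) package and the fields
# in each that identify people or the organization.
# Meant for auditing your own documents before publishing them.
FIELDS = {
    "docProps/core.xml": ("creator", "lastModifiedBy"),
    "docProps/app.xml": ("Manager", "Company"),
}

def leaked_properties(docx):
    """Return {field: value} for identifying properties still set in the file."""
    found = {}
    with zipfile.ZipFile(docx) as pkg:  # docx: a path or a binary file object
        names = set(pkg.namelist())
        for part, wanted in FIELDS.items():
            if part not in names:
                continue  # a cleansed or minimal package may omit the part
            root = ET.fromstring(pkg.read(part))
            for el in root.iter():
                local = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
                if local in wanted and el.text and el.text.strip():
                    found[local] = el.text.strip()
    return found

def build_sample(core_xml, app_xml):
    """Constructed test package: only the two property parts, no body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("docProps/app.xml", app_xml)
    buf.seek(0)
    return buf

CORE = (
    '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
    'package/2006/metadata/core-properties" '
    'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>{a}</dc:creator>'
    '<cp:lastModifiedBy>{m}</cp:lastModifiedBy></cp:coreProperties>')
APP = (
    '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/'
    '2006/extended-properties"><Manager>{g}</Manager><Company>{c}</Company></Properties>')

if __name__ == "__main__":
    dirty = build_sample(CORE.format(a="Jane Doe", m="John Roe"),
                         APP.format(g="Pat Boss", c="Example Corp"))
    print(leaked_properties(dirty))
```

An empty result means none of the four fields is set; any other result lists what a visitor who downloads the file would see.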
