3 Keys to Managing Your Online Identity

By

The “Internet” – which started out as a way for universities to exchange information, and for the US military to maintain communication in the event of an attack – has grown into  a massive collection of systems which allows businesses to be open 24 hours a day  7 days a week, and 365 days a year. This is a great thing for businesses, as they can market and sell their products without the restrictions of a brick-and-mortar storefront. We have also seen rapid adoption of computer systems to replace many back-office processes. With this comes the risk of potentially leaking trade secrets, intellectual property and many other things to prying eyes.

Maintaining an Internet presence is a great thing for any organizational entity, in fact it is not just great — it is a necessity; it is equally important that companies protect and secure their data.  There is a great deal of information being leaked on a daily basis, attributed either to poorly-configured systems or to accidental information disclosure. Below are three simple ways a company can help identify their risk posture by using reconnaissance methods similar to those used by hackers.

Search Engines

Search engines are an excellent tool for helping hackers search for easy targets, or for stealing a company’s most sensitive intellectual property.  Search engines continue to be significant channels aiding hackers to find and penetrate weak systems.   Many hackers agree that, for them, reconnaissance is the foundation for effective penetration.  One could possibly use these same discovery techniques to identify the presence, and ultimately enhance the security, of his/her brand?  Sounds obvious, right?  It is amazing what type of information could be found with a few well-crafted search queries pertinent to one’s own company or organization. Remember that, once Google finds your site, it spiders, indexes and caches everything it finds.

The concept of “Google Hacking” is not new, in fact Johnny Long of hackersforcharity.org wrote “Google Hacking” back in 2007.

In order to clearly identify information being leaked, one needs to understand the advanced search operators that Google offers.  I am not going to explain each operator, or even the advanced techniques in this post; my primary aim is to raise awareness about protecting websites and web applications from leaking sensitive data.

Identify network and nodes

Part of reconnaissance is to identify systems on a network which have not been patched or are not at the latest patch level, rendering them vulnerable to exploitation.  Before doing this, a hacker will need to identify nodes that are easily reached from the Internet.  In order to ensure that an attacker is unable to easily compromise sensitive information, it is essential that a company quickly enumerate their presence in this space.  There are many ways to identify servers, pertinent software revisions and stored content by simply visiting sites such as Netcraft. It is imperative that you document every node on your network and have a process in place to apply software patches on a regular basis. There are a plethora of tools available to automate both the identification and the vulnerability remediation of nodes, as ignorance is never an acceptable excuse in the event of a data breach.

Social Media

Another mechanism used by malicious hackers to better understand the network topology, security posture, and culture surrounding a corporation’s presence is Social Media (e.g. Facebook, LinkedIn, Twitter, etc.).  One would be surprised at the sensitivity of information employees may be leaking for the world to see. I have included an example below:

Joe has been working long hours and weekends rushing to try and get the latest functionality out to the website. He knows that he has sacrificed some security to meet his deadline. He’s angry and disgruntled that he missed out on free tickets and an opportunity to attend his favorite team’s football game. He posts on his Facebook later that night how disappointed he is that he did not get to see his favorite team play. The reason being that the latest project he’s been working on had tight timelines.

He ends his post with “and I didn’t even get to implement all the security fixes and now I’ll just have to go back and implement stored procedures for all my database calls. More long late night’s ugh!

Joe’s family and friends more than likely have no idea what he is rambling on about.  Joe’s Facebook profile may not say that he works for XYZ Corp., so there are no ties back to his company…what’s the big deal?  Well, his LinkedIn profile does mention that he works for XYZ, and that he is a PHP developer for their Internet-facing content. This means that anyone who may be targeting Joe’s company can potentially link Joe to XYZ and XYZ to a site which may have vulnerable PHP content (because it was clearly a rush job).  Remember, effective hackers don’t look for just the obvious; they look for ways to correlate information which potentially identifies weaknesses.  In order to prevent this, one should regularly audit and monitor social media (and similar) sites for discussions regarding his/her corporate brand.

It is imperative, that organizations – large and small – review polices and guidelines for information protection.  They should understand the scope of information that is actually leaking out of their company.  By actively performing reconnaissance against one’s business or organization, he/she can provide extremely valuable details, essential in order to avoid data leakage.

Recon yourself regularly; you’ll be amazed what you will find.

 Dinesh Mistry is a security researcher for the InfoSec Institute and has over 16 years of experience in the IT field.




Edited by Cassandra Tucker
Get stories like this delivered straight to your inbox. [Free eNews Subscription]
SHARE THIS ARTICLE
Related Articles

Can Science Outsmart Deepfake Deceivers? Klick Labs Proposes an Emerging Solution

By: Alex Passett    3/25/2024

Researchers at Klick Labs were able to identify audio deepfakes from authentic audio recordings via new vocal biomarker technology (alongside AI model…

Read More

Top 5 Best Ways to Integrate Technology for Successful Project-Based Learning

By: Contributing Writer    3/19/2024

Project-based learning, also popularly known as the PBL curriculum, emphasizes using and integrating technology with classroom teaching. This approach…

Read More

How to Protect Your Website From LDAP Injection Attacks

By: Contributing Writer    3/12/2024

Prevent LDAP injection attacks with regular testing, limiting access privileges, sanitizing user input, and applying the proper encoding functions.

Read More

Azure Cost Optimization: 5 Things You Can Do to Save on Azure

By: Contributing Writer    3/7/2024

Azure cost optimization is the process of managing and reducing the overall cost of using Azure. It involves understanding the resources you're using,…

Read More

Massive Meta Apps and Services Outage Impacts Users Worldwide

By: Alex Passett    3/5/2024

Meta's suite of apps and services are experiencing major global outages on Super Tuesday 2024.

Read More