
Enterprise security: The hidden perils of ‘unguarded talk’

30 Aug 2017

The saying ‘loose lips sink ships’ was first coined by the American War Department as part of its security drive during the war.

Yes, users are the weakest link in security and we’ve heard many different examples, from falling victim to phishing attacks to leaving laptops on a bus. But some users will share information that seems innocuous, yet can be used by attackers in social engineering attacks, which are easier, lower risk and less costly than many technical exploits.

Let’s look at some of the most common examples of not-so-obvious information sharing.

Out-of-office notifications

A standard workplace procedure to inform clients, customers and prospects of your whereabouts can also be used by cyber criminals to gain the confidence of another employee to share important information. The attacker, posing as a co-worker, could convince another employee (indicated in the out-of-office email) that they are under a deadline to complete a report that needs information before the vacationing employee returns.

So how should businesses manage this? Well, from a policy perspective, consider allowing out-of-office notifications only for internal employees. The policy may need to be more specific to only those employees with access to sensitive information, while employees in other departments, such as sales or direct customer interaction roles, are not restricted.
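One way to put the out-of-office restriction above into practice, as an added example that is not part of the original article: it assumes an Exchange Online or Exchange Server management shell session is already connected, and the distribution group name is a placeholder for the group of employees with access to sensitive information. It reports members of that group whose auto-reply currently answers external senders, and optionally switches them to internal-only while leaving sales and other customer-facing staff untouched.

```powershell
# Added example (not from the article). Assumes an Exchange Online or
# Exchange Server management shell session is already connected and that
# the group name below is a placeholder for your own "sensitive roles" group.
$SensitiveGroup = 'OOF-InternalOnly'   # placeholder group name
$Enforce = $false                      # $true to correct, $false to report only

$members = Get-DistributionGroupMember -Identity $SensitiveGroup -ResultSize Unlimited

$findings = foreach ($m in $members) {
    $cfg = Get-MailboxAutoReplyConfiguration -Identity $m.PrimarySmtpAddress
    # Only an active auto-reply that answers external senders is an exposure.
    if ($cfg.AutoReplyState -ne 'Disabled' -and $cfg.ExternalAudience -ne 'None') {
        [pscustomobject]@{
            Mailbox          = $m.PrimarySmtpAddress
            ExternalAudience = $cfg.ExternalAudience   # 'Known' (contacts) or 'All'
            # ExternalMessage is stored as HTML; strip tags for a readable report.
            ExternalMessage  = ($cfg.ExternalMessage -replace '<[^>]+>', '').Trim()
        }
    }
}

$findings | Format-Table -AutoSize

if ($Enforce) {
    foreach ($f in $findings) {
        # Keep the internal reply; stop replying to anyone outside the organisation.
        Set-MailboxAutoReplyConfiguration -Identity $f.Mailbox -ExternalAudience None
    }
}
```

Run it with $Enforce set to $false first to review the list; because users can re-enable the external reply themselves in Outlook, schedule the audit rather than running it once.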

Social Media

We put a lot of personal information up on these platforms, simply because the profile template asks us for it. What we tend to forget is that our personal information is often publicly accessible, so your role, job title, company history and skills are out there in cyberspace, available for anyone and everyone to view.

This information may not be confidential from a corporate perspective, but it is a gold mine of information for con artists. Like the out-of-office notifications, this information can contribute to a social engineering attack that establishes credibility for the attacker to gain access to a user’s circle of trust.

While the social media hype is unlikely to die down and it is also near impossible to control what your employees are doing on social media, there are privacy settings that can help limit information sharing. If your organisation has a social media team, work with them on setting policies and educating your employees on the potential risks.

Sharing with press and vendors

Many enterprises have policies against sharing specific security controls and policies outside of the company.

But during public moments such as filming or demonstrations, there can be instances when information is inadvertently leaked, e.g. exposing Wi-Fi credentials or even user names and passwords.

Security professionals are probably not going to be on the invitation list for external media events but they can provide training to communication staff on what to look out for to protect information, especially in the background of publicly available materials.

Counter-intelligence operations

While honeypots have been around as a distraction to attackers for many years, providing attractive but fabricated information, the next generation of technologies are more sophisticated. They keep attackers engaged with automated reactions that allow the security team to ascertain the real objectives and methods of attack. This provides information that can be used to adapt defences such as addressing vulnerabilities, creating blacklists, or even identifying an insider threat.

These are just a handful of ways in which you or your employees can potentially share sensitive information.

Implementing enterprise security solutions can be complex. Within security, one can touch on identity access, governance, security management and much more, but don’t overlook the everyday sharing of information by users. An identity-centric approach needs to drive any enterprise security solution.

Attackers are looking for soft targets, and old-fashioned confidence schemes married to easily-accessible information can make their lives plain sailing.

Article by Peter Fuller, country general manager, Australia and New Zealand, Micro Focus.
