The saying 'loose lips sink ships' was first coined by the American War Department as part of its security drive during the war.
Yes, users are the weakest link in security and we've heard many different examples, from falling victim to phishing attacks to leaving laptops on a bus. But some users will share information that seems innocuous, yet can be used by attackers in social engineering attacks, which are easier, lower risk and less costly than many technical exploits.
Let's look at some of the most common examples of not-so-obvious information sharing.
A standard workplace procedure for telling clients, customers and prospects where you are can also be used by cyber criminals to gain the confidence of another employee and get them to share important information. The attacker, posing as a co-worker, could convince the colleague named in the out-of-office email that they are under a deadline to complete a report and need information before the vacationing employee returns.
So how should businesses manage this? From a policy perspective, consider sending out-of-office notifications only to internal recipients. The policy may need to be narrower still, restricting only those employees with access to sensitive information, while employees in other departments, such as sales or other customer-facing roles, are not restricted.
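As an added illustration of that policy (not part of the original article), the following Exchange Online PowerShell session first audits which mailboxes auto-reply to external senders, then limits out-of-office replies to internal recipients for members of one group; it assumes the ExchangeOnlineManagement module and a placeholder group name, SensitiveDataHandlers.

```powershell
# Added example, not from the original article. Assumes Exchange Online with the
# ExchangeOnlineManagement module installed; 'SensitiveDataHandlers' is a placeholder.
Connect-ExchangeOnline

# 1. Audit: list every mailbox whose auto-reply is on AND reaches external senders.
#    This is the exposure the article describes: an outsider learns who is away,
#    until when, and who is covering.
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxAutoReplyConfiguration |
    Where-Object { $_.AutoReplyState -ne 'Disabled' -and $_.ExternalAudience -ne 'None' } |
    Select-Object Identity, AutoReplyState, ExternalAudience, ExternalMessage |
    Format-Table -AutoSize

# 2. Restrict: for the group of staff handling sensitive information, keep
#    out-of-office replies internal only. External senders receive nothing;
#    colleagues still see the internal message and the named backup contact.
$restricted = Get-DistributionGroupMember -Identity 'SensitiveDataHandlers' -ResultSize Unlimited
foreach ($member in $restricted) {
    Set-MailboxAutoReplyConfiguration -Identity $member.PrimarySmtpAddress -ExternalAudience None
}

# 3. Stricter, tenant-wide option: stop out-of-office replies to all external
#    domains regardless of per-mailbox settings. Use only if customer-facing
#    roles do not need external auto-replies.
# Set-RemoteDomain -Identity Default -AllowedOOFType None
```

Step 1 can be re-run on a schedule as a detection check, since users can switch ExternalAudience back to 'All' themselves unless step 3 is applied.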
We put a lot of personal information on social media platforms, simply because the profile template asks us for it. What we tend to forget is that this personal information is often publicly accessible, so your role, job title, company history and skills are out there in cyberspace for anyone and everyone to view.
This information may not be confidential from a corporate perspective, but it is a gold mine of information for con artists. Like the out-of-office notifications, this information can contribute to a social engineering attack that establishes credibility for the attacker to gain access to a user's circle of trust.
While the social media hype is unlikely to die down, and it is near impossible to control what your employees do on social media, there are privacy settings that can help limit information sharing. If your organisation has a social media team, work with them on setting policies and educating your employees on the potential risks.
Sharing with press and vendors
Many enterprises have policies against sharing specific security controls and policies outside of the company.
But during public moments such as filming or demonstrations, information can be inadvertently leaked, for example WiFi credentials, or even usernames and passwords, visible in the background.
Security professionals are probably not going to be on the invitation list for external media events, but they can train communications staff on what to look out for to protect information, especially in the background of publicly available materials.
While honeypots have been used for many years to distract attackers with attractive but fabricated information, the next generation of deception technology is more sophisticated. It keeps attackers engaged with automated reactions that allow the security team to ascertain the real objectives and methods of the attack. This provides information that can be used to adapt defences, such as addressing vulnerabilities, creating blacklists, or even identifying an insider threat.
These are just a handful of ways in which you or your employees can potentially share sensitive information.
Implementing enterprise security solutions can be complex. Within security, one can touch on identity and access, governance, security management and much more, but don't overlook the everyday sharing of information by users. An identity-centric approach needs to drive any enterprise security solution.
Attackers are looking for soft targets, and old-fashioned confidence schemes married to easily-accessible information can make their lives plain sailing.