
Enterprise security: The hidden perils of ‘unguarded talk’

30 Aug 2017

The saying ‘loose lips sink ships’ was first coined by the American War Department as part of its security drive during the Second World War.

Yes, users are the weakest link in security, and we have heard many different examples, from falling victim to phishing attacks to leaving laptops on a bus. But some users share information that seems innocuous yet can be used by attackers in social engineering attacks, which are easier, lower risk and less costly than many technical exploits.

Let’s look at some of the most common examples of not-so-obvious information sharing.

Out-of-office notifications

A standard workplace procedure for informing clients, customers and prospects of your whereabouts can also be used by cyber criminals to win the confidence of another employee and persuade them to share important information. The attacker, posing as a co-worker, could convince the employee named as the contact in the out-of-office email that they are under a deadline to complete a report that needs information before the vacationing employee returns.

So how should businesses manage this? From a policy perspective, consider sending out-of-office notifications only to internal employees. The policy may need to be more specific, restricting only those employees with access to sensitive information while leaving employees in other departments, such as sales or direct customer-facing roles, unrestricted.
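One way to enforce the narrower version of that policy in an Exchange environment, as an added example that is not part of the article or of Micro Focus's own material: every member of a hypothetical mail-enabled group of sensitive-data handlers (the group name is an assumption) has their automatic replies limited to internal senders, while mailboxes outside the group are left alone. It assumes an Exchange Online or Exchange Management Shell session is already open.

```powershell
# Added example (not from the article). Assumes an Exchange management
# session is open and that the hypothetical group below lists the staff
# whose out-of-office replies must not reach external senders.
$SensitiveGroup = "Sensitive-Data-Handlers"   # hypothetical group name

$members = Get-DistributionGroupMember -Identity $SensitiveGroup -ResultSize Unlimited

$report = foreach ($m in $members) {
    $cfg = Get-MailboxAutoReplyConfiguration -Identity $m.PrimarySmtpAddress

    # ExternalAudience controls who outside the organisation receives the
    # auto-reply: 'All', 'Known' (contacts only) or 'None'. Only 'None'
    # keeps the "I'm away until X, contact Y" details inside the company.
    if ($cfg.ExternalAudience -ne 'None') {
        Set-MailboxAutoReplyConfiguration -Identity $m.PrimarySmtpAddress -ExternalAudience None

        # Record what was changed so the security team can review the
        # mailboxes that had been replying externally (and whether the
        # auto-reply was active at the time).
        [pscustomobject]@{
            Mailbox          = $m.PrimarySmtpAddress
            PreviousAudience = $cfg.ExternalAudience
            AutoReplyState   = $cfg.AutoReplyState
        }
    }
}

$report | Format-Table -AutoSize
```

Internal colleagues still receive the auto-reply, so the business purpose of the notification is preserved; only the exposure to outside senders is removed. Running the script on a schedule catches mailboxes whose audience setting has been switched back to external.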

Social Media

We put a lot of personal information on these platforms simply because the profile template asks for it. What we tend to forget is that this personal information is often publicly accessible, so your role, job title, company history and skills are out there in cyberspace for anyone and everyone to view.

This information may not be confidential from a corporate perspective, but it is a gold mine of information for con artists. Like the out-of-office notifications, this information can contribute to a social engineering attack that establishes credibility for the attacker to gain access to a user’s circle of trust.

While the social media hype is unlikely to die down, and it is near impossible to control what your employees do on social media, there are privacy settings that can help limit information sharing. If your organisation has a social media team, work with them on setting policies and educating your employees about the potential risks.

Sharing with press and vendors

Many enterprises have policies against sharing specific security controls and policies outside of the company.

But during public moments such as filming or demonstrations, information can be inadvertently leaked, e.g. by exposing Wi-Fi credentials and even user names and passwords.

Security professionals are probably not going to be on the invitation list for external media events, but they can train communications staff on what to look out for to protect information, especially in the background of publicly available materials.

Counter-intelligence operations

While honeypots have been used for many years to distract attackers by offering attractive but fabricated information, the next generation of technologies is more sophisticated. They keep attackers engaged with automated reactions that allow the security team to ascertain the real objectives and methods of the attack. This provides information that can be used to adapt defences, such as addressing vulnerabilities, creating blacklists, or even identifying an insider threat.

These are just a handful of ways in which you or your employees can potentially share sensitive information.

Implementing enterprise security solutions can be complex. Within security, one can touch on identity and access, governance, security management and much more, but don’t overlook the everyday sharing of information by users. An identity-centric approach needs to drive any enterprise security solution.

Attackers are looking for soft targets, and old-fashioned confidence schemes married to easily-accessible information can make their lives plain sailing.

Article by Peter Fuller, country general manager, Australia and New Zealand, Micro Focus.
