In this article I want to talk about the information that has to be protected from attackers who plan to harm your business. Note that we will not be discussing the technical side of a company's operations, but social engineering aimed at the weaknesses of its employees.
We have added a publicly available "CHECKLIST FOR CHECKING THE INFORMATION SECURITY OF ORGANIZATIONS". We hope that this checklist and the information in this article will add to your organization's peace of mind and information security.
You can read the checklist at the end of the article.
More often than not, email is the main entry point into the secrets of a company and its staff. Every official company website contains contact information that includes an email address on the company domain, for example email@example.com or firstname.lastname@example.org.
This is consistent with business etiquette, but today's Internet offers a huge number of tools (e.g. Google dorks, phonebook.cz, hunter.io) that, starting from the domain alone, collect other addresses the organization may never have intended to publish. This can reveal something like email@example.com, firstname.lastname@example.org or SolyuVseSekretyKontory@nameoforganization.com.
The mere existence of a work e-mail address not only makes it possible to contact the employee directly, bypassing the public relations department, but also tempts colleagues into misusing it: registering accounts on social networks, ordering deliveries, and so on. All of this eventually ends up in leaked databases. Starting from such an address, we can find a great deal of interesting personal information that is useful to hackers and cyber-blackmailers.
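To show why even two or three published addresses are enough to expose the whole staff, here is an added example (not code from the article or from any of the tools it names) of the naming-convention inference that hunter.io-style services perform: from a few name/address pairs taken off a "team" page it guesses the company's address format and predicts addresses for everyone else whose name appears on the site. The domain, names and addresses are constructed for the example; the pattern list is a hypothetical subset of the formats such tools try.

```python
from collections import Counter

# Constructed sample: names from a company "team" page paired with the
# addresses a search tool turned up for them (made-up people, example domain).
KNOWN = [
    ("Ivan Petrov", "ivan.petrov@example.org"),
    ("Anna Sidorova", "anna.sidorova@example.org"),
    ("Oleg Kuznetsov", "o.kuznetsov@example.org"),   # one person deviates from the norm
]
# Names that appear on the site without any published address.
UNKNOWN = ["Maria Ivanova", "Sergey Volkov"]

# Hypothetical set of naming conventions to test; each is a format string
# over the person's first name, last name and first initial.
PATTERNS = {
    "first.last": "{first}.{last}",
    "f.last": "{f}.{last}",
    "flast": "{f}{last}",
    "first": "{first}",
    "last.first": "{last}.{first}",
}


def split_name(full_name):
    """'Ivan Petrov' -> ('ivan', 'petrov'); the sample names are all two-part."""
    first, last = full_name.lower().split()
    return first, last


def match_pattern(local_part, first, last):
    """Return the name of the convention that produces local_part for this person, else None."""
    fields = {"first": first, "last": last, "f": first[0]}
    for name, fmt in PATTERNS.items():
        if fmt.format(**fields) == local_part:
            return name
    return None


def infer_pattern(known):
    """Most common convention across the known name/address pairs, or None if nothing matched."""
    counts = Counter()
    for full_name, address in known:
        local_part = address.partition("@")[0].lower()
        pattern = match_pattern(local_part, *split_name(full_name))
        if pattern:
            counts[pattern] += 1
    return counts.most_common(1)[0][0] if counts else None


def predict_addresses(names, domain, pattern):
    """Apply the inferred convention to names that have no published address."""
    fmt = PATTERNS[pattern]
    result = []
    for full_name in names:
        first, last = split_name(full_name)
        result.append(fmt.format(first=first, last=last, f=first[0]) + "@" + domain)
    return result


if __name__ == "__main__":
    pattern = infer_pattern(KNOWN)
    print("inferred convention:", pattern)
    for addr in predict_addresses(UNKNOWN, "example.org", pattern):
        print("likely address:", addr)
```

The practical consequence is the opposite of what a "contact us" page suggests: publishing even a handful of personal addresses in the standard format reveals the format itself, and from there every employee named on the site becomes reachable for phishing. Role mailboxes (press@, sales@) leak no convention and are the safer thing to publish.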
Employee photos on the company website
Yes, photos on a company's website help find employees' social media accounts. In most cases this information has no commercial value, but it is a great opportunity to gather details of an employee's private life, which can produce such a well-built social engineering campaign that the target will not even notice the hook.
By the way, there are quite a few tools for searching social media accounts by face, for example FindClone, SearchForFace, and even plain Google Images.
In reality, photos and public activity are less critical vulnerabilities than the personal data that can be gleaned through email addresses. Eliminating a company's public activity would cut off 80% of its marketing. Some things are worth publicizing and some are not.
An example of a social engineering attack would be a message like this: "Good afternoon, I saw you at the conference "Legends of SOC — 2023". We liked your presentation very much and would like to propose cooperation. The terms and a detailed offer are in the attachment." Admit it, tempting! Especially if your company slightly underpays its sysadmin and he is looking for a better offer. There is a high probability that even an experienced IT specialist will open the attachment first and only then think about it.
Files on the company website
You may think you have hidden all the unnecessary files, but Google's crawlers have carefully indexed everything. This is very easy to check. Suppose your website is rogaikopyta.site. Type into the Google search bar: filetype:pdf site:rogaikopyta.site (put the file format directly after filetype: with no space; repeat for doc, docx, xls, txt). Then check that nothing unnecessary has ended up in the public domain.
There is a set of documents that a legal entity is required to publish; anything not on that list is better removed, because unnecessary information about your employees, counterparties and financial assets is all excellent fodder for a potential attack.
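Here is an added example (not code from the article) that turns the two steps above into something you can run: it generates the filetype:/site: queries for every document format, and it audits a sitemap.xml for document URLs that are not on the list of files the company must publish. The sitemap content, the domain rogaikopyta.site and the REQUIRED_PUBLIC allowlist are constructed for the example; your own required-documents list replaces the allowlist.

```python
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Document formats worth checking with a filetype: query.
DOCUMENT_TYPES = ("pdf", "doc", "docx", "xls", "xlsx", "txt")


def dork_queries(domain, filetypes=DOCUMENT_TYPES):
    """One Google query per format, e.g. 'filetype:pdf site:rogaikopyta.site'."""
    return [f"filetype:{ft} site:{domain}" for ft in filetypes]


# Constructed sitemap.xml: what the site itself invites crawlers to index.
SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://rogaikopyta.site/index.html</loc></url>
  <url><loc>https://rogaikopyta.site/docs/privacy-policy.pdf</loc></url>
  <url><loc>https://rogaikopyta.site/docs/staff-phone-list.xlsx</loc></url>
  <url><loc>https://rogaikopyta.site/uploads/contract-draft-acme.docx</loc></url>
  <url><loc>https://rogaikopyta.site/files/backup-notes.txt</loc></url>
</urlset>"""

# Hypothetical allowlist: the documents the company is obliged to publish.
REQUIRED_PUBLIC = {"/docs/privacy-policy.pdf"}


def indexed_documents(sitemap_xml, filetypes=DOCUMENT_TYPES):
    """Paths in the sitemap whose extension is one of the document formats."""
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
    root = ET.fromstring(sitemap_xml)
    paths = []
    for loc in root.findall("sm:url/sm:loc", ns):
        path = urlparse(loc.text.strip()).path
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext in filetypes:
            paths.append(path)
    return paths


def unexpected_documents(sitemap_xml, allowlist=REQUIRED_PUBLIC):
    """Indexed documents that are not on the must-publish list: candidates for removal."""
    return [p for p in indexed_documents(sitemap_xml) if p not in allowlist]


if __name__ == "__main__":
    for query in dork_queries("rogaikopyta.site"):
        print("search:", query)
    for path in unexpected_documents(SITEMAP):
        print("review or remove:", path)
```

The sitemap audit is only the cheap first pass: crawlers also index documents reached through links that are not in the sitemap, so the filetype:/site: queries in Google remain the authoritative check of what is actually public.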
We also want to pay attention to which employees pose the greatest threat to the information security of companies.
Most information security studies identify employees as the weakest link in security measures, because they are the ones with day-to-day access to the organization's resources and documents.
New IT employee
A new IT employee can inadvertently cause enormous damage to a company's security. Hackers use ever more sophisticated methods to penetrate internal company resources, social engineering among them. A newly hired IT employee is unfamiliar with the protocols and processes for secure file transfer over the network, and is therefore an extremely attractive target for cybercriminals looking to gain full access to corporate information.
In many companies the system administrator handles the main information security issues. A sysadmin does not just deal with technical matters; they carry a huge responsibility for the organization's tangible and intangible assets and its reputation. Moreover, they know almost everything about the company and have access to all its confidential data, so under certain circumstances they can be put under pressure by cybercriminals.
Oddly enough, a company's CEO is often a major threat to its information security. According to the Ponemon Institute, more than half of the leaks involving employees are caused by top management. Such losses make it clear that hackers see not only middle managers but also top management as their targets. Executive assistants are also carriers of very valuable corporate information: they have access to credentials, passwords, financial reports and internal documentation. This is what makes them a particularly attractive target for hackers.
If your organization needs a complex, multi-stage security system, be prepared to work with a variety of service providers in this field. Remember, however, that an external security consultant brought in to assess the current level of security and set goals for the organization's IS program gets full access to all internal company resources and sensitive data, which hackers are well aware of.
Large companies often use several external vendors at once. Daily hacker attacks confirm that once vendors gain access to a company's internal systems and networks, those systems and networks become particularly exposed to cyber threats. To protect themselves, companies must give vendors limited, controlled access.
A fatal mistake many companies make is failing to revoke former employees' access to internal resources and networks. Organizations that make this mistake become even more susceptible to cyberattacks. The only real solution is to disable all accounts of departing employees immediately. Moreover, former employees can easily take databases of prospective and current customers and other confidential information with them and post it online.
Temporary employment is very common, especially in the service and sales industries. The IT sector is no exception: employees are often needed on a temporary basis to help close specific tasks. These employees are given access to various corporate portals and systems where the company's most important information and data are stored, and they are issued corporate laptops, tablets and smartphones. This is why such employees should be treated as full members of the organization and protected against information security threats. I would like to finish this article with a quote from Bruce Schneier: "In terms of security, the mathematical apparatus is flawless, computers are vulnerable, networks are lousy, and people are disgusting."
Remember that it is employees and their negligence toward security measures that pose the greatest threat to a company's IT security.
ADDITIONAL INFORMATION THAT MAY HELP YOU.