One of the best online resources for cyber criminals is Google. While businesses seek to utilize their company website, Facebook, Twitter, LinkedIn, and the like for marketing and recruitment purposes, they are unintentionally leaking information that can be useful to cyber criminals. At the same time, their employees are also guilty of both disclosing more details about their job duties as well as connecting to and friending people based on invites without any due diligence.
For businesses, below are some typical areas where internal information is disclosed:
Press Releases: Expanding your business? Offering a new product? That is great and something to brag about. But pick and choose what details you make public. Let's say you are offering a new product or service, and you bought a new piece of equipment to provide it, or have a new vendor to help you support it. If possible, don't name business partners or describe any new additions of equipment by name. While these details don't sound like anything of importance, internal details can be used in spear-phishing to gain the trust of your employees. Let's say you name your new business supplier (XYZ Corp) in your press release. A few weeks later an e-mail is sent to your accountant that appears to be from XYZ Corp saying they just changed banks and to use the below banking information to pay future invoices. You figure out that it was a phishing e-mail when XYZ Corp starts calling you because of all the unpaid invoices, and now you are out the money.
Job Postings: One of my pet peeves is all of the information you can glean from an organization's job postings. An example is if your company is hiring a Database Administrator, you don't have to say in the posting "Must be experienced with MS SQL Server 2008 R2 Express" This tells the public what version of your database you are running, and what security issues you may be vulnerable to. Simply saying "Must be experienced with MS SQL Server" will suffice.
Vendor Endorsements: I never give public vendor recommendations (posted on the vendor's website). Why? Because I don't want anyone knowing too much about the inner workings of my business, such as my vendors. The reason being is that a cyber criminal can use that relationship to try to spear phish either company. Also, this may not be something you want your competitors to know about either. If you have a really good vendor relationship and they want a recommendation, offer to give one-off personal recommendations. Just don't put it out on the web for the world to see.
Website Contacts: If possible (granted it is a must for some industries), do not have a directory of your employee's names and contact information on your company website. This is a treasure trove for cyber criminals for both phishing e-mails as well as scam phone calls. Use generic contact e-mails in your Contact US sections such as sales@xyzcorp.com, or even better is a contact form that does not disclose company e-mail addresses.
Tips for your employees:
Social Media: Encourage your employees to leave their job duties generic when updating their LinkedIn profile or online resumes. If you are an Accountant for a business, that is great. You don't have to put on LinkedIn that you handle all of the business's banking, send wire transfers, or are familiar with Wells Fargo's business banking portal. This is way too much information to be giving out to potential cyber criminals and can be utilized in a Business Email Compromise (BEC) or spear -phishing attack. Save the details for the resume you submit to a potential employer. The one you publicly post should be a summary.
Technology questions using company e-mail address: Technology folks will often visit tech blogs and websites soliciting information and knowledge regarding a problem they are trying to resolve. This is all well and good, but sometimes they post detailed questions that disclose the names/versions of systems and applications using their company e-mail address, and therefore identifying the organization with the problem. Information about current IT issues (whether security related or not) should not be publicly disclosed. It's not something you want hackers to see, and it doesn't look good to current or future customers to see.
Be Secure!
@tjmprofessional
No comments:
Post a Comment