Your company’s IT security is not only a matter of firewalls and security staff. You, as a non-security person, can do a lot to avoid leaking data and sensitive information.
Through our security audit experience we have learned that in most companies, staff unknowingly leave a large amount of material on the internet, where anyone can find it.
This material can be of many types: contact details, credentials, technical information or business data. All of it is “unknown” because it is not part of any process: it was left behind unintentionally and without any follow-up. Attackers are fond of this data, which they can use for technical or social engineering attacks.
How can you avoid leaking such precious information? Here are some bad habits that you should definitely get rid of.
1. Using your professional contact details for personal things
The fairly recent Ashley Madison data leak confirmed what we already knew: many people use their professional email address to register on websites, probably because some of them don’t want notifications landing in their personal mailbox (and risking direct exposure to their spouse).
Websites often get hacked, which can disclose the entire list of users’ logins and passwords. Many people also reuse the same password on different websites (including professional ones) because they find it hard to remember many different ones. So if you register with your professional email and the same password you use at work, whoever gets hold of the dump also holds a valid corporate login, and your company is at risk.
But even when the password is different or is not disclosed, using your professional email on a website that gets hacked is dangerous. When Ashley Madison was hacked, attackers obtained the users’ email addresses and used them to send phishing emails offering legal help to people whose accounts had been exposed. This credible pretext led many people to click links or open attachments that could compromise their company’s information system.
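As an added illustration (not part of the original article) of what a security team can do with such a dump, the script below takes a constructed “email:password” dump, lists the corporate addresses found in it (the people who will now receive targeted phishing) and flags those whose leaked password also matches their corporate password hash, so their work password can be reset immediately. The corporate domain example.com, the dump contents, the directory entries and the salted SHA-256 hashing are all assumptions made for the example; a real directory uses a slow hash such as bcrypt, scrypt or Argon2, and the comparison is done by the identity team against the directory itself rather than on exported hashes.

```python
"""Cross-check a leaked credential dump against the corporate directory.

Added example, not from the original article. Assumptions: the dump is
published as "email:password" lines, the corporate domain is example.com,
and the directory stores salted SHA-256 hashes. Real directories use slow
hashes (bcrypt, scrypt, Argon2); only hash_password() would change.
"""
import hashlib
import os
from typing import Dict, List, Tuple

CORPORATE_DOMAIN = "example.com"  # assumption for the example

# Constructed dump in the common "email:password" form (not real data).
LEAKED_DUMP = """\
alice@example.com:Summer2015!
carol@gmail.com:correcthorse
bob@example.com:hunter2
Alice@Example.com:Summer2015!
dave@example.com:p:ass:word
"""


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256, standing in for the directory's real hash scheme."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_directory(accounts: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    """Simulate the corporate directory: email -> (salt, hash)."""
    directory: Dict[str, Tuple[bytes, str]] = {}
    for email, password in accounts.items():
        salt = os.urandom(16)
        directory[email.lower()] = (salt, hash_password(password, salt))
    return directory


# Constructed corporate accounts: alice and dave reuse their work password
# on the leaked site, bob does not.
DIRECTORY = build_directory({
    "alice@example.com": "Summer2015!",
    "bob@example.com": "Tr0ub4dor&3",
    "dave@example.com": "p:ass:word",
})


def parse_dump(dump_text: str) -> List[Tuple[str, str]]:
    """Split "email:password" lines; passwords may themselves contain ':'."""
    creds = []
    for line in dump_text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)  # split on the first ':' only
        creds.append((email.strip().lower(), password))
    return creds


def corporate_accounts(creds, domain: str = CORPORATE_DOMAIN) -> List[str]:
    """Corporate addresses present in the dump: now targets for phishing."""
    suffix = "@" + domain.lower()
    return sorted({email for email, _ in creds if email.endswith(suffix)})


def reused_passwords(creds, directory) -> List[str]:
    """Corporate accounts whose leaked password also unlocks the work account."""
    reused = set()
    for email, leaked_password in creds:
        entry = directory.get(email)
        if entry is None:
            continue
        salt, stored_hash = entry
        if hash_password(leaked_password, salt) == stored_hash:
            reused.add(email)
    return sorted(reused)


if __name__ == "__main__":
    creds = parse_dump(LEAKED_DUMP)
    print("corporate addresses in dump:", corporate_accounts(creds))
    print("force password reset for:", reused_passwords(creds, DIRECTORY))
```

Even the first list, the addresses that merely appear in the dump, is worth acting on: those users should be warned that convincing phishing related to the leaked site is coming, which is exactly what happened after Ashley Madison.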
2. Using your professional device to browse dodgy websites
Using your professional laptop or smartphone for personal things can also be dangerous.
For example, if you browse an illegal streaming website to watch films, would you know what is happening in the background inside your web browser?
Some very powerful and freely available tools help attackers exploit your web browser for as long as you stay on their website. With these tools, part of your browsing history may be exposed, as well as your logins and passwords, especially if your browser is not up to date.
Browsing such websites from the office is even worse, because a browser hooked in this way sits inside your company’s network and can be used to reach intranet applications and internal servers, among other things.
3. Using automatic email replies with detailed information
Automatic replies are a good way to acknowledge a message and avoid a long silence when you are out of the office without access to your email.
However, telling anyone who writes to you about the projects you are working on, and giving them your colleagues’ email addresses and phone numbers, is not a good habit.
Hi, I’m currently out of office and will be back on July 15th.
If you’re contacting me about Project A, then you can reach Jason Brandt on +33 (0)1 23 45 67 89 or by email at email@example.com.
This type of data is very useful for social engineering attacks: attackers can use it to contact your colleagues with a convincing pretext, or to impersonate you or them.
If specific people need information about your projects or business while you are away, it is better to anticipate and email them before leaving for your holidays. You can also configure your mail client to send the detailed reply only to internal addresses and known contacts, and a minimal one (or none at all) to everyone else.
4. Disclosing technical information on forums or other kinds of websites
If you are a technical person, chances are that you sometimes rely on the IT community to solve configuration or development issues.
A bad way to do it is to let people know who you are (contact details such as an email address are enough to identify you and your employer) and to copy/paste detailed technical information on websites such as Stack Overflow or Pastebin.
During black-box security audits we often find file system paths, architecture details, the technologies in use, error logs and email addresses posted this way.
Attackers read these posts too, so think twice before posting, and strip anything that identifies you or your company (email addresses, internal hostnames and IP addresses, file paths, credentials) before you paste.
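Before pasting a stack trace or configuration file into a public forum, run it through a scrubber. The script below is an added example, not code from the original article: it redacts email addresses, credentials embedded in connection URLs or key=value settings, IPv4 addresses, hostnames under an internal domain and user names in home-directory paths, and reports how many items it removed so you notice when a paste was more revealing than it looked. The internal domain corp.example, the rule list and the sample log are constructed for the example; extend the rules with your own naming conventions, and still read the output before posting, because a regex only catches what it was told to look for.

```python
"""Scrub identifying details from a log or config before posting it.

Added example, not from the original article. It redacts email addresses,
credentials in URLs and key=value pairs, IPv4 addresses, hostnames under an
internal domain and user names in home-directory paths. The internal domain
corp.example and the sample log are assumptions constructed for the example.
"""
import re
import sys
from typing import Dict, Tuple

INTERNAL_DOMAIN = "corp.example"  # assumption: your company's internal DNS suffix

# (label, pattern, replacement), applied in order: URL credentials and
# key=value secrets first, then email before hostname so an address is not
# half-matched as a host, then IPs and home directories.
RULES = [
    ("URL_CREDENTIAL", re.compile(r"(://[^:/\s]+:)[^@\s]+@"), r"\1<REDACTED>@"),
    ("SECRET", re.compile(
        r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)"
        r"(\"?\s*[=:]\s*)(['\"]?)([^'\"\s,;]+)\3"),
     r"\1\2<REDACTED>"),
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "<EMAIL>"),
    ("HOST", re.compile(r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\."
                        + re.escape(INTERNAL_DOMAIN) + r"\b"), "<HOST>"),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "<IP>"),
    ("HOMEDIR", re.compile(r"(/home/|/Users/|[A-Za-z]:\\Users\\)[^/\\\s:]+"), r"\1<USER>"),
]

# Constructed sample log (not real data): the kind of paste that leaks a
# hostname, a database password, a path, an owner address and an API key.
SAMPLE_LOG = """\
2015-08-20 10:12:03 ERROR db-master.corp.example: FATAL: password authentication failed for user "app"
  DSN: postgres://app:s3cret@db-master.corp.example:5432/billing
  config: /home/jbrandt/billing/config.yml (owner jason.brandt@example.com)
  api_key=k9f2x7q1demo host=10.23.4.17 retries=3
  "password": "hunter2"
"""


def scrub(text: str) -> Tuple[str, Dict[str, int]]:
    """Return the redacted text and how many hits each rule produced."""
    counts: Dict[str, int] = {}
    for label, pattern, replacement in RULES:
        text, hits = pattern.subn(replacement, text)
        counts[label] = hits
    return text, counts


if __name__ == "__main__":
    # Pipe the real log in on stdin; with no stdin, scrub the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    cleaned, counts = scrub(source)
    print(cleaned)
    print("redactions:", counts, file=sys.stderr)
```

Run it with the log on standard input and paste only the output. The error message itself (“password authentication failed”) survives, which is what the forum needs to help you; the hostname, credentials, path, owner address and internal IP do not.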
So, do you have any habits you should change? Please share this with your colleagues to raise the overall security level!