Enterprise security: The hidden perils of ‘unguarded talk’

30 Aug 2017

The saying ‘loose lips sink ships’ was first coined by the American War Department as part of its security drive during the war.

Yes, users are the weakest link in security and we’ve heard many different examples, from falling victim to phishing attacks to leaving laptops on a bus. But some users will share information that seems innocuous, yet can be used by attackers in social engineering attacks, which are easier, lower risk and less costly than many technical exploits.

Let’s look at some of the most common examples of not-so-obvious information sharing.

Out-of-office notifications

Out-of-office notifications are a standard workplace procedure for informing clients, customers and prospects of your whereabouts, but cyber criminals can also use them to gain the confidence of another employee and persuade them to share important information. The attacker, posing as a co-worker, could convince another employee (the one indicated in the out-of-office email) that they are under a deadline to complete a report and need information before the vacationing employee returns.

So how should businesses manage this? Well, from a policy perspective, consider allowing out-of-office notifications only for internal employees. The policy may need to be more specific, applying only to those employees with access to sensitive information, while employees in other departments, such as sales or direct customer interaction roles, are not restricted.

Social Media

We put a lot of personal information up on these platforms, simply because the profile template asks us for it. What we tend to forget is that our personal information is often publicly accessible, so your role, job title, company history and skills are out there in cyber space available for anyone and everyone to view.

This information may not be confidential from a corporate perspective, but it is a gold mine of information for con artists. Like the out-of-office notifications, this information can contribute to a social engineering attack that establishes credibility for the attacker to gain access to a user’s circle of trust.

While the social media hype is unlikely to die down and it is also near impossible to control what your employees are doing on social media, there are privacy settings that can help limit information sharing. If your organisation has a social media team, work with them on setting policies and educating your employees on the potential risks.

Sharing with press and vendors

Many enterprises have policies against sharing specific security controls and policies outside of the company.

But during public moments such as filming or demonstrations, there can be instances when information is inadvertently leaked, e.g. WiFi credentials and even user names and passwords being exposed.

Security professionals are probably not going to be on the invitation list for external media events, but they can provide training to communication staff on what to look out for to protect information, especially in the background of publicly available materials.

Counter-intelligence operations

While honeypots have been around for many years as a distraction to attackers, providing attractive but fabricated information, the next generation of technologies is more sophisticated. They keep attackers engaged with automated reactions that allow the security team to ascertain the real objectives and methods of attack. This provides information that can be used to adapt defences, such as addressing vulnerabilities, creating blacklists, or even identifying an insider threat.

These are just a handful of ways in which you or your employees can potentially share sensitive information.    

Implementing enterprise security solutions can be complex. Within security, one can touch on identity access, governance, security management and much more, but don’t overlook the everyday sharing of information by users. An identity-centric approach needs to drive any enterprise security solution. 

Attackers are looking for soft targets, and old-fashioned confidence schemes married to easily-accessible information can make their lives plain sailing.

Article by Peter Fuller, country general manager, Australia and New Zealand, Micro Focus.
