Enterprise Oversharing: The Huge Security Risk Nobody Talks About
Vulnerable application servers aren’t the only source of juicy information about your company. Your web site and employees may be telling would-be thieves and criminals all they need to know to attack you.
The first rule for intelligence agents is pretty much the same as for “Fight Club” members: don’t talk about the job. Historically, that secrecy has extended even to close friends and family, who might never learn that mom or dad worked for a three letter agency.
In the days before social media, it was easy enough to keep those secrets and take them to the grave, if necessary. These days, however, it’s considerably harder. Intelligence officers and employees of the defense contractors that work with them are just workers in a global marketplace. Like everyone else, they need to keep a resume and make their LinkedIn profile attractive: talking up their skills and experience.
But, as this article over at ZDNet points out, those kinds of small, inadvertent disclosures can amount to a pretty serious security problem, especially as data analysis tools make it easy to aggregate and sort through huge volumes of information quickly.
According to the article, the guys over at the group Transparency Toolkit have created a database, called ICWatch, that is populated with “the public resumes of people working for intelligence contractors, the military and intelligence agencies” – around 27,000 people in all.
As the founders note: current and former intelligence industry workers frequently dot their resumes with the names of classified programs and projects they have worked on. The acronyms are like dog whistles: missed by casual observers, but noted by those with a background in intelligence.
Transparency Toolkit isn’t the first group to notice that LinkedIn profiles of former intelligence workers make note of projects that the government would rather not have mentioned. Privacy advocate Chris Soghoian, a technologist for the ACLU, made a similar observation back in 2013 that attracted media attention.
The practice has likely been going on for years. However, the leak of documents by former Booz Allen Hamilton contractor Edward Snowden exposed the names of a slew of such classified programs, providing even casual online sleuths with a key that could be used to uncover the identities of current and former intelligence workers and, not coincidentally, as-yet unidentified classified project names.
That’s the idea behind ICWatch, according to Transparency Toolkit. The group said it is releasing the resumes in searchable form “with the hopes that people can use them to better understand mass surveillance programs and research trends in the intelligence community."
If anything, the surprise is that – so long after the Snowden leaks – the practice continues to this day. But in truth, the problem of inadvertent leaks extends far beyond the military and intelligence sectors.
These days, sophisticated attackers are turning to so-called “supply chain” partners to try to sidestep security protections and gain trusted access to enterprise networks.
Cyber criminals that target point of sale vendors long ago figured out how to use a POS vendor’s “happy customers” web page to figure out which retailers to target with their attack. Data disclosed to the public via partner web sites or press releases often makes the job of tracing an otherwise obscure supply chain child’s play.
What is a company (or employee) to do? A simple first step may be to sit down and think about the kinds of sensitive information you would rather not have disclosed to the public – which includes competitors and malicious actors. Beyond your “crown jewels” like customer lists, design schematics and source code, are there project names, office locations or supplier and partner relationships you’d like to keep private?
The next step is to go online and do some hearty Google dorking and pen testing figure out if you’re already exposing that data – either through your website or other exposed assets. Or – as the Transparency Toolkit suggests – through your employees and their online activities.
At the end of the day: companies that are protective of their privacy and their business edge need to do a better job of identifying and protecting sensitive information and not fall into the trap of “oversharing” that can give would be thieves or criminals a leg up in attacking them.