Dinesh Mistry is currently in his 2nd year as a full-time security professional. He will be writing a column for resources.infosecinstitute.com, focusing on introductory topics and eventually moving towards more advanced technical techniques.

*********************************************

The “Internet”, which started out as a way for universities to exchange information and for the US military to maintain communication in the event of an attack, has grown into a massive collection of systems that allows businesses to be open 24 hours a day, 7 days a week, 365 days a year. This is a great thing for business: companies can market and sell their products without the restrictions of a brick-and-mortar storefront. We have also seen rapid adoption of computer systems to replace many back-office processes. With this comes the risk of exposing trade secrets, intellectual property and much else to prying eyes.

Maintaining an Internet presence is not just great for an organization of any size, it is a necessity; it is equally important that companies protect and secure their data. A great deal of information leaks on a daily basis, whether through poorly-configured systems or through accidental disclosure. Below are three simple ways a company can assess its own risk posture by using the same reconnaissance methods an attacker would use against it.

Search Engines

Search engines are an excellent tool for attackers looking for easy targets, or for a company’s most sensitive intellectual property, and they remain a significant channel for finding and penetrating weak systems. Most attackers agree that reconnaissance is the foundation of an effective penetration. The same discovery techniques can be turned around to identify, and ultimately reduce, the exposure of one’s own brand. Sounds obvious, right? Yet it is amazing what a few well-crafted search queries about one’s own company or organization will turn up. Remember that, once Google finds your site, it crawls, indexes and caches everything it is allowed to reach, including files you never meant to publish. A robots.txt file only restrains well-behaved crawlers, and a URL that robots.txt forbids Google to fetch can still appear in its index if other pages link to it.

The concept of “Google Hacking” is not new; Johnny Long of hackersforcharity.org published the second edition of “Google Hacking for Penetration Testers” back in 2007 (the first edition appeared in 2004).

In order to clearly identify information being leaked, one needs to understand the advanced search operators that Google offers, such as site:, filetype:, inurl:, intitle: and intext:. I am not going to explain each operator, or the advanced techniques, in this post; my primary aim is to raise awareness about protecting websites and web applications from leaking sensitive data.
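The script below is an added example and is not code from the original column. It does two things a practitioner doing self-reconnaissance wants: it builds a set of Google queries scoped to one's own domain with the operators named above, and it checks locally, against a site's own sitemap-style URL list and robots.txt, which crawlable URLs already match the patterns those queries would hit, so they can be removed before a search engine finds them. The domain, the URL list and the robots.txt are constructed for illustration; the lists of sensitive file types, path terms and titles are assumptions, not an exhaustive dork list.

```python
"""Added example (not from the original article): self-recon search queries
for a domain, plus a local check of which crawlable URLs already look sensitive.
All data below (domain, robots.txt, URL list) is constructed for illustration."""
import re
import urllib.robotparser
from urllib.parse import quote_plus

# Assumed starting lists; extend them for your own environment.
SENSITIVE_FILETYPES = ["sql", "bak", "log", "env", "xls", "xlsx", "pdf"]
SENSITIVE_URL_TERMS = ["admin", "backup", "phpinfo", "config", "wp-content/uploads"]
SENSITIVE_TITLES = ['"index of"', '"phpinfo()"', '"login"']
SENSITIVE_TEXT = ['"internal use only"', '"confidential"', '"password"']


def build_dorks(domain):
    """Return (query, search_url) pairs, each scoped to `domain` with site:."""
    queries = [f"site:{domain} filetype:{ext}" for ext in SENSITIVE_FILETYPES]
    queries += [f"site:{domain} inurl:{term}" for term in SENSITIVE_URL_TERMS]
    queries += [f"site:{domain} intitle:{t}" for t in SENSITIVE_TITLES]
    queries += [f"site:{domain} intext:{t}" for t in SENSITIVE_TEXT]
    return [(q, "https://www.google.com/search?q=" + quote_plus(q)) for q in queries]


# URL shapes that the queries above would surface once indexed.
URL_PATTERNS = [
    ("backup/dump file", re.compile(r"\.(sql|bak|old|orig|tar|gz|zip)(\?|$)", re.I)),
    ("secrets/config file", re.compile(r"(\.env(\?|$)|config\.php\.bak|\.git/|phpinfo\.php)", re.I)),
    ("log file", re.compile(r"\.log(\?|$)", re.I)),
    ("admin interface", re.compile(r"/(admin|wp-admin|phpmyadmin)(/|$)", re.I)),
]


def flag_indexable_urls(robots_txt, urls, user_agent="Googlebot"):
    """Return [(url, reason)] for URLs the crawler may fetch that look sensitive.

    URLs disallowed by robots.txt are skipped here, but note that a disallowed
    URL can still be indexed by URL alone if it is linked from elsewhere."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    findings = []
    for url in urls:
        if not rp.can_fetch(user_agent, url):
            continue
        for reason, pattern in URL_PATTERNS:
            if pattern.search(url):
                findings.append((url, reason))
                break
    return findings


# Constructed sample input: what a sitemap or crawl of the site might list.
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin/\nDisallow: /backups/\n"
SAMPLE_URLS = [
    "https://www.example.com/",
    "https://www.example.com/products.html",
    "https://www.example.com/backups/site-2011-03.sql",  # disallowed by robots.txt
    "https://www.example.com/uploads/customers.sql",      # crawlable: finding
    "https://www.example.com/.env",                       # crawlable: finding
    "https://www.example.com/admin/",                     # disallowed by robots.txt
    "https://www.example.com/logs/error.log",             # crawlable: finding
    "https://www.example.com/phpmyadmin/index.php",       # crawlable: finding
]

if __name__ == "__main__":
    for query, url in build_dorks("example.com"):
        print(query, "->", url)
    for url, reason in flag_indexable_urls(SAMPLE_ROBOTS, SAMPLE_URLS):
        print("CRAWLABLE AND SENSITIVE:", url, "(" + reason + ")")
```

Two caveats on the robots.txt handling: the check treats a disallowed path as safe only in the narrow sense that Google will not fetch it, and a robots.txt full of Disallow lines for /backups/ and /admin/ is itself a map of interesting paths for anyone who reads it. The right fix for a sensitive file is to take it off the web server or put it behind authentication, not to hide it from the crawler.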

Identify network and nodes

Part of reconnaissance is identifying systems on a network which have not been patched, or are not at the latest patch level, and are therefore vulnerable to exploitation. Before doing this, an attacker needs to identify the nodes that are easily reached from the Internet. To keep an attacker from easily compromising sensitive information, a company must be able to enumerate its own presence in this space just as quickly. There are many ways to identify servers, the software revisions they run and the content they host simply by visiting sites such as Netcraft, which reports a hostname’s Server header and hosting history without the visitor ever touching the target network. It is imperative that you document every node on your network and have a process in place to apply software patches on a regular schedule. There is a plethora of tools available to automate both the identification of nodes and the remediation of their vulnerabilities; ignorance is never an acceptable excuse in the event of a data breach.
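The following added example (not code from the original column) shows the reconciliation step the paragraph calls for: take the banners an outside observer such as Netcraft would see for your hostnames, compare them against your own asset inventory and patch baseline, and flag hosts nobody documented, hosts running below baseline, and hosts whose banner hides the version. To keep it runnable offline, the externally observed data is supplied as constructed raw HTTP response headers; the hostnames, versions, inventory and baseline are all assumptions for illustration.

```python
"""Added example (not from the original article): reconcile externally visible
server banners with an internal inventory and patch baseline.
All hosts, versions, inventory entries and baselines below are constructed."""

# Constructed: raw HTTP response headers as seen from the Internet.
OBSERVED = {
    "www.example.com": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.14 (Ubuntu)\r\nX-Powered-By: PHP/5.3.2\r\n\r\n",
    "mail.example.com": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\nX-Powered-By: ASP.NET\r\n\r\n",
    "dev.example.com": "HTTP/1.1 200 OK\r\nServer: nginx/0.7.65\r\n\r\n",
    "shop.example.com": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
}

# Constructed: the asset inventory the security team maintains.
INVENTORY = {"www.example.com", "mail.example.com", "shop.example.com"}

# Constructed: minimum versions the patch process should have deployed.
BASELINE = {"Apache": (2, 2, 17), "nginx": (0, 8, 54), "PHP": (5, 3, 5)}


def parse_banners(raw_headers):
    """Return {product: version_tuple_or_None} from Server and X-Powered-By."""
    found = {}
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ("server", "x-powered-by"):
            continue
        for token in value.split():
            if token.startswith("("):      # e.g. "(Ubuntu)": an OS hint, not a product
                continue
            product, _, ver = token.partition("/")
            parts = ver.split(".") if ver else []
            numeric = bool(parts) and all(p.isdigit() for p in parts)
            found[product] = tuple(int(p) for p in parts) if numeric else None
    return found


def dotted(version):
    return ".".join(str(p) for p in version)


def reconcile(observed, inventory, baseline):
    """Return [(host, finding)] for undocumented, outdated or opaque hosts."""
    findings = []
    for host, raw in observed.items():
        if host not in inventory:
            findings.append((host, "not in inventory"))
        for product, version in parse_banners(raw).items():
            minimum = baseline.get(product)
            if minimum is None:
                continue            # no baseline defined for this product
            if version is None:
                findings.append((host, f"{product} version hidden; verify patch level by other means"))
            elif version < minimum:
                findings.append((host, f"{product} {dotted(version)} below baseline {dotted(minimum)}"))
    for host in sorted(inventory - set(observed)):
        findings.append((host, "in inventory but not observed externally"))
    return findings


if __name__ == "__main__":
    for host, finding in reconcile(OBSERVED, INVENTORY, BASELINE):
        print(f"{host}: {finding}")
```

Treat a "below baseline" result as a prompt to check, not as proof of a vulnerability: distribution packages routinely backport security fixes without changing the advertised version string, and a hidden version (ServerTokens Prod in Apache, for example) tells you nothing either way. The host that is not in the inventory at all is usually the more important finding, since nothing you do not know about is being patched.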

Social Media

Another mechanism malicious hackers use to understand the network topology, security posture and culture surrounding a corporation is social media (e.g. Facebook, LinkedIn, Twitter). One would be surprised at how sensitive the information employees leak for the world to see can be. Here is an example:

Joe has been working long hours and weekends, rushing to get the latest functionality out to the website. He knows that he has sacrificed some security to meet his deadline. He is angry and disgruntled that he missed out on free tickets and a chance to attend his favorite team’s football game. Later that night he posts on Facebook how disappointed he is that he did not get to see his favorite team play, because the latest project he has been working on had tight timelines.

He ends his post with: “and I didn’t even get to implement all the security fixes, and now I’ll just have to go back and implement stored procedures for all my database calls. More long late nights, ugh!”

Joe’s family and friends more than likely have no idea what he is rambling about. Joe’s Facebook profile may not say that he works for XYZ Corp., so there is no tie back to his company; what’s the big deal? Well, his LinkedIn profile does mention that he works for XYZ, and that he is a PHP developer for their Internet-facing content. This means that anyone targeting Joe’s company can link Joe to XYZ, and XYZ to a site with rushed PHP code whose database calls, by Joe’s own account, are not yet hardened (the stored procedures he mentions are one common defence against SQL injection). Remember, effective hackers don’t look only for the obvious; they look for ways to correlate pieces of information that, taken together, identify a weakness. To counter this, one should regularly audit and monitor social media (and similar) sites for discussions regarding the corporate brand.
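As an added example (not code from the original column) of the correlation just described, the script below scores public posts for signals of security posture, technology stack and schedule pressure, and only raises a finding once the posting account can be tied to the organization, either because the post names the brand or because a separate professional profile links the account to an employer. The posts, the account handles and the profile map are constructed to mirror the Joe scenario; the signal patterns, the scoring and the threshold are assumptions to be tuned for a real monitoring job.

```python
"""Added example (not from the original article): flag public posts that leak
technical detail and can be correlated with the organization via another profile.
Posts, handles, the profile map and the signal patterns are constructed."""
import re

# Assumed signal patterns; extend with your own stack and internal project names.
SIGNALS = {
    "security-posture": re.compile(r"security (fix|hole|issue|patch)|vulnerab|stored procedure|\bsql\b", re.I),
    "tech-stack": re.compile(r"\b(php|mysql|apache|iis|asp|java|django|rails)\b", re.I),
    "schedule-pressure": re.compile(r"deadline|rush|late night|crunch|weekend", re.I),
    "brand": re.compile(r"\bxyz\b", re.I),   # assumed company name being monitored
}

# Constructed: account handle -> (employer, role) from a public professional profile.
PROFILE_MAP = {"joe_dev": ("XYZ Corp.", "PHP developer, Internet-facing content")}

# Constructed sample posts.
POSTS = [
    {"author": "joe_dev", "platform": "facebook",
     "text": "Missed the game because of deadlines. Didn't even get to implement all "
             "the security fixes, now I'll have to go back and implement stored "
             "procedures for all my database calls. More long late nights, ugh!"},
    {"author": "joe_dev", "platform": "facebook", "text": "Great BBQ with the family today."},
    {"author": "randomfan", "platform": "twitter", "text": "Our deadline for the bake sale is Friday!"},
]


def score_post(post, profile_map):
    """Score one post; technical signals count double once the author is linked to the org."""
    hits = [name for name, pattern in SIGNALS.items() if pattern.search(post["text"])]
    employer = profile_map.get(post["author"])
    linked = employer is not None or "brand" in hits
    technical = [h for h in hits if h != "brand"]
    score = len(technical) * (2 if linked else 1)
    return {"author": post["author"], "platform": post["platform"], "score": score,
            "signals": hits, "employer": employer[0] if employer else None}


def findings(posts, profile_map, threshold=3):
    """Return scored posts at or above the threshold, highest score first."""
    scored = [score_post(p, profile_map) for p in posts]
    return sorted((s for s in scored if s["score"] >= threshold),
                  key=lambda s: s["score"], reverse=True)


if __name__ == "__main__":
    for f in findings(POSTS, PROFILE_MAP):
        print(f"{f['author']} ({f['employer']}) score={f['score']} signals={f['signals']}")
```

The point of the profile map is that the Facebook post on its own scores low and names no company; it becomes a finding only because a second source ties the handle to XYZ, which is exactly the correlation an attacker performs. Keyword scoring like this produces false positives, so treat the output as a review queue for a human, not as an automatic verdict.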

It is imperative that organizations, large and small, review their policies and guidelines for information protection, and understand the scope of information that is actually leaking out of the company. Actively performing reconnaissance against one’s own business or organization yields extremely valuable details, essential to avoiding data leakage.

Recon yourself regularly; you’ll be amazed what you will find.