How big is your shadow?

Uploaded by digitalshadows, posted 01-Nov-2014. Category: Technology.

DESCRIPTION

Launch night presentation from Digital Shadows at London's Innovation Warehouse, August 3rd 2011. Digital Shadows protects organisations from targeted attacks by reducing their exposure to hostile reconnaissance.

TRANSCRIPT

Page 1: How big is your shadow?

How big is your shadow?

03 August 2011

The Innovation Warehouse, London


Page 2: How big is your shadow?

Agenda

• Introductions
• What is a digital shadow?
• What are the implications?
• How do you regain control?
• Q&A

Page 3: How big is your shadow?

Q: What is a digital shadow?

A: The trail left by an entity's interactions with the Internet

For an organisation this may include:

• Technical information, e.g.
  – Server names
  – Server locations
  – Software versions

• Organisation information, e.g.
  – Locations
  – Organisation structure
  – Security practices

• Personal information, e.g.
  – Employee movements
  – Friends
  – Interests

Page 4: How big is your shadow?

A real example of a digital shadow

This visualisation was produced by one of the visualisation tools we use

Each node represents a data item discoverable from the Internet about an organisation

Page 5: How big is your shadow?

“Sharing is growing at an exponential rate”

Mark Zuckerberg, CEO, Facebook, July 2011

• Over 30 billion pieces of content (links, notes, photos, etc.) are shared on Facebook per month [source: Mashable]

Page 6: How big is your shadow?

And it’s not just Facebook…

Sources used for information sharing online

Page 7: How big is your shadow?

It’s definitely not just Facebook…

Source: theconversationprism.com

Page 8: How big is your shadow?

The evolving Internet is a real force for good

• We can collaborate and self-organise for the common good

– Haiti earthquake response: OpenStreetMap was critical in co-ordinating the relief effort

– Arab Spring: the use of social media has been a factor in the social revolutions in the Middle East

• We can share knowledge and experiences in ways hitherto impossible

• We are fully in favour of the social web!

Page 9: How big is your shadow?

Some interesting statistics

• Our own research indicates 72% of employees divulge information online that could be used in a targeted attack

[Bar chart: How people use Facebook. Categories, in chart order: accepted a Facebook friend request from 'Freddi the frog'; disclose their friends list; reveal educational establishments; reveal their employer; disclose their interests; disclose their location; have never checked their Facebook privacy settings. Values shown: 41%, 95%, 58%, 42%, 35%, 19%, 65%.]

Sources: Sophos, Max Planck Institute, Facebook

Page 10: How big is your shadow?

Hostile reconnaissance

• Hackers spend 90% of their time conducting reconnaissance (CEH)

• 200% increase in targeted attacks (Cisco 2011)

[Diagram: columns headed 'The risks', 'Misadventure' and 'Attackers' objective', listing: helpdesk coercion, accidental leaks, defacement, 'spear phishing', privacy gap on social media, DDoS, impersonation and infiltration, lack of acceptable use policy, network compromise, domain squatting, overshare, data leakage, procedure compromise, false sense of security, fraud.]

The risks are evolving with the Internet…

Page 11: How big is your shadow?

Risk area: hackers' tools and techniques

• 1623 Google search terms used to identify:
  – sensitive documents,
  – accidental leaks,
  – misconfigured software and much, much more…
  – enabled by tools

• Footprinting security-research tools (e.g. Paterva's Maltego)

• APIs that attackers use for data mining the social web

• Specialist search engines now available for vulnerability scanning

Page 12: How big is your shadow?

Risk area: social engineering/coercion

[Cartoon: a caller and the IT helpdesk]

Helpdesk: Hello IT.. Have you tried turning it off and on again?

Caller: I seem to have forgotten my password! I need to get to my files right now!

Helpdesk: Certainly, I need you to answer a few security questions first.

Caller: OK, fire away!

Helpdesk: OK Mr Rhenholm, what's your telephone extension?

Caller: Sure, that's 98-1234

Helpdesk: Date of birth?

Caller: Ahem, well that's.. 1st April 1970

Helpdesk: Name of line manager?

Caller: That would be Renholm Snr.

Helpdesk: Thank you Sir, your password is reset. It's £Wednesday1970

Caller: Thank you! Good Bye!

Page 13: How big is your shadow?

Risk Area: social engineering/coercion

1. Extension on a leaked telephone list
2. LinkedIn provided line manager details
3. Ancestry.co.uk provided a birthdate for Mr Manager of East Croydon

• Attacker later looked at the ‘technical shadow’ to locate a remote email access point for Reynholm industries
• Also, once the password format is known, it’s much easier to brute force for other users

Page 14: How big is your shadow?

Risk area: a targeted ‘spear phishing’ attack

“The first thing actors like those behind [the attack on RSA] do is seek publicly available information about specific employees – social media sites are always a favorite… You don't bother to just simply hack the organisation and its infrastructure; you focus much more of your attention on hacking the employees.” – The RSA blog

Page 15: How big is your shadow?

Example: Tibetan human rights group attack

Source: infowar-monitor.net

Organisation information
- Already obtained?

Personal information
- Already obtained?

Technical information
- Link would have collected the technical shadow: MS Office, Flash, Adobe Acrobat, browser etc.
- Near-guarantees the success of a future attack

Page 16: How big is your shadow?

We need a solution...

So what should be done to address these risks?


Page 17: How big is your shadow?

Five practical steps

1. Continue existing security programmes ✔
2. Monitor your shadow
3. Set helpful guidelines
4. Clean up your shadow
5. Know your foe

Page 18: How big is your shadow?

Five practical steps: remedies by publisher

Publisher            | Remedy                    | Cost
---------------------+---------------------------+------
Company              | Easy – just remove it     | Free
Employee             | Polite observation        | £
Friendly 3rd party   | Polite observation        | £
Neutral 3rd party    | Formal communication      | ££
Hostile 3rd party    | Legal action / drown out  | £££

Page 19: How big is your shadow?

Our specialist services

• Risk Assessment
• VIP Protect
• Organisation Monitoring

[Diagram mapping the services to the practical steps: Monitor your shadow, Set helpful guidelines, Clean up your shadow, Know your foe]

Page 20: How big is your shadow?

A typical engagement

Page 21: How big is your shadow?

Conclusion

• Your digital shadow is not benign
• We can help you regain control
• This is a job for specialists

Protecting organisations from hostile reconnaissance and targeted cyber attacks

Page 22: How big is your shadow?

Digital Shadows Ltd

145 -157 St John Street

London

EC1V 4PY

United Kingdom

+44 (0)208 123 7894

[email protected]

Digital Shadows Ltd is registered in England and Wales under No: 7637356. Registered office: 53 Gildredge Road, Eastbourne, East Sussex, BN21 4SF

Copyright 2011 Digital Shadows Ltd. ALL RIGHTS RESERVED.