You may be sharing too much information and not even know it

Today’s threat actors make use of a variety of information to tailor their attacks against organizations and individuals. By collecting this information, they remove tools from their toolkits and steps from their playbooks that won’t apply, thus speeding up their attack and increasing the likelihood of a successful exploit. The more you can prevent a threat actor from discerning this information, the more steps they have to take and the harder you make it for them to succeed. Remember, every step taken against a target has the potential for discovery. By forcing them to take those extra steps, you are reinforcing your ability to detect them early.

Part 1 — The Physical World

Protecting physical assets is frequently undervalued by today’s enterprises. Money is spent on access control and surveillance, but much less is spent on controlling the information published to the public internet. Threat actors glean valuable information from pictures of buildings from Google Street View, satellite imagery, marketing materials, and even social media posts. They don’t even have to leave their desks to prepare for a physical breach attempt.

Google Street View, satellite imagery, and marketing material often show photos of properties belonging to the target. These photos may contain information that is valuable to a threat actor, such as:

  • External doors — These could help identify less secure ways into the building such as maintenance doors, loading docks, or even roof access.
  • Access card readers — Knowing what the card readers look like could tell a threat actor exactly what kind of access card to be prepared to clone, or even point them to known vulnerabilities.
  • Surveillance cameras — Seeing the location of external surveillance cameras could show blind spots in the perimeter security.
  • Additional locations/branch offices — If access to the internal computer network is the goal, a threat actor will often attempt to compromise a branch office. These offices are frequently less secure than the main office but still have a direct network connection into the main corporate network.

In addition to photos of the exterior of a corporation’s physical assets, marketing material and social media posts often reveal details of the interior of the buildings and possibly even more valuable information such as:

  • Photos of employees — Frequently employees are photographed either for official marketing purposes or in corporate event situations. A threat actor may specifically seek out these photos looking for pictures of the corporate badge. This will furnish them with all the requisite information to manufacture their very own company badge and appear to be an employee.
  • Internal office layout — Office tours, interviews, and even social photos that show windows to the outdoors could give away which floor the picture was taken on, which side of the building, and other layout details that could help a threat actor model the building. This could increase the speed of the attack.
  • Sensitive information — It is not uncommon for a photo to be taken without regard to what it may be capturing in the background. This could be notes hanging on the wall, a visible Windows desktop with an open document, or even post-it notes of passwords on monitors or under keyboards (yeah, we know, that never happens). This happens in social media posts, media interviews, and sometimes even in corporate marketing materials.

I tried to locate sufficiently anonymous photos of the above examples, but our legal team would likely not appreciate it.

Everybody has to be extra careful about the level of information available to anyone with the motivation to take a hard look. In today’s threat landscape, it has become increasingly important to be diligent about ensuring that all photos or other information posted don’t inadvertently reveal details not explicitly intended. This isn’t only true for organizations. It’s also true for individuals.

If you’re interested in a personal example of how a social media post can lead to a threat actor finding out your physical home address, take a look at The Cyber Mentor’s YouTube video. He specifically waited until the social media influencer in question no longer lived at this address before posting this video.

Stay tuned for part 2 of this series, where we will focus on information disclosure in the virtual world!

Contact us via the methods below if you’d like to learn more about how to properly protect your information! We’d be happy to discuss further/answer any questions.

Contact Us

Twitter

LinkedIn

Our Website

Contact Us Form

⋊̶͚͚̖̋̓̇̀ɹ̸̧̞͙̆͒̈́͗ǝ̵͙͉̇̔́͆p̶̪̰͎͙͒u̶̩͖͆ɐ̴̜̑X̴̫̝͈͝
Hunter Strategy

Architect, IT Security, DevOps, Automation, QoL Improvement Coder, and overall geek. My opinions are my own and not necessarily those of my employer. (He/Him)