BSI Espion examines growing trend of Dark Web monitoring for leaked corporate data

BSI Espion believes the growth of legitimate service providers who trawl the hidden web for leaked corporate data further illustrates the complex and perplexing information security challenges organisations can face in today’s world. 

The Dark Web (a part of the Deep Web) is a portion of the Internet that is intentionally hidden from search engines, masks the IP addresses of its users and servers, and is reachable only through specialised software such as the Tor Browser. This is often where threat actors buy and sell leaked and hacked data (credit card numbers, e-mail address lists, social security numbers, health records and more) on hidden services, Dark Web markets, paste sites and password-protected criminal forums.

There’s another breed of anonymous Internet user operating on the Dark Web. ‘Data hoarders’ are collectors, copiers and archivers of breached data. LeakedSource, Vigilante.pw and Leakbase are examples of websites that host mountain-sized repositories of databases which the general public can search. Those behind these hacker ‘data dump’ sites also leverage new and traditional media in order to publicise their high-profile spoils.

It was Leakbase who recently announced the 2012 Dropbox breach1, having obtained a copy of the stolen account records containing e-mail addresses and hashed passwords belonging to 68 million users. The Yahoo cyber attack2, which supposedly went undetected for over 18 months, was uncovered while the company was investigating a separate claim by a hacker named Peace that 200 million stolen users’ details were being touted on the Dark Web.

These sites pose an additional danger because, unfortunately, many individuals reuse the same username and password across multiple online accounts. Hackers take the leaked login details and use them for ‘credential stuffing’: automated tooling replays each stolen username/password pair against the login pages of other services, and every account whose owner reused the password is taken over. This is exactly how hackers recently accessed O2 customer accounts, using usernames and passwords first stolen from gaming website XSplit3.
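Credential stuffing has a recognisable shape in login logs that differs from a classic brute-force attack: one source tries a small number of attempts against many distinct accounts, with a high failure rate and the occasional success where a victim reused a password. The heuristic detector below is an added example written for this article, not code from BSI Espion or any of the companies named; the log format (ISO timestamp followed by ip=, user= and result= fields) and the sample lines are constructed for illustration, and the thresholds are assumptions to be tuned against real traffic.

```python
"""Heuristic credential-stuffing detector over login-event logs (added example).

Key on the attack's shape: within a short window, one source IP touches
MANY distinct usernames with mostly failures. A single-account brute force
(many attempts, one username) is deliberately NOT flagged here, because it
needs a different response (lock or throttle the one account) than stuffing
(block the source, force resets for every account it got into).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (not real traffic). Format is an assumption:
# "<ISO timestamp> ip=<addr> user=<name> result=OK|FAIL".
# 203.0.113.5 sprays many accounts (stuffing); 198.51.100.7 hammers one
# account (brute force); the rest are ordinary users. One malformed line
# is included to show that parsing skips it instead of crashing.
SAMPLE_LOG = """\
2016-07-26T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2016-07-26T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2016-07-26T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2016-07-26T10:00:03Z ip=203.0.113.5 user=dave result=OK
2016-07-26T10:00:04Z ip=203.0.113.5 user=erin result=FAIL
2016-07-26T10:00:05Z ip=203.0.113.5 user=frank result=FAIL
2016-07-26T10:00:06Z ip=203.0.113.5 user=grace result=FAIL
2016-07-26T10:00:07Z ip=203.0.113.5 user=heidi result=FAIL
2016-07-26T10:01:00Z ip=198.51.100.7 user=alice result=FAIL
2016-07-26T10:01:01Z ip=198.51.100.7 user=alice result=FAIL
2016-07-26T10:01:02Z ip=198.51.100.7 user=alice result=FAIL
2016-07-26T10:01:03Z ip=198.51.100.7 user=alice result=FAIL
2016-07-26T10:01:04Z ip=198.51.100.7 user=alice result=FAIL
2016-07-26T10:01:05Z ip=198.51.100.7 user=alice result=FAIL
2016-07-26T10:02:00Z ip=192.0.2.9 user=bob result=OK
2016-07-26T10:02:30Z ip=192.0.2.9 user=bob result=OK
2016-07-26T10:03:00Z this line is deliberately malformed
2016-07-26T10:05:00Z ip=192.0.2.10 user=carol result=FAIL
2016-07-26T10:05:10Z ip=192.0.2.10 user=carol result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(text):
    """Parse log text into (timestamp, ip, user, succeeded) tuples.

    Lines that do not match the expected format are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("ip"), m.group("user"), m.group("result") == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.6):
    """Return {ip: summary} for sources whose activity looks like credential stuffing.

    For each IP, slide a window of length `window` over its attempts (sorted by
    time). A window is suspicious when it contains at least `min_users` distinct
    usernames and at least `min_fail_ratio` of the attempts failed. The summary
    reports the window with the most distinct users, plus the accounts that
    succeeded from that source: those are the likely password-reuse victims and
    should be forced through a password reset.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        best = None
        for i in range(len(evs)):
            start = evs[i][0]
            win = [e for e in evs[i:] if e[0] - start <= window]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                cand = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "fail_ratio": ratio,
                    "succeeded_users": sorted(e[2] for e in win if e[3]),
                }
                if best is None or cand["distinct_users"] > best["distinct_users"]:
                    best = cand
        if best is not None:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, summary)
```

Run stand-alone, the only source flagged is 203.0.113.5 (eight accounts tried, seven failures, one success against dave); the brute force from 198.51.100.7 is left for a per-account lockout rule. In production the same logic would run per tenant on a streaming window, and the `succeeded_users` list is the part worth paging on, since each entry is an account the attacker is already inside.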

To counter this risk, organisations can now enlist a reputable threat intelligence firm to monitor obscure regions of the web for traces of their corporate data. Terbium Labs, Mark Monitor, Global Velocity Inc, ID Agent and FireEye iSIGHT are among the players in this growing domain. These providers offer near real-time alerts that enable security teams to quickly identify and analyse an exposure, take security measures and, hopefully, limit the damage. If an attack has already occurred, this intelligence can help organisations assess the breach and invoke their Incident Response Plan.

Proliferation of regulation and legislation

The proliferation of regulation and legislation, stakeholder demand for greater security assurances and increased cyber risk mean that corporate information requires consistent protection. While monitoring the Dark Web for leaked or hacked corporate data can provide the situational awareness needed to limit the impact of a breach, BSI Espion advocates that organisations adopt Best Practice for data protection. Often, this begins with a robust and optimised Information Security Management System (ISMS) whose controls include data loss prevention (DLP) measures and regular penetration tests to evaluate the security of the IT infrastructure.

Stephen O’Boyle, head of professional services at BSI Espion, explained: “The prospect of a so-called breach monitoring site notifying the public about their latest windfall, and it’s your organisation’s data, is certainly alarming for those charged with corporate governance. A quick glance at Leakbase’s Twitter account shows this is precisely what happened to Yahoo, Experian and Dropbox. While companies are right to review the risks and consider new ways in which to safeguard their reputation, we feel the new EU General Data Protection Regulation (GDPR) will be the key change agent and improvement driver of information resilience.” 

The GDPR applies across all EU Member States. Businesses are already beginning to assess the changing landscape in which citizens will have stronger control over their personal data and their privacy remains protected. Among the new rules are a requirement to notify the national supervisory authority within 72 hours of becoming aware of a breach (where the breach is likely to result in a risk to data subjects) and fines of up to 4% of global annual turnover. With such high stakes for non-compliance, businesses are advised to start preparing now for the changes ahead.

O’Boyle concluded: “Nowadays, organisations must make information security a front and centre business issue. Senior management should carefully listen to and support their information security teams in order to implement a strong ISMS system. Protecting and defending corporate data is absolutely essential when it comes to reducing risks and ensuring business continuity. This requires investment in the operational effectiveness of all the identified controls, such as people, process and technology.”

References

1. https://blogs.dropbox.com/dropbox/2016/08/resetting-passwords-to-keep-your-files-safe/ ; https://twitter.com/LeakbasePW
2. https://investor.yahoo.net/releasedetail.cfm?releaseid=990570 ; http://thehackernews.com/2016/08/hack-yahoo-account.html
3. http://www.bbc.com/news/technology-36764548

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
