BSI Espion believes the growth of legitimate service providers who trawl the hidden web for leaked corporate data further illustrates the complex and perplexing information security challenges organisations can face in today’s world.
The Dark Web (which is part of the Deep Web) is a portion of the Internet that’s intentionally hidden from search engines, uses masked IP addresses and is accessible only with a special web browser. Often, this is where threat actors buy and sell leaked and hacked data (such as credit card numbers, e-mail address lists, social security numbers, health records and more) on hidden services, Dark Web markets, paste sites and password-protected criminal forums.
There’s another breed of anonymous Internet user operating on the Dark Web. ‘Data hoarders’ are collectors, copiers and archivers of breached data. LeakedSource, Vigilante.pw and Leakbase are examples of websites that host mountain-sized repositories of databases which the general public can search. Those behind these hacker ‘data dump’ sites also leverage new and traditional media in order to publicise their high-profile spoils.
It was Leakbase who recently announced the 2012 Dropbox breach [1] having obtained a copy of the stolen accounts containing e-mail addresses and hashed passwords belonging to 68 million users. The Yahoo cyber attack [2], which supposedly went undetected for over 18 months, was uncovered while the company was investigating a separate claim by a hacker named Peace that 200 million stolen users’ details were being touted on the Dark Web.
These sites pose an additional danger as, unfortunately, many individuals use the same username and password for multiple online accounts. Hackers can take and use these login details for ‘credential stuffing’ (where software is deployed to replay the leaked credentials against other sites and gain access to customer accounts). This is exactly how hackers recently accessed O2 customer accounts, using usernames and passwords first stolen from gaming website XSplit [3].
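Because a credential-stuffing run replays leaked username/password pairs from one source against many different accounts, it leaves a recognisable shape in authentication logs: one source address, many distinct usernames, mostly failures. The following detector is an added example written for this article, not code from BSI Espion or any vendor named here; the log format (key=value fields), the thresholds and the sample log lines are all constructed assumptions. It flags sources matching that shape and lists the accounts that did succeed from a flagged source, which are the ones a defender would force a password reset on first.

```python
"""Detect credential-stuffing patterns in a web authentication log.

Added example (not from the article).  Log format, thresholds and the
sample lines below are assumptions made for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log (hypothetical key=value format).  Three sources:
#  203.0.113.5  - one address cycling through many usernames, mostly failing
#  198.51.100.7 - one user mistyping their own password, then succeeding
#  192.0.2.9    - a shared office address: many users, mostly successes
SAMPLE_LOG = """\
2016-10-03T10:00:01Z src=203.0.113.5 user=alice@example.com result=fail
2016-10-03T10:00:02Z src=203.0.113.5 user=bob@example.com result=fail
2016-10-03T10:00:02Z src=203.0.113.5 user=carol@example.com result=fail
2016-10-03T10:00:03Z src=203.0.113.5 user=dave@example.com result=success
2016-10-03T10:00:03Z src=203.0.113.5 user=erin@example.com result=fail
2016-10-03T10:00:04Z src=203.0.113.5 user=frank@example.com result=fail
2016-10-03T10:00:04Z src=203.0.113.5 user=grace@example.com result=fail
2016-10-03T10:00:05Z src=203.0.113.5 user=heidi@example.com result=fail
2016-10-03T10:01:10Z src=198.51.100.7 user=ivan@example.com result=fail
2016-10-03T10:01:15Z src=198.51.100.7 user=ivan@example.com result=fail
2016-10-03T10:01:20Z src=198.51.100.7 user=ivan@example.com result=success
2016-10-03T10:02:00Z src=192.0.2.9 user=judy@example.com result=success
2016-10-03T10:02:01Z src=192.0.2.9 user=mallory@example.com result=success
2016-10-03T10:02:02Z src=192.0.2.9 user=oscar@example.com result=success
2016-10-03T10:02:03Z src=192.0.2.9 user=peggy@example.com result=success
2016-10-03T10:02:04Z src=192.0.2.9 user=trent@example.com result=fail
2016-10-03T10:02:05Z src=192.0.2.9 user=victor@example.com result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(events, min_distinct_users=5, min_fail_ratio=0.75):
    """Return {src_ip: summary} for sources whose traffic looks like stuffing.

    The signature is many *different* usernames from one source with a
    high failure ratio.  A user retrying their own password (one username)
    and a shared NAT address (many users, mostly successes) both stay under
    the thresholds, so they are not flagged.
    """
    per_src = defaultdict(
        lambda: {"users": set(), "attempts": 0, "failures": 0, "succeeded": set()}
    )
    for ev in events:
        s = per_src[ev["src"]]
        s["users"].add(ev["user"])
        s["attempts"] += 1
        if ev["result"] == "fail":
            s["failures"] += 1
        else:
            s["succeeded"].add(ev["user"])

    flagged = {}
    for src, s in per_src.items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[src] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "fail_ratio": fail_ratio,
                # Accounts that opened from a stuffing source: reset these first.
                "compromised_accounts": sorted(s["succeeded"]),
            }
    return flagged


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

On the constructed sample only 203.0.113.5 is flagged, and `dave@example.com` is reported as the account that was successfully opened from it. The thresholds are deliberately simple; in production a time window per source and allow-listing of known shared egress addresses would be added so that a busy NAT does not trip the distinct-user count.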
Countering this risk, organisations can now enlist a reputable threat intelligence firm to monitor obscure regions of the web for traces of their corporate data. Terbium Labs, MarkMonitor, Global Velocity Inc, ID Agent and FireEye iSIGHT are among the players in this growing domain. These providers offer near real-time alerts that enable security teams to quickly identify and analyse a leak, take security measures and, hopefully, limit the damage. If an attack has already occurred, this intelligence can help organisations assess the breach and invoke their Incident Response Plan.
Proliferation of regulation and legislation
The proliferation of regulation and legislation, stakeholder demand for greater security assurances and increased cyber risk mean that corporate information requires consistent protection. While monitoring the Dark Web for leaked or hacked corporate data can provide the situational awareness necessary to help limit the impact of a breach, BSI Espion advocates that organisations adopt best practice for data protection. Often, this begins with a robust and optimised Information Security Management System (ISMS) that includes DLP measures such as pen tests to evaluate the security of the IT infrastructure.
Stephen O’Boyle, head of professional services at BSI Espion, explained: “The prospect of a so-called breach monitoring site notifying the public about their latest windfall, and it’s your organisation’s data, is certainly alarming for those charged with corporate governance. A quick glance at Leakbase’s Twitter account shows this is precisely what happened to Yahoo, Experian and Dropbox. While companies are right to review the risks and consider new ways in which to safeguard their reputation, we feel the new EU General Data Protection Regulation (GDPR) will be the key change agent and improvement driver of information resilience.”
The GDPR impacts all EU Member States. Businesses are already beginning to assess the changing landscape, in which citizens will have stronger control of their data (and in which their privacy remains protected). Among the new rules, organisations will be required to notify their national authority within 72 hours after a breach (where there’s a significant risk to data subjects), and they face possible breach fines/sanctions of up to 4% of global annual turnover. With such high stakes for non-compliance, businesses are advised to start preparing now for the changes ahead.
O’Boyle concluded: “Nowadays, organisations must make information security a front and centre business issue. Senior management should carefully listen to and support their information security teams in order to implement a strong ISMS system. Protecting and defending corporate data is absolutely essential when it comes to reducing risks and ensuring business continuity. This requires investment in the operational effectiveness of all the identified controls, such as people, process and technology.”