Last updated at Tue, 24 May 2022 17:54:38 GMT
A lot has been said about the term “digital footprint.” The term relates to all of the digital breadcrumbs left by an individual or a company across the public web. Have you ever uploaded a resume to a site? Posted your birthday photos to Facebook? Published an article? Built a new website? Added a new DevOps server? Each of these actions adds to your digital footprint.
For companies, the task of monitoring and tracking their digital footprint can be burdensome. A company is the sum of its employees, and each worker has their own digital footprint. Using these digital breadcrumbs and connecting the dots between all of these publicly available details can significantly widen the attack surface of a company. Here is how hackers use publicly available employee data to illegally access company systems.
What are digital breadcrumbs?
The number of online public digital actions per person over the years can reach into the millions. Depending on the individual’s age, these digital actions could have been performed years ago, when cybersecurity awareness was virtually non-existent.
Consider the following information:
- 45% of people disclose their birthday on social media
- 29% share their phone number online
- 20% share their home address
- 14% mention their mother’s maiden name
- 7% post their Social Security number (!)
Each of these details on its own poses some security risk. But a threat actor can combine information on an individual, like their birthday, mother’s maiden name or middle name, and home address (current or past), and cross-reference it with the numerous apps and services that offer individuals’ public data on the Internet to create a very accurate profile of that person. This profile, combined with Dark Web resources, enables a hacker to impersonate the individual and obtain their identity.
For example, knowing a person’s middle name, birth year, and place of birth will be enough to locate and buy their SSN on the Dark Web. With that information, a threat actor can access corporate systems and divisions that request an SSN for identification.
Managing corporate digital footprints
Just like individuals should be mindful of managing their digital footprints, companies need processes and tools in place to manage theirs. A big company has numerous web outlets, social media accounts, servers, IP ranges, ASNs, databases, repositories, cloud storage servers, and other Internet-facing assets. And these are just the resources that the security and/or IT department typically knows about.
There are usually many more assets that the company doesn’t know about, like ad-hoc sites and services, temporary QA environments (which too often stay permanent), and all types of Internet-facing services.
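One way a security team can surface such unknown assets is to reconcile externally observed hostnames against the asset inventory. The sketch below is an added example, not code from the original article; the domain, both host lists and the non-production label list are constructed assumptions.

```python
import re

# Labels that suggest a non-production environment (assumed list for this example).
NONPROD = re.compile(r"(^|[-.])(qa|test|dev|stage|staging|uat|tmp|temp)\d*([-.]|$)")

# Constructed sample data: the inventory the IT department knows about,
# and hostnames seen from the outside by any external discovery source.
INVENTORY = ["www.example.com", "shop.example.com", "vpn.example.com"]
OBSERVED = [
    "WWW.example.com", "shop.example.com.", "*.qa-payments.example.com",
    "staging3.example.com", "devops.example.com", "notexample.com",
    "vpn.example.com",
]

def normalize(host):
    """Lowercase, trim, drop a trailing dot and a leading wildcard label."""
    host = host.strip().lower().rstrip(".")
    return host[2:] if host.startswith("*.") else host

def in_scope(host, company_domains):
    """True only for the company domain itself or a real subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in company_domains)

def find_unknown_assets(observed, inventory, company_domains):
    """Return (host, looks_nonprod) for in-scope hosts missing from the
    inventory, with likely forgotten QA/staging environments listed first."""
    known = {normalize(h) for h in inventory}
    seen = {normalize(h) for h in observed}
    unknown = {h for h in seen if in_scope(h, company_domains)} - known
    flagged = [(h, bool(NONPROD.search(h))) for h in unknown]
    return sorted(flagged, key=lambda item: (not item[1], item[0]))

if __name__ == "__main__":
    for host, nonprod in find_unknown_assets(OBSERVED, INVENTORY, ["example.com"]):
        note = "possible leftover non-production environment" if nonprod else "not in inventory"
        print(f"{host}: {note}")
```

Hosts that differ from inventory entries only by case, trailing dot or wildcard prefix are treated as known, and look-alike domains such as notexample.com are left out of scope rather than reported as company assets.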
Like we said earlier, a company is the sum of its employees. Even though some people may try to separate their personal and professional “digital lives,” all of this information contributes to their digital footprint and therefore can be leveraged as an attack vector against the company. It’s easy to assume that someone will target the CEO of a company, but sometimes it’s easier to target the CEO’s personal assistant.
Consider the following scenario
A hacker uses LinkedIn to identify a company’s developers. Further research on these developers reveals their company email addresses (through SEO tools, or even through an open source article one of them published). This helps the hacker learn the naming convention of the company’s email systems (e.g. Firstname+Lastname@example.com, first letter of first name+Lastname@example.com, etc.).
A user’s password can be discovered in several ways, for example, through brute force, researching leaked credentials on the Dark Web (if the hacker is really lucky), or other leaked passwords of that employee, which they are likely to re-use for the company server. If none of those tactics work, the hacker may look for other employees’ leaked passwords, which give the hacker a clue to the company’s password length and complexity policies and help narrow down the scope of the brute-force attack.
As you can see, the breadcrumbs people leave on the Internet make it easy for hackers to bypass security systems. And although companies continue to enforce stricter security policies every year, the human factor is very difficult to strengthen through policy. Companies need to find ways to monitor and reduce their digital footprint so hackers have less information they can leverage to break into corporate systems.
Conclusion and recommendations
Managing your company’s and employees’ digital footprints is a never-ending battle. New content and web tools are constantly released, and you want your team to have the opportunity to take advantage of these new resources. However, increased web usage leads to larger footprints and more breadcrumbs, which make it easier for hackers to find key information to access your systems. Cleaning up your digital trail is a necessary practice in today’s world, and CISOs and security teams must invest in the right tools and processes to stop attacks before they are launched.