Helping hackers or why you shouldn’t publish your organization chart
Travis N.
Organizations love to share information about themselves: accomplishments, awards, and who works there, especially high-profile employees like executives, vice presidents, senior managers, and occasionally team members. Did you know that by publishing this information on your corporate website, you’re making it easier to attack your business? In this article, we will show how you increase your attack surface by making it easier for hackers to impersonate key employees.
Hacking the company… with help
When hackers look to attack a company, you might think they show up out of the blue. This is not true. Hackers do their homework and find out everything they can about your organization. They probe public records such as state Secretary of State registrations, your social media, and search engines. This process is called reconnaissance, or recon: preliminary surveying or research. Companies today are tough to break into, but that doesn’t mean attackers don’t get the upper hand.
Not all recon is malicious, however. Pretend you work in sales and have a meeting with a prospect. Instead of waiting for them to provide answers to questions, you search them online instead. You find the number of office locations, who is in charge of each location and their contacts. You also find out they’re using a competitor’s product since their CIO wrote a testimonial for the competitor’s website. When the meeting comes up, you impress the prospect and show them how superior your product is over the competitor and you don’t even mention them by name. By the end of the call, you have a quote request and feel confident about closing the sale.
Attackers follow the same game plan. Instead of trying to make a sale, they look to steal information that is worth money on the black market, or money directly. When companies make more information about themselves public than they should, it carries an inherent risk. If direct email addresses are published, attackers learn how you format your email addresses (such as email@example.com or firstname.lastname@example.org), who holds which position, who works in key departments, and even which software products you use, which may have known security vulnerabilities.
Organization charts should be confidential
You wouldn’t publish schematics for your latest and greatest product online, would you? You might as well hand your competitor the plans and have them make a better version of your product. Organization charts and the details about your company should be kept internal only. Attackers can use this information to perform spear phishing attacks. Spear phishing is when an attacker specifically targets an individual. An example would be a malicious Word document that installs malware, delivered directly to the CEO.
Likewise, it makes it easier for attackers to send fraudulent email messages that appear to come from someone within your organization in order to gain more trust. When an attacker makes an email look like it came from your company, that is known as email spoofing. A common example: an attacker spoofs the CEO’s email address and emails the company’s comptroller instructions to make a wire transfer. If you think this scam couldn’t work, you might be surprised to learn that the FBI has said it’s a $12 billion scam.
Email was never designed with security in mind. Over the last few years, new technologies have been added to help companies protect themselves from different types of attacks. We recommend setting up an SPF record, enabling DKIM, and configuring DMARC DNS records. Contact us if you don’t know how to do this and we’ll provide free assistance. Companies that use Office 365 or Microsoft Exchange can also enable rules to insert a warning message at the top of possibly spoofed emails. We can assist with this as well.
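As an added example (not part of the original article), the script below audits SPF and DMARC TXT records for the weak settings that leave a domain open to spoofing. The records are constructed sample strings for a hypothetical example.com, not lookups of any real domain; in practice you would feed it the TXT records returned for your domain and for the _dmarc subdomain.

```python
"""Audit SPF and DMARC TXT records for settings that still allow spoofing."""
import re

# Constructed sample records, as a DNS TXT lookup of example.com and
# _dmarc.example.com might return them (hypothetical values).
WEAK_SPF = "v=spf1 include:_spf.example.net ?all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means no weak setting found."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    match = next((ALL_TERM.match(t) for t in record.split() if ALL_TERM.match(t)), None)
    if match is None:
        return ["no 'all' mechanism: unlisted senders are treated as neutral"]
    qualifier = match.group(1)
    if qualifier in ("", "+", "?"):        # bare 'all' means '+all'
        return [f"'{match.group(0)}' lets any host pass SPF"]
    if qualifier == "~":
        return ["'~all' only softfails; prefer '-all' once all senders are listed"]
    return []


def audit_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means the policy is enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "missing")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy}: spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    return findings
```

Run both audits against the weak records to see the findings, then against the strong ones to confirm an empty result.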
In addition, conduct regular security training with your employees. Make sure they know never to open attachments they weren’t expecting. If the comptroller receives an urgent wire request through email from the CEO, they should immediately contact the CEO by phone or in person to verify the request verbally. Also, refrain from leaking the structure of your company. Never post direct email addresses for anyone at your company; instead, all forms of contact on your website should link to a generic email address or contact form. On LinkedIn, your employees should be encouraged not to disclose their job title and company in their headline and to keep their privacy settings adjusted.
By being alert and vigilant, your employees can defend your company from financial fraud and attacks.