Each week it seems there’s another scare story about the information that can be found for sale on the dark web. We all know that drugs, weapons, fraudulent identification cards and hacked bank details find their way there, and right at the end of last year a group of researchers discovered a 41-gigabyte file containing a staggering 1.4 billion username and password combinations for sale. However, the recent revelation that infants’ social security numbers – used by criminals to apply for government benefits or take out mortgages – are now cropping up for purchase will raise the dark web’s profile even further.
When an organisation is hacked, the dark web is often where the stolen customer data or other information ends up. On the dark web, websites are not indexed by search engines and can only be accessed if you know the site address, effectively hiding them and providing a secretive canopy beneath which criminal activity can flourish.
With its easy access to sensitive information and illegal activities, the notion of the dark web can be chilling – and the increasing public awareness of the dark web is broadly to be welcomed.
The risk, however, is that the focus on the dark web obscures a place that is potentially more dangerous and much more significant in scale. While businesses and the media fret over what’s for sale in the internet’s shadiest corners, many thousands of public-facing sites exist where data can be easily uploaded and shared, offering a vast treasure-trove of sensitive information to prospective hackers. This can be labelled the ‘bright web’, and it’s something that business need to get a better handle on.
The Netskope Threat Research Labs team carried out a research project to find areas of the internet where it’s easy to upload and share sensitive data. Most of you reading this will be aware that many of these sites exist, but it’s shocking how simple it is to do significant damage and how widespread a problem this is.
Creating a scenario that involved sharing sensitive information, the Netskope team produced a piece of data that was representative of what was stolen during the recent Equifax breach. This data contained a fictitious customer record with personal information that included name, address, phone number, email and social security number, as well as a couple of credit card numbers, which is appropriate given how often they’re sold on the dark web. This sensitive information was then packaged in three different formats – PDF, JPEG, and .pptx – for maximum possible reach.
Slide-sharing services, which are a popular way to upload and share presentations, are one of the most vulnerable gateways and part of the bright web. However, these services also make it easy to share publicly and a simple Google search can reveal unexpected and frightening results. For example, if you search for “Prezi” and “QBR” you will find all the public-facing QBR (quarterly business review) presentations that are hosted on Prezi. Take just a quick glance at a few of them and you’ll find revenue numbers, customer names and business plans – data that is sensitive and obviously not intended to be shared publicly.
Cloud storage services such as Dropbox, Box and Zippyshare also make it easy to upload and share data publicly. Google Drive even has an option that allows uploaded data to be indexed by search engines. This presents a hugely risky scenario where any data can be easily leaked to the masses by simply uploading it and clicking on a button.
The enterprise needs eyes
It is difficult to be certain on how widespread an issue this is. The sample size for Netskope’s research included the top services in the cloud storage and collaboration categories, in addition to a handful of slide-sharing tools in the personal cloud app category. More than 10 per cent (1,240) of cloud services available online allow the easy uploading and sharing of data by signing up without a credit card.
This may be fine for data that’s meant to be public, but the likes of business plans, customer information and anything confidential could easily get in the wrong hands if uploaded in this way. Google Drive is the only mainstream cloud storage service that enables users to bypass cloud storage security control by supporting the ability to share data publicly and have it indexed by search engines.
On average, an enterprise has more than 1,000 cloud services in use and more than 95 per cent of those are business-led, with the remaining 5 per cent being IT-led. Lines of business rely on these cloud services to move quickly, innovate and be more productive. A comprehensive cloud security strategy should include a focus on securing IT-led cloud services like Office 365, in addition to safely enabling the bright web with granular access control and Cloud DLP that can be applied to the thousands of cloud services that make up the bright web.
The media and public eye may be more on the dark web and the trade in sensitive data, but these kinds of cloud services have much greater potential to put all of our personal and sensitive information at risk. In today’s cloud and web-first world where we live and work online, and want to both collaborate freely and move more data to the cloud, it’s vital that we secure the tools we use and make sure we don’t create a bright web that’s a gift for hackers.
Bob Gilbert, VP Product Marketing and Chief Evangelist, Netskope
Image source: Shutterstock/Sergey Nivens