The harsh reality for most cybersecurity professionals is that even the best cyber defenses still contain the element of human error. Despite the best intentions of IT departments and cybersecurity professionals, hackers still find ways to breach and penetrate defenses. And by conducting reconnaissance, cybercriminals can pinpoint which individuals might be the weakest link in the chain.
This means that any good cyber defense strategy will take human attack vectors into account. This could be an IT manager getting a phishing email to obtain passwords, social engineering attacks and even theft of physical key cards or access controls. These attacks are typically well-scouted and researched to ensure the mission goes off without a hitch.
As such, any examination of a system’s attack surface must include human error vectors alongside potential holes or errors in software application code that could create paths leading hackers in, and your confidential data out.
Seemingly innocuous internet forum posts and inquiries made by employees can provide a rich dataset for hackers to mine for attack vectors. Search engines are also a valuable tool for hackers, who can sometimes obtain business emails and phone numbers to probe. Google’s perpetually growing indexes and archives can and are exploited by those with darker intentions, easily querying for vulnerabilities in web applications.
Here a few pieces of information hackers can easily locate and examine to spawn attack surface strategies against your company:
1. Private Information in the Public Domain
Hackers can launch social engineering attacks given excessive personal information contained within archived news articles or domain registrations. You’ll want to make sure no unwanted email addresses come up in Google, and make sure those accessible to the public have adequate anti-malware detection software. Hackers will even seek to engineer an attack using your info@ or help@ email addresses, so make sure you have the proper IT infrastructure in place to spot frauds.
2. Too Much Information on Social Media
Our societal predilection to over-share to the anonymous internet can come back to haunt us if we vent about frustrations at home, or at work, or specifically at the problems currently vexing your company’s system. IT employees often post on public boards, soliciting feedback on technical issues or system errors, giving ripe opportunity for hackers to deduce weak spots in the system.
3. Caught in the Web Crawler’s Trap
Along with your blog post of Grandma’s “secret” cookie recipe, search engines capture and forever remember and redistribute all manner of information. SQL, syntax and a variety of other error pages are ensnared and cached by the web spider as well, potentially used to ID security issues on target systems.
Armed with this freely given information, hackers can then move on to service fingerprinting and port scanning to further identify the attack surface, usually employing automated scans for a first pass attempt. With sufficient, accurate knowledge collected from their reconnaissance, a hacker could then initiate a successful manual attack on the targeted server.