Is Your Web Site a Security Risk?
by admin
Your web site is one of the first places that fraudsters and attackers look for information on how to harm your company. You may not realize it, but your online presence can be one of the greatest tools for undermining your organization's information security.
Here are just a few of the ways in which hackers are already snooping around your company and looking for a way to gain access to your most private data.
Job Postings
Job postings can be a rich source of information about your company's security policies and IT infrastructure. The required-skills list in a single IT job posting is effectively an inventory: it can tell an attacker which operating systems, databases and security products you run, and a string of unfilled postings tells them that certain areas of IT are under-staffed and therefore less likely to notice an intrusion.
Staff Directories
If your company publishes its employee directory on your web site, an attacker can use it to execute social engineering attacks. By phoning around or sending emails, they can easily discover which of those employees are away on vacation… and when they will be back in the office.
A common tactic is to call the help desk posing as that person and request a password reset. Anything done with the account during this quiet period could go undiscovered for weeks, which leaves the attacker a lot of time to work.
Another tactic is to call a quiet department such as payroll. These people don't get many sales calls and are often approachable and easy to talk with. With a bit of flattery, they can become an important source of information about security procedures and internal IT infrastructure.
Office Locations
If your company has multiple satellite offices, an attacker can use this information to target the smaller offices, which often have less robust IT security, and use one of them as an entry point to more critical systems.
If a company has five or six small satellite offices, there is a good chance that at least one of them has weak Wi-Fi security. Another common tactic is to make a quick visit to the lobby, perhaps to ask for directions, and "accidentally" leave a USB stick behind for a curious employee to plug in.
Source Code
By looking at your HTML source code, a potential attacker can figure out which CMS you are using, often down to the exact version, and then test whether your latest patches have actually been applied.
If the web site can be exploited, it can be used to distribute malware or to phish other users who access services through the site.
The source code also reveals which other applications the company uses: the script and stylesheet URLs it loads point to its CRM, email marketing, help desk and analytics systems.
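The following is an added example, not code from the original article, showing how little work that fingerprinting takes. It runs over a constructed sample page (the generator tag, paths and script hosts are invented for the demonstration), and the CMS path and service host tables are short illustrative lists, not a complete signature database. Run the same script against your own pages: a generator tag or versioned asset URLs hand an attacker the exact version to look up, and removing them costs nothing.

```python
"""Fingerprint the CMS and third-party services a page exposes in its HTML.

Added example, not code from the original article. The page below is
constructed, and the signature tables are short illustrative lists, not a
complete fingerprint database.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a WordPress site that also loads a few SaaS tools.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 5.8.1" />
<link rel="stylesheet" href="/wp-content/themes/corp/style.css?ver=5.8.1">
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://js.hs-scripts.com/1234567.js"></script>
<script src="https://static.zdassets.com/ekr/snippet.js"></script>
</head><body>
<form action="/wp-login.php" method="post"></form>
</body></html>"""

# URL path fragments that identify a CMS (assumed, illustrative values).
CMS_PATHS = {
    "WordPress": ("/wp-content/", "/wp-includes/", "/wp-login.php"),
    "Drupal": ("/sites/default/files/", "/core/misc/drupal.js"),
    "Joomla": ("/media/jui/", "/components/com_"),
}

# Third-party hosts whose scripts reveal which business tools are in use.
SERVICE_HOSTS = {
    "google-analytics.com": "Google Analytics",
    "hs-scripts.com": "HubSpot (CRM/marketing)",
    "zdassets.com": "Zendesk (help desk)",
}


class LinkCollector(HTMLParser):
    """Collect the generator meta tag and every src/href/action URL."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        for key in ("src", "href", "action"):
            if a.get(key):
                self.urls.append(a[key])


def fingerprint(html):
    """Return the CMS, version and third-party services visible in the HTML."""
    collector = LinkCollector()
    collector.feed(html)
    cms, services = set(), set()
    for url in collector.urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        for name, fragments in CMS_PATHS.items():
            if any(f in parsed.path for f in fragments):
                cms.add(name)
        for suffix, name in SERVICE_HOSTS.items():
            if host == suffix or host.endswith("." + suffix):
                services.add(name)
    # A generator tag such as "WordPress 5.8.1" hands the attacker the exact
    # version to look up in vulnerability databases.
    version = None
    if collector.generator and " " in collector.generator:
        version = collector.generator.rsplit(" ", 1)[1]
    return {
        "generator": collector.generator,
        "cms": sorted(cms),
        "version": version,
        "services": sorted(services),
    }


def is_outdated(version, minimum):
    """True if a dotted version string is older than the minimum you supply
    (take the minimum from the vendor's current release notes)."""

    def as_tuple(v):
        return tuple(int(x) for x in v.split("."))

    return as_tuple(version) < as_tuple(minimum)


if __name__ == "__main__":
    print(fingerprint(SAMPLE_HTML))
```

Note that the `?ver=5.8.1` query string on the stylesheet leaks the version just as clearly as the generator tag, so both need to go; `is_outdated` is the check to run once you know which release the vendor currently ships.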
WHOIS and IP Addresses
A WHOIS lookup on the company's domain can return a wealth of insider data: the registrant, administrative and technical contacts (often key IT personnel) and the name servers, which show whether DNS and IT management are outsourced to a third party. A reverse WHOIS lookup, which searches for other domains registered with the same contact or organization, goes further.
Reverse lookups are also useful for gaining marketing insight, such as what other sites or companies are run by the same organization and what upcoming projects it is preparing to launch, since product domains are frequently registered well before the announcement. Note that many registrars now redact contact details, so the name servers and historical WHOIS records are often the most useful parts.
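As an added example (not code from the original article), here is the analysis an attacker performs on a WHOIS record, automated. The record below is constructed with an invented company, registrar and hosting provider; for a real domain you would feed `analyze_whois` the parsed output of the `whois` command. The outsourcing test is simply whether the name servers and contact addresses live on the company's own domain.

```python
"""Pull contacts, name servers and outsourcing hints out of a WHOIS record.

Added example, not code from the original article. The record below is
constructed (invented company, registrar and hosting provider).
"""

# Constructed sample in the "Key: value" layout most registries use.
SAMPLE_WHOIS = """Domain Name: EXAMPLE-CORP.COM
Registrar: Example Registrar, LLC
Creation Date: 2009-04-12T00:00:00Z
Name Server: NS1.MSPHOSTING.NET
Name Server: NS2.MSPHOSTING.NET
Registrant Organization: Example Corp
Registrant Email: hostmaster@example-corp.com
Admin Name: Jane Doe
Admin Email: jane.doe@example-corp.com
Tech Name: NOC Team
Tech Email: noc@msphosting.net
"""


def parse_whois(text):
    """Parse 'Key: value' lines into a dict of lists (keys can repeat, e.g. Name Server)."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def registrable(host):
    """Last two labels of a host name. Assumption: adequate for .com/.net,
    not for two-level suffixes such as .co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze_whois(record):
    """Who runs the domain, and is DNS or IT handled by a third party?"""
    domain = record["domain name"][0].lower()
    own = registrable(domain)
    people, third_party = [], []
    for role in ("registrant", "admin", "tech", "billing"):
        name = record.get(f"{role} name", [None])[0]
        if name:
            people.append((role, name))
        for addr in record.get(f"{role} email", []):
            # A contact address on another domain usually means a managed
            # service provider or the registrar handles that role.
            if registrable(addr.split("@")[-1]) != own:
                third_party.append((role, addr))
    name_servers = [ns.lower() for ns in record.get("name server", [])]
    return {
        "domain": domain,
        "registrar": record.get("registrar", [None])[0],
        "people": people,
        "name_servers": name_servers,
        "third_party_contacts": third_party,
        # Every name server on someone else's domain: DNS is outsourced.
        "outsourced_dns": bool(name_servers)
        and all(registrable(ns) != own for ns in name_servers),
    }


if __name__ == "__main__":
    print(analyze_whois(parse_whois(SAMPLE_WHOIS)))
```

In the constructed record the technical contact and both name servers sit on the hosting provider's domain, which is exactly the signal the text describes: the company's DNS, and probably its IT management, is run by an outside firm whose staff can then be impersonated.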
Social Media Profiles
Social media profiles, specifically Facebook and LinkedIn, are tremendously useful for gaining sensitive information about what is going on inside a company. Loose-lipped employees frequently expose confidential insider information through unprotected profiles.
LinkedIn profiles are also great for learning a target's life story, including their educational and work histories, and Facebook profiles for discovering the answers to the security questions used for identity verification or password resets.
Email addresses
Emailing the sales team is a great way to learn about the IT systems a company has in place. The headers of their replies can tell you what kind of mail servers they run, which antivirus or spam-filtering product scans their mail, internal host names and addresses, and where their offices are located.
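The following added example (not code from the original article) parses the headers of such a reply. The message is constructed, with invented host names, addresses and scanner headers, but the layout of the Received chain is what real mail looks like: each hop names the sending host, its address and the receiving software. The interesting part is the inner hop, where an internal Exchange server and an RFC 1918 address leak through.

```python
"""Extract mail infrastructure details from the headers of a received email.

Added example, not code from the original article. The message below is
constructed; the host names, IPs and header names are invented for the
demonstration.
"""
import email
import ipaddress
import re

RAW_MESSAGE = """Received: from mail.example-corp.com (mail.example-corp.com [203.0.113.10])
    by mx.recipient.example (Postfix) with ESMTPS id 4ABC12
    for <analyst@recipient.example>; Tue, 2 Mar 2021 10:15:00 +0000
Received: from EXCH01.corp.example-corp.local (10.10.5.21) by
    mail.example-corp.com (Exchange Hub) with SMTP; Tue, 2 Mar 2021 10:14:58 +0000
X-Mailer: Microsoft Outlook 16.0
X-Originating-IP: [10.10.5.21]
X-Virus-Scanned: ClamAV at example-corp.com
X-Spam-Checker-Version: SpamAssassin 3.4.4 on mail.example-corp.com
From: Sales <sales@example-corp.com>
To: analyst@recipient.example
Subject: RE: pricing

Hi, pricing attached.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <host> (<comment>) by <host> (<software>) ..."
RECEIVED = re.compile(r"from\s+(\S+)(.*?)\s+by\s+(\S+)\s*(\([^)]*\))?")
# Explicit RFC 1918 ranges rather than ipaddress.is_private, which also
# treats documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_received(value):
    """Split one Received header into sending host/IP and receiving host/software."""
    flat = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
    m = RECEIVED.search(flat)
    if not m:
        return None
    ip = IPV4.search(m.group(2))
    software = m.group(4)
    return {
        "from_host": m.group(1),
        "from_ip": ip.group(1) if ip else None,
        "by_host": m.group(3),
        "by_software": software.strip("()") if software else None,
    }


def analyze_headers(raw):
    """Summarize what the headers reveal about the sender's mail infrastructure."""
    msg = email.message_from_string(raw)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    leaked = [h for h in hops if h["from_ip"] and is_internal(h["from_ip"])]
    return {
        "hops": hops,  # first entry is the hop closest to the recipient
        "mail_servers": sorted({h["by_host"] for h in hops} | {h["from_host"] for h in hops}),
        "internal_hosts": sorted({h["from_host"] for h in leaked}),
        "internal_ips": sorted({h["from_ip"] for h in leaked}),
        "mailer": msg.get("X-Mailer"),
        # Headers added by scanners name the product protecting the mailbox.
        "security_headers": {k: v for k, v in msg.items() if re.search(r"virus|spam|scan", k, re.I)},
    }


if __name__ == "__main__":
    for key, value in analyze_headers(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

The defensive counterpart is to have the edge mail server strip or rewrite internal Received lines and X-Originating-IP before mail leaves the organization; running this script on a message sent from your own domain shows whether it does.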
Document Header Information
Companies love to publish marketing documents in PDF, Word and PowerPoint format. These documents often carry metadata that reveals operating system and software versions, usernames, internal system names, file share paths and more.
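Here is an added example, not code from the original article, of both sides of that problem for Office documents. A .docx (like .xlsx and .pptx) is a zip archive whose docProps/core.xml and docProps/app.xml parts hold the author, last editor, company and template path; the sample document is built in memory with invented names and a made-up UNC path so that the script runs offline. `extract_metadata` is what the attacker runs over everything your site publishes; `scrub_metadata` is the cheap fix to apply before publishing.

```python
"""Read and scrub the metadata Office documents carry in docProps/*.xml.

Added example, not code from the original article. The .docx below is
constructed in memory with invented names and paths.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
EP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
ET.register_namespace("cp", CP)
ET.register_namespace("dc", DC)

# Constructed docProps as Word writes them (raw strings keep the backslashes
# of the domain account and the UNC template path intact).
CORE_XML = rf"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">
<dc:title>Product Brochure</dc:title>
<dc:creator>jdoe</dc:creator>
<cp:lastModifiedBy>CORP\jsmith</cp:lastModifiedBy>
</cp:coreProperties>"""

APP_XML = rf"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{EP}">
<Application>Microsoft Office Word</Application>
<AppVersion>16.0000</AppVersion>
<Company>Example Corp</Company>
<Template>\\fileserver01\templates\brochure.dotx</Template>
</Properties>"""

# field -> (zip member, namespace, element name)
FIELDS = {
    "creator": ("docProps/core.xml", DC, "creator"),
    "lastModifiedBy": ("docProps/core.xml", CP, "lastModifiedBy"),
    "title": ("docProps/core.xml", DC, "title"),
    "Company": ("docProps/app.xml", EP, "Company"),
    "Template": ("docProps/app.xml", EP, "Template"),
    "AppVersion": ("docProps/app.xml", EP, "AppVersion"),
    "Application": ("docProps/app.xml", EP, "Application"),
}
# Usernames, the company, an internal file share path and the exact Office
# build are what an attacker wants; the title can stay.
SENSITIVE = ("creator", "lastModifiedBy", "Company", "Template", "AppVersion")


def build_sample_docx():
    """Assemble a minimal .docx in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def extract_metadata(docx_bytes):
    """Return the fields in FIELDS (None where absent)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        roots = {p: ET.fromstring(z.read(p)) for p in ("docProps/core.xml", "docProps/app.xml")
                 if p in z.namelist()}
    out = {}
    for field, (part, ns, local) in FIELDS.items():
        el = roots[part].find(f"{{{ns}}}{local}") if part in roots else None
        out[field] = el.text if el is not None else None
    return out


def scrub_metadata(docx_bytes):
    """Return a copy of the document with the SENSITIVE elements removed."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name in ("docProps/core.xml", "docProps/app.xml"):
                root = ET.fromstring(data)
                drop = {f"{{{ns}}}{local}" for f, (part, ns, local) in FIELDS.items()
                        if f in SENSITIVE and part == name}
                for child in list(root):
                    if child.tag in drop:
                        root.remove(child)
                # ElementTree may re-prefix the default namespace; the XML stays valid.
                data = ET.tostring(root, encoding="utf-8")
            dst.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", extract_metadata(doc))
    print("after: ", extract_metadata(scrub_metadata(doc)))
```

PDFs carry the same kind of data in their Info dictionary and XMP stream and need the same treatment; the point of the example is that a domain account name and a file server path, both useful to an attacker, are sitting in a brochure that the marketing team considers public.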
Unprotected Folders
Too often, companies use their web servers as a central repository for exchanging large files or accepting files from clients. However, the folders used for this are usually unsecured public directories with directory listing enabled, so their contents even show up in Google searches. Anyone who finds such a folder can learn a lot about your company.
These are just a few of the first places an attacker looks for information that could be used to compromise your IT security. A complete list would take far more space than this article permits and would have to be updated constantly, because new techniques are always appearing.
This is why it is so important to place strict policies on the online activities of your employees and to be very careful about what information you publish.