By Ghonche Alavi
This article originally appeared in the March 2020 issue of Crisis Response magazine.
We have all heard anecdotal stories from the dark web highlighting the unsupervised horrors and goings-on that are not subject to any legal oversight. We tend to consider the dark web to be the most threatening place on the Internet. However, most people do not actually spend any time on the dark web, as they can neither access it nor know the first thing about navigating it. The surface web is where we all spend the majority of our time online and is, in fact, where we are most vulnerable.
Information is readily available on the surface web
The surface web is a great source of quick information for our review and use. This allows us to be more efficient and, at times, more effective in the workplace. For instance, maybe you have a meeting set up with a potential new client—one of the first things you are likely to do is check their profile on LinkedIn. Much of the information you might want to know ahead of your initial meeting is consolidated in one place: how long they have been at the company; whether or not they are a key decision-maker in the company; what relevant qualifications they have; and so on.
Just as you have been able to source the primary school this potential new client attended in the early nineties, anyone can just as easily end up with this type of personal information about you, your friends, and your family. More concerning still is the convergence between physical and information security, which means that your digital footprint, or digital shadow, can be used to gain intelligence on your daily routines. It can be used to threaten you physically.
How social media, websites and apps can add to the risk
As social media platforms continue to thrive, we are bombarded with trivial posts that reveal increasing amounts of information, as much about our own friends and family as about our acquaintances and colleagues. It is all the ammunition needed for opportunist criminals to successfully target their next victim.
The attack surface has expanded as we share personal data online, on websites, platforms and applications. Just think about the number of connected devices we use on a regular basis, such as Fitbits connected to our mobile phones or computers. These are all considered fair game by hackers and criminal syndicates, and your personal and private information can be used to exploit you.
Security threats are shifting to the digital domain
Traditionally, security concerns have been limited to physical security. However, today, when it comes to managing threats, having a high-performance alarm system and a capable team that responds quickly to incidents will protect you physically, but will not be able to do anything about cybercrime. Known security breaches are shifting to the digital domain, which is laced with a number of nuanced threats.
In this increasingly interconnected world, many people are able and keen to share information in real time. It is ideal for connecting and bringing people together, but it also poses a significant threat to physical and online security.
We are sharing information without even realizing it
In addition to the information we willingly share online, there are many personal details that we are also inadvertently sharing. The lengthy terms and conditions of applications, with their excessive technical and legal jargon, are often overlooked, and we give little thought to how the data provided to these apps are, in turn, shared with third-party providers.
More importantly, we question even less how the providers of the apps secure and store the data that we have consented to sharing with them. What security configurations are in place to harden networks from intrusion by hackers? And do we care enough to stop sharing personal information in exchange for accessibility and convenience?
High-net-worth individuals and company executives are particularly vulnerable to online threats because they are appealing targets. It is no wonder that cyber criminals leverage their online vulnerability, using accessibility to their friends and family to further their goals.
Family members may be putting you and others at risk
For less sophisticated criminals, all it takes is a casual perusal online and suddenly there is valuable information to be leveraged. For a more sophisticated black-hat hacker during the reconnaissance phase, it often becomes clear very quickly that while the targets themselves may maintain a discreet online presence, family members and their extended social circles are not so discreet.
Which schools are the children enrolled at? Where does their spouse go for a morning jog? How frequently do they travel abroad? It is information like this that is often easily accessible in the early stages of reconnaissance. The individual simply has to find one weakness in their target’s network: one family member or friend who has lax security controls on social media and who tends to overshare, and they are in.
Small bits of information can leave your family exposed
While for family members, particularly younger ones, it may not be clear why so much caution should be applied when sharing information online, there are some real, tangible threats that could leave the whole family much more exposed. Small snippets of information come together and very quickly the criminal has substantial intel to act on.
This can be used to plan for a wide range of crimes, from virtual kidnapping to burglary or from doxing (short for “dropping docs,” this involves breaching personal data and publishing it online with malicious intent) to mugging. Children can even become victims of cyber harassment and be groomed to reveal even more sensitive information that can later be used against the family.
These crimes are financially motivated, but can have far-reaching consequences, including posing a genuine physical threat, as well as having the potential to cause significant reputational damage.
As we have established, the threats are real, and we may have painted a gloomy picture, but there are steps you can take to protect yourself.
Here are 10 cybersecurity tips on how to protect your family’s privacy online:
1. Speak with family and close ones to agree on the level of information you are comfortable with sharing online. Make sure everyone understands the risks of oversharing.
2. Avoid qualifying the nature of your relationship with others online, for example, family members or significant others.
3. Enable multi-factor authentication when possible.
4. Review all apps on your devices and ask yourself: Do you use it? Do you need it? Are you sharing the right amount of information on it? Remove unused applications on devices.
5. Avoid public WiFi when possible. When it is absolutely necessary, use a secure, licensed virtual private network (VPN) and disable automatic WiFi and Bluetooth connection.
6. Do not open emails and attachments that you were not expecting.
7. Do not use the same username and password combination across apps.
8. Avoid using the same username on different apps to make it harder to identify you between apps.
9. Disable automatic location sharing, especially when taking photos, to avoid geolocation being identified in the metadata.
10. If you really want to post pictures of your holiday or where you are eating breakfast, for example, do so on your return and not in real time.
Ghonche Alavi is a Senior Information Security Consultant at NYA, a GardaWorld company. She is a Certified Digital Forensics Examiner (CDFE) and an Ethical Hacker. Working alongside NYA’s wider consulting and response teams, Ghonche supports clients before, during and after cyber incidents, working closely with forensic examiners and the crisis management team.