Is it marketing or a data leak?

📅 November 03, 2020

⏱️2 min read

Your company's data is all over the internet... is that marketing? Or is it a data leak? I wasn't sure 🤔 so I asked...

Embedded content: https://youtu.be/LuutiWgnnmI

Here is a lightly edited version of what Jason said.

Joe Pindar: It's interesting that you bring up marketing. Because one of the things that I've heard when we look at some of the kind of data breaches that happen - they seem to come from these aggregation companies. Who are looking to enrich emails and just put all of your business data together... There's a relatively simple argument to say: Well, we call this marketing. Why is that a data leak? Why does it matter if all of our accounts team and all of our HR team have their profiles and everything about them online? Isn't that a good thing? Because that shows, we're a transparent organization.

Jason Hart: It's a good thing. And again, just like information security, cybersecurity, it's the cost of doing business. You need to be seen to be out there, but let's think like a bad guy, okay? The more a bad guy can understand about an organization, and in the olden days, going back in the early nineties, we used to call this footprinting. We used to go out, and we would footprint an organization. We would find out as much as we could. We'll go and do dumpster diving, you know, go through their bins. We'll go online. We look at newspapers, to find out what the news was. Or look at press releases about an organization. We would establish as much information, knowledge, intelligence, about that organization. Be it what they were doing, what the people were doing, hobbies, interests, and that's called, we call it the concept of footprinting.

And in today's world, to footprint an organization, instead of taking three or four weeks, or even months, it takes seconds; if you know what you're doing. The ability to footprint an organization has never been so easy, and that takes us on to the enumeration.

To your point, all of those email addresses out there about an organization, people doing marketing campaigns etc. People having social profiles - it allows and enables the footprinting to be very simple and easy. Which, in turn, allows the hacker or the attacker, threat actor, to enumerate which person is highly visible and vulnerable.

As a hacker, I have all of these profiles, I can start digging into the detail. What are their hobbies? Their interests? What trends are going on in that organization? So I have a bucket of data (the footprint data). Then I have a more detailed bucket of enumeration linked to the footprint. With those two buckets now, I can clearly articulate a unique attack. Say a spear phish to a bunch of individuals. And the probability and the likelihood of them going - Oh, that resonates - increases. "That's exactly what we were talking about in the past marketing campaign." or "That's exactly on cue with the messaging that we're going to market with." or " Yes, that is the football team that I support." And suddenly, you've got these two buckets being aggregated together in an automated way, which allows the attacker to spread attacks wider - with a larger net. And we're gonna see more of this.