Failure to strip data leaves large business vulnerable to cyber-attacks
Research suggests that large businesses are vulnerable to cyber-attacks due to the lack of action to strip data from their online files.
As they update and maintain their websites, this data is added when employees upload images and documents. The researchers found that user names and employee IDs were attached to the uploaded files.
Security firm Glasswall, who carried out the survey, said that attackers could use this data to launch an attack on the business, with banks and government departments among those found to be leaking data.
“This is really low-hanging fruit,” said Lewis Henderson, a vice-president at Glasswall.
In order to compile the data, Mr Henderson spent days gathering data from websites, sampling pictures, spreadsheets and PDFs.
“This was all done from a single IP [internet protocol] address and in broad daylight,” he said.
Mr Henderson found that a large number of files contained metadata that gave out key information about the creators of the file and which machine and software they used. It was found that 99 per cent of one document type contained this data.
He added that, in some cases, he was able to find user names with internal IDs and in one particularly worrying case was able to find a detailed guide to a remote login procedure.
“We did what a malicious actor would do,” he said, “which is intelligence gathering on a large scale.”
The information discovered in these files would, according to Mr Henderson, enable attackers to use social media to relate the names to real people. This would then mean that attackers can send emails to specific individuals.
“The more information you have the more you can customise the package sent to targets,” he said.
“Organisations are always surprised when they get hit by targeted attacks they always ask how they found out all that information.”
“All of them will probably have a policy that says this should not happen,” he added. “But although there’s a policy, there’s not necessarily the due diligence and process to do it.”
Rick Holland, vice-president of strategy at security firm Digital Shadows, said that the methods used in the research were remarkably similar to the way in which an attacker would compile data.
“Anyone doing a targeted attack is going to look at all the documents in a firm’s public footprint,” he said.