If your personal data is found on the Dark Web, can it be removed?

December 13th, 2017

Once data is posted for sale on the Dark Web, it is quickly copied and distributed (re-sold or traded) to a large number of cyber criminals within a short period of time. It is generally implausible to remove data that has been disseminated within the Dark Web.

Are there any special credentials needed to investigate the Dark Web?

December 13th, 2017

You do not need special permission to access the deep or Dark Web. However, accessing the deep or Dark Web requires the use of the Tor browser and should only be done over a VPN/encrypted tunnel. In general, we advise against attempting to access the Dark Web.

Is it safe to say Cloud storage is a serious concern for data breach? With most of our software tools moving to Cloud hosting, does this create more risk for my company’s IP?

December 13th, 2017

There can be as much risk to your data within a Cloud environment as there is when it resides locally within your own servers. When researching Cloud providers and data centers, make sure you understand their compliance and certification with the security standards and protocols that impact your industry.

Are there any “best practices” for individual users or corporate IT on how often to change passwords, or on actually changing your personal or professional email?

December 13th, 2017

Please refer to the National Institute of Standards and Technology’s (NIST) Special Publication 800-63B, Digital Identity Guidelines. SP 800-63B can be found here: https://pages.nist.gov/800-63-3/sp800-63b.html

The password identified does not meet our network criteria. Why should we care about this?

December 13th, 2017

Employees often recycle passwords throughout their work and personal networks. If your internal requirement is to have a capital letter and special character, it’s common practice for employees to use a password they are familiar with, and add a capital letter and exclamation mark.
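The recycling pattern described above can be checked when a password is set. The following is an added example, not part of the original FAQ: the function names, the substitution list and the sample passwords are all constructed assumptions.

```python
import re

# Assumed list of common look-alike substitutions users apply to a familiar word.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def base_form(password: str) -> str:
    """Reduce a password to the familiar core a user tends to recycle."""
    p = password.lower()                      # undo the added capital letter
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)   # drop digits/symbols padded at the ends
    return p.translate(LEET)                  # undo substitutions inside the word


def is_recycled(candidate: str, exposed_passwords, min_core: int = 4) -> bool:
    """True if `candidate` is a trivial variant of any exposed password."""
    cand = base_form(candidate)
    for exposed in exposed_passwords:
        core = base_form(exposed)
        if len(core) < min_core or len(cand) < min_core:
            # Core too short to compare meaningfully (e.g. all digits):
            # fall back to a case-insensitive exact match.
            if candidate.lower() == exposed.lower():
                return True
            continue
        if core in cand or cand in core:
            return True
    return False


# Constructed sample: passwords reported as exposed for one employee.
EXPOSED = ["summer2016", "hunter2", "12345678"]

if __name__ == "__main__":
    for new_pw in ["Summer2017!", "Hunter2!", "12345678",
                   "correct horse battery staple"]:
        verdict = "reject (variant of exposed password)" if is_recycled(new_pw, EXPOSED) else "ok"
        print(f"{new_pw!r}: {verdict}")
```

An exposed password that fails the current complexity policy still causes `Summer2017!` to be rejected here, because both reduce to the same core.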

I see fake emails (false positives). Why is this important?

December 13th, 2017

Fake email accounts are routinely created by employees as a “throw away” when wanting to gain access to a system or piece of data. However, fake email accounts are frequently created to facilitate well-crafted social engineering and/or phishing attacks.

Some of this data is old and includes employees that are no longer working for us. Doesn’t this mean we are not at risk?

December 13th, 2017

While employees may have moved on from your organization, their company-issued credentials can still be active and valid within the third-party systems they used while employed. In many cases, the third-party systems or databases that have been compromised have been in existence for 10+ years, holding millions of “zombie” accounts that can be used to exploit an organization.

What does it mean when a password has a long series of random numbers and letters?

December 13th, 2017

This means the password was published as a “hash” (still scrambled, not in plain text). Hundreds of cracking dictionaries are readily available on the Web, and it’s not uncommon for these passwords to be “cracked” and made available in plain text on multiple third-party websites.