Honeytoken - Like a tripwire: looks valuable to an attacker but isn't, and any use of it is an alert that someone is poking around
Fake admin login info left in plain text (nobody legitimate should ever use it, so any login attempt with it is a signal)
White on white text
Crawler traps (be mindful of SEO)
Be careful of accessibility!
How to hide emails, employee lists and other info
Email
Image of email or @ symbol
Replace the mailto: link with a script, or assemble the address with code so it never appears as plain text in the HTML
Bonus: if you also plant an address that only scripts/bots can read (hidden from human visitors), it becomes a honeytrap: any mail that arrives there came from a scraper
Write out email - Username AT myURL DOT com
CAPTCHA before email is given
Contact form to request an email rather than posting the email publicly
Keep in mind that anything abnormal you do can be difficult for screen readers and other assistive software, so always keep a readable fallback
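Both pieces of the advice above (an address assembled client-side for humans, plus a bot-only address that doubles as a honeytoken) in one added Python helper. This is example code written for these notes, not something from the class; the trap domain, the HMAC secret and the page paths are assumptions for the illustration.

```python
import base64
import hashlib
import hmac
import html

# Assumptions for this example: use your own trap domain, and keep the secret
# out of the web root and the repository.
TRAP_DOMAIN = "contact-trap.example.com"
SECRET = b"rotate-me-and-keep-me-out-of-the-repo"


def honeytoken_address(page_path: str, secret: bytes = SECRET) -> str:
    """Deterministic trap mailbox for one page.

    The local part is an HMAC of the page path, so when mail arrives at it you
    learn which page was scraped without storing a table of random tokens.
    """
    tag = hmac.new(secret, page_path.encode(), hashlib.sha256).hexdigest()[:12]
    return f"team-{tag}@{TRAP_DOMAIN}"


def page_for_honeytoken(address: str, known_pages, secret: bytes = SECRET):
    """Map a trap address that received mail back to the page it was planted on."""
    for page in known_pages:
        if hmac.compare_digest(honeytoken_address(page, secret), address):
            return page
    return None


def obfuscated_contact_html(real_address: str, page_path: str) -> str:
    """Contact block that keeps the real address out of the raw HTML.

    Visible text is the 'user AT domain DOT tld' spelling, so no-JS visitors
    and screen readers still get a usable address. The real address sits
    base64-encoded in a data attribute and a tiny script turns it back into a
    mailto: link. That stops regex scrapers, not bots that execute JavaScript.
    The trap address is in a display:none, aria-hidden element: humans and
    screen readers never see it; only something reading the raw page does.
    """
    user, domain = real_address.split("@", 1)
    spoken = f"{user} AT {domain.replace('.', ' DOT ')}"
    encoded = base64.b64encode(real_address.encode()).decode()
    trap = honeytoken_address(page_path)
    return "\n".join([
        f'<span id="contact" data-e="{encoded}">{html.escape(spoken)}</span>',
        "<script>",
        '  var el = document.getElementById("contact");',
        '  var addr = atob(el.getAttribute("data-e"));',
        '  var a = document.createElement("a");',
        '  a.href = "mailto:" + addr; a.textContent = addr;',
        '  el.textContent = ""; el.appendChild(a);',
        "</script>",
        f'<div style="display:none" aria-hidden="true"><a href="mailto:{trap}">{trap}</a></div>',
    ])


if __name__ == "__main__":
    print(obfuscated_contact_html("jane.doe@example.com", "/about"))
    print(page_for_honeytoken(honeytoken_address("/about"), ["/", "/about"]))
```

On the mail side, route everything for TRAP_DOMAIN to a mailbox that should stay empty; the first message that lands there is your alert, and page_for_honeytoken tells you which page the scraper read.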
Company wide Name Policies
Server names such as email03 make it easy to guess that email01 and email02 exist, even if those are "hidden"
Are the policies posted online?
Do they follow an obvious naming scheme? If yes, do you publish your employee list?
Email addresses - Example: for Jane Doe, jane@company.com, jdoe@company.com and jane.doe@company.com are all very common policies and easy to guess (and to generate with a short command) once an attacker has an employee list
Consider using generic role addresses for public contact points, e.g. CEO@acmecorp.com
Job descriptions, do you list the products you use?
Do you list your AV and networking products in your job postings? If so, it's easy to infer your setup from the ad
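How quickly an employee list turns into a mailing list, as an added Python example (not from the class notes): the names, the domain company.com and the pattern list are constructed for the illustration. It goes one step beyond the notes with infer_pattern, which learns the real convention from a single confirmed address (for instance one found in a mailto: link) so the rest of the list needs only one guess each.

```python
import re
import unicodedata

# Constructed sample employee list, as an attacker might scrape it from an
# "Our team" page. Names and domain are made up.
EMPLOYEES = ["Jane Doe", "John Q. Public", "María José Álvarez"]
DOMAIN = "company.com"

# The conventions from the notes plus a few more seen in practice.
PATTERNS = [
    "{first}",          # jane
    "{f}{last}",        # jdoe
    "{first}.{last}",   # jane.doe
    "{f}.{last}",       # j.doe
    "{first}{last}",    # janedoe
    "{first}_{last}",   # jane_doe
    "{last}{f}",        # doej
    "{last}.{first}",   # doe.jane
]


def normalize(part: str) -> str:
    """Lowercase, strip accents, keep only a-z (what most mail systems do)."""
    ascii_only = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_only.lower())


def split_name(full_name: str):
    """First and last token; middle names and initials are dropped."""
    tokens = [t for t in full_name.split() if t]
    return normalize(tokens[0]), normalize(tokens[-1])


def candidate_addresses(full_name: str, domain: str = DOMAIN, patterns=PATTERNS):
    """Every address the common conventions would produce for one person."""
    first, last = split_name(full_name)
    local_parts = []
    for p in patterns:
        local = p.format(first=first, last=last, f=first[:1], l=last[:1])
        if local and local not in local_parts:
            local_parts.append(local)
    return [f"{local}@{domain}" for local in local_parts]


def all_candidates(names=EMPLOYEES, domain=DOMAIN):
    return {name: candidate_addresses(name, domain) for name in names}


def infer_pattern(full_name: str, known_address: str, patterns=PATTERNS):
    """Given one confirmed address, return the convention the company uses."""
    first, last = split_name(full_name)
    local = known_address.split("@", 1)[0].lower()
    for p in patterns:
        if p.format(first=first, last=last, f=first[:1], l=last[:1]) == local:
            return p
    return None


if __name__ == "__main__":
    for name, addrs in all_candidates().items():
        print(name, "->", ", ".join(addrs))
    print("convention:", infer_pattern("Jane Doe", "jdoe@company.com"))
```

This is also the defender's check: run it against your own employee list and see how many of the generated addresses actually deliver.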
DNS
Split DNS for public and private access
Public should only show public facing servers
Private should show ONLY what's in network
Disable zone transfers - A zone transfer (AXFR) replicates the entire DNS database from one DNS server to another. Letting anyone request one hands an attacker your complete host list, so it's a BIG NO NO; allow transfers only from your own secondary servers, if at all
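The two DNS checks above, as an added Python example that is not part of the notes: first, does `dig axfr company.com @ns1.company.com` come back with records or with a refusal; second, if it does (or once you have your own public zone export), does the public zone contain anything that belongs only in the private view. The sample dig output, the host names and the addresses are constructed for the illustration; the "internal-looking" name list is an assumption you would tune to your own naming.

```python
import ipaddress
import re

# Constructed sample of what `dig axfr company.com @ns1.company.com` prints when
# the server allows the transfer; names and addresses are made up. A server that
# refuses AXFR prints "; Transfer failed." and no records.
SAMPLE_AXFR = """\
; <<>> DiG 9.18 <<>> axfr company.com @ns1.company.com
company.com.          3600  IN  SOA  ns1.company.com. hostmaster.company.com. 2024010101 7200 900 1209600 3600
company.com.          3600  IN  NS   ns1.company.com.
www.company.com.      300   IN  A    203.0.113.10
email01.company.com.  300   IN  A    203.0.113.25
email02.company.com.  300   IN  A    10.0.5.25
email03.company.com.  300   IN  A    10.0.5.26
dc01.company.com.     300   IN  A    10.0.1.5
vpn.company.com.      300   IN  A    198.51.100.7
"""

# RFC 1918 only. ipaddress's is_private would also flag the documentation
# ranges 203.0.113.0/24 and 198.51.100.0/24 used above, so it is not used.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed list of hostname stems that only make sense inside the network.
INTERNAL_STEMS = {"dc", "ad", "sql", "db", "backup", "intranet", "printer", "nas", "fileserver"}
RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\w+)\s+(.+)$")
NUMBERED = re.compile(r"^([a-z]+?)(\d{2,})$")

PRIVATE_ADDR = "private address in public zone"
INTERNAL_NAME = "internal-looking hostname"
NUMBERED_SERIES = "numbered naming scheme; neighbours are guessable"


def transfer_allowed(axfr_text: str) -> bool:
    """True if dig got records back instead of a refusal."""
    if "Transfer failed." in axfr_text:
        return False
    return any(RECORD.match(l.strip()) for l in axfr_text.splitlines())


def audit_public_zone(axfr_text: str):
    """Findings (record name, issue, detail) for things that do not belong in
    a public-facing zone. Split DNS done right leaves this list empty."""
    findings = []
    series = {}
    for line in axfr_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # dig comments and blank lines
        name, rtype, rdata = m.groups()
        host = name.rstrip(".").split(".")[0].lower()
        if rtype == "A":
            addr = ipaddress.ip_address(rdata.strip())
            if any(addr in net for net in RFC1918):
                findings.append((name, PRIVATE_ADDR, str(addr)))
        stem = re.match(r"[a-z]+", host)
        if stem and stem.group(0) in INTERNAL_STEMS:
            findings.append((name, INTERNAL_NAME, host))
        nm = NUMBERED.match(host)
        if nm:
            series.setdefault(nm.group(1), []).append(int(nm.group(2)))
    for stem, nums in series.items():
        findings.append((f"{stem}NN", NUMBERED_SERIES, f"seen {sorted(nums)}"))
    return findings


if __name__ == "__main__":
    print("transfer allowed:", transfer_allowed(SAMPLE_AXFR))
    for finding in audit_public_zone(SAMPLE_AXFR):
        print(*finding, sep=" | ")
```

Run the real check against every authoritative server listed in your NS records, not just the first one; a secondary that was set up in a hurry is the usual leak.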
How to secure the wetware (people)
Social engineering
Do you have training to prevent social engineering?
Are your employees aware this is a concern?
Role Play to show what it looks like and how to prevent it
Security procedures and policies
Are you employees aware of the policies?
Are they following the policies?
If they aren't, why not? Is it a you problem? Or a them problem?
As a company you shouldn't use PII as authentication
Mother's maiden name isn't good proof you are you
Knowledge-based answers are not good proof of ID; think of all the social media quizzes ("10 things you should know about me!") and how many of those answers are posted publicly.
Mission critical systems should have extra layers of protection
Think about air-gapped systems for the most sensitive data
Do you educate your employees on what is public about them regularly?
Do they Google themselves? Do you have Google Alerts set up? What does your employee education program look like?
In depth: Phishing/Vishing/smishing Training
Phishing training
Show sample phishing emails
Phishing email campaign with an invite for more training
Spoofed email addresses
Dangerous links, shortened links and attachments
Vishing
Vishing training for all employees with publicly searchable numbers or those that interact with the public regularly (help desk, sales)
Threats or coercive language is common
The IRS will SUE YOU if you don't respond right now with this information
Time Pressures are common
Please I really need this by 4pm today or I will be fired (call is placed at 3:50)
Calls before long weekends, or when people are about to get off work and just want to go home
Reduce your Digital footprint tips
What are your employees saying about the company online? Even on private social media? What are they sharing about themselves? Do you have a policy on info sharing and IP?
Are you deleting old info? Old social media? Old job postings? What has been archived(If anything)?
Following breadcrumbs - Are you linked to old accounts? How much public data is available about your employees? Are they aware of what's available?
System Hardening
Ports - What's open? Is that still needed?
Services - What's running? Is that still needed? Can you get rid of it? Every extra service on the system is one more potential vulnerability for an attacker to find
Patch Management - What is your update cycle? Patch cycle? How often do you audit your systems?
Security checkups - Run an auditing tool such as Lynis for Linux
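A scriptable answer to "what's open, and is it still needed?", as an added Python example that is not from the notes. It reads the output of `ss -tlnp` (listening TCP sockets with their process) and compares it against the list of services the host is supposed to expose; the sample output, the processes and the expected-services list are constructed for the illustration.

```python
import re
import subprocess

# Constructed sample of `ss -tlnp` output on a Linux host; processes and PIDs
# are made up.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1043,fd=6))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=990,fd=21))
LISTEN  0       128     0.0.0.0:5900         0.0.0.0:*          users:(("x11vnc",pid=2210,fd=4))
LISTEN  0       4096    *:9100               *:*                users:(("node_exporter",pid=1500,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# What this host is supposed to expose (an assumption for the example; on a
# real system this comes from the host's documented role).
EXPECTED_PUBLIC = {22: "sshd", 80: "nginx"}
LOCAL_ONLY = {"127.0.0.1", "::1", "[::1]"}
LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(ss_output: str):
    """(bind address, port, process name) for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def unexpected_listeners(ss_output: str, expected=EXPECTED_PUBLIC):
    """Network-reachable listeners that are not on the expected list, or that
    are served by a different process than expected."""
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        if addr in LOCAL_ONLY:
            continue  # loopback only: not reachable from the network
        if port not in expected:
            findings.append((port, proc, "not in the expected-services list"))
        elif expected[port] != proc:
            findings.append((port, proc, f"port {port} expected {expected[port]}"))
    return findings


def audit_this_host(expected=EXPECTED_PUBLIC):
    """Run the check on the machine this script is executed on (Linux, needs ss)."""
    out = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout
    return unexpected_listeners(out, expected)


if __name__ == "__main__":
    for port, proc, why in unexpected_listeners(SAMPLE_SS):
        print(f"port {port} ({proc}): {why}")
```

Here the VNC server and the metrics exporter are the questions to ask: are they still needed, and if so should they be bound to loopback or a management interface instead of every address?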
Firewalls
Firewalls are used to filter and direct traffic
The basic actions are accept, drop (discard silently; the sender gets no response and sees a timeout), reject (discard and send an error back, such as an ICMP unreachable or a TCP RST) and redirect (send the traffic to another port or host, as in NAT); rules are matched in order and anything unmatched gets the default policy
Packet inspection (headers only: addresses, ports, protocol, connection state) vs deep packet inspection (looks into the payload as well)
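The rule actions and first-match ordering described above, worked through in an added Python model of a stateless packet filter. This is illustration code for these notes, not any real firewall's syntax or implementation; the rulesets and addresses are constructed. The dead_rules check goes a little beyond the notes: it finds rules that can never fire because an earlier, broader rule already catches everything they would match, which is the most common way a "we only allow SSH from the office" policy quietly becomes "we allow SSH from anywhere".

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str          # source address
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # destination port (0 for icmp)


@dataclass
class Rule:
    action: str                    # accept | drop | reject | redirect
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dport: Optional[int] = None    # None = any port
    redirect_to: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> Tuple[str, str]:
    """First matching rule wins; unmatched traffic gets the default policy."""
    for r in rules:
        if rule_matches(r, pkt):
            if r.action == "redirect":
                return "redirect", f"sent on to port {r.redirect_to}"
            if r.action == "reject":
                return "reject", "discarded, error (ICMP unreachable / TCP RST) sent back"
            if r.action == "drop":
                return "drop", "discarded silently, sender sees a timeout"
            return "accept", "delivered"
    return default, "no rule matched, default policy applied"


def shadows(earlier: Rule, later: Rule) -> bool:
    """True if every packet `later` could match is already caught by `earlier`."""
    proto_ok = earlier.proto == "any" or earlier.proto == later.proto
    net_ok = ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
    port_ok = earlier.dport is None or earlier.dport == later.dport
    return proto_ok and net_ok and port_ok


def dead_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule shadows them."""
    return [j for j in range(len(rules)) if any(shadows(rules[i], rules[j]) for i in range(j))]


# Constructed rulesets (the 10.0.0.0/8 "office" network is an assumption).
# Intent: SSH only from the office, web open to everyone, old port 8080
# redirected to 80, everything else silently dropped.
RULES = [
    Rule("accept", "tcp", "10.0.0.0/8", 22),
    Rule("reject", "tcp", "0.0.0.0/0", 22),
    Rule("accept", "tcp", "0.0.0.0/0", 80),
    Rule("redirect", "tcp", "0.0.0.0/0", 8080, redirect_to=80),
]
# Same intent, wrong order: the broad reject comes first, so the office rule
# is dead and the office is locked out.
MISORDERED = [
    Rule("reject", "tcp", "0.0.0.0/0", 22),
    Rule("accept", "tcp", "10.0.0.0/8", 22),
]

if __name__ == "__main__":
    for pkt in (Packet("10.1.2.3", "tcp", 22), Packet("203.0.113.5", "tcp", 22),
                Packet("203.0.113.5", "tcp", 8080), Packet("203.0.113.5", "udp", 53)):
        print(pkt, "->", evaluate(RULES, pkt))
    print("dead rules in MISORDERED:", dead_rules(MISORDERED))
```

Real firewalls add connection state (accept established/related before evaluating anything else), but order and default policy work the same way there.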
Policies and Procedures
Security Audits - Frequent security audits to make sure everything is still up to date and valid. For example, if you haven't had a WinXP machine in 10 years, do you still have rules, accounts or jobs for it running? Are they controlling anything?
Devices - Are you keeping a running log of changes to the infrastructure and devices
Devices - BYOD? Are there rules such as lockers for all devices before getting on the campus?
Passwords - What's your password policy? What about shared passwords? Who holds master passwords? How do you backup the passwords? Who updates the backups?
Are your plan, your backup and the backup of your backup all the same single person? What if one or two of them aren't in? Then what?
Suggested Activities and Discussion Topics:
As pairs, discuss 1 thing that wasn't already mentioned on how to hide info, hide email addresses, or a trap you think is valuable for a company to have set up. Be ready to share
Now that you know about digital footprints, what's yours? What can you find about yourself online? What alerts do you have set up? Remember to do more than just Google your name; think of all the things you learned in OSINT and apply them here