Integrity Blog

Open Source Information

As part of audits, risk assessments, and social engineering engagements, information security consultants routinely review information about the companies they will be working with. Knowing a business, its history, its leadership, and other facts helps the consultants get a feel for the risks the organization faces. A good place to start building that understanding is the company's website. This is open-source information, readily available to anyone.

To the organization, the information posted on the website is meant to inform customers, potential customers, or persons simply looking for general knowledge about the company. Those persons may be the consultants referred to above, but they could also be threat actors performing reconnaissance: gathering as much information as possible in order to later attack the business and gain unauthorized access to its systems and data.

So, how much information can a threat actor gain from the website? Quite a bit, actually. It is not uncommon to find the leadership structure laid out through posted photographs, job titles, biographies, and contact information. All of this can be used in social engineering attempts, such as phishing emails and pretexting calls. A threat actor intending to commit business email compromise, tricking an employee into performing an unauthorized wire transfer, would first seek information about the CEO, CFO, COO, and anyone else who may be involved in the wire transfer process, because the fraudulent request has to appear to come from one of those people.

A threat actor planning a physical penetration of a facility may learn about physical security controls, such as cameras and security doors, from photos of the building exterior or of the interior lobby and offices. If the website links to the company's social media accounts, those accounts are another rich source of information. Company opening and closing hours can usually be found as well, giving the threat actor likely times to attempt entry, for instance by tailgating behind authorized employees.
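As an added example of what a reconnaissance pass against a website actually collects (this is not code from the original post), the Python below runs stdlib-only extraction over a constructed "About Us" page. Every company, name, address and phone number in the sample is fictitious, and the parser assumes a simple directory layout: a heading per person followed by a paragraph holding the title. It goes one step past the text above: once a single published address reveals the company's email format, it predicts the addresses of everyone else listed, which is how a BEC operator turns a leadership page into a target list. The same output doubles as the defender's pre-publication review of the page.

```python
"""Inventory what a company web page exposes to a reconnaissance pass (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the company, people, addresses and numbers are all made up.
SAMPLE_HTML = """
<html><body>
<h1>Leadership</h1>
<div class="bio"><h3>Jane Doe</h3><p>Chief Executive Officer</p>
  <p>Email: <a href="mailto:jane.doe@example-corp.test">jane.doe@example-corp.test</a></p></div>
<div class="bio"><h3>Bob Roe</h3><p>Chief Financial Officer</p><p>Direct line: (555) 010-2000</p></div>
<div class="bio"><h3>Alice Poe</h3><p>Controller</p></div>
<div class="bio"><h3>Sam Loe</h3><p>Marketing Director</p></div>
<p>Hours: Monday-Friday 8:00 AM - 5:00 PM</p>
<a href="https://www.linkedin.com/company/example-corp">LinkedIn</a>
<a href="https://twitter.com/examplecorp">Twitter</a>
<img src="/images/lobby.jpg" alt="Front lobby with reception desk and badge reader">
</body></html>
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}")
HOURS_RE = re.compile(r"hours?:\s*(.+)", re.IGNORECASE)
SOCIAL_HOSTS = {"linkedin.com", "twitter.com", "x.com", "facebook.com", "instagram.com", "youtube.com"}
# Titles that typically sit in a wire-transfer approval chain (the BEC target set).
WIRE_ROLES = re.compile(
    r"\b(chief (executive|financial|operating) officer|ceo|cfo|coo|controller|treasurer|accounts? payable)\b",
    re.IGNORECASE)
# Words in image alt text that hint at physical security controls.
PHYSICAL_WORDS = re.compile(r"\b(camera|badge|reader|lobby|turnstile|security door|reception|keypad)\b", re.IGNORECASE)
# Assumed local-part templates; the first one that reproduces an observed address wins.
TEMPLATES = {
    "{first}.{last}": lambda f, l: f"{f}.{l}",
    "{first}{last}": lambda f, l: f"{f}{l}",
    "{f}{last}": lambda f, l: f"{f[0]}{l}",
    "{first}_{last}": lambda f, l: f"{f}_{l}",
    "{first}": lambda f, l: f,
}


class PageCollector(HTMLParser):
    """Collect heading/paragraph text in document order, plus link targets and image alt text."""

    def __init__(self):
        super().__init__()
        self.blocks, self.hrefs, self.alts = [], [], []
        self._open = []  # stack of [tag, accumulated text] for h1-h4 and p

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])
        if tag == "img" and attrs.get("alt"):
            self.alts.append(attrs["alt"])
        if tag in ("h1", "h2", "h3", "h4", "p"):
            self._open.append([tag, ""])

    def handle_data(self, data):
        if self._open:  # text inside <a> within a <p> still belongs to the paragraph
            self._open[-1][1] += data

    def handle_endtag(self, tag):
        if self._open and self._open[-1][0] == tag:
            t, text = self._open.pop()
            self.blocks.append((t, " ".join(text.split())))


def people_from_blocks(blocks):
    """Pair each h3 heading with the paragraph that follows it as (name, title)."""
    return [{"name": text, "title": blocks[i + 1][1]}
            for i, (tag, text) in enumerate(blocks)
            if tag == "h3" and i + 1 < len(blocks) and blocks[i + 1][0] == "p"]


def infer_pattern(people, emails):
    """Return (template name, builder, domain) if a published address matches a listed person."""
    for p in people:
        parts = p["name"].lower().split()
        if len(parts) < 2:
            continue
        for email in emails:
            local, _, domain = email.lower().partition("@")
            for name, build in TEMPLATES.items():
                if build(parts[0], parts[-1]) == local:
                    return name, build, domain
    return None


def inventory(html):
    """Summarize everything on the page a social engineer would harvest."""
    c = PageCollector()
    c.feed(html)
    text = " ".join(t for _, t in c.blocks)
    emails = sorted(set(EMAIL_RE.findall(text)) | {h[len("mailto:"):] for h in c.hrefs if h.startswith("mailto:")})
    people = people_from_blocks(c.blocks)
    for p in people:
        p["wire_transfer_role"] = bool(WIRE_ROLES.search(p["title"]))
    inferred = infer_pattern(people, emails)
    if inferred:  # one leaked address is enough to guess the rest of the directory
        _, build, domain = inferred
        for p in people:
            parts = p["name"].lower().split()
            p["likely_email"] = f"{build(parts[0], parts[-1])}@{domain}"
    social = []
    for h in c.hrefs:
        host = urlparse(h).netloc.lower()
        host = host[4:] if host.startswith("www.") else host
        if host in SOCIAL_HOSTS:
            social.append(h)
    return {
        "people": people,
        "emails": emails,
        "phones": sorted(set(PHONE_RE.findall(text))),
        "hours": [m.group(1) for _, t in c.blocks for m in [HOURS_RE.search(t)] if m],
        "social_links": sorted(social),
        "email_pattern": inferred[0] if inferred else None,
        "physical_security_hints": [a for a in c.alts if PHYSICAL_WORDS.search(a)],
    }


if __name__ == "__main__":
    report = inventory(SAMPLE_HTML)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as-is to see the report for the constructed page; point `inventory()` at the saved HTML of a real "About Us" page to review what that page gives away before (or after) it goes live. The flagged roles, predicted addresses, hours and lobby photo are precisely the items the risk discussion in this post should weigh.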

Should you take all this information off your website? Not necessarily. Websites are meant to provide information. They are a public-facing expression of the company.

However, as with social media and business in general, manage the company's information. Discuss in risk meetings the value gained by posting certain types of information against the risk it creates. Understand that website content can be used against the company, and put controls in place that offset those risks. Decide whether biographies of the company's officers are really necessary, or whether a name and title would suffice. Review photos before posting to determine whether they give away details of physical security controls. Finally, include the website as a review item in periodic risk discussions, evaluating whether each piece of information is still necessary for the business and its operations.

White Paper - Top Security Tips
Enhancing Information Security in an Unsecure World

This paper reviews four areas of concern: Passwords, Network Considerations, Data Security and Social Engineering.


Ninety-four percent of CxOs believe it is probable their company will experience a significant cybersecurity incident in the next two years.1

As companies struggle to balance their risk against their resources when combating cybercrime, it is important for C-Suite executives to have a basic understanding of the threats their business faces. Unfortunately, just knowing of these threats will not prevent them, but strong security practices can halt attacks before it is too late.

While cybersecurity may never be core to your business, developing and preparing the people, processes, and technology is essential to mitigate and reduce the risk of cyber-attacks. Until recently, the handling of most cybersecurity risks was the responsibility of the IT team and its technical controls. Companies that continue to rely solely on their IT team to manage their cybersecurity are destined to fail.

Many of the greatest cybersecurity threats are the result of people acting maliciously or unwittingly. This may include your own employees or business partners. The technical controls implemented by the IT team can only accomplish so much. It is for this reason that the C-Suite must now take the lead in driving cybersecurity within the organization.

Fifty-one percent of CxOs surveyed believe there is a one in four chance of a breach occurring that will have a material impact on their organization.1

The C-Suite can lead by following good security policies and procedures. Doing so sets the tone within the entire organization that cybersecurity is important and protecting the company’s data, intellectual property and customers is essential. Employees that see leaders locking their workstations, questioning suspicious e-mail, and keeping sensitive material off printers are likely to follow their example.

Successful executives who are charged with the long term growth and strategy of the company must take it even one step further. Once they have set an example themselves, they seek to raise awareness and train the entire organization so there is greater knowledge on how to reduce the likelihood of a cybersecurity incident.

This type of leadership from the C-Suite will improve the overall awareness of cybersecurity within the organization. If people are properly trained and policies are well written and followed, the IT team's technology controls will perform as designed.

An IT Director's Guide to Communicating Security Needs with the Executive Team
Giving Security the Attention It Deserves


This paper discusses effective ways to communicate security concerns and solutions to the executive team – providing talking points and suggestions.


IT Audit

Over the years, audits have gotten a pretty bad rap. They can take a long time and seem only to point out everything you're doing wrong, not to mention the million other things they pile on your to-do list. IT audits don't have to be that way, however, nor should they be. There are many positives that come from audits.

Here are some tips to help get the most out of your next IT audit.

Select a Qualified Auditor

You may not have the choice of whether or not to be audited, but you do get to choose who conducts the IT audit. Select a firm with experience and knowledge. Audits are a great way to learn about new threats, technologies, vulnerabilities, and the like, so be sure to select an auditor that is willing to help you learn. Find a firm that is quick to respond and open to discussion and questions.

Assign an Audit-Owner

Identify an individual from your organization to lead the audit effort. This individual should be the "go-to" person responsible for compiling documentation, communicating with the auditor, redirecting requests and being available while the auditor is onsite. Identifying an audit-owner to track documents and requests will help the audit move along efficiently. It is also important to remember that the auditor's progress depends on the audit-owner's responses, so make sure this individual has time dedicated to the engagement.

Be Prepared

Some auditors will request documentation prior to arriving onsite. Be prepared to provide them with as much as you can. Of course, some items must remain onsite due to availability or confidentiality, so have those ready when the auditor arrives. Also, remember that preparing for an IT audit is an ongoing process. If you are scrambling at the last minute to throw everything together, you can expect the audit to take much longer. Compile documentation and evidence throughout the year, and save it in a central location so it can easily be found.

Another part of being prepared is understanding the audit process and what to expect. Make sure the auditor has outlined a clear plan for your organization. This should include a schedule and timeline.

Ask Questions

Auditors know that most people are not IT experts. Many of you are probably a Vice President, Compliance Officer or even HR manager who has also been tasked with leading IT decisions. If you don't understand something, ask for clarification. The IT world is full of terminology that many find unfamiliar. Don't be afraid to clarify and validate information; doing so will help you avoid wasting time gathering the wrong documentation.

The tips above won’t make the audit successful unless you go into the audit with an open mind and a positive, ready-to-learn attitude. Auditors don’t want to be the bad guys. Look at the audit as a way to learn new things and improve your organization.

Top Tips for Developing Effective Security Awareness and Training Programs

To implement and maintain an effective information security awareness and training program, several “best practices” and building blocks should be used.

