This week is the first week of National Cyber Security Awareness Month (NCSAM), which runs from October 1 to October 31. Throughout the month, Digital Shadows will be releasing a series of blogs that will cover important topics that aim to increase your cyber awareness. This first week we will start with simple, but often forgotten topics that will help you “be cyber smart”. Being cyber smart is more than simply patching vulnerabilities, using strong passwords, and your usual cyber security best practices. It is also about the little things. In this blog, we will discuss the importance of protecting your digital shadow and how you can improve your cyber hygiene by managing your digital exposure.
What is a digital shadow?
Your digital footprint refers to every piece of information about you that is stored on the web and internet of things (IoT) devices. While much of this has a positive impact, a subset of this information leaves you exposed–we call this your digital shadow.
This can include your name, email address, physical address, phone number, family members, social media profiles, messages, and more. The longer you use IoT devices and navigate through the web, the larger your digital shadow becomes. Unlike your physical shadow, your digital shadow only grows, and once it has grown, it is difficult to make it shrink. As they say, once something is on the internet, it is there forever.
Your digital shadow grows from information that you post in public websites, such as Twitter and Facebook, accounts that you create, sites that you visit, messages that you exchange on the internet, and third-party services that you sign up for. It is easy for individuals to lose track of just how much of their personal information they have exposed to the internet.
Your digital shadow includes a lot of information about you, but how could it be used against you or your organization? While data you expose about yourself on social media platforms, blogs, and other public sites may appear to be trivial, it is this exact information that threat actors often look for when preparing to conduct cyber attacks. Every attack begins with passive reconnaissance. The more information a threat actor can gather on a company and its employees, the more likely it is that their attacks will be successful.
Attackers make use of your digital shadow
Most individuals would be surprised by just how much data can be obtained on them via some simple Google searches and open source tools. A single email address or phone number may be enough information for someone to find out where you live, who your family members are, where you work, and what your hobbies are. These traces of information left behind on the internet can allow a stranger to gain a good understanding of you without ever meeting you.
Now imagine you are a threat actor. Targeting an organization and infiltrating their security defenses is a tough task. Instead of exploiting vulnerabilities and breaking down technical protections to gain initial access, you can simply target the weakest link – the people. Social engineering is the “art” of manipulating people, and many threat actors rely on social engineering techniques as an initial access vector to organizations. The more a threat actor knows about an employee, the more targeted that social engineering attacks can become, and the more likely it is that they will be successful.
Alternatively, a threat actor can use information they learn about you to target your organization. Here is an example of what that might look like:
- A threat actor uses open-source tools to find the personal and work email addresses of an employee in a large organization.
- The threat actor finds that the personal email address has been exposed in data breaches.
- The actor attempts to use this exposed password on accounts and services using the employee’s work email address.
- The password exposed just turned out to be the same password that this person uses for all their corporate accounts.
- The actor gains unauthorized access to internal resources, if multifactor authentication is not enabled.
A threat actor may also use information they learned about you to answer account recovery questions and take over your accounts, or to impersonate you in further social engineering attacks.
Controlling your shadow
How big is my shadow?
The first step in managing your digital shadow is to assess just how far it stretches. A lot of your personal information can be discovered via the use of open-source intelligence (OSINT) tools, which are tools designed to extract information from public sources. OSINT tools allow analysts to take one piece of information, such as an email address, and link that one piece of information to other attributes related to you. For example, an email address may be connected to multiple social media accounts, domains, and services you signed up for. Besides email addresses, people often use the same or similar usernames across different services. Conducting an assessment of your digital shadow will allow you to see what a threat actor would view if they were targeting you.
Identify your risks
The second step would be identifying the risks associated with the level of exposure identified. You may ask yourself – What could a malicious threat actor do with this information? Being aware of the risks will allow you to identify potential avenues of attack and to also be prepared for threats in case they become a reality. These risks should be prioritized, and a realistic action plan should be formed. Not all information needs to be private, and you may need to accept some degree of risk.
The third step is to take action. Make social media accounts private where appropriate, delete posts that expose personal information about you, request for your data to be taken down from
eople searching websites such as RocketReach, Intelius, Pipl, and similar places, change the passwords of email addresses exposed in data breaches (check HaveIBeenPwned.com), and remove any other identifying information where it is possible. In some cases, it is not possible for you to take down information from the web, and data may still be accessible in internet archives. However, taking steps to minimize your exposure will help to significantly reduce the risks of successful attacks.
Be a hard target
The fourth and last step is to make yourself a difficult target. The best way to limit your digital shadow is to make it hard for anyone to find it in the first place. Blend in with the crowd. For example, if you have a name that is shared by multiple individuals, do not share your location, education, picture, or last name on your personal profiles. It is likely that a threat actor will not collect your data if they cannot verify it belongs to you. Use phone services such as Google Voice to sign up for accounts instead of your real phone number, use different names for profiles that don’t need to be associated with you, and avoid reusing the same usernames and passwords between different accounts. Make threat actors second guess themselves, and be cautious about where you share your personal information. If all roads lead to a dead end, then a threat actor will likely give up on you and attempt to find an easier target.
It is a team effort
Sometimes your exposure is not due to your lack of due diligence in protecting yourself, but rather, it is caused by the open nature of others. For example, you may have your Facebook locked down, post set to stay private, no public friends, or personal information, but if your partner or friend has public pictures of you, public friends, and shares your phone number or email address to their friends on public social media sites, then you are equally exposed. The same ideology applies to companies. It is not enough for one person to follow the rules and protect their exposure, security requires a collective effort.
Given the uncontrollable growth of your digital shadow, managing it can be a cumbersome task. However, by working together as a team with your friends, family, and coworkers, and encouraging each other to take small steps to manage their digital exposure, a lot of progress can be made. Your shadow may never disappear, but taking these small steps may be enough to save your organization from a significant cyber attack.
For additional tips in managing your digital shadow and digital risk, see how Digital Shadows SearchLight can work for you! You can take SearchLight for a 7-day test drive to understand your exposure, or contact us to set up a demo so that we can understand how to make intelligence work for you.