Protect Insider Data By Googling First, Often

In June, a security researcher searching for passwords files on the Internet stuck gold: A database file of 300,000 users of Groupon subsidiary Sosasta had inadvertently been placed on a publicly accessible online server. The company quickly took it down after being notified, but the damage was done.

Google hacking, where an attacker searches for common vulnerabilities or sensitive data, can be an extremely efficient way to find accidentally leaked insider data. Millions of records are available to anyone with the ability to create specific searches on Google and Bing and the time to cull the results for interesting data, according to Francis Brown, a managing partner at security consultancy Stach & Liu.

The incident involving Sosasta's data is not uncommon. In August, both Yale University and Purdue University notified students, faculty, and staff that a total of about 50,000 records, including Social Security numbers, had been exposed to the Internet because specific files had been publicly accessible.

"There are a number of instances where people, by accident, have found huge data exposures," Brown says.

Inadvertent misconfigurations by insiders are a common way for data to be placed online, awaiting an opportunistic attacker to find them. In its 2011 Data Breach Investigations Report, Verizon found that 83 percent of breaches were the result of opportunistic attackers, not specific targeted attacks.

Because Web searches are inexpensive, companies should be regularly searching for sensitive corporate information that insiders might have inadvertently leaked online.

"Google and Bing were nice enough to go out and index all this interesting information, so it is to your advantage to go and search out your own stuff," Brown says.

[Bringing together groups of employees in a company with internal intelligence can help detect rogue insiders earlier. See Workers, Technology Need To Team To Fight Insiders.]

Companies should also search for employee information that might have been leaked by other sites, he says. One of Brown's searches, for example, turned up a porn site that has accidentally placed its user files on the Internet, exposing names, addresses, payment details, and passwords. An employee that reuses his passwords on such insecure services could become a weak point for his employer, he says.

"I would do forensics on the account and crack passwords internally to see if they have reused it -- they probably have," Brown says. "The whole point is to make sure that an attacker can't use it to get access to resources."

Yet, while such searches are free and can be automated, culling through the results can take time, points out Dave Marcus, director of advanced research and threat intelligence for security firm McAfee, a subsidiary of Intel. Companies should make sure that their security teams are not overwhelmed by possible breach data.

"It is going to come down to how many resources a company has to devote to this; do it as often as you can," he says.

Free tools, such as OpenDLP, exist to automate the process. OpenDLP searches for data both inside and outside of a company's firewall. Stach & Liu have its own free tool, DLPDiggity, that searches for more than 100 different types of sensitive data. In many cases, the data has escaped the notice of a company's own data-loss prevention (DLP) system.

"As it stands right now, there is plenty of stuff out there on Google and Bing," says Brown. "This is a zero-dollar way to find data exposures for your company."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.