Many old-style marketing people believe that capturing your contact information is the first step in making a sale. But any capture of your personal information also leaks critical security information about your organisation, technology and personnel that is useful for attack reconnaissance.
The badge scan at a conference, a whitepaper download that requires company details and your contact information, a business card in the jar for a prize draw: all of these methods capture personal and identifiable information about you, and by extension about your IT infrastructure and applications, that is ideal for planning an attack.
Phases of hacking
The first activity in planning an attack on IT infrastructure or applications is to perform reconnaissance. For a technology attack you need to know what networking hardware is in use, such as proxies, firewalls and switches, or to determine what applications are in use. For a social attack, you need the names of people and the organisation structure. You can scan from the Internet and get lucky, but a more determined attacker will look for unconventional vectors of attack.
When you sign up for a whitepaper, you are leaking information that forms part of that landscape. Every badge scan means personal and corporate information is being handed to dozens of companies who can profile you and your employer. For example, a badge scan at an Oracle or Cisco conference is a strong indicator of the technology and software in your organisation.
How Does It Work
Let's say you are interested in Brand-B firewalls and sign up for a whitepaper. As an attacker, I could assume that your existing firewalls are insecure and need replacing, and that you are likely to have Brand-B firewalls in the future.
Now that I have your email address or other social network details, I can start searching online forums for your name and email address to see if you have asked any questions about a specific technology. This could provide valuable information about the applications and technology you are using.
For example, asking a question like "What is your opinion of Brand-B firewalls compared to Brand-A firewalls?" would suggest that you are using Brand-A and considering switching to Brand-B. I now have an initial attack vector on your company.
Making a sales request for MDM software suggests you may not have an MDM suite deployed today. It could be worth an attacker's time to look at your mobile technology for a data attack.
Is This Data Secure, and What About Big Data?
The collection and storage of this marketing data is not handled securely. The systems that hold and store those details are not subject to legal protection under privacy laws. Companies that collect the data are not required to encrypt it, restrict access to it or apply any other security controls. Theft of this data is trivial and almost certainly goes unnoticed by any participant.
In fact, the data is commonly stored in spreadsheets and widely distributed by unencrypted email by people who have little or no security awareness or data security capability.
It's important to remember that Big Data systems are able to form connections with other data. For example, you can readily obtain large databases from recent hacking events, including health data, and start correlating the data to build a more complete picture of individuals and their employers.
The EtherealMind View
Giving away personal and corporate information is about much more than being pointlessly harassed by vendor sales people: you are also leaking valuable security details about your IT systems. It is about leaking security data that could be used to build good intelligence about your company and make security weaknesses easier to discover.
If you must sign up for whitepapers, use a false name and details, and a specific email account on Yahoo or Google set up for the purpose.
There are many false name generators on the Internet but use a secure VM before accessing them. Many are honeypots for government or criminal gangs (which are hard to tell apart these days since they use the same methods).
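As an added example (not from the original post), the dedicated-account advice above can be taken one step further: issue a distinct plus-addressed alias per vendor and keep a ledger, so that when a third party later mails an alias you know exactly which vendor shared or lost your details. The secret, the domain `example.org`, the vendor domains and the log lines are all constructed for illustration; the log format is an assumed simplified MTA style.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field


@dataclass
class SignupLedger:
    """One alias per vendor (plus-addressing). Any later use of an alias is
    attributable to the vendor that originally received it."""
    secret: bytes   # assumed: a per-user secret kept outside the ledger
    domain: str     # assumed: a mailbox domain that accepts plus-addressing
    aliases: dict = field(default_factory=dict)  # alias -> (vendor, vendor mail domain)

    def alias_for(self, vendor: str, vendor_domain: str) -> str:
        # Keyed hash so the tag cannot be guessed or enumerated without the secret.
        tag = hmac.new(self.secret, vendor.lower().encode(), hashlib.sha256).hexdigest()[:10]
        alias = f"signup+{tag}@{self.domain.lower()}"
        self.aliases[alias] = (vendor, vendor_domain.lower())
        return alias

    def check_message(self, sender: str, recipient: str):
        """Return (vendor, verdict) where verdict is 'expected' (the vendor itself)
        or 'shared' (someone else is using the alias), or None if not one of ours."""
        entry = self.aliases.get(recipient.lower())
        if entry is None:
            return None
        vendor, vendor_domain = entry
        sender_domain = sender.rsplit("@", 1)[-1].lower()
        return vendor, ("expected" if sender_domain == vendor_domain else "shared")


LOG_LINE = re.compile(r"from=<([^>]+)> to=<([^>]+)>")


def audit(ledger: SignupLedger, log_lines):
    """Walk constructed MTA-style log lines and return (vendor, sender) for every
    alias that is being used by someone other than the vendor it was issued to."""
    findings = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue  # not a delivery line we understand
        result = ledger.check_message(m.group(1), m.group(2))
        if result and result[1] == "shared":
            findings.append((result[0], m.group(1)))
    return findings


if __name__ == "__main__":
    ledger = SignupLedger(secret=b"example-only-secret", domain="example.org")
    alias = ledger.alias_for("Brand-B", "brand-b.example")
    sample_log = [  # constructed sample: one legitimate mail, one from a lead broker
        f"from=<whitepapers@brand-b.example> to=<{alias}>",
        f"from=<sales@lead-broker.example> to=<{alias}>",
    ]
    for vendor, sender in audit(ledger, sample_log):
        print(f"alias issued to {vendor} is now receiving mail from {sender}")
```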