It’s no surprise that businesses often make basic mistakes when it comes to cybersecurity. Whether it’s using “password” as a password, not having a firewall set up, forgetting to run security updates on the operating system, giving employees too much access to critical data -- the list goes on and on.
But there’s another mistake companies often make, simply because they don’t even know it’s a threat at all: exposing sensitive information to Google “dorking.”
Google dorking, or Google hacking, is one way malicious hackers can gain access to valuable information about a company. It involves using advanced commands in Google to find specific data sets that companies, as well as government agencies, have unwittingly made accessible by storing them on public-facing web servers.
These files aren’t easily found by the average person, however, anyone who knows how to perform a specialized web search can retrieve them in a matter of minutes. The type of information exposed to this type of search can include user logins and passwords, email lists, employer identification numbers (EIN), bank accounts, software settings, etc.
Exposing this information is dangerous, because it can pave the way for phishing email attacks, network breaches, financial fraud and much more. In fact, many sophisticated phishing campaigns rely on this type of open-source intelligence to create customized, highly convincing emails for targeted employees and executives. The threat is so severe the Department of Homeland Security issued an alert last year to law enforcement and public safety agencies, warning them about the potential risk of data breaches specifically due to Google dorking.
So, how does a company become vulnerable to this threat?
It essentially boils down to having sensitive files stored on a public web server, but that can happen in a few different ways.
First, a company could be storing this data on its own web architecture to make it easy to access or share these files within the company, as well as with its clients or vendors. However, the reverse is also true -- a company’s clients or vendors could upload its information to share or access more easily. There’s also the risk that executives or employees will store company files on third party sites with weak security. Lastly, federal, state and local government agencies routinely collect corporate data like tax IDs, which are often stored online in spreadsheet files.
Because a company’s private data is often housed by multiple parties, it’s impossible to eliminate this risk entirely. However, businesses can take a number of steps to significantly lower the damage potential.
1. Remove all sensitive information.
Every business should start by asking itself two key questions: which information is too valuable or risky to disclose to the public, and does any of that data really have to be stored through its website (i.e., on a public web server)?
Examples may include personnel files, customer profiles, financial records, etc. Sensitive files like this should never be stored through the website unless it’s absolutely essential for business operations. It's far safer to store them separately on a private, encrypted server.
2. Protect data that can’t be moved.
If a company has to keep sensitive data on its website, there are two ways it can protect it: encrypt it (require a login and passcode to access the data) and make sure the site is configured with robots.txt files to block web crawlers like Googlebot from indexing the data in public searches.
This, however, is a less secure solution than the one mentioned in No. 1, so think carefully about the risks versus benefits before going ahead.
3. Check the company’s online footprint.
Do a routine check to see if the company has critical data exposed on the web.
Here’s a simple way to do this: (a) Go to Google.com, (b) type in “site:COMPANY.COM filetype:xls”; (c) see if this pulls up any sensitive information; and (d) repeat the same command for DOC, PDF, PPT and other file types the company in question may use.
4. Remediate exposed data.
If private corporate information is found to be accessible on the web, use Google’s Webmaster tools to remove it from the cache.
However, if third parties are responsible for the accidental disclosure, notify them immediately and request the information be pulled from the Internet, servers and Google’s cache.