7 hours 6 minutes
Hey, everyone, welcome back to the course in this video. We're just gonna briefly talk about some of the footprint in counter measures that we can do to help protect your organization a little better.
So what are some of those countermeasures?
Well, we can restrict social media access. So, for example, if I know that most of my employees, aside from maybe the marking team don't need to get on Facebook or Instagram or linked in, I could just block that on the devices, right? We're gonna set that policy in place. Make sure everyone signs Thea procreate, Use policy. Now, I can't stop them necessarily from doing it on their personal phones. But
I could do it. Insists on a company owned devices,
things like configuring our web servers properly. She's just going back to system hardening, right, making sure that we are setting things up properly. So we avoid any things, like anything like information leakage,
having employees, you use a fake name. So back when I was in the military and this is honestly before social media blew up a ZMA Muchas it has but one thing we did to be able to have, like for example, I had a Facebook account when it first came out because family wanted to share photos.
So I had to create a fake Facebook account with a fake name,
and that allowed me to actually be able to communicate with them with a totally fake name. So I just looked like a friend of the family, right? And so that's what we can. We can encourage their employees to dio. We can also have them do that on blog's that they're following or that they're commenting on. We could have, um, use fake names on things like forums or just made up names.
Um, it really does help, because then it's more difficult for the adversary to realize, Oh, this is
this is really, you know, Bill Gates, right? Instead of Susie Q
and being mindful of what we put in press releases. So I've seen a lot of stuff in press releases that gives me information on phone numbers, email addresses,
uh, actually in some of them that I've seen, I got I got information about actual systems in use in the organization. I'm like, Oh, my goodness. Uh, you know, just just be mindful of what you're putting out there for press releases.
Also mindful of
Hey, am I, um, I putting out their information about us getting a new funding round? And will that encourage more adversaries to come after us? Right? Because now they know we just grabbed another 50 million in and cash from investors.
So we're much more lucrative target now than we were in the past. So be very careful, mindful of what you're putting out there and things like press releases
removing any kind of sensitive information. So things like we talked about earlier employees directories, right? We talked about that earlier in the course, so things like email addresses, phone numbers, any type of sensitive post on your company's blawg.
Anything that might identify, Let's say, your security product vendor, right? You're selling some solution to same solution, for example, so you want to make sure you remove anything that might indicate vulnerabilities
in that software. Right? In that tool, that solution that you're providing any type of sense of information employees, birthdays, I I see so many organizations internally sharing. Hey, it's Jo's birthday, right? It's Roberta's birthday. It's to me, coz birthday,
that's terrible to Dio. I understand the concept behind like, Oh, we're gonna feel like a team and stuff
That's just terrible to do to people. Because now let's say I'm an internal attacker or or I've been flipped by somebody externally, I'm just gonna say, Oh, yeah, yeah. And did you know their birthdays? November 4th, right? It's bad practice to do so on on your website. In particular.
Remove any sensitive information. But also be mindful of the things internally that you're sharing.
Aziz. Well, Azaz on social media, right? A lot of employees I see out there have their birthdates on social media. They have their personal email addresses and phone number cell phone numbers on social media. So remove all that sensitive information. Assume that everything you put out there can be weaponized against you,
Anything could be weaponized against you. Assume that someone's always trying to steal it.
Yes, it sounds a little paranoid. That's really what you need to do and what you also need to encourage your employees to do because there's always somebody watching.
And with that,
if an attacker gets that information right, they could perform things like social engineering attacks. So just be mindful that you want to train your employees how to identify when someone is possibly not legit, right? Sometimes it's very difficult, but you can usually identify a lot of social engineering attacks in particular phishing emails.
So have them always verify, especially if it's financial related.
Have them always verify with someone. Contact him by phone. Say, hey, did you really sent me this email? If you can't get a hold of them, guess what? Nothing. Is that urgent? Where you need to wire $10 million in the next hour to the CEO, right at this new bank account, that doesn't make any sense. So, common sense training for your employees
and using things like encryption. Right? So encrypting that sensitive information, encrypting our passwords, encrypting data both at rest and in transit.
So a quick quiz question for you here.
Sam works a social media marketer for Google, so he should have full access to all social media sites. So kind of a trick question here,
right? Is that gonna be true or false?
Well, the answer is actually gonna be false, right?
He doesn't necessarily need all social media site access. That's why I mentioned it was a trick question here, but he does work in marketing, so we may have to give him access to Facebook. LinkedIn, Twitter, instagram, ticktock. Whatever Google is marketing on these days, we he may need that access, but he doesn't necessarily need full access,
and we probably need to have some kind of a dummy account.
The Sam uses the post that that we know it's got a strong password has got to factoring authentication in place, and that's isolated from other things, right? It's not tied to Sam's active directory account, for example, so
that's why that one's false. They're kind of a trick question, and I'm sure most people answer that right, though.
So in this video, we just talked about some of the footprint in counter measures. So again, you notice a lot of it's kind of common sense, right? Don't put your sensitive data out there. Don't leave passwords out there for someone to grab. Don't put your personal information on social media. Don't have your date of birth showing. Don't have your personal email and phone number showing on there at all, especially not your cell phone.
Don't do that. If you're on LinkedIn and you have a resume
on their take off all your contact information, because if the recruiters on LinkedIn, they could just reach out to you via the messaging. They don't need your phone number and email address. So take all that sensitive data out of there on the company website. Make sure you're moving things like employees, directories and any other sensitive information.
Again, you're just reducing your attack surface by doing these measures.