Some organizations realize their customers' data has value beyond accounting, and that the enterprise vulnerabilities attracting hackers are not always based on IT shortcomings. Those that fail to recognize their responsibility to secure the information they retain are likely to find out just how far others are willing to go to steal it.
According to Verizon’s 2015 Data Breach Investigations Report, over 700 million personal records were compromised in 2015. The report estimates the total loss to the victim organizations at $400 million.
Leaky Job Portals
It’s extremely likely that Human Resources is advertising for skills relevant to the organization’s infrastructure. Large organizations have a mix of technologies they use, but a job posting can serve as a confirmation for hardware and software platforms. Sometimes you can even pull the specific version out of a post.
Public Data Sources
Build a database of information about the target. Is there a public or government database somewhere that hosts tax documents? Is there a news article covering a past breach that leaks security details about how the last hacker did it? Did your chief of security give an interview and share details about their remediation plan? Did a vendor contract (perhaps a security vendor) go sour and result in court proceedings?
Who’s the Boss?
Are their Chief Information Security Officer, and the people they’ve surrounded themselves with, selected based on politics or security architecture? What kind of conferences do they attend? Are they giving talks and have they attracted any kind of following in their domain? The kind of leadership they demonstrate in an organization reveals the organization’s internal philosophy on security.
The Friend of My Enemy
Who are their strategic business partners? Maybe it’s easier to get inside an organization through one of the hundreds of agreements an organization may have with other companies or vendors. Many industries are indebted to proprietary software that they have no control over. Some markets are dominated by one or two software companies that supply the majority of software across the industry. They have no peer oversight and a flaw in one organization is likely a flaw across many organizations.
Enterprise vulnerabilities that attract hackers are not limited to technology. Often the organization itself is revealing information that could save hours or days of research.