Organizations should beware search engine data

Google search enables hackers and industry competitors to gather information for targeted attacks, so companies should regulate employee sharing online and usage of free services.
Written by Ellyne Phneah, Contributor

Corporate information leak on search engines give hackers the avenue to gather information and plan targeted attacks, and industry competitors an edge over them, security watchers warn and advice that organizations regulate employees' sharing of information and patrol brand information available online, but keep their focus on network security.

Last month, Babak Pasdar, CEO of security firm Bat Blue Networks noted that Google search engine is a security threat to organizations as hackers use Google search to gather information in their targets.

According to Pasdar, Google works on the premise of identifying unique individuals, building profiles of them based on information available such as their age, sex, interests and organization and tracking users through fresh, new information such as geo-location and emails. The company then analyzes the data and presents it either in the form of directly referenceable data or indirect data, such as browsing behavior.

Such information leaks could also be the result of Android users who sync their contacts, calendar, task list and other personal information to Google servers, and those who make use of Google's free services such as Gmail, Joseph Steinberg, CEO of Green Armor added, noting that Google is "a lot more than a search engine" possessing the capabilities to gather information.

In the age of targeted attacks, search engines have become a tool for hackers to find, gather and collate individual pieces of information, Jonathan Andresen, Asia-Pacific vice president of marketing at Blue Coat, observed. As such, they pose a security risk since large companies will certainly have data which can be searched for on Google or any other search engines, he remarked.

This information may not be significant on its own but when put together, provides an extensive overview of an organization's vulnerabilities, he explained, Andresen warned. A prime example of cybercriminals connecting and using information from incremental data leakage from multiple sources occurred earlier this week, when a former Gizmodo employee's Google, Twitter and Apple accounts were compromised in an hour, he cited.

It could get easier for cybercriminals with Google's efforts to improve search results. Earlier this year, Amit Singhal, senior vice president and Google Fellow revealed that the company is taking baby step on unveiling semantic search, or delivering search results based on a true understanding on its data.

Steinberg added such sensitive corporate information could also end up in the hands of a competitor--such as the scheduling information related to meetings and their scheduled attendees synced to Google servers from Android smartphones that would be of use to Google or people working at Google.

A significant amount of "insider information" regarding potential mergers, acquisitions and other stock-price impacting activities can be obtained by looking at relevant people's schedules, Steinberg explained.

"Google's assurance that it will not look at the data may not necessarily be enforceable, especially if a court order was ever issued to reveal the data," he warned.

Regulate data outflow, be proactive about information out there
Companies should regulate their employees' usage of free online services and what information they share online, including not only data that will be "Google searchable", Steinberg noted.

Android smartphones often sync with Google servers, and iPhone users' data get streamed to Apple's iCloud servers, so the policies must be extended to smartphones and cloud storage servers, he added.

It is also critical for companies to be aware of what kind of data that is available on search engines, which will help them gain visibility of potential threats allowing them to tailor their security measures accordingly, Andresen noted.

Some services, such as MarkMonitor, BrandProtect and Cyveillance, have their own bots or crawlers can search the Web to see what information is available on the brand and companies can use it to see what kind of information are out there, Rick Holland, security and risk senior analyst at Forrester Research suggested. They can also have their pen testing service provider build a Google search assessment, he added.

Focus more on network security
Although search engines used by attacks to gather information, companies should not spend a significant amount of effort trying to secure the data indexed by the various search engines, Holland remarked. They should focus their limited resources instead on ensuring they have the ability to quickly detect and respond to attacks, he advised.

"Attackers are always going to have innovative ways to gather information on their targets and break into networks. The latter can be prevented but not the former," he said. "Targeted attacks aren't going to stop because you make their jobs more difficult."

Google declined to comment when asked how their search data is stored and what measures are taken to protect sensitive data from being gathered by cybercriminals for targeted attacks.

Editorial standards