Dr. Christine Izuakor: Welcome to the Veriato Insider, a podcast covering some of the latest trends and things to know in cybersecurity. This podcast is sponsored by Veriato, which is an award-winning employee monitoring and insider threat detection software provider. To learn more about how Veriato can help protect your company, check out veriato.com.
What role does the dark web in remote work risks
Dr. Christine Izuakor: I'm Dr. Christine Izuakor, your host for today's segment. And we're covering the role of the dark web in remote work risks. Now, there's always been a lot of ambiguity, mystery, even fear, quite honestly, around this topic for some people.
Dr. Christine Izuakor: It is also known as the cyber black market. Cybercriminals are using the dark web to traffic sensitive information, conduct illegal activities, and much more. So this, of course, impacts organizations when things happen, like you find out that your critical data is being circulated or sold on the dark web.
Dr. Christine Izuakor: The global pandemic, and this rise of remote work, have only made matters more critical, and worse in some cases. Because companies are struggling to deal with putting the right controls and measures in place to protect their data from these leaks, to begin with.
Dr. Christine Izuakor: So before we dive deeper into this topic, I'd like to welcome Michael Owens as our special guest on today's podcast. An accomplished cybersecurity professional, Michael has twenty-five years of experience within corporate, government, and military environments, focusing on cybersecurity, info-tech program building, threat intelligence, and much more.
Dr. Christine Izuakor: He holds a doctorate degree in business administration, global business, and leadership from California Intercontinental University, and a cybersecurity certification from Harvard University. Michael is currently the business information security officer at Equifax, he is also a veteran of the United States Marine Corps, a member of the World Affairs Council of Atlanta, a political partner with the Truman National Security Project, and serves on the State Advisory Committee for the US Global Leadership Coalition.
Dr. Christine Izuakor: Such an amazing lineup of experience and certifications and accolades and everything in between, which means a ton of valuable insight and experience with us today. So happy to have you here. Welcome Michael, and thanks for joining us.
Dr. Michael Owens: Thank you. Thank you so much. I appreciate it. I hate hearing my background kind of laid out like that sometimes. Like, "Who is that guy?"
Dr. Michael Owens: But, yeah, I'm happy to be here to share some of my background experiences, and things I'm finding working in the diverse spaces, particularly over these last years, right? Which has been challenging for so many people.
Dr. Michael Owens: So this opportunity to talk today is great because hopefully, we can quickly get to dive into some of that and help the listeners and viewers that are out there.
Dr. Christine Izuakor: Yeah, absolutely. I can totally relate. I feel like sometimes when you hear your bio, and all of these amazing things, it's like, "Wow, that's really me." So yeah, definitely kudos to you on that.
Dr. Christine Izuakor: I know we've talked a little bit, but is there anything else you want to add or share more about your background and your experiences in general before we dive in?
Dr. Michael Owens: You gave out some of my educational background, but I am wearing my Georgia Tech pin today, so I'll give a shout-out to the Yellow Jackets from Georgia Tech, from which I got my master's degree.
Dr. Michael Owens: And I'm a product of an HBCU. I graduated with my undergraduate degree in computer and electronic technology from North Carolina A&T State University. So go Aggies.
Dr. Christine Izuakor: Love it. Thank you for that. So yeah, once again, very pleased to have you as a part of this discussion. Let's maybe start by demystifying, even, what does the dark web mean, or what does it mean to you?
Dr. Michael Owens: Yeah, thank you. It's a great question. And demystifying is probably the best term to use for that, considering that it gets talked about a lot, and you hear about it on TV and the news, but what does it really mean?
Categorizing the 3 main areas of the Web
Dr. Michael Owens: It's really pretty simple. I'll break it in terms of, let's call it the visible web, the deep web, and then the dark web. I think there are three different areas to really talk about.
Dr. Michael Owens: So when we talk about just the regular internet, these are sites that are regular out there for whatever browser you use, whether it's Chrome or Bing, or whatever, that you could access. You type in a URL or an IP address, and you can go to those sites.
What is the Deep Web?
Dr. Michael Owens: Outside of that, the vast majority of what constitutes the internet is what's called the deep web. And this is anything that is not indexed by the major Googles of the internet, right? So, if they're not being indexed, that is the deep web.
Dr. Michael Owens: That could be anything that sits behind a paywall. Any websites that are out there, or pages that are blocked by specific membership login. Anything that's just behind a login, anything that's not indexed. Any type of blogs or anything that is out there that is not consumable just by going to the URL.
Dr. Michael Owens: All those things are considered the deep web. You can imagine there are vast untold amounts of information and pages that exist within the deep web.
What is the Dark Web?
Dr. Michael Owens: Then there is the dark web. And the dark web, or darknet, is a section or component of the deep web. This means, first of all, it's not indexed, right? So you're not going to find it on Google or Yahoo or on any type of indexing that is out there, any of the search engines.
Dr. Michael Owens: However, it differs from just regular information that's on the deep web, in that it's encrypted. And then you have to actually access it by a specialized browser. The most common one is Tor, T-O-R.
Dr. Michael Owens: So it's basically a smaller subset of the deep web, where different types of information are out there. I mean, I'm not going to say it's all nefarious, because it isn't, but I wouldn't be honest if I said that the majority of it out there is probably illicit in nature. We'll talk about that in a bit.
Dr. Michael Owens: But just to set the context, right? I mean, I try to view it in three big buckets of what the internet is. That part of the internet which is visible, which we go to every day, all of our news sites or sports sites, all that type of stuff.
Dr. Michael Owens: Then there's the deep web, where you could imagine customer information may be emergency medical records, maybe specifics about company information, sitting behind firewalls and user logins could be. And then there is the dark web, where it's not indexed, and it is accessed only by certain types of encrypted browsers. And the data there is encrypted.
Dr. Michael Owens: So, the technology behind, dig a little bit into the techie part of it, it is by nature built to be obscure. It is built to be hidden. The key to the dark web is that it's anonymous.
Dr. Michael Owens: Therefore, when we talk about types of information that exists out there, hide behind the fact that the deep web itself is meant to be nothing more than a series of links that you have to go through, or proxy servers, that basically help to anonymize the actual person that's out there.
Dr. Michael Owens: I think, interestingly enough, the dark web itself can be traced back to the US military. The US military, looking at the Tor network, and the beginnings of it was developed back in the mid-nineties by mathematicians and scientists at the US Naval Research Facility that wanted a way to protect US intelligence.
Dr. Michael Owens: So what has turned out to be, potentially still using those ways. And again, we can talk about this in a bit, but everything that goes on in the dark web or the darknet isn't nefarious, isn't criminal activity. There are some positive uses for it as well.
Dr. Christine Izuakor: Awesome. Thanks for the very digestible rundown. I like that you put it into the three different buckets because that makes it super clear for people.
Dr. Christine Izuakor: So expanding on that, what threats does the dark web impose on businesses? And how has that evolved, if at all, in your opinion, as more people work remotely?
Dr. Michael Owens: Sure. There was a lot in that question. What does it pose to business? Well, I think the first thing that is clear, is that there is information about company secrets. Whether it's the secret sauce of Coca-Cola, or whether it's just sales records. It could be customer files.
Dr. Michael Owens: It could be all types of information, again, that exists out in this part of the internet to where it's untrackable, it's untraceable. And the illicit part we talked about earlier, is the fact that people use this company information to buy, sell, and trade-off.
Dr. Michael Owens: We're not going to get into the mechanics of that, but the bottom line is, is the risk for businesses. Because any information that's out there that's stolen now, and we know that millions and millions upon records have been stolen. Billions of records have been stolen. At any point in time, these records could turn up on the dark web for sale or for trade.
Dr. Michael Owens: We know it happens. It happens very often. And the more and more breaches that occur, whatever reasons they occur, and data exfiltration from different companies, the vast majority of this information finds its way onto the dark web. Where then your company could be susceptible to various different types of attack, or attacks on your customers, or identity theft-type activities that could occur.
Dr. Michael Owens: Making it even more dangerous the second time around. Because now you think it's kind of like the keys to the castle. Someone's already broke in, they've stolen your stuff, and now they're selling your wares without you knowing about it. So this type of information makes it very dangerous for businesses, again, to have their information out there where they may not even know it's available for sale.
Dr. Michael Owens: And how has it kind of changed with the world moving, I guess because of COVID, to a remote world? I simply say that it's really on the front ends where we see the biggest impact. Which is, with everyone working remotely now, a lot of companies have struggled to kind of get their arms around all their remote workers that are now working at home.
Dr. Michael Owens: It's much easier to kind of control and protect what you have, or your crown jewels, if you will if everyone's on the inside of the moot behind the castle walls. It's easier to contain that. But you take all the village people and you put them out there in the village again, and they're not protected.
Threat vectors have evolved due to remote workers
Dr. Michael Owens: It basically means that there are a lot more endpoints that are out there that are not as protected as before. This means many more threat vectors are out there for attackers to be able to gain access to company information, that could then take that information back to the dark web to again, put it back out there for sale or for trade.
Dr. Christine Izuakor: Yeah, absolutely. You touched on this idea of having your village or your people behind the moats or within this kind of protected perimeter, to now releasing them out into the village. And I think that's a good segue into the topic of insider threat.
Dr. Christine Izuakor: What specific role, if any, do you think insider threats play in the implications or the consequences of the dark web and its use in enterprises?
Dr. Michael Owens: Sure. Insider threat, I think has evolved a bit over the years from just being disgruntled employees, I think is what we've usually thought about that, to now where a lot of insider threat is not malicious at all. It is through social engineering and people being traded.
Dr. Michael Owens: To use kind of another analogy is that, if I can trick you into giving me the keys to the castle, I no longer have to storm the drawbridge, right? I no longer have to bust down the walls. If you can just kind of give me the key, and I can roll the moat door down, and then we're all in. And that is what's happening with the insider threat, is that so much of it is not malicious anymore.
Dr. Michael Owens: I've been directly involved in helping to set up internal threat heuristic behavioral analysis type of cybersecurity programs, to be able to tell if someone is not necessarily acting in a nefarious way, or they could be disgruntled employees. It could be mainly employees who are giving away this information without knowing it.
Dr. Michael Owens: Or it could be, which is probably the most novel one now, kind of more the spy thriller type series, is that you have people that are being compromised, right? Those are literally being blackmailed. That type of insider threat, to where they're almost being used as an asset.
Dr. Michael Owens: And all of that has tied directly back to the dark web. Whether it is the fact that they have this information that's been available on the dark web, that a would-be attacker would buy. Now they have information about specific, sensitive information about your employees that they can then use to launch specific social engineering attacks. That is obviously one way.
Dr. Michael Owens: The other way is that they could use them through phishing attacks. The same type of information that they may gather, but use a spear-phishing attack to be able to garner certain information of them.
Dr. Michael Owens: And then the last one, which I mentioned before, is about kind of turning an asset or reaching out to someone and blackmailing them because of specific information they may have found about an employee. That may even have nothing to do with the employer, but because they may have found some information out about a particular executive at a company. Just being very hypothetic about the scenario, but I want to put it out there so people understand.
Dr. Michael Owens: If there is certain information swirling around on the dark web about a particular executive at a company, that information could then be purchased by an attacker. And then that executive could be approached directly, let's say for instance, and then coerced into, or blackmailed into turning over the intellectual property of a company so that they're not extorted, or certain information they may have found from the dark web has gotten exposed.
Dr. Michael Owens: So there are multiple different ways that corporations have to be careful and cognizant of what's going on on the dark web and what's out there. Because there are specific implications.
Dr. Michael Owens: And now I think we're also starting to see even ransomware starting to turn itself into an insider threat type activity. Where certain information is being held, being ransomed, and if certain IP or company secrets are handed over, they'll go back and they will decrypt the information that's been encrypted by the ransomware attack.
Dr. Michael Owens: Just a couple, there may be more out there. But just some good concrete-type examples of what could happen, and why this insider threat could be implicated directly by what's happening on the dark web.
Dr. Christine Izuakor: Yeah. And that's a good point. I think, just to touch on the last one on ransomware, a lot of people tend to look at ransomware as like, people are just asking for Bitcoin and all of that. But this play on asking for IP in exchange, or asking for sensitive information is definitely an interesting angle.
Dr. Christine Izuakor: So we've talked a lot about some of the challenges and the implications, but what can companies do about it? How can companies respond and reduce the impacts of this growing risk around the dark web in their organizations?
Dr. Michael Owens: Yeah. So the first thing I'd say is, if you don't have a strong culture within your organization around security, start building it now. Culture is really the very first thing that I like to dive into in assessing kind of what the security culture looks like.
Dr. Michael Owens: And basically, by that, I mean how people judge their level of responsibility when it comes to securing the organization and their assets, right? I still think far too many companies look at security as IT's problem, or enterprise risk, or just the global security department's problem. But really it's everyone's problem.
Dr. Michael Owens: That's really worth focusing on first and foremost, just to understand that building a good culture. And then secondly is cyber hygiene. Are you doing the basics, the X's and O's, the blocking and tackling, when it comes to cybersecurity.
Dr. Michael Owens: That includes patching. That includes ensuring that you have policies that you not only have documented, but people are actually adhering to. Password rotations. All those types of, I think, bread and butter type things.
Dr. Michael Owens: From there, I think, and it ties into a previous question, but dealing with a remote workforce, makes me think about DLP solutions and data loss prevention. Ensuring that you have solid protections in place to ensure that... It's kind of direct and indirect.
Dr. Michael Owens: So directly, want to make sure that people are doing the things they need to do, that we're making sure that we're preventing all of the attacks that could possibly happen. Second thing is, if there is an attack that is successful, what do we do to ensure that it's not as impactful as it potentially could be?
Dr. Michael Owens: I mentioned DLP, right? So both from a social engineering aspect insider threat, as well as external, having a good DLP solution in place, making sure that you are at least able to monitor and/or block printer ports, thumb drives, USB connections. All those types of things where someone may exfiltrate data from off of your server or off of your desktop or tablet. I think that's a very important thing that we have to do.
Dr. Michael Owens: Segregation of duties, as well as segregation within your computing environment. Making sure that you're separating your development environment from your QA, from your production environment.
Dr. Michael Owens: So that way when, again, when attackers... We've got to play this from a standpoint that once they get in, right? It's not a matter of if anymore, we're looking at when they do.
Dr. Michael Owens: So when they do, we're looking at mitigating that as much as possible, ensuring that again, going back and touching on our social engineering aspect. That if you target an analyst, they only have access to gain what an analyst can access. If you target, a C-level executive, they probably shouldn't have access to your GitHub repository, so that's still going to be safe.
Dr. Michael Owens: However, if you don't have those types of segregations in place, and you just have an environment where everyone has access to everything, that is going to be a really serious problem to have.
Dr. Michael Owens: I know I'm talking about a lot of issues that don't directly relate to the dark web, but what our goal should be is to ensure that we stop things from getting on the dark web, to begin with. If we can do that, we've met the vast majority of the challenges there.
Dr. Michael Owens: Once your information is on the dark web... I implore a lot of companies out there to either use a service or have an internal red team or someone that's actively on the dark web, looking for your URLs. For your C-level employees. For looking at anything that would tie back to your organization.
Dr. Michael Owens: Because the better off you know about what's out there, the better off you can protect yourself about immediate threats that are there.
Dr. Christine Izuakor: Yeah, absolutely. Such a good coverage and lineup of different recommendations. Everything from culture, which is again, one of my favorite topics. Because I think it's one of the most critical. Without culture, none of the other items will work, no matter how hard you try.
Dr. Christine Izuakor: But yeah, taking that layered approach and covering all of that ground is super important. As we wrap up, are there any final thoughts that you want to add?
Dr. Michael Owens: I mean, I think I'll just mention something that you and I chatted about earlier, which was just to stay vigilant. Because the attack landscapes are always changing, [inaudible 00:21:29] vectors are constantly multiplying.
Dr. Michael Owens: I think it's a constant effort to ensure that what we're doing in the [inaudible 00:21:37] security space is protecting key data, and people's information, and our corporate assets. And we're charged with that. I think, touching back on culture again, can't be understated. So I'm happy you brought that up. But we have to follow it up with direct action.
Dr. Michael Owens: So, again, I just want to make sure that everyone takes the time to understand that security is everyone's issue. The dark web is a scary place, but it's real. It's not some nebulous mystical thing. It's kind of like the cloud, right? It's someone else's servers, somewhere else. It's still a real thing.
Dr. Michael Owens: We could still protect information. Nothing's going to find its way into the dark web magically, right? I mean, there's a vulnerability, there's a hole, there's a gap that's somewhere that's being exploited, that's going to allow that information to get out there.
Dr. Michael Owens: So the more vigilant we are on the front end, and having the defense in layers, and doing the things that we need to do, we can stop information from getting out there on the dark web.
Dr. Michael Owens: And I think the last thing I'll say, just to turn the page in this a little bit, because I mentioned this at the beginning, is that everything on the dark web is not completely doom and gloom. We can speak about this specifically from a US perspective, but there's plenty of places around the world where the internet is not as available and free as it is here in the US.
Dr. Michael Owens: Some people have had to use the dark web, and the anonymity that it possesses, to be able to assemble, to be able to talk about human rights and to explore different atrocities that may be going on in different parts of the world.
Dr. Michael Owens: So sometimes in certain areas where they don't have necessarily freedoms, the dark web can be a place where the information can be used for good. And is necessary, because certain regimes or certain areas will not allow them to use the internet for a lot of things that we use it for in the overall good every day.
Dr. Michael Owens: I want to make it clear that the dark web isn't all doom and gloom, there are some positive reasons for it. And again, it was created by our own military as a place to be able to communicate with a higher level of security. So we want to keep that in mind as well.
Dr. Christine Izuakor: Yeah, absolutely. Really good point on the good and bad, or however you want to frame that up. But there are definitely two sides to this thing.
Dr. Christine Izuakor: Thank you so much for sharing your insight. That concludes the Veriato Insider podcast for this week. This podcast is brought to you by Veriato, which is an award-winning cybersecurity company.
Dr. Christine Izuakor: Their solutions are anchored around four core areas of cybersecurity protection. Including employee monitoring and web filtering, insider threat detection, employee investigations, and ransomware support. To learn more about how Veriato can help protect your company, check out veriato.com. Thanks, Michael, for joining us.
Dr. Michael Owens: Thank you. It was a pleasure being on.
Dr. Christine Izuakor: Of course. And thanks to all of our listeners for tuning in. I'm Dr. Christine Izuakor, the CEO of Cyber Pop-up, and it has been our pleasure to share these insights with you. So until next time, stay safe and secure, insiders.