fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Over Half Of Fortune 500 Companies Are Leaving Sensitive Information Open To Reconnaissance via Document Metadata

Over Half Of Fortune 500 Companies Are Leaving Sensitive Information Open To Reconnaissance via Document Metadata

PDF files hosted by many organizations, including more than half of the companies listed on the Fortune 500, are leaking sensitive information. PDF document metadata can contain a variety of information that provides attackers with the reconnaissance details they need to execute a more targeted and sophisticated attack: employee names and positions, the software used to author the PDF file, web server version, physical location, and in some cases even employee ID numbers meant for internal use.

While most of the major PDF authoring tools allow one to turn off the recording of document metadata, it is generally on by default and most users do not manually disable it.

Document metadata provides puzzle pieces attackers seek

With the average Fortune 500 company hosting over 9,700 publicly accessible PDF and Word files, document metadata is one of the largest unprotected attack surfaces. However, the majority of these companies (51%) are not taking steps to secure this area by scrubbing these documents of metadata and configuring software to not automatically include it.

Document metadata is useful to attackers in terms of reconnaissance, as it reveals a fair amount about employee locations, personality and behavior. In some cases, it can also provide key pieces of inside information such as ID numbers. While attackers are unlikely to glean enough from document metadata alone to breach a system, these pieces of information can be invaluable in preparing more targeted types of attacks: spear phishing by email, social engineering attempts over the phone, and so on.

The report, prepared by information security firm UpGuard, uses the industry standard “MITRE ATT&CK” framework to evaluate the risk presented by document metadata. Attacks listed in the MITRE catalog generally begin with a reconnaissance phase, and the exposed metadata contains a good deal of the type of information that attackers seek as they initially evaluate a target.

Also Read: The Difference Between GDPR And PDPA Under 10 Key Issues

The study examined all document file types that can contain this sort of sensitive metadata, including Excel and PowerPoint files. However, it found that PDF files were by far the biggest vulnerability among Fortune 500 companies. 88.7% of the public-facing documents on company servers are PDFs, largely due to the fact that it is a read-only file format.

How attackers use public documents for reconnaissance

So what exactly is in document metadata that can be exploited? The first major point of vulnerability is the “author” field. The majority of the document metadata reviewed in the study had some sort of identifying employee information in this field, anything from the employee name to the city or business unit with an ID number or username. Security best practice is to set this field to be filled with just the company name, which most organizations are not doing.

Vulnerabilities in the author field also seem to vary by industry. Education, government and media organizations most commonly made this mistake. It was least frequently seen among travel companies and non-profit agencies.

Document metadata is also leaking information about host hardware and software that attackers conducting reconnaissance are interested in. The author field can again be a vulnerability here; over 100 of the documents reviewed had the name of the authoring software in the author field. A point of particular concern is the use of free PDF file converters, something commonly done when the premium Adobe PDF writer software is not available. These converters often insert their names into the document metadata as part of the marketing strategy. If an attacker finds an employee name and a converter that they use, that creates an opening for a malware attack based on a fake version of the employee’s favored converter.

The “creator” field is a much more common source of reconnaissance-ready information. 98% of Office documents and 75% of PDF files reviewed listed the software used to author them in this field. Some of these include the specific software version, information an attacker could leverage if there is a known exploit for that particular version.

875 of the reviewed files also listed information about the creator’s operating system, and 371 included some sort of identifiable information about the target company’s hardware. This is another area where known exploits could be leveraged after some very basic reconnaissance is conducted.

Also Read: PDPA Compliance Singapore: 10 Areas To Work On

UpGuard’s suggested action items for remediating the reconnaissance threat include ensuring that employees have access to the needed proprietary software for authoring all the types of files that the organization uses (so that questionable third-party “shadow” software tools will not be used), employee training on reviewing and scrubbing document metadata, and regular removal of old documents that are no longer necessary. Penetration tests generally do not examine these documents, so organizations should also implement a separate auditing process that focuses on reviewing metadata through the lens of potential attacker reconnaissance.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us