How Businesses Can Protect Themselves Against the Dark Web

    [fa icon="clock-o"] 1/26/2018 [fa icon="user"] Garett Chipman [fa icon="folder-open'] Network Security

    how-to-protect-against-dark-web

    Understanding the dark web and the danger it poses to your business is crucial.

    While most of us are familiar with the “surface web” like Google, Facebook, Amazon, and the countless other user-friendly, legitimate websites and search engines that most of us use every day, the internet is a much larger place than most people realize. Below the surface lies the “deep web” and within it, the dark web.

    Within these hidden realms lie severe threats to your data, your clients' personally identifiable information (PII), and your company's intellectual property.

    Threats coming from the dark web have pushed many companies to re-evaluate their data privacy and network security policies and procedures. Many people realize that strengthening their security posture before they experience a breach or data leak is essential to the health of their business.

    The cost of a serious breach can damage or destroy a company’s finances and reputation, so it is critical to evaluate how your organization can protect itself before important information is leaked on the dark web.

    What is the Dark Web?

    The surface web or the internet that the majority of us use contains all of the sites that are searchable through standard browsers like Google, Bing, and others.

    Below the surface lies the deep web, which according to some estimates, contains nearly 90% of the data on the internet.

    The deep web itself is not nefarious; it merely includes sites and pages that are hidden from view and cannot be crawled by search engines. Legitimate data rests here and can only be accessed if you know the URL or if you have a password to access it. The deep web contains tons of data, from financial and medical records to information that can only be accessed by authorized users.

    Within the deep web lies another hidden layer of the internet known as the dark web or darknet.

    The dark web is comprised of private, encrypted networks that cannot be found by the surface-web search engines and can’t be accessed by traditional browsers. Most sites on the darknet require the use of special software to access them.

    The most popular software package is Tor (named initially The Onion Router), which uses a network of relays to provide a high level of anonymity and secrecy for its users. Other popular software that enables access to the dark web is I2P and Freenet.

    Once you have accessed it, there are specialized browsers (specifically DuckDuckGo and a dark web version of Firefox) that allow you to search for sites on the dark web. It is within the depths of the dark web that cybercriminals sell, and trade stolen information like social security numbers, personally identifying information, stolen credit cards, illegally-obtained intellectual property, and other valuable data.

    Also, the majority of crippling denial-of-service (DDoS) attacks are launched from within the dark web, intentionally paralyzing your business’ network by overloading it with data.

    In 2017, businesses reported an increase in DDoS attacks that were principally used as “smokescreens” to overwhelm IT, staff, while the attackers stole sensitive company data through virtual “backdoors.”

    5-ways-protect-dark-web

    Five Ways to Protect Your Business from the Dark Web

    To protect your company and your clients from threats on the dark web, here are five tips that should help you strengthen your security posture.

    Tip #1 – Assume that your company is a target.

    Far too many businesses fall victim to a data breach by assuming that hostile actors are not interested in them. If your company has a customer, client, or patient information, you are a target. If you store information about yourself and your employees, you’re a target.

    The data that every business collects and stores are valuable to cybercriminals, and companies of any size or industry are likely to encounter an attack of some kind sooner rather than later.

    Tip #2 – Implement robust firewalls and layer your defenses.

    Make sure your network is protected by secure firewalls that prevent unauthorized network access while facilitating outward communication. We want to protect our users wherever they go. You may wish to consider a managed firewall service that will act as an extension of your own internal IT staff and can provide device monitoring, intrusion prevention, and other valuable security services.

    By installing firewalls and making sure your network is segmented correctly, you may be able to prevent outward attacks by hostile actors and can prevent them from moving laterally throughout your network if they can get in.

    Tip #3 – Change your passwords.

    Often the most straightforward security protocols are the ones that are most frequently overlooked. Make sure to change all of your passwords on all of your business’ devices regularly to prevent compromising your network’s security.

    It's important to make sure you are using complex passwords. When creating a password, incorporate a phrase instead of using your birth date or your dog's name. And, keep it within 8-10 characters. 

    Here's a great example of a complex password using a phrase:

    Phrase - Homer Simpson drools over strawberry frosted donuts at work!

    Password - HSdosfdaw!

    Also, don't use the same password for more than one website. Keep it to one password per website. 

    Tip #4 – Back up your data regularly.

    You should make sure to schedule regular backups to the cloud or to an external hard drive to ensure that all of your critical data is stored safely and can be recovered quickly in the event of an attack. This step is essential in case a user is compromised and their email gets hijacked. 

    It is recommended that you schedule incremental backups every night, and a complete backup of your servers each week. Make sure that your cloud accounts or devices are not connected to the computers and network that you are trying to back up!

    Tip #5 – Educate your employees on proper “cyber-hygiene.”

    The most robust firewalls and most extensive network monitoring are useless if your employees do not practice proper cyber-hygiene (also known as Security Awareness Training (SAT)). Employees who click on harmful links, fall for phishing attacks, or use weak passwords can allow cybercriminals to gain a foothold in your network quickly.

    Make sure to educate your team on the importance of safe browsing, email alertness, and secure password security. Consider switching from passwords to “pass-phrases” that are easy to remember and are harder for hackers to obtain or guess.

    Restrict employee access to only allow them to browse company-authorized, “safe” websites. Train your team to recognize and report suspicious emails by issuing routine “phishing tests” to hone their skills and threat-awareness.

    At TVG Consulting, we provide SAT for our ongoing monthly clients that sends phishing emails throughout the month to see if anyone clicks, then we provide videos on the most common security threats and how to avoid them in the future. We also offer a free audit to see if you're patched. 

    By implementing these security best-practices, you can rest easier knowing that everyone at all levels of your organization is working together to protect your valuable data.

    The Dark Web is Here. Are You Ready?

    The FBI reports that financial losses from cybercrime exceeded $1.3 billion dollars in 2016 alone. Ransomware, phishing, and business email compromise (BEC) attacks are only increasing in size, scope, and frequency. Are your security protocols strong enough to withstand an attack?

    By understanding what it is and why it is a threat to your business, you can take the necessary steps to strengthen your company’s security posture and prevent your data from making its way to the dark web. If you're looking to protect your business from the dark web, contact us for a custom quote for your business. 

    data-security-guide