If you’re already concerned, we can offer you a completely free, basic report on the exposure your company has on the Darknet using this link…
People we’re speaking to such as managers, directors and c-suite in IT, Production, Operations, Finance and Company Governance are telling us the Darknet concerns them, but they don’t know enough about it to understand why.
Let’s start with a quick overview.
The Public Internet
It’s hard to remember a time when the Internet didn’t exist. That thing we all love and use, mostly without a care in the world, as an everyday part of our lives. How lost would we be without it?
The Deep Web
Not to be confused with the “dark” stuff, the Deep Web is simply websites that search engines such as Google can’t index or are blocked from indexing. You don’t need special tools to browse the Deep Web - you just need to know where to look. It’s sometimes referred to as the Hidden Web, or the Invisible Web.
What is the Darknet?
Like many things in life however, for something that’s good, there’s often a bad side as well. The Internet’s bad side is all the scamming and fraud that goes on, but there’s even worse happening on the Darknet (which hosts the dark web).
The Darknet is a lawless, wild-west-like network that sits below the Internet. People operating there are anonymous and with anonymity comes power.
Accessing the Darknet needs specialised tools, a certain amount of bravado and a lot of skills. Those going there with just the first two are fools and asking for trouble. You wouldn’t stroll out into a warzone just for a nosey - the same stands for the Darknet. If you’re tempted, just don’t.
Although almost impossible to quantify, there are many reports suggesting that the darknet, deep web and dark web are way bigger than the public Internet, which is itself, massive. Go figure.
What’s it for?
Well, all the bad stuff we prefer not to think about, including…
Child Sexual Abuse Material
Computer Crimes including illegal file sharing, hacking, fraud
Whistle blowing and news leaks
Why should I care about that?
It’s the “Computer Crimes” bit.
Most of the information we read about (almost weekly) being stolen during a data breach hack ends up for sale or distribution on the Darknet. Unfortunately, that’s more and more turning out to be business related data such as emails, passwords and sometimes Personally Identifiable Information (PII).
It’s a common (and impossible to avoid) scenario where we use the same login credentials for work (our email address) to access many outside services such as Cloud applications. Sometimes these applications will actually be authenticating our credentials against our actual company network (so we use the same password - which is awesome, right?).
The problem occurs when these external sites get breached and their data stolen. If the user database is lifted, then all our staff email addresses end up in the hands of the bad guys. So that’s their starting point.
Depending on how badly designed that site was, they might get passwords in clear text (i.e. readable to the human eye). Sometimes people use the same password everywhere, so now the bad guys have an email address and password, for one or more of your employees, which can get them access perhaps into your network and almost certainly into those employees’ email accounts. If you have a cloud environment such as Office 365, that could grant them access to things like Sharepoint, Files, Teams, CRM, ERP etc.
Even if the site kept the passwords encrypted (and even using a non-reversible encryption) it’s still possible to quickly, with minimal effort, figure out what many of these passwords are.
This is an exercise where stolen credentials from one website are then systematically used in other websites. Because people will reuse the same password, this often gets hackers access into other sites.
What should I do?
The first thing you need to know is when your employees’ credentials are being leaked. For GDPR, this is vital.
You can do this in a limited fashion (one at a time, with minimal reporting) using a free website such as Troy Hunt’s “Have I Been Pwnd”.
However, this doesn’t scale. It’s not feasible to have all your employees sign up for it and even if you do, you can’t really make them responsible for tracking where their credentials have been leaked - that’s not likely to be in their job description, or what you employed them to do.
On a commercial scale, you really need a business grade monitoring service, such as our Darknet Monitoring Service.