Beware Dark Web Equifax Scans
John Alford, CISSP, HCISPP, CRISC
Chief Security Officer delivering ISO27001, PCI DSS, HIPAA, GDPR, AI Governance and Cognitive Security.
A number of small and large firms are now touting 'Dark Web Scans'. However, if not done properly, these searches may actually increase your risk. When you search for anything, the contents of your search are disclosed and recorded. Even if secured in transit, the data searched for is always available to all the receivers of the searches. Concisely, searching the Dark Web exposes data to the systems searched on the Dark Web. As the media continuously reports, the Dark Web is a haven for illicit activity. It is naive to trust anything on the Dark Web. Searching for only portions of your sensitive information by a Dark Web search provider reduces the risk but vastly increases false positives greatly minimizing the value of results. A better but very expensive alternative for these Dark Web search providers is to copy everything on the Dark Web to their own full patched, hardened and otherwise secure systems. The Dark Web search provider can then search their copy of the data so that only the search provider sees what is being searched. This approach requires massive storage, processing and other overhead. Further, there are moral, ethical and perhaps legal considerations since information on the Dark Web may be counterfeit, malicious, illegal, false or stolen property. Copying all of it is incredibly risky for the Dark Web search providers. Additionally, it is difficult for you as the Client of these Dark Web search providers to validate the diligence and accuracy of their work. You essentially have to take their word for it.
Better options for most people to protect themselves from breaches like the Equifax incident are rigorous credit monitoring and possibly credit freezes. As I posted back on September 7 when the breach was announced, please be sure to closely monitor your credit and seriously consider freezing your credit reports with all three credit reporting firms as proactive steps to reduce risk of identity theft. A great article on the credit freeze process is available at https://clark.com/personal-finance-credit/credit-freeze-and-thaw-guide/. A credit freeze is a viable risk reduction method not a panacea. Rather a freeze placed with all three credit reporting agencies is a protective measure that people may wish to consider. As always, risks can only be reduced not eliminated. Awareness and monitoring are vital. A freeze helps empower people actively protect themselves. Further, massive data exposures tend to increase phishing, social media manipulation attempts, ransomware chicanery, credential theft, malware and other nefarious shenanigans. Dark Web searches if done properly and securely may have merit but please consider only highly rated and well respected firms for such searches, and thoroughly vet a Dark Web search provider and their methodology before proceeding.
Product Mgmt, AI/Mach Learning, Cyber-security, Intelligence Analytics, Risk, Compliance
7 年John, great article. Like some, I have had my credit frozen for years. In light of the most recent breach, I un-froze and then re-froze my credit with Equifax to generate a new PIN in the event that the hackers might have previously generated PINs as well. In addition, I took the time to work with my family to get each of their credit reports frozen on all three agencies. It's better to have some personal control of our credit. Again, great article.
Senior Linux Administrator
7 年Yogesh Gupta, CISSP?? CCSP
Global Expansion | Robotic Process Automation, AI & ML - Strategic Consulting | Implementation | Building Partners
7 年Interesting and strongly detailed. sharing it on my page and tweeting the link. Thanks John for sharing the article.