
State of Cybersecurity Industry Exposure at Dark Web - keydutch
https://www.immuniweb.com/blog/state-cybersecurity-dark-web-exposure.html
======
HelloThur
"97% of companies have data leaks and other security incidents exposed on the
Dark Web" \- Bold claims. Do you have any proof of this? Such as redacted
screenshots or examples of these leaks?

The article shows lots of stats, but no real evidence.

~~~
resfirestar
It looks like it’s based on looking for the companies’ domains in password and
data dumps, in which case 97% is utterly unsurprising and I bet the 3% are
just too new to have had any users in a major breach.

~~~
duxup
How exactly does that work though?

I'm not convinced that every name in a data dump indicates a breach at a given
company.

My thinking:

If someone gets a hold of a huge list of usernames and passwords from
bobcompany.com, and then spams numerous sites with those logins to see if they
work elsewhere ... and finds that a few work on joecompany.com then puts out
that data.... joecompany.com might have their name listed somewhere in
someone's data dump, but they didn't have a breach...

~~~
resfirestar
> I'm not convinced that every name in a data dump indicates a breach at a
> given company

It doesn’t, the article is marketing bullshit trying to push a dark web
monitoring service.

That’s not to say you’d never be interested in these breaches: if joecompany
has employees who reuse or iterate (Summer2020 -> Fall2020) their passwords, a
breach at bobcompany that includes joecompany employees could give an attacker
their first valid login.

~~~
tialaramex
The correct things to do about this problem don't require even knowing the
breach exists, let alone getting somebody to tell you the details though.

You need to do MFA for everything that matters. Passwords are crap, you may
not be able to mandate that your customers start caring about that (though you
should offer them better alternatives) but you can enforce it for your
employees.

Require WebAuthn everywhere. Issue employees a suitable authenticator if they
don't have one (iOS 14 will make newer iPhones a suitable device, high end
Android phones are also suitable) and avoid mechanisms to let an employee
subvert this requirement. Now you literally don't care if your employees
choose crappy passwords (which they will) because it has no security impact.

~~~
resfirestar
That’s great if you can do it, unfortunately companies with big slow IT
departments that don’t like making changes they didn’t ask for tend to see
“MFA on all remote services” as a multi year project and widespread use of
hardware tokens as impossible. For companies in that situation using something
like the HIBP domain notifications can be helpful.

When MFA is in place you still have to keep loopholes in mind, things I’ve
seen recently at various companies include a user blindly approving Duo
prompts and letting an attacker on to the VPN, a Fortinet appliance that was
supposed to be decommissioned a year ago that wasn’t, allowing an attacker to
log in with credentials stolen previously, and legacy HTTP basic auth in
Office 365, which bypasses MFA unless it’s disabled.

~~~
tialaramex
> include a user blindly approving Duo prompts

Sure, one of the reasons I specified WebAuthn is that intuitive security
properties tie up better. Users have seen keys before, if I give Bob this
Security Key, obviously Bob can unlock the same things as I could with the
Security Key. Whereas a lot of these other technologies are a bit abstract - I
should fill this six digit code into _this_ web site but not any other web
site? The phone might give me a Duo prompt out of the blue but I _shouldn't_
say yes?

Actually WebAuthn's Security Keys have behaviour that matches people's
intuitive understanding of actual keys somewhat better than the actual keys
do. If I examine the lock I can make a key for it! If I see one key, I can use
that to make more keys that all work! These are properties of real mechanical
keys that surprise users but aren't present in WebAuthn's Security Keys.

------
bikingbismuth
Any company that is trying to sell automated dark web scraping is selling
snake oil. Many of the 'legit' places to purchase stolen data have vetting
procedures before a person is allowed to participate in (or even view) the
marketplace.

There are a few companies that have analysts that are in these marketplaces,
and they provide actionable intelligence, but they are not cheap.

~~~
bob33212
There are many CIOs at small/medium companies who don't understand any of this
and will pay because it makes them feel better.

------
ec664
While the evidence is light, is anyone surprised if this is true? My
experience is that most cybersecurity firms are only slightly better than
other enterprises. They often have lofty standards that they themselves don't
follow.

They also have professional service arms that are similar to the rest of the
industry: a handful of senior people and an army of junior engineers who bias
towards velocity over quality (i.e. take shortcuts that can lead to data
exposure and other issues)

~~~
duxup
I know an attorney who was quite capable legally and with tech and spent his
career in both. He ended up at a legal organization that also dealt with
security.

The cybersecurity industry is absolutely full of crappy security companies
worth jack squat. The legal industry is full of Luddites.

Being capable in both areas = some serious demand / profit.

~~~
roel_v
Yeah I don't really agree. I have both software engineering and law degrees
and would love to do something on the nexus tech/law/security but there are
very few jobs where deep knowledge of several is a real plus. It's at best an
'oh that's nice' level thing. I'm open to jobs in the south of The
Netherlands, eastern Belgium or western Germany if anyone is looking :)

~~~
duxup
I think the lack of demand on an individual level is different as companies
don't value it.

But when companies need help and they look to an outside company to come in
and help, then they're willing to pay incredible amounts.

------
wp381640
It comes up with 130 high risk events for ycombinator.com [0](accounts with
plain text passwords) and 294 medium risk events (accounts with encrypted
passwords)

This feels like the sum of all the domain accounts from leaked breaches -
similar to Have I Been Pwned

Despite what the report says - you can't actually verify the data without
signing up to their service and doing the whole sales funnel thing

[0]
[https://www.immuniweb.com/radar/?id=kKhvrIhe](https://www.immuniweb.com/radar/?id=kKhvrIhe)

------
egberts1
I ran this ImmuniWeb test against my personal website with no cookies, no
login, no form nor JavaScript allowed.

Yet I, as a “CyberSecurity firm”, have “appeared” to have failed.

------
Molly555
What can I say. In general, it is not entirely clear which part of the dark
web is meant
[https://utopia.fans/networks/dark-web-vs-deep-web-what-is-each-and-how-do-they-work/](https://utopia.fans/networks/dark-web-vs-deep-web-what-is-each-and-how-do-they-work/)
and what could be safe there? No matter how you look, it is nevertheless an
undetected part of the Internet, and for the most part there are all sorts of
illegal things.

------
waihtis
There are so many "numbers" reports in the cybersecurity industry without any
kind of way for validating the claims that I think all of them have equal
value - close to zero.

The only source of truth in this industry is speaking with the "frontline" and
figuring out how things really are.

------
malware7
I have asked this in several forums but didn't get any satisfactory answer.

How does one get started in dark web monitoring for intelligence, like finding
these leaked databases or confirming/denying the reports of data leak in "the
dark web".

~~~
ramimac
Are you asking from a career or technical perspective?

This report isn't particularly technically complex, a majority of this sort of
leaked data is widely available on clearweb forums. The minority requires
building relationships and/or paying and/or developing a reputation that gets
you access to more exclusive forums or circles. You then have to regularly
crawl those forums, and avoid identification of your crawlers (as the more
exclusive forums/sites watch out for that sort of activity pattern). Then you
just index the data and can perform searches or analysis.

[https://scylla.sh/](https://scylla.sh/) is a free example covering just
breach data.

From a career perspective, this is a subset of threat intelligence. The more
interesting companies in this space often are leveraging military-style HumInt
to gain access to these marketplaces and data, and often have leadership from
that sort of military or government background. Most folks I'd assume are just
standard engineers however, as a majority of the work is probably not specific
to "dark web monitoring for intelligence."

