What is the Email Exposure Check Pro (EEC Pro)?
Email Exposure Checks (EEC Pro) are special searches done by KnowBe4 to help organizations understand what kind of information is publicly-available about their users. The information we gather is scraped from social media sites, past data breaches, documents and files posted on the web, and more.
Once this information about your users is available on the internet and the bad guys have obtained it, your users and your organization are vulnerable to an attack. It is vital you train all of your users with security awareness training, teach them to change their passwords regularly and use smart password practices, and enable two-factor authentication whenever possible.
We believe knowledge is power, and by using the EEC Pro, you can better understand the attack surface of your organization.
You can sign up for an EEC Pro analysis here.
JUMP TO:
What does the EEC Pro search for?
Analyzing your results
Risk distribution explanation
What is a data breach?
How does KnowBe4 get data breach information?
What should I do with this information?
How do I notify users that their information was compromised in a breach?
What if the users on the report are not actual users at my organization?
How can I remove publicly-available information from the internet?
What Does the EEC Pro Search For?
The EEC Pro searches the web for any information it can find about your users. The search includes:
- DATA BREACHES, to see if your users have been exposed in past data breaches.
- The report also includes the category of information that was exposed in those data breaches, such as usernames, passwords, and other sensitive information.
- Publicly-available FORUMS and ARCHIVES, as well as publicly-available FILES and DOCUMENTS, including PDF, DOC, DOCX, XML, HTML, RTF, ODT, and Pages file types.
- An excessive amount of available user or organization information online can be used by attackers to help identify your organizational structure for targeted social engineering or phishing attacks.
- SOCIAL MEDIA, to see what information your users are making available to potential attackers through their social media presence.
- Users who post detailed information on social media may be more likely to receive highly-targeted social engineering (or spear-phishing) attacks. The availability of this information increases the likelihood a cybercriminal will be able to craft a very personalized attack.
The EEC Pro analysis will be delivered to you via email and will include an attached PDF report as well as a website where you can view further information.
If you haven't tried the EEC Pro yet and would like to, you can sign up here.
Analyzing Your Results
The PDF report you will receive via email will contain a summary of the data that was gathered about your users. For additional information and details on what type of information was found, you'll want to visit the website included in your EEC Pro email. Click the "Click here to view EEC Pro results" link within the email you received to do so.
Your PDF and website report will include:
- Your organization's Exposure Factor
- The Exposure Factor is the percentage of how many of your users were found to be exposed online versus the number of employees you have.
- The number of Unique Breaches your users were found in
- See below for additional information about where we obtain our data breach information.
- The number of user Identities found
- This is based on the social media presence we found for your users.
- The number of user Emails discovered
- This is the total number of email addresses at your organization that the EEC Pro gathered.
- A "Risk Distribution" pie chart displaying how many of your users were deemed to be Very High Risk, High Risk, or Medium Risk
- For an explanation of the levels of risk indicated, see our Risk Distribution Explanation section below.
How do you calculate the Exposure Factor?
The calculation is equal to:
The number of emails found + the number of identities found divided by the number of users in your organization.
On the website report, each of the entries may be clicked to drop-down additional information about that particular entry. For example, on VERY HIGH RISK user entries, you'll be able to see details on the breach that user was found to be a part of.
On the website report, you can also download a CSV report of your analysis or delete your report.
Risk Distribution Explanation
Users are placed in a single Risk Distribution group based on how much data was gathered. A description of each is below.
- VERY HIGH RISK
- Users were found in publicly-available breaches that contain either cleartext passwords or password hashes. Credential information such as this makes these users prime targets for attackers who may be able to use this data to gain unauthorized access to systems. The breach may also contain sensitive personal information that can be used for social engineering.
- HIGH RISK
- Results were found in publicly-available breaches that could contain sensitive personal information. This information can be used to create a sophisticated social engineering attack against individuals or an organization.
- MEDIUM RISK
What is a data breach?
A breach occurs when a hacker illegally gathers private data from a system or network, typically by exploiting an existing software vulnerability. There have been monumental data breaches in the recent past, exposing millions (or more) of user accounts and details, credit card numbers, and other sensitive or private information.
How does KnowBe4 get data breach information?
KnowBe4 partners with HaveIBeenPwned.com to search past breaches and determine what user accounts in your organization may have been compromised. HaveIBeenPwned is a well-respected online resource which specializes in allowing users to search for their email address to see if their information has been made available in past data breaches.
What should I do with the information in the EEC?
The EEC can empower you with the knowledge you need to strengthen the cybersecurity of your organization. An excess of user information on the internet will leave both your users and your organization vulnerable to a cyber attack. For suggestions on what to tell your users if you choose to notify them of a breach, see How do I notify users that their information was compromised in a breach? below.
Therefore, it is vital you do all of the following steps to protect your organization: You'll want to 1) train your users, 2) have high-risk users change their passwords, and 3) have high-risk users enable two-factor authentication.
1) Train Your Users
The emails reported in the EEC are all possible high-risk phishing targets. Anything we’re returning to you in the EEC is publicly-available, meaning programs written to scrape email addresses or information will be able to gather this information as well. You should enroll your high-risk phishing targets in security awareness training and phishing campaigns immediately to ensure they have the skills they need to become a strong human firewall for your organization. We can help with this!
You could even craft specially-targeted phishing emails that reflect the breach your users were a part of. We have a built-in phishing template category for this purpose, the Data Breach category. See: How to Use the Data Breach Category
2) Password Changes
If you find users have been part of data breaches (with their email addresses identified in the EEC Pro report's "very high risk" or "high risk" categories) you can contact them privately and let them know, in case they are still using the same passwords from when the data breach occurred. Many users also use the same password on multiple websites, so they should consider changing their password for all accounts where they've used the same password.
3) Two-Factor Authentication
In addition to having your high-risk users change their passwords, they should also enable two-factor or multifactor authentication on accounts whenever possible, requiring a second authentication step (such as entering a code they've received in an SMS text) before being able to log in. This provides another layer of security to prevent the bad guys from accessing their private information.
How do I notify users that their information was compromised in a breach?
If one or more of your users was found to be compromised in a breach, you may want to reach out to them and let them know. We recommend that you tell them to update their passwords and to set up two-factor or multi-factor authentication for their various online accounts. Below is a template you can use as a starting base for when you'd like to notify users of a breach. Make sure you read through the template and change any variables before you send it to your user.
Hello [name],
We have discovered that some of your information was exposed in a data breach. A data breach is when secure information is taken from a trusted environment without permission. This does not mean that your data or identity was compromised, only that it is accessible to people who may want to use it for their own interests. However, you can take steps to lessen the damage and keep your data safe.
At a minimum, we strongly recommend changing your passwords for your various online accounts immediately. You may also want to look into two-factor or multi-factor authentication such as [insert recommendation] or even a password manager such as [insert recommendation] for an extra layer of security.
Please be aware that when your information is part of a data breach, cybercriminals may use this information to trick you as part of a targeted phishing attack. These attacks are only successful if we fall for them. Stay alert and be cautious.
What if the users or emails listed on the report are not actual users or email addresses at my organization?
You may find that the users that are showing up are no longer employed at the organization or that the email addresses found are not valid email addresses for your domain (For example, expired email addresses, incorrect email addresses, or commonly, publicly-available email addresses such as “employment@yourdomain.com” or “support@yourdomain.com”). This is normal for many organizations.
Because the EEC Pro is a web crawler and does not interpret the data it gathers, you may occasionally see inapplicable entries depending on where the data was acquired.
If you'd like, you can choose to use one of these old or invalid email addresses as a “honeypot” email address, letting you analyze what types of malicious emails may be coming into your organization. This can help you stay aware of the types of attacks or phishing emails your users may be receiving at your other, valid email addresses.
How can I remove publicly-available information from the internet?
You may find that some of the information we’re returning has originated from your own organization’s website. If you wish, you can remove this information yourself--however, this is entirely your decision.
If external sites are posting data about your users and you'd like to have it removed, we recommend you contact the site owners of those external sites. If you cannot get these emails removed, then you now know which emails you need to be aware of that will be high-risk phishing targets. You could perhaps deactivate these addresses or notify the users of those addresses that they may be subject to an increased amount of phishing and email-based attacks.
If you find that your users are exposing too much data about themselves on social media, you can enroll them in specialized security awareness training so they can understand the need to be protective of their personal information online.
Comments
0 comments
Article is closed for comments.