Do you receive email invitations to participate in industry surveys, where you're invited to complete an online survey that will report industry trends, the state of industry, industry demographics, or similar findings?
Have you completed these for the report or a prize?
Have you assessed the risk such participation creates for your organization?
You oughta have a policy for this
Industry surveys are often designed with good intentions. They typically seek to help an organization understand how its policies, practices, and staffing compare to other similarly sized organizations. To make credible findings, surveys may ask for the
- size of your organization and industry segment,
- locations of your offices,
- size or composition of your network,
- security measures you have deployed (e.g., firewalls, IDS/IPS, IDM),
- size and the level of maturity of your IT or security staff,
- IT or security budget,
- services, if any, that you outsource...
Pause a moment to consider whether the responses to such questions yield intelligence that is different from the kind that a motivated attacker might attempt to gather. Is disclosing any of this information to third parties worth a report or access to a gated web site or a chance to win a chachka? (Please say no.)
A security-conscious organization should require a non-disclosure agreement before any disclosure of information of this kind. You should have a policy that explains the dangers of such disclosures.
And the dangers are?
Many surveys are conducted by reputable firms who offer assurances of confidentiality, that data will be anonymized, or that only aggregated results will be published. In a world where data protection is critical, you must also consider the risks associated with:
- sharing of your answers without your notice or consent,
- commercial use of your answers,
- data storage and retention practices and competency by the surveying organization,
- the possibility of a data breach of the surveying organization...
Look again at the kinds of data surveys seek and contemplate the risks that disclosures of these kinds pose.
Spearphishing is perhaps the greatest threat I can imagine. Consider what a marvelous phishing opportunity surveys of these kinds create:
- An attacker can register a domain name that is similar to the domain your organization uses to solicit responses.
- The attacker can visit, copy, and host an impersonation survey site for his phishing purposes.
- He can alter the survey so that organization identity or other "organizational identifying data" is collected along with the information the legitimate survey asks for, and he can add questions requesting further infrastructure details.
- With the impersonation survey site in place, the attacker can launch a spearphishing email campaign that is convincingly similar to a legitimate survey email campaign.
- Using conventional spearphishing tactics, the attacker can target an organization with a reasonable expectation that he'll receive multiple responses from admins of all levels among the recipients he spams.
The composite picture of an organization’s security practices, network operations or infrastructure could be quite comprehensive.
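One defensive control that follows from the scenario above is to screen inbound survey invitations for lookalike domains before anyone responds. The script below is an added illustration, not code from this post: it compares the sender domain and every link host in a message against a small allow-list (the organization's own domain plus vetted survey vendors) and flags domains that are within a couple of edits of a trusted one, reuse its name under another TLD, embed it as a hyphenated token, or use the trusted domain as a subdomain of something else. All domain names and the sample message are constructed placeholders; the "last two labels" registrable-domain guess is a simplification that a production filter would replace with a public-suffix list.

```python
"""Flag survey-invitation emails whose sender or link domains resemble, but are
not, domains the organization trusts.  Added illustration; the allow-list and
the sample message are constructed placeholders, not real vendors or real mail."""
import re
from urllib.parse import urlparse

# Constructed allow-list: the organization's own domain plus survey vendors it
# has vetted.  Placeholder names only.
TRUSTED_DOMAINS = {"example.org", "surveyvendor.example"}

LINK_RE = re.compile(r"https?://[^\s<>\"']+")
ADDR_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude registrable-domain guess: the last two labels.  Adequate for the
    placeholder names used here; use a public-suffix list in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2):
    """Return the trusted domain that `host` imitates, or None if `host` is
    either genuinely trusted or unrelated to anything on the allow-list."""
    host = host.lower().strip(".")
    reg = registrable(host)
    if reg in trusted:
        return None                              # own/vendor domain, incl. subdomains
    for t in sorted(trusted):
        t_name = t.split(".")[0]
        reg_name = reg.split(".")[0]
        if host.startswith(t + "."):             # trusted domain used as a subdomain
            return t
        if levenshtein(reg, t) <= max_dist:      # typo- or homoglyph-style swap
            return t
        if reg_name == t_name:                   # same name, different TLD
            return t
        if t_name in reg_name.split("-"):        # trusted name as a hyphenated token
            return t
    return None


def assess_message(sender: str, body: str):
    """Collect every domain in the From address and in links in the body and
    return [(domain, trusted_domain_it_resembles), ...] for the lookalikes."""
    domains = set(ADDR_RE.findall(sender))
    for url in LINK_RE.findall(body):
        h = urlparse(url).hostname
        if h:
            domains.add(h)
    findings = []
    for d in sorted(domains):
        t = lookalike_of(d)
        if t:
            findings.append((d, t))
    return findings


# Constructed sample invitation, not a real message.
SAMPLE_SENDER = "IT Benchmark Team <invite@examp1e.org>"
SAMPLE_BODY = (
    "Complete our security benchmark survey:\n"
    "https://surveyvendor.example.attacker-host.test/s/benchmark\n"
    "Questions? See https://surveyvendor.example/help\n"
)

if __name__ == "__main__":
    for dom, t in assess_message(SAMPLE_SENDER, SAMPLE_BODY):
        print(f"LOOKALIKE {dom} -> imitates {t}")
```

Run as a mail-gateway or help-desk triage step, a hit on either the sender or a link host is reason to hold the message and verify the survey through a channel the organization already trusts (the vendor's known contact or your own IT security team) rather than through the invitation itself. The allow-list is the policy artifact this post argues for: if a survey vendor is not on it, the default answer is not to respond.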
Takeaway: eyes wide open
That IT or security staff would respond to surveys that seek detailed information about security or network practices or programs is IMO a sad measure of how poorly information security is practiced. Participate in surveys if you must, but make risk-aware choices when you do.