THE SURFACE WEB, THE DARK WEB, AND WHAT LIES BENEATH
How agents can keep their clients’ data from ending up in this ominous netherworld
How much do you know about the Dark Web? Have you even heard of it? Could any of your personal information—or worse yet, your clients’ data—have found its way into this digital black hole? Recently Rough Notes spoke with Steve Robinson, national cyber practice leader at Risk Placement Services, Inc., about an informative article he co-wrote for an in-house publication with his colleague Dean Goodwin, marketing manager at RPS Technology and Cyber. Risk Placement Services, Inc., is a national general agent/underwriting manager and wholesale broker.
Here we present Goodwin and Robinson’s original article, lightly edited for style, followed by excerpts of our interview with Robinson in which he offered guidance to help agents and brokers protect their clients’ data and keep it from ending up on the Dark Web.
The movie Jaws was, and still is, one of the scariest movies of all time. The director, Steven Spielberg, knew that we are most frightened of the unknown—the audience never sees the giant shark until the end. As the movie progresses, our mind knows there is a shark under the water; we have an idea of what he might look like and how big he is, but our imagination creates a scarier creature than the special effects crew ever could.
When we think of the Dark Web, our mind conjures a place full of frightening criminal activity. While there are literally thousands of pages full of all the bad stuff we can imagine, people also use the Dark Web simply to access the internet. In countries with government eavesdropping or where internet activity is criminalized, the Dark Web holds one main draw, which is also its greatest fault: It allows people to search the internet anonymously, meaning they also can purchase things anonymously. It has become the premier cyber black market.
On the Dark Web, URLs end in “.onion” to indicate that they are housed on the Dark Web and can be accessed by a special browser called TOR (The Onion Router). Once you enter TOR, the traffic to and from your computer is routed through multiple servers in multiple countries to preserve anonymity.
To further explore, we need to better understand the complexity of the World Wide Web as a whole. There are two distinct layers (Surface Web and Deep Web), and they are differentiated by the way in which their web pages can be accessed, viewed, and shared by users.
The Surface Web. Everyone knows about the Surface Web. When you Google for info, search for travel deals, or look for new online music, you are employing the services of search engines that crawl the Surface Web to give you a list of related sites. Currently there are about 1.5 billion registered domains on the Surface Web. The Deep Web, however, is 5,000 times larger than the Surface Web. In our daily Googling lives, we are aware of only 10% of the actual web; 90% is below the surface in the Deep Web.
The Deep Web. When you find web pages that a typical search engine can’t access, you’re using the Deep Web. This sounds intimidating, but believe it or not, you use it every day. When you search for a vacation home or compare flight prices, you’re using the Deep Web. When you log in to your email account, online bank account, or shopping account, you’re using the Deep Web. That information won’t show up on a search engine, and that’s a good thing. If someone Googled your name, you would not want your banking information or shopping wish list showing up in results. This information is meant to be private, so sensitive web pages aren’t crawled by search engines.
The Dark Web. Here is where things turn frightening. Downloading the TOR browser will take you to the deepest part of the internet. According to CSOonline.com, the kinds of sites most commonly associated with the Dark Web are marketplaces where drugs, firearms, passports, and radical religious propaganda are bought and sold with Bitcoin. In addition, sites to hire hitmen, engage in human trafficking, view underage pornography, and exchange videos that would disgust and terrify the average person are readily accessible. Edward Snowden used TOR to store the sensitive documents he stole from the National Security Agency. The Ashley Madison files also were stored on a site accessible only to TOR users. Of particular concern to businesses is access to stolen credit card numbers, corporate access credentials, and millions of files of personally identifiable information (PII) that are available for purchase on the Dark Web.
Should you explore the Dark Web to be sure your information hasn’t been comprised? In a word, no. Many service providers will monitor the web for you, or you can use services like Experian, QuickBooks, and TruthFinder to scour the Dark Web for you. The best defense, however, is a good offense. Use the info below to help protect yourself and your business.
Assume you will be breached. Sooner or later hackers will try to attack you. In the past, hackers used to target large enterprises. While that is still the case, today small and medium-sized companies and even individuals are considered lucrative and easier targets. If you prepare for a data breach, you can create more effective safeguards to make your data harder to interpret.
Have a plan. If your data ends up on the Dark Web, you need to plan to minimize the negative consequences. Evaluate particular risks to your business and create a step-by-step plan that includes an updated and robust cyber liability policy. The very act of obtaining coverage, and the resources a policy like this will provide, are invaluable. Otherwise, when a breach happens you will lose valuable time trying to figure out your next step.
If you simply cannot help yourself and you must download the TOR browser “just to see what this is all about,” please know that although your internet service provider and the government might not be able to view your activity when you are on the TOR network, they do know you are on the network. In fact, according to the international newspaper The Guardian, the U.S. Supreme Court ruled that simply using TOR was sufficient probable cause for law enforcement to search and seize any computer around the world, including yours. Please surf safely!
Helping Agents Prepare and Protect:
Q&A with Rough Notes
RN: Insurance agencies store a large amount of personally identifiable information on their servers. How would you characterize agency owners’ level of awareness of the Dark Web?
Robinson: For most agency owners, I think the Dark Web is essentially a mythical place. Maybe they’ve heard of it, but most owners have very little knowledge of its capabilities and the influence it has on cyber-crime activities. We hear a lot of commercials on radio and TV about the Dark Web, and the general understanding seems to be “that’s where the bad guys are; I don’t know a lot about it, but I want to stay away from it.”
RN: How could an agency’s data end up on the Dark Web?
Robinson: The Dark Web is a virtual marketplace for buying and selling data that’s been obtained illegally or data that’s been obtained legally but published illegally. An employee who has access credentials may have ill intent and may post the agency’s data on the Dark Web where the business of monetizing stolen data is transacted.
RN: What specific steps can an agency owner take to protect its data and prevent it from ending up on the Dark Web?
Robinson: While there is no such thing as absolute certainty, we offer ten steps to help owners safeguard their data.
Security starts at the top—the agency owner has to be a part of the process and ensure that data security is a priority.
Make sure you partner with a competent IT security firm to help you set an information security strategy, implement it, and assemble your internal response team. We rightfully spend so much time, energy, money, and resources on risk management in other areas—physical security of our buildings, severe weather preparation and training, sexual harassment and other employment-related issues. IT security must enjoy the same level of importance organizationally, in terms of both time and money invested.
From an IT/operations perspective, the ten steps include:
- Patching system. Be sure to have one automated to keep your applications protected and up-to-date.
- Firewalls. Ensure that they are installed at all ingress/egress points.
- Email security. Identify emails from outside the organization, use dual factor authentication for remote access, and don’t assume email is confidential.
- Web browsing security. Blacklist sites that should not be accessed; block categories related to gambling, hacking, illegal downloads, malware, phishing attacks, potentially harmful domains; establish social media rules.
- Control administrative rights. Remove admin rights to all standard user accounts, discontinue access for terminated employees, and remember that no one should log in to the system with elevated permissions to check email or browse the web, as this could leave the door wide open to the most sensitive areas of your network.
- Password management. Require eight or more characters; create strong passwords and change them frequently; change all default passwords, including those for routers, firewalls, computers, phones/voicemail, IoT devices, and so on.
- Backups. These should be located off-site and segregated from your network; be sure to test them regularly! Don’t be reliant on a single vendor. If you host all of your data in the cloud, have a backup plan. What if your backup data is compromised?
- Vulnerability scanning and third-party penetration testing. These should go beyond the free, publicly available, nonintrusive scans. This is a deeper dive that should involve testing by various means, including social engineering that brings into play the human element (not just network-related pen testing).
- Inventory management. Perform checks regularly of all hardware, software, and mobile device management.
- Personnel training. Incorpo-rate phishing simulations (both for money and for network credentials); email etiquette (encryption, etc.); social media do’s and don’ts; basic data hygiene, and physical premises security of IT assets.
For more information:
Risk Placement Services, Inc.