Boyce, VA 22620
540.850.4226
contact@db-c2.com

Dark Web Monitoring FAQ

As an expert in the cybersecurity profession, I have compiled some of the most commonly asked questions about Dark Web Monitoring, along with our explanations and recommendations:

“What does this data mean?”

Typically, this data means that an employee used their work email as a user login on a third-party website, that website got breached, and the logins and passwords of that website are now compromised. So ultimately what is compromised is their work email along with a password.

“My client already has two-factor authentication; why do they need this service?”

    • Although most web services offer two-factor authentication or 2FA, the strength and security vary.
    • Weaker implementations are easy for hackers to bypass by intercepting codes or exploiting account recovery systems.
      Most of the problems center on the fact that if an attacker breaks through anything adjacent to the 2FA login (the account-recovery process, trusted devices, or the underlying carrier account), they are into the system anyway.
    • The weakest point for 2FA is the wireless carrier (who can be breached) and the mobile device (which can be hacked).

“That is not my current password, I don’t use it anymore.”

This report provides historical as well as live real-time data. At one point in time, there was risk associated with these credentials and there could still be. 39% of adults in the U.S. are using the same or very similar passwords for multiple online sources. These passwords (whether active or not) are being used in phishing exercises and can be very compelling.

“That email is not someone who works at my organization.”

An email address that is either not a valid email within the organization, or a “fake email” (e.g., j12345@organization.com), may be a signal that the cyber handler/criminal is attempting a phishing attack on the organization. This is absolutely a reason for concern, as it makes it clear there has been an active attempt at an attack!

Email addresses discovered in the wild may not have ever existed on the Organization’s mail server. Let’s say that these email addresses were used to create accounts on some other service and it’s that other service that is breached and the source of the Compromises. From our perspective, we can’t determine if the email addresses we find in the wild are actual email addresses and therefore we report them.
Notes or comments regarding the credential or credential owner may also appear in our findings. For example, we’ve seen phone number and gender in the password field. While such a finding may not contain a password, the presence of the personal information in the record is still a valid finding as aggregated data is used to commit identity theft and fraud.

“Why is there no password listed?”

We pull in very large data sets that include passwords. Sometimes a variety of credentials in those data sets do not include passwords, while in other cases several categories of PII (Personally Identifiable Information) may have been exposed (e.g., name, DOB, address, SSN).

“Why does the PII matter in lieu of the password?”

Often, the categories of PII are extremely sensitive and may include credit card information or home addresses. These can be catastrophic to the individual.

“I just don’t see the value of continuous monitoring.”

As a cybersecurity expert, I believe continuous monitoring acts like an early warning system by helping to mitigate the effects caused by a breach. We will be here to help you in case of any breach-related damage, but knowing about it early or preventing it altogether is always a better launching point to ensure you are able to do what you do best <Insert Discipline: providing stellar legal service, keeping the community healthy, etc.>.

“What is the difference between your service and Haveibeenpwned.com?”

Haveibeenpwned (HIBP) is a free service available to anyone. It is critical to understand these two main points:

    • They DO NOT include passwords, which makes it impossible to verify the data for your customers.
    • The owner of HIBP, Troy Hunt, publicly admits via his blog:

“It should be abundantly clear from this post, but let me explicitly state it anyway: I have no idea how many of these are legitimate, how many are partially correct and how many are outright fabricated.”

    • We can also provide PII if you require.