Max Hemingway

~ Musings as I work through life, career and everything.

Tag Archives: Security

Building Cyber Resilience: Enterprise Architecture and ArchiMate for Strategic Security

14 Tuesday Oct 2025

Posted by Max Hemingway in ArchiMate, Enterprise Architecture, Security

Tags

AI, ArchiMate, business, cybersecurity, Enterprise Architecture, Security, technology

The Boardroom Imperative

The NCSC Annual Review 2025 serves as a powerful reminder that cyber risk is no longer confined to the IT department. Instead, it has become a critical issue that demands attention at the highest levels of leadership. The NCSC report emphatically urges decision-makers to “open your eyes to the imminent risk to your economic security.” It makes clear that cyber incidents have the potential to disrupt essential operations, inflict lasting reputational damage and result in significant financial and legal repercussions.

In an environment where threats are ever-present and the risk of future threats is growing rapidly, true organisational resilience depends on strategic foresight, thorough preparation and the capacity to recover effectively from attacks.

The pressing question, then, is how organisations can translate these warnings and insights into practical action. A compelling solution lies in the adoption of robust Enterprise Architecture practices. Specifically, the use of ArchiMate enables organisations to systematically document their enterprise landscape and the relationships between systems, providing the clarity needed to strengthen resilience.

Enterprise Architecture: A Blueprint for Cyber Resilience

The NCSC report makes it clear: cyber security is now critical to business longevity and success. It is not just about technology anymore. It is about understanding how your organisation operates, how systems interact and where vulnerabilities lie. The report calls for all business leaders to take responsibility for their organisation’s cyber resilience, moving beyond technical silos to a holistic, strategic approach.

Enterprise Architecture provides the blueprint for this approach. It helps organisations map out their business processes, applications, data and technology infrastructure. By visualising these elements and their interconnections, leaders can take meaningful steps towards resilience.

Key Benefits of Enterprise Architecture for Cyber Resilience

  • Identify critical assets and dependencies
  • Assess risk exposure across the enterprise
  • Plan for continuity and rapid recovery
  • Communicate cyber risk in business terms

ArchiMate: Documenting the Enterprise

ArchiMate is an open and widely adopted modelling language specifically designed for enterprise architecture. It allows organisations to create clear and consistent diagrams that illustrate how business processes, application landscapes, and technology layers align and interact with one another.

Using ArchiMate, organisations can achieve several key objectives:

Model business processes and their supporting systems – Providing a structured view of how core operations are underpinned by technology.

Map data flows and integrations between applications – Offering clarity on how information moves throughout the organisation and where potential integration points or vulnerabilities may exist.

Visualise technology infrastructure and network boundaries – Enabling a comprehensive understanding of the technology landscape and its security perimeters.

Document relationships and dependencies between systems – Ensuring that all critical interconnections and dependencies are recorded, which is essential for risk assessment and resilience planning.

This approach is particularly important in the context of cyber resilience. The NCSC report underscores that attackers often exploit the complexity and interconnectedness of systems. Without a clear understanding of how systems depend on and relate to each other, organisations risk overlooking critical vulnerabilities or being unable to recover swiftly from security incidents.

Source of diagram: https://www.opengroup.org/archimate%C2%AE-forum-0

The Importance of Documenting Relationships

The NCSC Annual Review emphasises that resilience extends beyond mere prevention; it encompasses an organisation’s capacity to continue operating and to recover effectively after a disruptive incident. One crucial aspect of building such resilience is the thorough documentation of relationships between systems. This practice serves several essential purposes:

Risk Assessment – A clear understanding of how systems depend on one another is fundamental for identifying single points of failure as well as recognising where cascading impacts may arise. By mapping out these dependencies, organisations can better anticipate and manage risks that might jeopardise operational continuity.

Incident Response – In the event of a cyberattack or other disruptive incident, having documented knowledge of system interconnections allows for quicker isolation and containment of threats. This, in turn, enables a more efficient recovery process, minimising downtime and damage.

Compliance and Governance – With regulatory bodies increasingly demanding proof of robust cyber risk management, having comprehensive documentation of system architecture provides the necessary assurance. It demonstrates a proactive approach to governance and supports compliance with industry standards.

Continuous Improvement – The technology landscape and threat environment are constantly evolving. Maintaining up-to-date architecture documentation ensures that organisations remain agile, capable of adapting to new risks, and able to reinforce their defences as needed.

Identification of Organisational and Technical Debt – Documenting relationships also helps in pinpointing areas of organisational and technical debt. This awareness is vital for planning improvements and ensuring that legacy issues do not compromise cyber resilience.
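The Risk Assessment and Incident Response purposes above (and the later advice to pay particular attention to legacy and third-party connections) come down to one question: if this element fails, which business processes stop? The following is an added example, not code from the post or from The Open Group, that answers it over a constructed three-layer model (technology nodes serving application components serving business processes, as in ArchiMate's layered views); the element names and the "serves" relation semantics are assumptions for illustration.

```python
"""Dependency analysis over a small ArchiMate-style model.

Added example, not from the post or from The Open Group. The model below is
constructed: three layers (technology nodes, application components, business
processes) joined by "serves" relations, as ArchiMate's layered views do.
"""
from collections import defaultdict, deque

# Constructed sample model: (source, relation, target).
# "X serves Y" means Y depends on X, so a failed X impacts Y.
MODEL = [
    ("Node: DB Cluster", "serves", "App: Order Service"),
    ("Node: DB Cluster", "serves", "App: Billing Service"),
    ("Node: App Server A", "serves", "App: Order Service"),
    ("Node: App Server B", "serves", "App: Billing Service"),
    ("Node: Legacy Mainframe", "serves", "App: Stock Ledger"),
    ("Ext: Payment Gateway", "serves", "App: Billing Service"),
    ("Node: Web Tier", "serves", "App: Customer Portal"),
    ("App: Order Service", "serves", "Process: Take Order"),
    ("App: Stock Ledger", "serves", "Process: Take Order"),
    ("App: Order Service", "serves", "Process: Invoice Customer"),
    ("App: Billing Service", "serves", "Process: Invoice Customer"),
    ("App: Customer Portal", "serves", "Process: Customer Self-Service"),
]


def build_graph(model):
    """Adjacency map: element -> set of elements that depend on it."""
    graph = defaultdict(set)
    for src, rel, dst in model:
        if rel == "serves":
            graph[src].add(dst)
    return graph


def impacted(graph, failed):
    """Everything transitively downstream of `failed` (the cascading impact)."""
    seen, queue = set(), deque([failed])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def impacted_processes(graph, failed):
    """Business processes that stop if `failed` is lost, sorted by name."""
    return sorted(e for e in impacted(graph, failed) if e.startswith("Process: "))


def rank_by_blast_radius(graph):
    """Non-process elements ordered by how many processes their loss takes down.

    The top of this list is where resilience effort should go first; an element
    here with no redundancy modelled is a single point of failure.
    """
    radius = {e: len(impacted_processes(graph, e)) for e in graph}
    return sorted(radius.items(), key=lambda kv: (-kv[1], kv[0]))


def legacy_and_external(graph):
    """Legacy and third-party elements with the processes they can take down."""
    return {
        e: impacted_processes(graph, e)
        for e in sorted(graph)
        if e.startswith("Ext: ") or "Legacy" in e
    }


if __name__ == "__main__":
    g = build_graph(MODEL)
    for element, n in rank_by_blast_radius(g):
        print(f"{n} process(es) impacted by loss of {element}: "
              f"{', '.join(impacted_processes(g, element))}")
    print("Legacy/third-party watch list:", legacy_and_external(g))
```

Swap in an export of your own model's "serves" relations to get the same ranking for your estate; the report is only as good as the documented relationships, which is the post's point.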

Practical Steps for Enhancing Cyber Resilience

The following practical steps outline how to leverage enterprise architecture tools and the ArchiMate framework to strengthen your organisation’s defences:

Utilise Enterprise Architects and Tooling – A good Enterprise Architect understands how to get the best out of modelling a business and systems. Use Enterprise Architecture tools such as ArchiMate to streamline the process of mapping and documenting your organisation’s systems and their interconnections.

Start with a Baseline – Begin by creating a high-level overview of your organisation’s business processes, applications, and underlying technology. This baseline serves as the foundation for understanding how different elements interact and where vulnerabilities may exist.

Identify Relationships – Carefully document all integrations, data flows, and dependencies within your system architecture. Pay particular attention to legacy systems and third-party connections, as these often present unique risks and challenges.

Assess and Prioritise – Use your architectural model to pinpoint critical assets. This enables you to prioritise resilience measures, ensuring that essential systems receive appropriate attention and protection.

Communicate – Share your documented architecture with key stakeholders, including board members, IT teams, and external partners. Clear communication ensures all parties are aware of the risks involved and the responsibilities required to mitigate them.

Review Regularly – Continuously update your system documentation to reflect changes in technology, emerging threats, and lessons learned from past incidents. Regular reviews ensure that your organisation remains prepared to adapt to an evolving threat landscape.

Keep a copy offline – Keep a copy of your models so that you can access them when you can't access your systems.

Further Reading / Sources

  • NCSC Annual Review 2025
  • BBC News: Cyber attack contingency plans should be put on paper, firms told
  • ArchiMate Library – The Open Group
  • ArchiMate Forum
  • TOGAF

Key Steps for a Successful Migration to Post-Quantum Cryptography

20 Thursday Mar 2025

Posted by Max Hemingway in Quantum, Security

Tags

AI, cybersecurity, Innovation, Quantum, quantum-computing, Security, technology

With quantum computing progressing, transitioning to post-quantum cryptography (PQC) is crucial. Quantum computers threaten current cryptographic systems by efficiently solving complex mathematical problems used in asymmetric Public Key Cryptography (PKC).

Post-Quantum Cryptography (PQC), or quantum-resistant cryptography, develops algorithms that are secure against attacks by quantum computers, using mathematical problems that quantum computers can't solve efficiently.

The NCSC (National Cyber Security Centre) has released the “Timelines for migration to post-quantum cryptography” today (20/03/25), detailing the steps organisations need to take to migrate to Post-Quantum Cryptography (PQC).

The national migration to PQC is a major technological shift that will take years and it is important that organisations start now. The NCSC provides guidance on early-stage migration activities and sets timelines for UK industry, government, and regulators. These timelines apply to all organisations, especially large ones, critical infrastructure operators, and those with custom IT systems.

Key Milestones

As highlighted in the report the key milestones are:

  • By 2028: Define migration goals, conduct a full discovery exercise, and build an initial migration plan.
  • By 2031: Carry out early, high-priority PQC migration activities and refine the migration plan.
  • By 2035: Complete the migration to PQC for all systems, services, and products.

Migration Strategy Selection

Organisations have several options for migration detailed in the report.

  • In-place migration: Replacing vulnerable PKC components with PQC equivalents.
  • Re-platform: Switching to a new or upgraded platform that supports PQC.
  • Retire the service: Setting a future date for withdrawal.
  • Tolerate the risk: Continuing to operate without mitigation.

What to do next?

The report highlights a series of steps you should take next, with an expected timeline of 2-3 years to migrate to PQC.

Given the intricacies involved in PQC migration, external help should be considered, through a company or consultancy with expertise in cryptographic assessments and migration strategies. They can provide invaluable support in several key areas:

  1. Comprehensive Assessment: Conducting a detailed discovery and assessment of your current cryptographic infrastructure, identifying vulnerabilities and dependencies that need to be addressed.
  2. Tailored Migration Plan: Developing a customised migration plan that aligns with your organisation’s specific needs and regulatory requirements. This plan will include timelines, resource allocation, and risk management strategies.
  3. Expert Recommendations: Leveraging deep knowledge of cryptographic technologies, they can recommend the most suitable PQC algorithms and protocols for your systems, and provide guidance on integrating these new technologies without disrupting your existing operations.
  4. Ongoing Support: Offering continuous support throughout the migration process, ensuring that your transition to PQC is seamless and that any issues are promptly addressed.

Are you considering PQC migration yet?

Further Reading

NCSC Report: Timelines for migration to post-quantum cryptography


Delving into the Digital Pantry: Another cookie in the jar

04 Thursday Jan 2024

Posted by Max Hemingway in Security, Tools

Tags

Security, Tools

A year ago I wrote about the hidden cost of reading articles and visiting websites. Cookies were created in 1994 by Lou Montulli, who was a web browser programmer at Netscape Communications at the time. Cookies are an important part of a site being able to provide information and help track a user purchasing items and store items in their basket. They also help provide marketing revenue for sites and clicks to products based on a user's usage habits.

However, 30 years on from the first cookie, is our relationship with cookies becoming more strained? 2024 will see more developments with cookies and with APIs as a replacement for them.

I regularly clear out my cookies via an automated task, so I get the inevitable popup and text asking me to accept cookies to proceed to the site I am on. Sites can create and track their own cookies, and some use third party tools and services to provide cookies and manage them.

Visiting a site, I get a popup asking me to share access to my device and data, allowing 1550 other companies to store and access cookies on my browser. This isn't really something I want to do, and they don't really have anything to do with the site I am visiting. Only the ability to Accept All is available and I do not really want to spend the time checking through 1550 partners to see what they really want to do on my device. No thanks. I will find the information or product via a different site that provides better options to manage these.

These services do have a Reject All option, but some sites choose not to display this ability.

Whilst there is a need for cookies, I can’t help but wonder how many people just click the accept all button and how many people will really sit and review the information on the 1550 partners that their data will be shared with?

The ICO has published guidelines on cookies, their use and the information that must be provided to the end users.

Browser companies have already started to block or phase out support for third party cookies for the past couple of years. The 4th January 2024 marks the start of Google starting to phase out the use of third party cookies, with a full phasing out by the end of Q3 2024.

Third-party cookies are the main mechanism that enables cross-site tracking. Several major browsers have either already placed restrictions on third-party cookies in some way or are planning to. Third-party cookies also enable many valid use cases, such as managing state in embedded content or enabling user sessions across multiple sites.

As part of the Privacy Sandbox project, Chrome is phasing out support for third-party cookies and proposing new functionality for cookies along with purpose-built APIs to continue supporting legitimate use cases while preserving user privacy. The phase out will be gradual and starts from January 4th, 2024 with disabling third-party cookies for 1% of users to facilitate testing.

Source: https://developers.google.com/privacy-sandbox/3pcd

2024 will be the year of change in the use of third party cookies.


The Intersection of Technology and Ethics

07 Tuesday Mar 2023

Posted by Max Hemingway in 21st Century Human, Digital, Security

Tags

21st Century Human, Ethics, Security

Technology has always brought ethical dilemmas throughout the ages, from the rise of machinery in cotton mills to facial recognition today. The rise of technology in modern society has also led to an increase in ethical dilemmas, challenging us to navigate the intersection of technology and ethics.

Our ability to report and consume information has made a lot of these dilemmas more visible to everyone and allowed society to debate them, as they can have significant implications for individuals, society, and the environment. As technology evolves it is important to consider the ethical implications and ensure they align with human values and benefit humanity.

Here are some of the ethical considerations of technology to consider:

Privacy: The collection, storage, and use of personal data are among the most significant ethical concerns in technology. Laws such as GDPR exist to help with this and help guide on what is and is not acceptable/possible.

Bias: The development and use of technology can perpetuate biases, such as gender or racial bias, and lead to discrimination. AI is a good example of this; it is essential to ensure that algorithms and technologies are developed and tested to prevent biases, align with ethical principles, and are fair in the decisions they make.

Impact on Jobs: Will AI take people's jobs? This is a topic I have blogged about before in “I lost my job to a robot”. The increasing use of artificial intelligence and automation raises questions about the impact on jobs and the workforce.

Cybersecurity: The more we store and use technology the more we can be vulnerable to cyber-attacks and data breaches, posing risks to individuals’ privacy and security. Good cybersecurity and good end user practices are key to the success of any technology.

Environmental impact: The production and disposal of technology can have significant environmental impacts, including pollution and waste. It’s crucial to prioritize sustainable practices, such as using eco-friendly materials and implementing recycling programs.

Autonomy: Technology can be used to monitor and control individuals, raising concerns about autonomy and individual rights. The news on facial recognition cameras at a location in London showed the impact this can have.

Access and Inequality: Technology can perpetuate existing social and economic inequalities by limiting access to technology and excluding marginalised groups. The digital divide between those that can readily access and those that can’t is a big problem for society today.

As technology develops it is important that we look to continually monitor the impacts and make adjustments to ensure that it aligns with ethical principles. Ultimately, technology is best placed to improve the human experience while considering the impact on society, the environment, and future generations.


“Digital Ash” – What we leave behind

22 Wednesday Feb 2023

Posted by Max Hemingway in 21st Century Human, Data, Security

Tags

21st Century Human, Data, Security

As technology continues to evolve, more and more of our lives are being lived online. We use social media to connect with friends and family, conduct business online, and even store important documents and memories. But what happens to all of this digital content when we die?

Recent experiences for me around this topic are the reason that I decided to write about it.

On some platforms it is now possible to assign trustees of the account who can deal with it when you are no longer able to. Other systems don’t, and the data just stays there.

The internet is full of “digital ash,” the digital remnants of our lives that we leave behind when we die. This digital content can include everything from social media profiles to email accounts, cloud storage, and more. The amount of content we leave grows on a daily basis as we live our normal lives.

Here are some important things to consider about digital ash:

Ownership

When we die, our digital assets still exist online. However, the ownership of these assets is often unclear. Depending on the platform, our digital content may be owned by the platform itself, our family members, or the executor of our estate. It’s important to understand who owns these assets and what can be done with them.

Privacy

Digital content can contain sensitive information that we may not want to be publicly available after we die. For example, email accounts may contain sensitive financial information or private conversations. It’s important to consider privacy when thinking about what will happen to our digital ash after we die. Many systems now implement two factor authentication, which protects the data, but if it's your wish to have it deleted, can someone actually do this with a high level of security in place?

Legacy

Social media accounts, blogs, and other digital content can serve as a form of legacy after we die. Our online presence can provide comfort to loved ones and allow them to remember us. It’s important to consider what we want our legacy to be and how our digital ash can contribute to that legacy.

Digital Estate Planning

Just like we plan for our physical estate, we can also plan for our digital estate. Digital estate planning involves creating a plan for what will happen to our digital content after we die. This can include instructions for how social media accounts should be managed, how email accounts should be closed, and more. Do you have a plan alongside your will?

Online Memorials

In recent years, there has been an increase in the creation of online memorials for loved ones who have passed away. These memorials can take the form of social media pages, blogs, or other digital content. It’s important to consider whether we want an online memorial and how it should be created and managed.

It is important to consider the above when you next review your will arrangements.


Metapolice – Policing the Metaverse

20 Monday Feb 2023

Posted by Max Hemingway in Metaverse, Security

Tags

Metaverse, Security

Photo by kat wilcox on Pexels.com

The “Metapolice” will be a thing of the not too distant future, with Interpol looking at how the organisation could police crime in the Metaverse, as reported in a BBC News article a couple of weeks ago. Following my last two blog posts about the Metaverse and security, “My Virtual Selfie – Avatars and Identity Security” and “Multiple Metaverse”, this is a timely topic.

The thought of a Metapolice brings to my mind the novel “Halting State” by Charles Stross, in which a cybercrime has been committed in the massively multiplayer online role-playing game (MMORPG) Avalon Four: a robbery of several thousand euros worth of “prestige items” occurs in the game’s central bank, led by a band of orcs and a “dragon for fire support” (extract from Wikipedia).

The Metaverse is an ever-expanding virtual space that is becoming, and will continue to become, integrated with our daily lives. As it grows, there are many concerns about the regulation and policing of this virtual world. So what is needed to make policing the Metaverse effective, and why is it essential to create a safe and secure virtual space?

The Metaverse is a set of multiple platforms and virtual worlds, themselves made up of interconnected virtual worlds, where users can interact with each other in a simulated environment. Many tech companies are investing in the Metaverse and envision it as the next stage of the internet, where people can shop, play, and interact with each other in a virtual world.

As with any social platform/system there are concerns about privacy, security, and the potential for criminal activity. Just as in the physical world, there is a need for policing and regulation in the virtual world to maintain order and ensure the safety of its inhabitants.

One of the biggest challenges in policing the Metaverse is jurisdiction. As the Metaverse is not confined to any one country, it can be challenging to define who has the legal authority to regulate it. Interpol has the ability to span these borders, which makes it a good move that they are looking into how to police the Metaverse. With many platforms come many standards and governance models, and with these a single set of laws will be hard to put into place. Better international agreements are needed on how to govern the Metaverse and to establish a set of standards and laws that all users and platforms must adhere to. The speed of technology adoption, though, will move faster than any legislation or regulation can.

Another challenge for policing is the sheer volume of data that is created in the Metaverse. Platforms collect vast amounts of personal data from users, including their online activity and location. This data can be used for targeted advertising or sold to third parties. There needs to be regulation to ensure that users are aware of the data being collected and have the ability to control how it is used. Tracking users is one of the norms of using the internet and the Metaverse won’t be any different.

When it comes to criminal activity in the Metaverse, there are concerns about cyberbullying, online harassment, and cybercrime. There have already been instances of fraud, identity theft, and virtual theft in the Metaverse and it is important to have a system in place to identify offenders so law enforcement can deal with them and to deter others from committing similar crimes.

To address these challenges, there needs to be a collaborative effort between tech companies, governments, and law enforcement agencies. Tech companies need to take responsibility for the data they collect and ensure that they have robust security measures in place to protect their users. Governments need to work together to establish a set of international standards and laws that can be enforced across different jurisdictions. Law enforcement agencies need to be trained to operate in the Metaverse and have the necessary tools to investigate and prosecute criminal activity.

All that aside, though, the Metaverse is becoming an increasingly interesting place to do business.


A hidden cost of reading articles and visiting websites

02 Monday Jan 2023

Posted by Max Hemingway in Security, Tools

Tags

Security, Tools

Part of my morning routine is to have a skim over the stories showing up in my Feedly list and have a look at anything that seems of interest whilst munching on some cereal or toast and washing it down with a cup of coffee. A couple of articles piqued my interest from sites that I have used before but which now want more information from me as a payment to view the content.

These are not sites that have a pay wall as such, where you subscribe to read content, but cookie and consent walls. Whilst cookie walls are not new, the uptake of them has increased with more and more sites wanting to get hold of your data in exchange for reading an article. Cookies' days are numbered and there are ways to protect yourself, but for the majority of internet users, being presented with an option to accept or reject cookies can present complexity to those who don’t understand what is actually happening. This is the hidden cost that you are paying to read that article or visit that site.

First off, though, I want to thank the websites and companies out there that have made the choice of accept or reject really simple, with two buttons and clear options and information. There are a lot out there who do, however, add complexity with all the options and legal jargon that can catch people out.

Here is an example:

I have removed the name of the site from the picture above. There are many ways that these walls are presented to the user, and you are not presented with an easy way to opt out other than closing the page and saying no thanks. I wonder how many people press the “Consent” button without actually looking at what they are consenting to?

Clicking “Manage options”, the screen on this particular site presents 30 or so options to select from. Some sites have even more, and there is no standard: everyone is asking for different things and information.

This is at least one of the better sets of options, and it does allow you to unselect or turn off all of them. There are sites I have seen where you cannot select options on and off, and you have no choice if you want to read the site. On one site I visited recently the UI was badly, or cleverly, made so that once you had deselected all the options you did not want to share with the company, the save and continue button sat behind a “Chat to us now” button with a large focus area, and you could not go any further forward.

Visiting some sites you are presented with the option to either accept the cookies or leave. If it's a site you want to visit or purchase something from, you are left with only one choice: to accept, not knowing exactly what is going on behind the scenes.

How does legitimate interest work?

Sites asking for legitimate interests are using your personal data on the basis of their legitimate interest and are basically asking you for permission to process this data under GDPR. I have found that this differs between sites, and not every site explains what they are actually looking at or what they want to use the data for. Some sites are generic about this area and not really clear as to what they are collecting, saying instead something like “cookies that allow our website to function without error”.

The ICO (Information Commissioner's Office) has a good article on what Legitimate Interests are.

The Future

Google has previously announced the future of cookies in the Chrome browser: in Jan 2020 it said it would eliminate third-party cookies in the browser, but this is now delayed until the second half of 2024.

2023/24 will be the year for companies who rely on cookies to look at how they can make advertising relevant for a cookieless future. APIs, and APIs with context, will be available for companies to use, which will protect users better and also provide context-based relevant advertising.

How to protect yourself

In the first instance, make sure you have Anti-Virus protection. Most packages include some protection for your devices in this area, but you should check what is available from your chosen vendor.

To help users keep their privacy, companies led by Google have introduced an initiative, currently in development, called Privacy Sandbox, which replaces the functionality that cross-site tracking provides while removing third-party cookies. The Privacy Sandbox also helps in mitigating the risk of device fingerprinting. The link to Google's Privacy Sandbox initiative site is below.

Privacy Sandbox

For now there are options available that can block certain trackers through browser add-ons, which can protect you and stop tracking cookies. As an example, Privacy Badger is available for a number of browsers. It's good, protects you well, and gives you the option to turn cookies on and off.

Privacy Badger

Even if you don't use an add-on, you should consider blocking third-party cookies, which allow companies to sell your data onwards.
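To make concrete what “blocking third-party cookies” actually covers, here is an added example (my code, not from the original post or from any browser or add-on vendor) that classifies cookies seen during a page load as first-party or third-party by comparing each cookie's domain with the site's registrable domain, and notes which of the third-party ones could be sent cross-site at all. The page host, the cookie records and the tiny public-suffix list are constructed assumptions; a real tool would use the full Public Suffix List.

```javascript
// Added example, not from the original post: classify cookies observed on a
// page the way a browser's "block third-party cookies" setting treats them.
// Assumption: this tiny list stands in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk", "org.uk"]);

// Registrable domain = longest public suffix plus one more label,
// e.g. "news.example.co.uk" -> "example.co.uk".
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/^\./, "").split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join(".");
}

// cookies: [{ name, domain, sameSite, secure }] as a browser would record them.
function auditCookies(pageHost, cookies) {
  const site = registrableDomain(pageHost);
  return cookies.map((c) => {
    const cookieSite = registrableDomain(c.domain);
    const thirdParty = cookieSite !== site;
    // Browsers default a missing SameSite attribute to Lax.
    const sameSite = (c.sameSite || "Lax").toLowerCase();
    // Only SameSite=None; Secure cookies are sent on cross-site requests,
    // so a third-party cookie without both cannot follow you across sites.
    const crossSiteCapable = sameSite === "none" && c.secure === true;
    return {
      name: c.name,
      site: cookieSite,
      party: thirdParty ? "third" : "first",
      blockedByThirdPartySetting: thirdParty,
      tracksAcrossSites: thirdParty && crossSiteCapable,
    };
  });
}

// Constructed sample: a news site plus two ad/tracking domains (not real hosts).
const SAMPLE_PAGE_HOST = "news.example.co.uk";
const SAMPLE_COOKIES = [
  { name: "session", domain: "news.example.co.uk", sameSite: "Lax", secure: true },
  { name: "consent_choice", domain: ".example.co.uk", sameSite: "Lax", secure: true },
  { name: "uid", domain: ".tracker-example.com", sameSite: "None", secure: true },
  { name: "legacy_id", domain: ".adnet-example.net", secure: false },
];

function summary(pageHost, cookies) {
  const rows = auditCookies(pageHost, cookies);
  return {
    rows,
    thirdParty: rows.filter((r) => r.party === "third").map((r) => r.name),
    crossSiteTrackers: rows.filter((r) => r.tracksAcrossSites).map((r) => r.name),
  };
}

console.table(summary(SAMPLE_PAGE_HOST, SAMPLE_COOKIES).rows);
```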

Remember to clear out your cache on a regular basis to remove any unwanted trackers from your device.

There are other methods and tweaks you can make that can help your online protection. Here are some links to further reading and advice.

FTC – How to protect your privacy online

Clear, enable, and manage cookies in Chrome

Device Security Guidance


Posting Security ID’s in Social Posts

01 Thursday Sep 2022

Posted by Max Hemingway in Security

≈ Leave a comment

Tags

Security

With the changes in the world following the pandemic and the opening up of job roles, there has been a rise in the number of people changing roles and jobs, which has been reflected on social media such as LinkedIn/Twitter and possibly other social channels. One of the biggest trends I have noticed is the posting of security passes and work IDs to show that the person worked at their current employer and the dates/times that they have been at that company.

Whilst this may make the person feel good about their move, they have most probably breached a security policy within their existing/old employer by posting their full pass online. With modern technology it's easy to replicate the pass and then try to gain access to a company's office.

A quick search for the words “Security Pass” on LinkedIn shows a huge number of passes that could easily be replicated and used by others to breach a company's security boundaries.

Best practice is not to post this type of document on social. The last contact from your old company might be through a lawyer!


Sign Up and Forget Culture

01 Wednesday Jun 2022

Posted by Max Hemingway in Security

≈ Leave a comment

Tags

Security

Have you ever visited a website that you have signed up to and created an account and then never used it again?

There have been a number of stories appearing recently that highlight a growing problem with the abundance of services and account sign-ups on the internet. The story I will focus on is about a homeowner who found a car parked on her property that she knew nothing about. The outcome was that the landlord had signed up for a car parking service a few years back and never cancelled it.

Mum’s fury as driver ‘parks car on her driveway for Birmingham Airport’

Mystery solved into holidaymaker parking car on furious mum’s drive for Birmingham Airport

Over the many years of the internet how many services and pages have you signed up to and have subsequently forgotten about as you have moved onto other services or simply not used it in a very long time?

GDPR is there to protect data and ensure it is up to date and correct, but is it really being applied to accounts on systems? There does seem to be a lack of reminders about, or removal of, accounts that have been dormant or not logged in to for some time.

You will probably have key accounts that you maintain and use:

  • Daily – such as Social Networks, Shopping, Banking
  • Monthly – such as Utilities (Water, Gas, Electricity)
  • Yearly – such as HMRC/ Inland Revenue for a Tax Return

What else have you signed up to and then not used? Forgotten or unused accounts could pose a security threat to your identity. A good way to see if your details have been gathered by hackers and are being sold is through the website Have I Been Pwned: https://haveibeenpwned.com/

My Top 5 recommendations to consider when creating an account are:

  1. Think about the system/service you are signing up for. Is this a one-off transaction or something you will use on a regular basis?
  2. Use a password management tool to help you track all the sites you use and have accounts on and review this once a month or every couple of months.
  3. Consider cancelling/deleting accounts that you no longer need.
  4. Use different passwords on different systems. A password management tool will help.
  5. Check your emails for changes to accounts/terms and conditions on systems you haven’t used in a while.


Social Engineering on Social Media

10 Friday Sep 2021

Posted by Max Hemingway in Security, Social Media

≈ Leave a comment

Tags

Security, Social Media

Opening my social feeds this morning for a quick browse over a cup of coffee and some toast, it doesn't take long, scrolling down, to find a post asking “What was the first car you owned? No Lying <laughing emoji>”. This post has 61k likes, 959k comments and 8.4k shares and was only posted on 9th August. And people wonder why they get hacked.

Password systems have for a long time used a similar set of questions, as they are usually easy to answer and remember because they were life events. Questions such as:

  • What is your mother’s maiden name?
  • What is the name of your first pet?
  • What was your first car?
  • What elementary school did you attend?
  • What is the name of the town where you were born?

These types of social engineering data gathering posts are nothing new, but it would seem that people do not understand the greater risks around answering them.

With the large amount of data appearing on the dark web for usernames and a person's details (even if they don't contain passwords), matching this data with the answers from social posts such as the one above gives a potential hacker more information about you. They now have the ability to reset your password using the answers you have provided to the security questions and take control of your accounts.

How many of you reading this post have answered a question similar to “What elementary school did you attend”, or anything to do with education, but forgot that the same information is already lurking in your LinkedIn profile?

One way to check if you're in any data on the dark web is to check using your email address at a service such as https://haveibeenpwned.com/

If you see a family member or friend post these types of questions on social media, it may be worth a conversation with them to advise of the dangers of such posts and the consequences of social engineering.

Tips to stay safe

Here are some tips for staying safe with your identity.

  • Don’t answer these types of posts on social media, even if it's a friend who has posted it.
  • Check you're not using an answer to a security question that is already in your social profile.
  • Use fictitious information instead of real information, but something you can remember.
  • Treat these answers like passwords and think about adding complexity to them.
  • Use two factor authentication where it is available on a system.
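As an added example of the second tip (my code, not from the original post), this checks a set of proposed security-question answers against the text of a public profile and reports which answers are already exposed; it also shows that fictitious, memorable answers pass the same check. The profile fields and the answers are constructed for illustration.

```javascript
// Added example, not from the original post: find security-question answers
// that already appear in public profile text. All sample data is constructed.

// Lower-case, strip accents and punctuation, collapse whitespace.
function normalise(text) {
  return text
    .normalize("NFKD")
    .replace(/[\u0300-\u036f]/g, "")
    .toLowerCase()
    .replace(/[^a-z0-9 ]/g, " ")
    .replace(/\s+/g, " ")
    .trim();
}

// answers: { question: answer }; profile: { field: publicText }.
// Returns one entry per answer found verbatim in any profile field.
function findExposedAnswers(answers, profile) {
  const fields = Object.entries(profile).map(([f, t]) => [f, normalise(t)]);
  const exposed = [];
  for (const [question, answer] of Object.entries(answers)) {
    const needle = normalise(answer);
    if (needle.length < 3) continue; // too short to be a meaningful match
    const hit = fields.find(([, text]) => text.includes(needle));
    if (hit) exposed.push({ question, field: hit[0] });
  }
  return exposed;
}

// Constructed profile in the style of a public networking page.
const SAMPLE_PROFILE = {
  headline: "Data analyst | Birmingham",
  education: "Attended Example Primary School, then Example High School",
  about: "Still miss my first car, a Ford Fiesta. Dog person (hi Biscuit!).",
};

// Real answers versus fictitious, memorable ones.
const REAL_ANSWERS = { school: "Example Primary School", firstCar: "Ford Fiesta", pet: "Biscuit" };
const FICTITIOUS_ANSWERS = { school: "Hogwash Academy", firstCar: "Batmobile-7", pet: "Sir Barksalot" };

console.log(findExposedAnswers(REAL_ANSWERS, SAMPLE_PROFILE));
console.log(findExposedAnswers(FICTITIOUS_ANSWERS, SAMPLE_PROFILE));
```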

Further Reading

  • Everyone needs good Cyber Security knowledge
  • Your Digital Exhaust – The data we share
  • Social Media Identity Security
  • Are you using 2 step logins?
  • P4ssw0rd5! – Is yours really secure?
  • Are you patching your network devices at home?
  • More Scam Callers – time for some fun

License

Creative Commons Licence
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.