"If you have company secrets, you have to take steps to make sure it doesn't get into the public domain," said Daniel Pinto, a Stewartsville, N.J.-based security consultant whose company is called RAC Partners LLC. "Google isn't reaching into your company, it's just making available what's already out there. Sensitive information gets out if someone inside a company or one of its partners makes it available."
Pinto was reacting to a recent SearchSecurity.com report about techniques hackers can use to find intellectual property, passwords and other sensitive information via Google. The story was based on a presentation at last month's SecureWorld conference in Boston given by Tom Bowers, managing director of Allentown, Pa.-based Security Constructs LLC and the former manager of information security operations at a Fortune 100 pharmaceutical company.
Bowers urged IT professionals to learn those same techniques so they can intercept any sensitive data from their company that may end up on Google. "If something ends up on Google it becomes public information," Bowers said at the time. "It's your job to see if your intellectual property is on Google and to come up with the right defenses so it doesn't happen."
Hackers can zero in on their prey using such tools as Google Earth, Google Patent Search and Google Blog Search, he said. The tools can help the bad guys unearth financial filings and security analyst reports that are potential goldmines of information. For example, he said, Google Earth can provide spies with satellite photos of competitors' plants, and if a company includes too much information in one of its patents, Google Patent Search can be especially valuable.
Bowers isn't the first security expert to warn that Google could be used to unearth company secrets. Penetration tester Johnny Long has made headlines explaining ways to turn Google into a malicious tool, and his johnny.ihackstuff.com Web site includes a "Google hacking database."
Pinto said the key to neutralizing this threat is to make people aware that certain pieces of information are not to be publicized, whether it be in a crowded room or on a Web site.
"People, depending on their place in the organization, may or may not have the instinct to know what the company jewels are," he said. "There are things you don't talk about in a crowded restroom. It's a matter of making people aware of what must never be publicized."
He said companies need a basic review process outlining what may or may not be put on a Web site, and partners must be briefed on items that can't be made public.
"If you're a big company, your partner wants to brag that they're doing business with you, so your contract with them must explicitly outline information that can't be released," he said.
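One way to put the "basic review process" described above into practice is a pre-publication check over the files destined for a public web server, so that classified documents, credentials and leftover backup files are caught before Google can index them. The following is an added example, not code from the original article or from any company mentioned in it; the patterns, the risky file types and the sample webroot are constructed for illustration, and the function names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

# Text markers that commonly indicate content which should never reach a public web server.
# These patterns are constructed for this example; tune them to your own classification scheme.
SENSITIVE_PATTERNS = {
    "classification marker": re.compile(r"\b(confidential|internal only|do not distribute)\b", re.I),
    "credential": re.compile(r"\b(password|passwd|api[_-]?key)\s*[:=]\s*\S+", re.I),
    "private key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# File types that are frequently published by accident (backups, editor leftovers, data dumps).
RISKY_SUFFIXES = {".bak", ".old", ".sql", ".orig", ".swp"}


def scan_webroot(root):
    """Walk a directory tree destined for a public web server and return
    (relative path, reason) tuples for anything that needs review before publishing."""
    findings = []
    root = Path(root)
    for path in sorted(root.rglob("*")):  # sorted for deterministic reports
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in RISKY_SUFFIXES:
            findings.append((rel, f"risky file type {path.suffix}"))
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skip content checks, the suffix check already ran
        for reason, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(text):
                findings.append((rel, reason))
    return findings


def demo():
    """Build a constructed sample webroot in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "index.html").write_text("<h1>Welcome to Example Corp</h1>")
        (root / "docs" / "plan.html").write_text("CONFIDENTIAL - Q3 pricing strategy")
        (root / "docs" / "setup.txt").write_text("db host=dbserver\npassword=hunter2\n")
        (root / "config.php.bak").write_text("<?php $x = 1;")
        return scan_webroot(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run the check as a gate in whatever process copies content to the public site, and treat every finding as something a human must sign off on rather than as an automatic block.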
Stephen Carter, an IT professional based in Monroe, N.C., said companies have a responsibility to keep their sensitive data from going public, and that people who dig it up on Google aren't hacking.
"No one is hacking," he said in an email exchange. "No one is doing anything other than finding a way to look at publicly available data." If someone is clumsy enough to release confidential information into the public domain, he said, "That's between them, the owners of the data and maybe the authorities if a crime results from the release of the data or its misuse."
He said a good security team will have the whole environment hidden from public view by an "unassailable" firewall, and "normal users will be prevented from downloading software like the Google indexing tool and would probably be denied the rights to install it anyway." Meanwhile, email in most companies will be encrypted and filtered as would every piece of data and media entering or leaving the site.
With those basic security measures in place, he said, a company should be able to keep its sensitive information under wraps.
People will also be more inclined to think about what they are doing if they know they will be held responsible for their actions, he said, adding, "If they screw up too often then they will end up in a role where they no longer get access to secure data."