With all of the recent advancements in technology, including the ability for anyone to know what is going on around the world with just a few keystrokes or finger swipes, it is amazing that anything can be a mystery anymore. When I was young, you had to rely on the newspaper, nightly news programs on the TV or radio, or books and magazines. Encyclopedias were the old-school version of the Internet, but you had to know what to look for. Now Twitter, Facebook, Google, LinkedIn, and endless other social media and Internet search tools allow you to get any information you need when you need it. You don’t even have to know exactly what you are looking for to get more information on a topic than you could read through in a year. Simply plug a few keywords into your favorite Internet search engine and you will be on your way to a subject matter expert in minutes.
Yet what most people think of as the Internet is only a fraction of what is available. The Internet as most people know it is actually called the surface web. The deep web is essentially the Internet – the complete Internet. It is the rest of the Internet that is unsearchable with regular web browsers. If you do a quick search on the deep web, you will see that it is a hotbed of illegal and nefarious activities, including the sale of drugs, human organs, weapons, stolen identities, hit man services, and more. A lot of bad content exists in the deep web and can put your organization at risk.
No one knows how big the deep web is, but recent estimates have put the content of the deep web as much as 500 times the amount of content available on the surface web. The only way to search the deep web is through The Onion Router (TOR)<sup>1</sup> network. TOR is a free modified web browser that allows you to anonymously surf the deep web. This anonymity gives rise to the deep web being known as the “hidden web,” “deepnet,” or “dark web.” U.S. government agencies are frustrated and scared by the deep web because they:
- Can’t control or access all areas of the deep web; it is simply too big
- Can’t stop it because the connections to TOR cannot be controlled
- Can’t track the sources and destinations of traffic
So why should your organization be worried about the deep web? Most organizations have standard desktops that do not include the TOR browser, and think that the deep web is not a threat. Unfortunately, the threat is still real and every organization is at risk. TOR is a free application and is gaining in popularity for home use. There are even TOR apps for smartphones that allow you to surf the deep web anywhere you have service.
TOR will only become more mainstream as time goes on and there is little to nothing that can be done, as the software to access the deep web is free.
Organizations have no control over what individuals do in their personal time. Anyone choosing to explore the depths of the deep web, regardless of the reason, is a target for malicious attacks. In order to maintain anonymity (the main purpose of the deep web), there are TOR browser configurations that disable certain content from being viewed within the browser. Much of the content is downloadable, and smart hackers and evildoers will lure in their prey with irresistible content that won’t load in the web page but is conveniently available to download and view offline.
These downloaded files are often laden with malicious content such as viruses, Trojans, or keyloggers. With a simple double click of the seemingly benign file, your employee has now become a security risk to your organization. Intruders can watch everything your employee does on a compromised machine. They can install additional hacking tools and break into other devices in the same household. Hackers can even infiltrate smartphones, steal contact information, listen to calls, and check emails. Once an employee checks work email from their personal computer (most organizations have some form of webmail), a hacker will have the user credentials to your network and can then begin hacking attempts on your organization.
What can you do about this threat? Organizations should address the deep web. Be creative with your approach and develop training that is fun and interactive but stresses the dangers of the deep web. The deep web has been around for years but it is still unknown to most people. I conducted an informal survey with consummate security professionals and almost 4 out of every 5 could not tell me what the deep web was or how to access it. Remarkably, only 2% have actually browsed the deep web.
The deep web is something new and exciting to many. Like a child who doesn’t understand what a hot stove is until he or she touches it and gets burned, your employees may want to dive into the deep web until they or your organization get burned. It is only a matter of time before diving into the deep web becomes as common as surfing the web is today. I urge other CISOs, CIOs, and executives to ask your staff and employees about the deep web. Make it an impromptu question so they cannot go research and give you what appears to be an educated answer. Ask your security personnel to explain the deep web to you and be ready for a lot of blank stares. Then ask yourself how vulnerable your organization and your data really is.