UB6.C2.K1 Users share their name and surname on social networks
Using a user’s real name as the default User Principal Name (UPN) or email address is a security risk: it gives attackers a login identifier they can reconstruct from public information and reuse in social engineering and password attacks. Here is an overview of the threat and recommendations for mitigating it:
Threats Related to Using Real Names as Default UPNs or Email Addresses
- Increased Susceptibility to Phishing and Social Engineering Attacks:
  - Public Information Availability: When a UPN or email address is based on a user’s real name, it can be guessed or found by attackers whenever the person has a public online presence (e.g., on social media or professional networking sites). This makes it easier for attackers to craft targeted phishing emails or other forms of social engineering attacks.
  - Enhanced Credibility for Attackers: Attackers can use real names and the organization’s email pattern to impersonate employees more convincingly, making phishing emails appear legitimate to other employees, clients, or partners.
- Account Discovery and Brute Force Attacks:
  - Ease of Credential Harvesting: Using standardized naming conventions like [email protected] allows attackers to compile a list of probable usernames from nothing more than a list of names. This facilitates credential-stuffing and password-spraying attacks: with the username format known, an attacker can try one or two common passwords against every account in the list, which stays below per-account lockout thresholds that would stop a brute-force attack on a single user.
  - Increased Exposure in Data Breaches: If the email address doubles as the login name and follows a predictable pattern, any third-party breach that contains it hands the attacker a ready-made login identifier and lets them link the professional account to personal accounts found in other sources.
- Personal Information Exposure:
  - Privacy Risks: Exposing real names through email addresses can also compromise users’ privacy, especially if they prefer not to have their identities easily associated with their professional email accounts.
  - Linking Accounts Across Platforms: If attackers know a user’s email pattern, they may be able to identify and correlate their activities across multiple platforms, leading to more personalized attacks or further exploitation.
Recommendations for Mitigating These Risks
To reduce these risks, organizations can adopt several strategies:
- Use Non-Personalized Usernames or Aliases for UPNs and Email Addresses:
  - Randomized or Coded Naming Patterns: Instead of using firstname.lastname, organizations can consider randomized username formats or codes that do not reveal a user’s identity directly, such as [email protected] or [email protected].
  - Employee IDs or Internal Identifiers: Using internal employee IDs as part of the UPN or email structure (e.g., [email protected]) helps ensure that usernames are not easily guessable or related to publicly available information.
  - Keep the login name and the mail address separate: the UPN and the primary mail address do not have to be identical. The login identifier can carry only the employee ID while a routable firstname.lastname address remains attached to the mailbox as an alias for external correspondence. This is obscurity rather than a control; a username that leaks through a breach, an out-of-office reply or a document’s metadata is still a username, so the measures below remain necessary.
- Leverage Multiple Subdomains:
  - Subdomain Diversification: By using multiple subdomains for different departments, roles, or access levels (e.g., [email protected] or [email protected]), organizations can make it harder for attackers to predict email patterns across the organization. Expect the subdomains themselves to be discoverable (MX records, certificate transparency logs and mail headers all reveal them), so this adds friction rather than secrecy.
  - Isolate Sensitive Access Points: For high-privilege accounts, using a separate subdomain adds a further layer of obscurity. Such accounts should in any case be dedicated administrative identities with their own credentials and, ideally, no mailbox, so that they cannot be phished directly.
- Implement Strong Security Measures for UPN and Email Privacy:
  - Limit Public Exposure of Email Addresses: Organizations should restrict the publication of employee email addresses on websites or in publicly accessible documents. Where a contact point is required, use a generic address (e.g., [email protected]) for public-facing information.
  - Educate Users About Social Engineering: Providing regular training on social engineering risks can help users recognize and report suspicious activities, reducing the chances of successful attacks.
- Utilize Advanced Email Security and Access Controls:
  - Enable Multi-Factor Authentication (MFA): Implement MFA so that a guessed username and password are not sufficient on their own. Prefer phishing-resistant methods (FIDO2 keys, certificate-based or passkey sign-in), because SMS and push-based codes can be relayed by the same phishing pages that a known email pattern makes easier to target.
  - Email Filtering and Phishing Detection: Use email filtering and anti-phishing technologies to detect and block suspicious emails that might target users based on their real names.
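The two halves of the argument above, the attacker’s username guess list built from public names and the defender’s naming policy, fit in one script. The following is an added example for this page, not code from the original text or from any vendor: it enumerates the common corporate username conventions for a list of names, audits a directory export for accounts whose UPN can be derived from the display name, and provisions an employee-ID-based UPN with a separate routable mail address. The directory records, the names and the domain example.com are constructed placeholders.

```python
"""Username predictability: attacker's guess list, defender's audit, and an
ID-based provisioning rule. Added example; sample data is constructed."""
import re
import unicodedata

DOMAIN = "example.com"  # assumption: the tenant's login domain


def _clean(token: str) -> str:
    """Lower-case, strip accents and punctuation: 'García' -> 'garcia'."""
    ascii_form = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_form.lower())


def candidate_local_parts(first: str, last: str) -> set:
    """Local parts an attacker would try once the real name is known.

    These are the usual corporate conventions (first.last, flast, last.f ...);
    a wordlist tool run over names scraped from a professional network
    produces exactly these shapes.
    """
    f, l = _clean(first), _clean(last)
    if not f or not l:
        return set()
    return {
        f"{f}.{l}", f"{f}{l}", f"{f}_{l}", f"{f}-{l}",
        f"{f[0]}{l}", f"{f[0]}.{l}", f"{f}{l[0]}", f"{f}.{l[0]}",
        f"{l}.{f}", f"{l}{f}", f"{l}{f[0]}", f"{l}.{f[0]}",
        f, l,
    }


def guess_upns(names, domain: str = DOMAIN) -> list:
    """Expand (first, last) pairs into a sorted spray list of candidate UPNs."""
    out = set()
    for first, last in names:
        out.update(f"{lp}@{domain}" for lp in candidate_local_parts(first, last))
    return sorted(out)


def upn_policy_violation(upn: str, first: str, last: str):
    """Return why a proposed UPN is personalised, or None if it passes.

    Two checks: the local part is one of the guessable patterns, or it still
    embeds a name token (catches 'jdoe2', 'smith-admin'). Tokens shorter than
    three characters are skipped to limit false positives on short names.
    """
    local = upn.split("@", 1)[0].lower()
    if local in candidate_local_parts(first, last):
        return "derivable from display name"
    for token in (_clean(first), _clean(last)):
        if len(token) >= 3 and token in local:
            return "contains name token"
    return None


def audit_directory(directory: list) -> dict:
    """Flag every account whose UPN an attacker could derive from its display name."""
    predictable = []
    for user in directory:
        parts = user["display_name"].split()
        if len(parts) < 2:  # mononym: nothing to derive a pattern from
            continue
        if upn_policy_violation(user["upn"], parts[0], parts[-1]):
            predictable.append(user["upn"])
    total = len(directory)
    return {"predictable": predictable, "total": total,
            "fraction": len(predictable) / total if total else 0.0}


def provision_upn(employee_id: int, first: str, last: str,
                  domain: str = DOMAIN, existing=frozenset()) -> tuple:
    """Login UPN built from the employee ID; routable mail address kept separate.

    The UPN is what gets sprayed, so it carries no name. The mail address
    (first.last) is what external contacts need and would be attached to the
    mailbox as an alias rather than used as the login name.
    """
    upn = f"e{employee_id:06d}@{domain}"
    reason = upn_policy_violation(upn, first, last)
    if reason:
        raise ValueError(f"{upn}: {reason}")
    if upn.lower() in {e.lower() for e in existing}:
        raise ValueError(f"{upn}: already assigned")
    mail = f"{_clean(first)}.{_clean(last)}@{domain}"
    return upn, mail


# Constructed sample directory export (placeholder data, not a real tenant).
SAMPLE_DIRECTORY = [
    {"display_name": "Jane Doe",        "upn": "jane.doe@example.com", "employee_id": 1042},
    {"display_name": "José García",     "upn": "jgarcia@example.com",  "employee_id": 1043},
    {"display_name": "Wei Zhang",       "upn": "e001044@example.com",  "employee_id": 1044},
    {"display_name": "Ana Maria Silva", "upn": "silva.a@example.com",  "employee_id": 1045},
]

if __name__ == "__main__":
    report = audit_directory(SAMPLE_DIRECTORY)
    print(f"{len(report['predictable'])}/{report['total']} UPNs guessable from public names")
    print(guess_upns([("Jane", "Doe")]))
    print(provision_upn(1046, "Wei", "Zhang", existing={u["upn"] for u in SAMPLE_DIRECTORY}))
```

Run against a real export (for example the UPN and display name columns of a directory user list), the fraction reported by audit_directory is the share of accounts an attacker can address from a names list alone; provision_upn is the shape of rule a joiner process would apply so that the login identifier and the public mail address stop being the same string.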
By diversifying user naming patterns, limiting the use of personal information in usernames, and employing advanced security measures, organizations can effectively reduce the risks associated with social engineering attacks and unauthorized access attempts.