The Surface Web, The Dark Web, and What Lies Beneath

The movie Jaws was, and still is, one of the scariest movies of all time. The director, Steven Spielberg, knew that we are most frightened of the unknown – the audience never sees the giant shark until the end. As the movie progresses, our mind knows there is a shark under the water, we have an idea of what he might look like and how big he is, but our imagination creates a scarier creature than the special effects crew ever could.

When we think of the Dark Web, our mind conjures a place full of frightening criminal activity. While there are literally thousands of pages full of all the bad stuff we can imagine, people also use the Dark Web simply to access the internet. In countries with government eavesdropping or where internet activity is criminalized, the Dark Web holds one main draw, which is also its greatest fault: It allows people to search the internet anonymously, meaning they also can purchase things anonymously. It has become the premier cyber black market.

On the Dark Web, URLs end in “.onion” to indicate they are housed on the Dark Web and can be accessed with a special browser called TOR (The Onion Router). Once you enter TOR, the traffic to and from your computer is routed through multiple servers in multiple countries to preserve anonymity.

To further explore, we need to better understand the complexity of the World Wide Web as a whole. There are two distinct layers (Surface Web and Deep Web), and they are differentiated by the way in which their web pages can be accessed, viewed, and shared by users.

The Surface Web

Everyone knows about the Surface Web. When you Google for info, search for travel deals, or look for new online music, you are employing the services of search engines that crawl the Surface Web to give you a list of related sites. Currently there are about 1.5 billion registered domains on the Surface Web. The Deep Web, however, is 5,000 times larger than the Surface Web. In our daily Googling lives, we are aware of only 10% of the actual web; 90% is below the surface in the Deep Web.

The Deep Web

When you find web pages that a typical search engine can’t access, you’re using the Deep Web. This sounds intimidating, but believe it or not, you use it every day. When you search for a vacation home or compare flight prices, you’re using the Deep Web. When you log in to your email account, online bank account, or shopping account, you’re using the Deep Web. That information won’t show up on a search engine, and that’s a good thing. If someone Googled your name, you would not want your banking information or shopping wish list showing up in results. This information is meant to be private, so sensitive web pages aren’t crawled by search engines.

The Dark Web

Here is where this turns frightening. Downloading the TOR browser will take you to the deepest part of the internet. According to, the kinds of sites most commonly associated with the Dark Web are marketplaces where drugs, firearms, passports, and radical religious propaganda are bought and sold with Bitcoin. In addition, sites to hire hitmen, engage in human trafficking, view underage pornography, and exchange videos that would disgust and terrify the average person are readily accessible. Edward Snowden used TOR to store the sensitive documents he stole from the National Security Agency. The Ashley Madison files also were stored on a site accessible only to TOR users. Of particular concern to businesses is access to stolen credit card numbers, corporate access credentials, and millions of files of personally identifiable information (PII) that are available for purchase on the Dark Web.

Should you explore the Dark Web to be sure your information hasn’t been compromised? In a word, no. Many service providers will monitor the web for you, or you can use services like Experian, QuickBooks, and TruthFinder to scour the Dark Web for you. The best defense, however, is a good offense. Use the info below to help protect yourself and your business.

Assume You Will Be Breached

Sooner or later hackers will try to attack you. In the past, hackers used to target large enterprises. While that is still the case, today small and medium-sized companies and even individuals are considered lucrative and easier targets. If you prepare for a data breach, you can create more effective safeguards to make your data harder to interpret.

Have A Plan

If your data ends up on the Dark Web, you need to plan to minimize the negative consequences. Evaluate particular risks to your business and create a step-by-step plan that includes an updated and robust cyber liability policy. The very act of obtaining coverage, and the resources a policy like this will provide, are invaluable. Otherwise, when a breach happens you will lose valuable time trying to figure out your next step.

If you cannot help yourself and you must download the TOR browser “just to see what this is all about,” please know that although your internet service provider and the government might not be able to view your activity when you are on the TOR network, they do know you are on the network. In fact, according to the international newspaper The Guardian, the U.S. Supreme Court ruled that simply using TOR was sufficient probable cause for law enforcement to search and seize any computer around the world, including yours. Please surf safely!

10 Steps Agency Owners Can Follow to Help Protect Their Information

Security starts at the top – the agency owner has to be a part of the process and ensure that data security is a priority.

Make sure you partner with a competent IT security firm to help you set an information security strategy, implement it, and assemble your internal response team. We rightfully spend so much time, energy, money, and resources on risk management in other areas – physical security of our buildings, severe weather preparation and training, sexual harassment and other employment-related issues. IT security must enjoy the same level of importance organizationally, in terms of both time and money invested.

From an IT/operations perspective, the ten steps include:

  1. Patching system. Be sure to have an automated one to keep your applications protected and up to date.
  2. Firewalls. Ensure that they are installed at all ingress/egress points.
  3. Email security. Identify emails from outside the organization, use dual-factor authentication for remote access, and don’t assume email is confidential.
  4. Web browsing security. Blacklist sites that should not be accessed; block categories related to gambling, hacking, illegal downloads, malware, phishing attacks, and potentially harmful domains; establish social media rules.
  5. Control administrative rights. Remove admin rights from all standard user accounts, discontinue access for terminated employees, and remember that no one should log in to the system with elevated permissions to check email or browse the web, as this could leave the door open to the most sensitive areas of your network.
  6. Password management. Require eight or more characters; create strong passwords and change them frequently; change all default passwords, including those for routers, firewalls, computers, phones/voicemail, IoT devices, and so on.
  7. Backups. These should be located off-site and segregated from your network; be sure to test them regularly! Don’t be reliant on a single vendor. If you host all of your data in the cloud, have a backup plan. What if your backup data is compromised?
  8. Vulnerability scanning and third-party penetration testing. These should go beyond the free, publicly available, nonintrusive scans. This is a deeper dive that should involve testing by various means, including social engineering that brings into play the human element (not just network-related pen testing).
  9. Inventory management. Perform regular checks of all hardware, software, and mobile device management.
  10. Personal training. Incorporate phishing simulations (both for money and for network credentials); email etiquette (encryption, etc.); social media do’s and don’ts; basic data hygiene; and physical premises security of IT assets.

Source: Rough Notes