Many people and organisations today are embracing social media for a whole variety of reasons. For businesses it helps raise brand awareness, engage with customers and get key messages to the market in a rapid and effective manner. For individuals it allows them to keep in touch, share their views with the world and demonstrate their knowledge and expertise along with many other benefits.
It seems that many people like to share their life with the whole world on Facebook and Twitter, starting from their opinions on the latest TV series to where they went at the weekend and what they had for dinner last night.
So from a business perspective what should organisations do to reduce the risks related to social media? Before we can answer that question let us ask – what risks are we talking about?
The following describes things from the perspective of an organisation that has employees who will be using social media both as part of their role and in their personal life. The first and more obvious risk to most people in business will be the situation where an employee posts something online which is damaging to the organisation.
If an individual who is clearly identified as being part of your organisation (for example they have their job title and place of work on their profile) posts material which is in breach of policy or controversial, your brand could be at risk. Imagine an employee posting material or comments which were defamatory against a particular group. The second and along similar lines could be a member of staff releasing important or confidential information online.
These two examples point to deliberate acts and soon I will discuss how we may wish to handle them. But there are some other issues to be considered.
Perhaps you have employees who conduct themselves well on social media, don’t talk about your organisation and generally seem low risk. The problem is even some basic information revealed on social media (Facebook, Twitter, forum, blog, or any other social media profile) can be very useful to a skilled social engineer.
What is a social engineer? In simple terms for this blog let’s regard a social engineer as someone (could be part of a wider group) who wishes to compromise your organisation for whatever reason. Rather than launching technical hacking attacks they will use techniques to obtain access to data by attempting to convince people to grant access whether this be in person, over the phone, via email or some other means.
Where do social media profiles come into this? Let’s take this real life example from a test I took part in some time ago. Parker Solutions Group performs social engineering testing for organisations to see whether they are vulnerable. The example is shortened and is anonymous but hopefully makes a clear point:
The client in this case had set a test to identify whether a key HR database system could be compromised. One potential way of gaining access was to plant key logging software on the machine of a user of the application in order to capture their credentials. The problem of course was how to be successful loading the said key logger.
The test team started by conducting a variety of research on the organisation and noted that a particular staff member had an interest in the hobby of astronomy. Having done some further research it was clear that this staff member was a member of many interest groups and forums in this area. This staff member was also a key HR staff member. In this particular social engineering test the team developed a fake website related to astronomy offering a free sky mapping tool to all new members, the link was sent in a specific crafted spear phishing email to the target. (A spear phishing email is an email targeted at a specific person and is used to either obtain credentials or compromise a system. Think of those “your bank account is locked” emails except targeted at one specific person).
The test was a success, within 5 hours of the email being sent the unwitting victim had clicked the link and downloaded the “tool” which was in fact a trojan containing a key logger. Over the coming days the team successfully obtained the user’s logon and password without so much as phone call or physical intervention.
Of course this example requires a significant amount of planning and indeed hard work to be a success. In this case there was a need to create a specific website, develop a trojan and a spear phishing email.
At this point people may say “who will go to all this trouble” and indeed you may be quite correct. The level of effort a social engineer or attacker will go to will depend on who the target is and what information or systems are being protected. In another much simpler example, our test team used information from a Facebook profile to call an IT helpdesk and successfully answer the security questions. We called stating we needed a new password and a few questions later we had the credentials, all because of the Facebook story.
I urge anyone reading this to take a look at Maltego https://www.paterva.com/web6/.
This very powerful tool grabs all kinds of information to help a social engineer build a picture of the person they want to target.
So, what can a business do to reduce these risks?
The following points may help:
1) Develop a clear policy on social media. The policy should confirm answers to whether people can represent themselves as employees online, what the standards of conduct are, whether they should have separate work and personal profiles.
2) Consider having rules on disclaimers. For example if a person is going to make a statement about company business a disclaimer may state that the views are not that of the company (very useful in liable cases).
3) Ensure that staff is given thorough, interesting credible training and guidance on social media and its dangers. Focus on teaching people how to protect themselves (not just the business) it appears that people seem much more willing to listen at that point. One video to consider including in your awareness training should be the Brussels Mind Reader: http://www.youtube.com/watch?v=F7pYHN9iC9I.
4) Has the training been effective? Here you can consider social engineering testing. To be clear I am not suggesting you need to do something as involved as in my example, the level of testing should be proportionate to the risk. The testing should be tailored according to the level of training given and maturity.
5) Continue to consider the risks of social engineering when undertaking information security risk assessments. Remember that not all attacks are technical in nature and social engineering is always more likely. Why hack a system when you can obtain information through much simpler methods.
Graeme Parker is an experienced professional on Cyber Security, Risk Management and Governance fields with proven experience in implementing and developing effective management systems for these fields. If you have any questions, please do not hesitate to contact Graeme at: firstname.lastname@example.org
For more information on Social Engineering Testing see: