Social Media and the Social Engineer
Social media is one of those necessary evils. It seems that unless you are Adele, you need it to thrive in this business world. We have to tweet to our customers and fans, make sure our posts are on Facebook, update our Google+, and ensure that those in our LinkedIn Groups are included. The truth is, we love social media, don’t we? Yes, we even got Michele, aka @SultryAsian, on Twitter, finally!
All of the above is true, but social media posted without a second thought is also a danger. Each year at the SECTF (the Social Engineering Capture the Flag) the contestants report what they were able to find about their target companies on social media alone, and some of it is pretty scary.
One thing we always say in our company is that we hate that phrase, “Stupid users.” I don’t think that stupidity is the cause of the majority of security issues we see out there. Maybe people are just uneducated about the way the information they release can be used in an attack.
Real-life examples
For example, a Twitter follower and blogger sent me a story about how HP has de-merged and the Enterprise Service Division has a new brand.
The company must be doing a great job of building excitement among the employees and making sure their “tribe” is intact. It looks like the new brand has hosted some events and what appears to be a launch party.
It is natural, when you feel good about something, to want to talk about it. And in the age of social media, what accompanied this exciting news? Photos of employees posing with their brand-new corporate ID badges.
Those are just two of the dozens of such pictures we saw all over social media. Why is this dangerous?
Come on, is it really that bad?
Well, think of just a few angles:
- An attacker now knows exactly what the new badges look like: layout, colors, logo placement and what fields are printed on them.
- Producing a convincing fake badge for a physical entry attempt has been made far easier.
- Dozens of employees have publicly tied their faces and full names to their roles in the company, which is exactly the roster a phisher or pretext caller needs.
- Many of the pictures also show office interiors and workspaces, giving an attacker a preview of the building before ever setting foot in it.
So how can a company promote itself, keep the excitement going, and still not make itself a target? There is no easy answer in this “everything is getting hacked” world. But here are a few ideas:
1. Critical thinking
Think through what you allow employees to release on the web before the launch, not after. It is not just about having a policy on paper; it is about working out what the actual dangers are (badge cloning, employee enumeration, facility reconnaissance) and then helping your employees understand the risk they create by taking the wrong action.
2. Actionable policies
Now that you have thought it through, don’t just hand employees a list of things they can’t do. Tell them what you want from them, and more importantly, tell them what they can do. For instance: “Feel free to tweet all the pictures of the party and the new logo you want, but please keep your corporate ID badge out of the photos.”
3. Understand the value of the information you possess
Realize how an attacker can combine even the smallest bits of data, then decide how you will handle each of them. Knowing that an attacker can use X, Y, and Z against you, decide whether you are still willing to release them, and if you are, what compensating measures you will take (for example, redesigning the badge after it has been exposed, or briefing reception staff that copies may be in circulation).
These simple steps can keep you from becoming the low-hanging fruit. Social media: we all need it, and we all love it, too. Learn how to use it wisely, and you can avoid making yourself a target.
‘Til next time.
Written by Chris “loganWHD” Hadnagy