Three years ago I performed a penetration test of a transportation company in the Midwest. Save for a few low-severity vulnerabilities, Company X had a well-managed public-facing network infrastructure. Satisfied with the status of their network security, I turned my attention to the human network.
Searching for Company X on sites like Twitter, Facebook, and LinkedIn, I discovered employee names and corporate activities that were not shared on its website. As the search continued, Company X’s culture, processes, and lexicon emerged from the social dialogue.
Within three hours I was able to collect identifying information on key employees including birth dates, employment and educational history, and hobbies. These data points were cross-referenced with other resources on the Internet to profile Company X’s community involvement activities.
This information enabled me to persuade employees to give me access to critical information and secured areas. This included usernames, passwords and access to employee-only areas.
Unfortunately, this was not an isolated scenario. McAfee recognizes that social media is used by miscreants as an “effective means to reach you as an individual user or an employee of a targeted company.” It notes that the disclosure-based trust model used by social networking sites also makes them vulnerable to miscreants who mine this data or persuade users to click on links that execute malware.
From a corporate governance perspective, social network threats are difficult to manage. Even if a company excludes itself from social networks, it has little control over its employees’ or customers’ activities.
For example, the successful compromises of physical security on my social engineering engagements have been enabled by information gleaned from Facebook and MySpace pages run by company employees. In these cases, the guise created from my research allowed me to influence employee behavior to circumvent logical and physical access controls.
Individual users should also be cognizant of the privacy threats associated with social media disclosures. Early in 2010, I researched three individuals from my Toastmasters chapter to illustrate how much information could be mined from the Internet. At the end of the two-day project, I had discovered their home and work addresses, the restaurants they commonly frequent, and their affiliation with community groups.
Shockingly, I was also able to find medical information for one of the individuals, including her condition, her primary doctor, and the hospital where her doctor works. This threat is complicated by the prevalence of targeted phishing and malware attacks directed at users based on their profile activity.
Some approaches proposed to address these threats attempt to model the formation of trust relationships in the physical world. The paper Security Issues in Online Social Networks proposes architectures wherein “users should dictate the fine-grained policies regarding who may view their information.”
These solutions would require individuals or companies to create data classification policies associated with their social media presence. However, the stakeholder support that these solutions require makes their implementation problematic. Additionally, they limit the data available to the social media provider in its effort to generate advertising revenue.
The successful use of social media management by one of my clients points to a practical response to these challenges. Embracing Facebook and Twitter as part of its marketing and sales campaigns, the client recruited its employees to promote a positive brand image. Employees are thus shown the value of the messages they share online.
More importantly, the organization’s security awareness program focuses on the social interactions that intersect with logical and physical controls. These efforts have resulted in fewer negative findings during social engineering engagements.
The hunger for connectedness and trust is core to the challenges posed by social networks. Their secure use lies not in an artifice of policy templates and FUD. Rather, it relies on recognizing the value of your information to those who would abuse it.