There is a consistent list of concerns that most organizations have with respect to social media use in the workplace. The list includes impacts on productivity, a lack of user controls, and potential security compromises. But the most sobering message the Lumension security and forensic analyst delivered during his conference session on malware and social media was the fact that regardless of an organization’s policies, the amount of information that employees post on their personal social media sites makes it all the easier to hoodwink them once they have been targeted.
Cybercriminals no longer seek out only high-value or high net worth individuals in the age of social media, Henry asserted. “Everyone today is a target with respect to social media”, he told the Interop audience. “We are putting way too much information on our social websites.”
Henry revealed that he recently cancelled his Facebook account when he learned that the social network would use cookies to track account holders’ web browsing even when they were not logged into the site. Facebook, of course, will then sell this tracking data to interested marketers to help with its bottom line, he noted.
“I don’t mind people making money off of me, as long as I can make a couple bucks too”, Henry said jokingly. The analyst said he has switched over to Google+ for the time being, observing that it offers “some semblance of privacy currently associated with it”, but he added that most social networking sites are simply portals for social engineers to gather all the details they will ever need to execute a well-crafted spearphishing scam.
Henry reiterated: “again, we are putting way too much information on our social media websites”.
In his remarks, the forensic analyst noted that phishing makes up 23% of all malware attacks in the social media space.
The amount of information that can be gathered from a person’s Facebook account drastically increases the chances that a targeted person would click on a link or attachment within a phishing email, Henry said. He reminded the audience that this method was employed in one of the year’s most infamous data breach incidents: the recent compromise of RSA’s SecurID tokens.
Spearphishing was one of the primary malware delivery methods that Henry identified on social networks, along with clickjacking (aka likejacking) and password sniffing.
“Most people don’t realize that when they are using Facebook from their iPhone, it’s all in the clear”, said Henry, referring to the fact that such transmissions are unencrypted when made from smartphone and tablet applications. Users therefore are handing over their login credentials to anyone running a password sniffing program on a nearby public WiFi network, he added. “If you are using WiFi, understand that unless you access Facebook using a browser, then you are doing it in the clear. I don’t know of a single Facebook app today that actually encrypts your credentials.”
When it comes to password sniffing, Henry’s advice was rather blunt: “Don’t trust WiFi – period, end of story.”
Of course, not all organizations can simply block access to social media sites in the workplace or on employees’ devices, nor can they easily dictate policy for personal use of these sites when employees are ‘off the clock’. So Henry offered a few tips organizations can follow to help mitigate the associated risks. Among these are: user education programs; usage policies on social media use within the enterprise or with enterprise assets; a comprehensive software patch and remediation deployment; and an endpoint security solution.
Henry recommended a handful of technologies that organizations should be employing as a baseline defense as well. They included an application control or whitelisting capability, anti-virus, automated software patch and remediation, and offerings that enforce the ‘Rule of Least Privilege’ for access to information.