Skip to main content

Does Sociability Compromise Security?

May 11, 2010

Do you allow your employees to use Facebook, Twitter, LinkedIn and others from your corporate network? Or, do you have a “no social media on the corporate network” policy? If you’re part of the first group, read on.  You’ve got some serious security issues to consider.

In the old days, when Web 1.0 was all the rage, a website developer or administrator published all the content for end users to read. Things were relatively safe as long as certain protection mechanisms were in place. But, life has become more complicated in recent years with the launch and subsequent popularity of Web 2.0. This new age of collaboration introduced a fun and innovative way for end users to communicate via social media sites such as FaceBook, Twitter, MySpace and many many others.  However, because social media sites pull content from multiple sites and servers, Web 2.0 has made it significantly more complicated for you to truly secure your users’ browsers.

Trust is really at the root of the problem.  Social networking sites give users an inherent sense of trust that they shouldn’t have. And, unfortunately that trust opens the door wide open for a variety of new attack vectors. If you don’t have the right policies and solutions in place, there’s a pretty good chance that sooner or later the bad guys are going to use social media to access your corporate data.

How will they do it? There are a few different strategies we’re seeing.

  1. In some instances, criminals are creating malicious websites (or infecting legit sites due to their own vulnerabilities) that have malware installed and are redirecting users in various ways to those sites. Once a user goes to the malicious site, their system becomes infected with this malware.  At this point, the attacker is purely limited by their imagination on what could happen next.  Most commonly, the malware starts harvesting information from your user’s system, such as their passwords or corporate information.  The malware then attempts to either stream this information back to a predetermined host controlled by the attacker, or utilizes a batch process to email or funnel this information out to the attacker.
  2. As of late, spear phishing is the attack strategy of choice. With this method, criminals gather information about your employees from social networking sites.

This brings up another common oversight or gap in many organizations current information security policies.  As an example, should your employees be allowed to disclose that they work for you?  How about the division of the company they work in?  How about what project or program they are working on?   All of this type of information can be used in a spear phishing attack.

 

Once the attacker has gathered enough information about their intended target, they start sending personal emails to your end users to gain their trust, and then direct them to websites or applications to install, which facilitates the malware infection. Cross-domain attacks are also common. This strategy influences users to click on links they normally wouldn’t have because of their newly assumed trust level with the attacker’s bogus company or request.  Once infected, again, it’s up to the attacker’s imagination at this point on what they wish to do with their new victim.

There are a number of things you can do to protect your company and mitigate the threats:

  • Implement an IT security program with sound policies – Adopt or update your existing Acceptable Internet Usage policy to inform your employees on what types of information they are allowed to post online about your company to reduce the possibility of spear phishing.
  • Implement the right technologies – At this point, you should already have anti-malware/anti-virus software installed on every corporate computer to attempt to cover your end users. In addition to this, you should consider investing in data leak prevention solutions, to help enforce your corporate policies on what is acceptable content to post online or even be allowed to leave your network.
  • Continually educate your employees – a lot of cybercrime relies on an end user’s lack of knowledge. Continually update and performed user awareness training sessions or “brown bag” events to teach your users the common threats they will face, as well as update them on the latest attacks being carried out.

 

Related Blogs

October 26, 2017

Help Keep Your Children Safe Online

The Children’s Internet Usage Study conducted by the Center for Cyber Safety and Education discovered that 30 percent of children ages 8-14 use the in...

See Details

October 11, 2017

From the Boardroom to the Breakroom: Cyber Security in the Workplace

Key steps to cyber security in the workplace include establishing and maintaining a “security culture” in which company networks and the data they hol...

See Details

May 25, 2016

Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 2

Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that un...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.


Privacy Policy

Related Insights

November 01, 2012

Social Engineering: An Expanding Frontier in Online Attacks

Social engineering is an expanding frontier for attacking public and private entities and their employees. With this approach, a malicious attacker ga...

See Details

April 15, 2014

Non-IT and Security Engineering Principles

I always look for interesting parallels between things we have learned or practiced in other industries and how they can be applied to the security di...

See Details

January 31, 2014

SDN APIs: A New Vocabulary for Network Engineers

Whiteboards and slides have been instrumental for networking discussions for a long time! Color-coding markers and those fancy “glass whiteboards” are...

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.

Subscribe

Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.