By Larry Kovnat, Senior Manager of Product Security, Xerox Global Product Delivery Group
Last time I ended my post by describing what’s known as a “spear phishing” attack. I said an executive received an email of a personal nature addressed directly to him. The email included a lot of facts about the executive to make it believable. It mentioned the executive’s daughter, the fact that she played soccer, and that there was a recent game. The sender says he’s a father of a player on the opposing team, that he had caught some great photos of the executive’s daughter and wants to share them. “Here’s the link – enjoy.”
Would you click on that link? Be honest.
Most dads I know would click on that link without a second thought, so don’t feel bad if you said yes. That’s what makes spear phishing so effective and dangerous. The technique depends on gathering a lot of personal information on the target.
In today’s social media world, that’s not hard to do. The attacker would have to spend some time online going through the obvious sites like Facebook and LinkedIn, maybe find the target’s Twitter handle, and put together a profile of the target. Formally this is referred to as aggregation and inference. The attacker gathers a lot of publicly available information from various sources from which they can create a picture of the activities and interests of the target. All the attacker needs to do now is create an enticing premise by which to trick the target into taking the bait.
There is actually quite a heated debate going on in the industry about allowing access to social media in the work place. I happen to be on the side of allowing it. Social media represents a new way of communicating and tying people together. In most business settings it can actually promote productivity by increasing the flow of needed information. But as with any new technology, there are risks.
The first security concern to consider is the information that people are sharing online. Companies would do well to provide some basic guidelines and training on the appropriate use of social media. Users can also protect their information by configuring privacy settings on their personal accounts. Also, users should think about the information they share on one site vs. another.
In our example above, the attacker probably got the victim’s company from LinkedIn. That would give them a clue to the victim’s hometown, but maybe not if the company they work for is large. Go over to Facebook, ah, so here the target posted their hometown. And what’s this? “Congratulations to my daughter and her soccer team.” Ding, ding, ding. How about Twitter? “Watching a soccer game at my daughter’s high school – priceless.” Gotcha!
You get the idea. It’s pretty easy. To combat this users should think about what they’re sharing from the point of view of someone who wants to gather information about you that really shouldn’t have it. People should be asking themselves this every time they post on social networks.
As for allowing social media or not, each company needs to make this decision for themselves. There is a lot of middle ground between the extremes of no limitation on the use of social media and an outright ban. Security is situational, and the amount of security depends on the risk tolerance of the company. Usually a good training program is sufficient to lower the risk of information disclosure, to the point that the employees and company as a whole can benefit from the interconnectedness of social media without leaking important information.
