With more than 61 per cent of UK adults now using social media sites to communicate with their network of friends, upload photos and post opinions, cybercriminals are adapting their behaviour to take full advantage. The recent LinkedIn security breach, in which more than six million hashed passwords were leaked, highlighted this trend and the need for more robust security around social media. It also highlighted the need for more awareness and education among the people who use these sites.
Hackers are increasingly targeting individuals through a combination of social media sites to build a profile ripe for attack. With research from MyJobGroup claiming that 55 per cent of the respondents access social media sites while at work, the potential impact to a business cannot be overlooked.
First, attackers identify the organisation they want to target, whether the motive is corporate espionage or financial gain. Then they search the various social networks for individuals employed by that organisation, often within a particular function such as finance or human resources. The attacker then tries to befriend these individuals, building a network inside the organisation by tricking unsuspecting users into accepting a friend request from someone they do not know personally.
Once an attacker has established one connection it becomes easier to establish others, and each new connection is a further source of information about the target's role, colleagues and interests, which makes a spear phishing attack easier to craft. With that profile built, the attacker can tailor a message so that it appears to come from a friend and concerns a topic the target cares about. The target is far more inclined to click a link in such a message, and that link leads to a silent compromise of the target's machine that ultimately gives the attacker a foothold on the corporate network.
While some businesses will avert these threats by blocking employee access to social media on corporate equipment, there is more value in having employees engage with their social networks, whether for recruiting, building partnerships or engaging customers. Companies therefore need to teach employees about the dangers of social media when combined with today's social engineering attacks, as well as best practices for engaging on social media safely.
From a CISO perspective, detecting targeted attacks requires monitoring at several levels. Most targeted attacks against end users work in one of two ways: a phishing attempt that persuades the user to hand login credentials to a third party, or a targeted trojan delivered to the user. The more sophisticated attacks rely on trojans deployed to the end-user machine through client-side exploits, taking advantage of vulnerabilities in PDF readers or the Java Runtime Environment, or through malformed documents such as Word or Excel files.
Detecting exploits can be problematic because there are many ways to obfuscate them and bypass defences, from obfuscating the shellcode used in the exploit to packing the dropped executable with various encryption routines. Relying on layered defences is therefore key to identifying these attacks, since no single line of defence will be reliable on its own against this type of attack.
A holistic approach needs to be deployed, combining extensive end-point monitoring with network behaviour monitoring that ranges from full-traffic capture and archiving to strategically placed intrusion detection sensors. This allows you to detect attempts that bypass end-point defences but still leave a network footprint, which is much more difficult for an attacker to hide: a trojan that evades antivirus still has to talk to its controller.
End-point monitoring of behaviour on the file system, in the registry and on the network is essential to tying together the pieces of a targeted attack against your organisation; it aids forensic analysis and speeds up investigations. The capability to identify exactly what a piece of malicious code has done on the end point and how long it has been there, coupled with a full record of all outbound communications from that end point, lets you detect attacks quickly and understand what your exposure might be.
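To make the two preceding paragraphs concrete, here is an added example (not code from the original article or from Webroot) of the kind of correlation an investigator would run: it takes a constructed endpoint event log (process start, file write, registry Run-key write) and a constructed outbound connection log, flags any process that talks to one destination at near-constant intervals, which is the network footprint a trojan's check-in leaves regardless of how its executable was packed, and then ties the flagged process back to its first sighting, its persistence mechanism, the files it dropped and its dwell time. The pipe-delimited log formats, the process IDs, the 203.0.113.10 controller address and the beaconing thresholds (at least four connections, interval coefficient of variation at most 0.1) are all assumptions made for the example.

```python
"""Correlate endpoint telemetry with outbound connection records to surface
a beaconing process and reconstruct its timeline. Example code with
constructed sample data; log formats and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed endpoint events: timestamp|event|pid|image|detail
ENDPOINT_LOG = """\
2012-06-11T08:02:10|process|4120|C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe|parent=WINWORD.EXE
2012-06-11T08:02:11|file|4120|C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe|write C:\\Users\\alice\\AppData\\Roaming\\updater.exe
2012-06-11T08:02:12|registry|4120|C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe|set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
2012-06-11T08:04:58|process|2210|C:\\Program Files\\Internet Explorer\\iexplore.exe|parent=explorer.exe
"""

# Constructed outbound connections: timestamp|pid|destination|bytes_out
# 203.0.113.10 (documentation range) plays the attacker's controller.
NETWORK_LOG = """\
2012-06-11T08:02:30|4120|203.0.113.10:443|412
2012-06-11T08:05:05|2210|www.example.com:443|1880
2012-06-11T08:05:07|2210|cdn.example.net:443|960
2012-06-11T08:05:40|2210|www.example.com:443|2210
2012-06-11T08:07:31|4120|203.0.113.10:443|408
2012-06-11T08:09:12|2210|www.example.com:443|1530
2012-06-11T08:12:29|4120|203.0.113.10:443|415
2012-06-11T08:17:30|4120|203.0.113.10:443|410
2012-06-11T08:20:00|2210|www.example.com:443|2044
2012-06-11T08:22:30|4120|203.0.113.10:443|409
"""


def parse_endpoint(text):
    events = []
    for line in text.splitlines():
        ts, kind, pid, image, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "pid": int(pid), "image": image, "detail": detail})
    return events


def parse_network(text):
    conns = []
    for line in text.splitlines():
        ts, pid, dst, nbytes = line.split("|")
        conns.append({"ts": datetime.fromisoformat(ts), "pid": int(pid),
                      "dst": dst, "bytes": int(nbytes)})
    return conns


def find_beacons(conns, min_conns=4, max_cv=0.1):
    """Flag (pid, destination) pairs whose connection intervals are nearly
    constant. A browser hits many hosts at irregular times; a check-in
    timer produces a tight period, so the coefficient of variation
    (stdev / mean of the gaps) is the discriminator."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c["pid"], c["dst"])].append(c["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else float("inf")
        if cv <= max_cv:
            beacons[pair] = {"count": len(stamps), "period_s": round(period),
                             "cv": round(cv, 3), "first": stamps[0], "last": stamps[-1]}
    return beacons


def build_timeline(endpoint_events, conns, pid):
    """Tie a flagged pid back to endpoint telemetry: first sighting, parent,
    persistence, dropped files, destinations and dwell time."""
    mine = sorted((e for e in endpoint_events if e["pid"] == pid), key=lambda e: e["ts"])
    outbound = sorted((c for c in conns if c["pid"] == pid), key=lambda c: c["ts"])
    if not mine:
        return None
    first_seen = mine[0]["ts"]
    last_activity = outbound[-1]["ts"] if outbound else mine[-1]["ts"]
    return {
        "pid": pid,
        "image": mine[0]["image"],
        "parent": next((e["detail"].split("=", 1)[1] for e in mine if e["kind"] == "process"), None),
        "first_seen": first_seen,
        # Run-key writes are the persistence artefact an investigator wants first.
        "persistence": [e["detail"] for e in mine if e["kind"] == "registry" and "\\Run\\" in e["detail"]],
        "dropped_files": [e["detail"].split(" ", 1)[1] for e in mine
                          if e["kind"] == "file" and e["detail"].startswith("write ")],
        "destinations": sorted({c["dst"] for c in outbound}),
        "bytes_out": sum(c["bytes"] for c in outbound),
        "dwell_s": int((last_activity - first_seen).total_seconds()),
    }


def investigate(endpoint_text=ENDPOINT_LOG, network_text=NETWORK_LOG):
    """Run beacon detection over the network log, then build a timeline for
    every flagged process. Returns {pid: timeline}."""
    endpoint = parse_endpoint(endpoint_text)
    conns = parse_network(network_text)
    return {pid: build_timeline(endpoint, conns, pid)
            for (pid, _dst) in find_beacons(conns)}


if __name__ == "__main__":
    for pid, tl in investigate().items():
        print(f"pid {pid} {tl['image']} (parent {tl['parent']}) first seen {tl['first_seen']}, "
              f"dwell {tl['dwell_s']}s, {tl['bytes_out']} bytes to {tl['destinations']}")
        print("  persistence:", tl["persistence"])
        print("  dropped:", tl["dropped_files"])
```

On the constructed data the Word-spawned `invoice.exe` is flagged (five connections to one host roughly every 300 seconds) while the browser is not, and the timeline shows the Run-key persistence, the dropped `updater.exe` and a dwell time of just over twenty minutes. In practice the thresholds need tuning per environment, since legitimate software updaters also poll on a timer; the point is that the period, the parent process and the dropped file together make a much harder signal for an attacker to suppress than the hash of the packed binary.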
Having a well-educated and alert employee base makes the task of defence much easier. A creative and well-planned security awareness campaign that uses real-world phishing techniques can be used to test both the technical defences in place and the staff who are expected to handle these scenarios.
Common sense combined with best practices for securing personal information online will help users develop their digital "sixth sense" and protect themselves, along with their companies, from today's clever, socially engineered attacks, which could wreak significant havoc on a business if left unchecked.
Below are some tips that will help educate employees to some of the risks of social media and how to protect themselves and their companies:
- Do not accept invitations from individuals you do not know even if the requestor is friends with someone in your network.
- Take full advantage of the privacy settings most social networks offer and ensure information you post can only be seen by those you have accepted into your network. Be diligent about keeping your business and personal networks separate and be cognizant of the information you post on each.
- Be suspicious and cautious about information that is sent to you from people you don’t know very well especially if it is of a more personal nature you wouldn’t have shared with that individual.
- Avoid leaving clues to security questions you may have established on other more sensitive sites such as online banking – for example, the city of your birth, your mother’s maiden name.
- Bring a healthy dose of suspicion to any online interaction, looking for clues that something is just a bit off in the language or for claims about something you know not to be true.
As Webroot’s first chief information security officer, Jacques Erasmus oversees all data security measures across the business, including development, implementation, and compliance. He is responsible for managing risks related to Webroot’s information security, business continuity planning, crisis management, compliance and privacy.