Social media platforms like Twitter, Facebook and LinkedIn continue to offer an important window into brands for customers and other stakeholders. However, as the threat landscape evolves, these same platforms can also act as back doors for attacks targeted at businesses and those who work with them.
The line between personal and corporate devices has also been blurred. More and more employers have a bring-your-own-device (BYOD) policy which allows employees to access their corporate email on the same device they use for their social media accounts. And where this isn’t the case, many employees access their social media accounts on the corporate network anyway.
Either way, this opens up fresh opportunities for cybercriminals to gain access to corporate data and systems.
Identifying social vulnerabilities
There are many attack vectors which cyberattackers can exploit through social media, just as they do over other channels. It could be phishing and social engineering or malware and ransomware, but, in all cases, the attack can be launched from a single link. And just as with any other form of cybercrime, individuals are susceptible to clicking on these links and attachments, believing them to be legitimate.
In fact, according to RSA, social media may be the fastest-growing communication channel for cybercriminals. Over a six-month period, the company observed a 70 per cent growth in the volume of visible fraud activity on social media.
And if cybercriminals want to adopt a more targeted social engineering approach, then a named individual on a social media platform can be the ideal vehicle for launching an attack. It’s as simple as exploiting day-to-day business activity and using employees as the access points for attacks on organisations.
Take LinkedIn as an example: a recruiter receives an email from a potential candidate with a link to a portfolio or a CV as a PDF. There is danger in both — malware could be embedded in the PDF, or the link could take them to a convincing, legitimate-looking phishing website.
An awareness issue
The best way to mitigate the risk of social media enabled cybercrime is awareness. Ultimately, it’s an organisation’s staff who interact with pages and posts and click on links. Training them up on best practices is the first step in turning what has historically been seen as the weakest link in the cybersecurity chain into one of the strongest.
If staff are properly trained, aware of the threats and able to identify them, this goes a long way towards mitigating the risk of attacks. But user training should include more than just a one-off session. Every organisation should have an ongoing, structured training and awareness programme for users. It should provide a continuous stream of information about the latest threats, what to look out for, and best practices to employ.
The programme should also include simulations on a regular basis so that staff can be aware of the different types of attacks and how convincing cybercriminals can be — all in a safe setting. For instance, phishing assessment services, red teaming and bespoke audits can be useful for organisations to assess their own security posture.
Staff are key to protecting organisations from social media threats, and there are many things they can do to be effective against attacks. This includes keeping browsers up to date and using only reputable, well-made plug-ins, enabling multi-factor authentication on logins, using a password manager and not clicking links in unknown messages.
It’s important that any training doesn’t just cover personal channels and practices but the use of corporate channels too. As well as improperly trained employees opening up opportunities for the cybercriminal, the company may inadvertently betray itself online by oversharing information. For example, images that enable attackers to identify the location of CCTV cameras or access control systems, or posts about the suppliers and vendors the company uses. This information doesn’t even need to be shared directly. Cybercriminals are able to find it out by identifying who the company likes and follows on social media, and who likes and follows the company back.
Using red teaming to build resilience
Even with the right training processes and user awareness in place, organisations must assume that an attack will happen and focus on how to build their resilience in such an event.
Red teaming is an extremely effective way to test and build resilience. It is a full attack simulation that focuses on all areas of the organisation and tries to catch it off guard. Security experts, acting the part of cybercriminals, carry out the assessments, which cover a wide range of areas: from breaching networks and systems, to using social engineering tactics (which can be via social media), to gaining physical access to premises and devices.
Red teaming can also be goal-led, where the organisation asks the team to focus on one particular area. It could be testing employee-owned (BYOD) devices, or using social media to gain access to the corporate network.
Securing the organisation’s future
Having a successful cybersecurity posture is not only about preventing attacks. It is also about mitigating the effects of an attack if it does happen by ensuring that the business knows how to respond quickly to resume operations.
Any brand interactions on social media can be exploited by cybercriminals. That’s why working with an accredited cybersecurity consultant can help to keep organisations informed of emerging threats. It can go a long way to mitigate the evolving risks posed by social media attacks, as well as other new or long-standing forms of cybercrime.
James Smith, Principal Security Consultant & Head of Penetration Testing, Bridewell Consulting