Social media information and "social engineering" are compromising IT security: employee accounts are leaving businesses vulnerable to attackers.
It has become increasingly obvious to Security Operations Managers (SOMs) that a well-orchestrated phishing campaign can start with the compromise of an employee’s social media account. These campaigns, which can result in sensitive organizational data being leaked, are aimed at unsuspecting workers who fail to follow the practices that would ward off such attacks. In some cases, the company itself has no effective security protocols in place.
Confronting Security Violations
Attackers targeting a company have often already gathered information on the gaps in its security and seek to exploit them through psychological manipulation of employees, referred to as “social engineering.” In essence, social engineering takes advantage of the human tendency to trust someone who appears to be acting with authority. These attackers get past technical safeguards by tricking employees into compromising company security on their behalf. It is common for them to use fake identities to establish a pretense of expertise and authorization; the apparent authority instills confidence and trust, which is then used to gain further access. Deceptive phone calls or emails requesting information are used to obtain passwords, or to persuade an employee to download malware.
On social media platforms phishing is common, and the industry has responded by strengthening account security. Facebook recently partnered with GitHub to launch an account recovery feature called Delegated Recovery. Facebook intends this to be an “identity management hub” that it hopes will replace email as the user’s primary means of account recovery. Many sites respond to a lost password by sending a reset link or temporary password to the user’s email account, which may itself be compromised, so a single compromised mailbox can cascade into every account that recovers through it. Breach dumps often include the answers to security questions as well, so changing a password alone does not lock the attacker out: the attacker can simply reset it again, and the compromise spreads from one account to another.
Yahoo’s email accounts were breached in August 2013, an attack that exposed the security information of up to a billion users, and again in 2014, affecting a further 500 million accounts. In both attacks passwords (in hashed form) and security questions and answers were stolen, though Yahoo stated that payment card and bank account information were not stored in the affected system. Clearly the attackers were able to bypass even the considerable resources of a major company. Once data has been stolen, it is likely to be sold and resold; criminals can make millions from such sales, which provides a considerable incentive for information theft to continue.
Facebook hopes that their new recovery program will provide a solution to these attacks. The company intends Delegated Recovery to improve not only their own account security, but security everywhere. “We’re building this and giving it away because recovery is a problem every online service shares,” said Facebook security engineer Brad Hill. “Recovery isn’t a product, it’s a foundation. Secure access is the foundation on which we build all our other products.”
Personal Security and OPSEC
Given the proliferation of social media information breaches, there is a tendency for individuals to write cybersecurity off as a lost cause. Many, and perhaps most, major online services have experienced some sort of security breach; the list of compromised services includes Yahoo, LinkedIn, eBay, and MySpace. Nonetheless, there are steps that individuals can take to uncover and address violations of their personal information. The New York Times published an interactive article in December 2016 listing some of the major hacking incidents of the preceding three years. Though the list is admittedly incomplete, discovering whether or not you have been hacked is an important first step in addressing the issue, especially since the chances are good that your security has been compromised even if you don’t know it. John Chambers, CEO of Cisco, reportedly said, “There are two types of companies: Those that have been hacked, and those who don’t know they have been hacked.” The same might be said of individuals.
The steps to strengthening personal security are known to most people. Until tools like Facebook’s Delegated Recovery are widely adopted and proven effective, being more careful with passwords is a good start. In pursuing this strategy, remember that the password strength meters encountered on websites generally give inaccurate assessments: they typically reward character-class variety, so a predictable password such as a dictionary word with a capital letter, a digit and a symbol added scores well even though it appears in breach lists. A more effective strategy is a password manager that generates a unique, long, random password for every site. While this may seem inconvenient, with a password manager the only password one must recall is the one that unlocks the manager itself. That one should be long and complex, but committing a single such password to memory is within the capacity of most people.
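As an added illustration (not code from the original article or from any password manager vendor), the following Python shows three things the paragraph above describes: what a password manager’s generator actually does and how much entropy it yields, why a naive strength meter overrates a predictable password, and how a password can be checked against breach data without sending it anywhere in full, using a hash-prefix lookup in the style of the k-anonymity range query used by Have I Been Pwned’s Pwned Passwords service. The breached-password list and the meter heuristic are constructed for the example.

```python
import hashlib
import math
import secrets
import string

# A password manager draws from the full printable set: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a leaked-credential corpus (a Yahoo- or LinkedIn-style dump).
# Only SHA-1 digests are kept, as public breach-checking services do, so the checking
# side never needs the plaintext list.
_CONSTRUCTED_BREACHED = ["password", "P@ssw0rd1!", "Summer2016!", "letmein", "qwerty123"]
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _CONSTRUCTED_BREACHED}


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every character from the OS CSPRNG (secrets), as a password manager does.
    random.choice would be the wrong tool: its generator is not designed to be unpredictable."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_password_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password is length * log2(alphabet size);
    20 characters over 94 symbols is about 131 bits."""
    return length * math.log2(alphabet_size)


def naive_meter_score(password: str) -> int:
    """Constructed imitation of a typical website strength meter: one point each for
    length >= 8, a lower-case letter, an upper-case letter, a digit and a symbol (max 5).
    It measures character classes, not guessability, which is why 'P@ssw0rd1!' scores 5/5."""
    checks = [
        len(password) >= 8,
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(checks)


def breach_check_by_prefix(password: str) -> bool:
    """Range-query lookup in the style of k-anonymity breach APIs: only the first five
    hex characters of the SHA-1 would leave the client; the 'server' (simulated here
    with the local set) returns every stored suffix under that prefix and the client
    completes the match locally, so the full hash is never disclosed."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # Simulated server side: everything it knows about this prefix, suffixes only.
    returned_suffixes = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in returned_suffixes


def assess(password: str, min_length: int = 12) -> dict:
    """Combine the signals. A breached password is unusable whatever the meter says."""
    breached = breach_check_by_prefix(password)
    return {
        "meter_score": naive_meter_score(password),
        "breached": breached,
        "acceptable": (not breached) and len(password) >= min_length,
    }


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", generate_password(20)):
        print(repr(pw), assess(pw))
    print("entropy of a 20-char generated password: %.0f bits" % random_password_entropy_bits(20))
```

Run as a script, the constructed “P@ssw0rd1!” earns a full 5/5 from the meter yet is rejected because it is in the breach set, while the generated password passes with roughly 131 bits of entropy. The prefix lookup is the point to keep: a real check against a public breach corpus should send the five-character prefix only, never the password or its full hash.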
SOMs require a more complicated set of protocols, and will likely commission an assessment to gauge the level of threat facing their company and use the results to determine the organizational response. According to Rick Holland, vice president of Digital Shadows, there are two things for companies to remain focused on: “One, how do you think about your own OPSEC? [Operational Security] And then, two, how do you keep an eye on what adversaries are doing to see if you can keep up with the trends.”
Not all hackers have the same level of skill or the same motivations. Some hacker organizations deliberately practice poor operational security of their own so as to leave a footprint, cultivate notoriety and advance a brand of sorts; the hacktivist group Anonymous fits this profile. Other hackers are more secretive, preferring to keep their activities known only to the groups who purchase their stolen information.
To a large extent, a Security Operations Manager’s most effective response is proactive; the first line of defense in operational security is keeping company information out of social media accounts. SOMs can’t prohibit employees from having such accounts, but they can restrict the use of company data in them. Operational security failures commonly stem from inadequate operational resources and impatient employees. For example, an employee may need access to company data while away, perhaps on site with a client, and in anticipation of that need forward sensitive information to a personal account. Or an employee may be required to enter a company email address for a vendor or third party when no secondary, safe email account has been provided. SOMs who anticipate these likely workarounds will be better able to ward off the resulting threats. Those who wish to remain proactive must maintain clear avenues of communication with employees, especially those working with clients on the front line. This may be the best way to keep important company data safe from prying eyes.
Social media, a technology intended to improve communication, is most easily breached by social engineering, which works through direct human interaction; yet social media is best secured by direct human communication of effective security policies. This is the ultimate irony of OPSEC: humans remain both the best offense and the best defense in the ongoing battle for cybersecurity.
Tame the Ever-Increasing Flow of Information
InfoDesk has created the world’s smartest platform for managing and sharing information. With our comprehensive solutions, you can bring all your information together, filter and select relevant content, and deliver the right intelligence to the right people. InfoDesk has been providing actionable intelligence to multinational corporations, government agencies and other organizations since 1999. InfoDesk is based in New York with offices in London, Washington, DC and India.