SOCIAL MEDIA DANGERS: WHAT EVERY “SOCIAL BUTTERFLY” SHOULD KNOW

Social Networking Security Risks – Best Practices for Creating a Culture of Security
Page 1

SOCIAL MEDIA DANGERS: WHAT EVERY “SOCIAL BUTTERFLY” SHOULD KNOW

Social Networking Security Risks – Best Practices for Creating a Culture of Security

Page 2

Friending, following, tweeting, instagram-ing, checking in and linking up… In today’s ever connected world, people all over the globe are utilizing social media.

Employees are quick to bring social tendencies into the workplace, creating a hot-spot of security vulnerabilities and a new attack vector.

Social media, although evolving, is here to stay. The goal of many organizations is finding a balance between encouraging employees to utilize social media for business, while staying mindful of the potential security issues.

Page 3

Knowledge is power, and the best way to avoid unwanted attacks is to understand the dangers of social media from a security standpoint and to implement solutions for smarter socializing.

In this “Perspective” we look at the following:

• Primary tactics used to exploit online social networks

• Real world scenarios of social engineering through social media sites like Facebook, Twitter and LinkedIn

• Best practices to mitigate risks

Page 4

Social Butterfly Beware

Smishing, baiting, pharming, doxing and clickjacking… No, these are not episodes of a reality show on a sports and outdoor channel.

These are uncommon names for common tactics used by social hackers who leverage social media channels to gain access to sensitive data: devious characters with more nefarious interests than simply liking a post or commenting on a photo.

These social engineering gurus are utilizing social media sites such as Facebook, Twitter and LinkedIn, among others, to approach, track and attempt to take down entire organizations.

Did You Know?

• 25% of Facebook users don’t bother with any kind of privacy control

• As of 2012, 17 billion location-tagged posts and check-ins were logged

• There were 175 million tweets sent from Twitter every day in 2012

• There are 575 likes and 81 comments by Instagram users every second

Page 5

SOCIAL ENGINEERING. THE CLEVER MANIPULATION OF THE NATURAL HUMAN TENDENCY TO TRUST.

Page 6

TRICKY TRICKS OF THE TRADE

Social Engineers (AKA: Hackers) do not care whether you are an entry-level employee or the CEO of an enterprise. These highly trained individuals leverage their skills to attack all levels within an organization through new media and online tactics. Using proven methods they can gain access to sensitive information, destroy reputations and cost enterprises billions in clean-up and recovery.

Spear phishing
Occurs when a user receives a fake email from a hacker posing as a colleague. The email contains a malicious link or a file infected with malware.

Clickjacking
The concealment of hyperlinks beneath legitimate content, which leads the user to unknowingly perform damaging actions such as downloading malware or sending their ID to a site. Numerous clickjacking scams have employed “Like” and “Share” buttons on social networking sites.

Elicitation
The strategic use of conversation to extract information from people without giving them the feeling they are being interrogated.

Doxing
The technique of tracing someone or gathering information about an individual using sources on the internet.
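Clickjacking as described above works because the target page can be loaded inside a frame on an attacker-controlled page. A site defends itself by telling browsers who may frame it, through the Content-Security-Policy `frame-ancestors` directive or the older `X-Frame-Options` header. The following Python is an added example written for this page, not code from the deck or from Digital Defense, Inc.: it evaluates a response's headers the way a browser would (CSP first, then the legacy header) and classifies how well the page is protected. The sample responses are constructed for illustration.

```python
"""Assess whether an HTTP response lets the page be framed by other sites.

Added example, not from the deck. The defences evaluated here are the
standard Content-Security-Policy frame-ancestors directive and the legacy
X-Frame-Options header; the sample responses below are constructed.
"""
from __future__ import annotations

from typing import Mapping


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source, ...]}.

    A directive repeated within one policy is ignored after its first
    occurrence, so the first value wins (setdefault).
    """
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def framing_verdict(headers: Mapping[str, str]) -> str:
    """Classify framing protection as 'blocked', 'same-origin',
    'allowlisted' or 'unprotected'.

    Browsers that understand frame-ancestors ignore X-Frame-Options when
    both are present, so the CSP directive is evaluated first.
    """
    lower = {name.lower(): value for name, value in headers.items()}

    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            sources = [s.strip("'").lower() for s in ancestors]
            if sources == ["none"]:
                return "blocked"
            if "*" in sources:
                return "unprotected"
            if all(s == "self" for s in sources):
                return "same-origin"
            return "allowlisted"

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM was never standardised and current browsers ignore it,
    # which leaves the page frameable everywhere: treat it as unprotected.
    return "unprotected"


# Constructed sample responses, keyed by a label for the report.
SAMPLE_RESPONSES: dict[str, dict[str, str]] = {
    "hardened": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    },
    "legacy-header-only": {"X-Frame-Options": "SAMEORIGIN"},
    "partner-embed": {
        "Content-Security-Policy": "frame-ancestors 'self' https://partner.example"
    },
    "obsolete-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "no-protection": {"Content-Type": "text/html; charset=utf-8"},
}


def audit(responses: Mapping[str, Mapping[str, str]]) -> dict[str, str]:
    """Run framing_verdict over many responses; returns {label: verdict}."""
    return {label: framing_verdict(hdrs) for label, hdrs in responses.items()}


if __name__ == "__main__":
    for label, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{label:22} {verdict}")
```

Headers are set per response, so a real audit has to fetch every page that renders a clickable action (a "Like" or "Share" control, a settings form) rather than only the home page; a `partner-embed` verdict is only as safe as the listed origins.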

Page 7

ATTENTION EMPLOYEE -

Does This Sound Like You?

You arrive at the office. It is cold and rainy outside. Once again the security guard who unlocks the door to the office building is late. You are bored and frustrated, so you pull out your smart phone and Tweet to the world,

“I hate waiting for the security guard who is always late! #atmyoffice”

Your friends may laugh, sympathize or even comment. No harm in that, right? Wrong!

You may have unwittingly exposed your employer and yourself to a security attack.

Random, rare, only something you read about? Think again. Information is power, and in this scenario you have just provided a potential hacker with key insight into not only your schedule but also your employer’s potential vulnerabilities, and a potential attack vector due to the security company’s lack of vigilance.

All can be used as inside knowledge when searching for vulnerabilities and planning an attack.

Page 8

ATTENTION EMPLOYEE -

Does This Sound Like You?

Your business is growing. You are looking to hire new employees to help you meet market demands. Like most in your industry you post a job description for the new employment opportunities on your corporate LinkedIn page.

You receive a candidate response via email and open it. That email carries malware connected to the ZeuS/Zbot Trojan, which, according to the FBI, is commonly used by cyber criminals to defraud US businesses. The embedded malware allows the social engineer to obtain online banking credentials, which costs you thousands of dollars in business.

“Malicious attachments have become such a problem that many organizations now require job seekers to fill out an online form rather than accept resumes and cover letters in attachments.” – Chris Hadnagy author of Social Engineering: The Art of Human Hacking.

Page 9

ONCE INFORMATION IS POSTED TO A SOCIAL NETWORKING SITE, IT IS NO LONGER PRIVATE. THE MORE INFORMATION YOU POST, THE MORE VULNERABLE YOU BECOME.

- FBI

Page 10

COMMON SOCIAL MEDIA SCAMS THAT CAN LEAD TO A HACKED ACCOUNT

Help! I Need Money
Often referred to as the 419 scam: a victim is approached via Facebook messaging or IM by a friend pleading for help due to a robbery or other tragedy.

See Who Viewed Your Profile
“OMG OMG OMG… I can’t believe this actually works! Now you can really see who viewed your profile!” As tempting as it is to want to know who has been checking out your posts and photos, this Facebook scam and fake app are not worth the risk.

Embarrassing Videos
Racy, embarrassing and inappropriate videos are how this clickjacking scam gets your attention and your personal information.

Free Gift Card
Starbucks, Best Buy or Cheesecake Factory free gift cards and special offers are promotions that you will never be able to cash in on. Remember, if it sounds too good to be true, it probably is.

Page 11

COMMON SOCIAL MEDIA SCAMS THAT CAN LEAD TO A HACKED ACCOUNT

Dislike Button
This much sought-after option, although requested often by Facebook members, does not exist and is a classic spam scam.

Get Rich Quick
“Make thousands working from home!” “EZ way to make some extra cash!” These bogus offers, predominantly delivered via Twitter, will leave you in the hole and in a poor mood.

Special Mentions
“Is this you in this video?” “Have you seen this photo of you?” Both Facebook and Twitter serve up bad links with these attention-grabbing mentions.

Confirm Your LinkedIn Account
A successful phishing lure designed to capture your private information.

Page 12

Safer Socializing

Be Mindful of Your Check-Ins
Many utilize social media sites that allow users to “check in” at restaurants, retailers and event locations. Some do it for discount incentives while others do it to let their friends and family know their whereabouts. What most people fail to remember is that this information is intelligence for those looking to better understand your schedule, habits and potential opportunities for a strategic attack.

Activate Privacy Settings
Look at the privacy settings for the social media services that you utilize and make certain that you are only sharing information with people you know.

Password Protection
Don’t forget the importance of utilizing a secure password for your different social media accounts. If your password is your first-born son’s name or the college you attended, this is like giving candy to a baby when it comes to the criminal mind intent on hacking into your account.

Smart Resources

• Bitdefender Safego

• 2012 antivirus

• OpenDNS

• Whitehouse.gov

• MyPageKeeper

• StopTheHacker

• Malwarebytes

• SocialShield

• ZoneAlarm Firewall

• Minor Monitor

Page 13

CREATING A CULTURE OF SECURITY – BEST PRACTICES

• Disable scripting and iframes in your internet browser of choice

• Turn off “HTTP TRACE” support on all webservers

• Do not share information about yourself, family and friends be it online, in print or in person

• Be leery of domain names with misspelled words

• Type in the URL into your browser to view vs. clicking on a link shared via social media or email

• Get to know your co-workers and clients and beware of impersonators

• Disable Global Positioning System (GPS) coding in items that you might not normally think of, such as your digital camera.

• Use multiple layers of security throughout your network

• Establish policies and procedures for intrusion detection systems on company networks

• Establish clear policies about what company information can be shared on blogs and personal social sites. Stay diligent and enforce

• Provide annual security training

• Avoid accessing banking accounts from public computers or through public Wi-Fi spots

• Don’t provide information about yourself that will allow others to answer your security questions (I forgot my password key questions)

• Report suspicious incidents

(source: FBI)
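Two of the practices above, being leery of misspelled domain names and typing a URL yourself instead of clicking a shared link, can be turned into a check that a mail gateway or an awareness tool runs over the links people share. The Python below is an added example written for this page, not code from the deck or from Digital Defense, Inc. It extracts the registrable domain from a link, flags a trusted brand name used inside some other domain, and flags domains within a small edit distance of a trusted one before or after folding common look-alike characters (0 for o, 1 for l, rn for m). The `TRUSTED_DOMAINS` allowlist, the `HOMOGLYPHS` table and the sample links are all constructed; the two-label domain assumption is noted in the code.

```python
"""Flag links whose domain looks like a misspelling of a trusted one.

Added example, not from the deck. TRUSTED_DOMAINS, HOMOGLYPHS and the
sample links are constructed for illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed allowlist standing in for the brands an organisation expects.
TRUSTED_DOMAINS: tuple[str, ...] = (
    "facebook.com",
    "twitter.com",
    "linkedin.com",
    "example-corp.com",
)

# Common look-alike substitutions (constructed, not exhaustive). The raw
# domain is compared as well as the folded one, so folding only adds matches.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def hostname(url: str) -> str:
    """Lower-cased host of a URL; a bare 'host/path' gets a scheme added."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host.

    Assumption for brevity: a two-label registrable domain. A real deployment
    would consult the public suffix list to handle e.g. example.co.uk.
    """
    return ".".join(host.split(".")[-2:])


def fold_homoglyphs(text: str) -> str:
    for lookalike, letter in HOMOGLYPHS.items():
        text = text.replace(lookalike, letter)
    return text


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the classic two-row dynamic programme."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,                  # deletion
                               current[j - 1] + 1,               # insertion
                               previous[j - 1] + (ca != cb)))    # substitution
        previous = current
    return previous[-1]


def classify_link(url: str, trusted=TRUSTED_DOMAINS,
                  max_distance: int = 2) -> tuple[str, str | None]:
    """Return (verdict, trusted domain the link resembles or None).

    'trusted'   the registrable domain is on the allowlist
    'lookalike' a trusted brand name sits inside another domain
                (facebook.com.evil.example, facebook-login.com), or the
                domain is within max_distance edits of a trusted one before
                or after homoglyph folding (faceb00k.com, twiter.com)
    'unknown'   neither trusted nor obviously imitating a trusted domain
    """
    host = hostname(url)
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted", domain

    for t in trusted:                       # brand name reused as a subdomain or label
        if t.split(".")[0] in host:
            return "lookalike", t

    folded = fold_homoglyphs(domain)
    best: tuple[int, str] | None = None
    for t in trusted:
        distance = min(levenshtein(domain, t), levenshtein(folded, t))
        if distance <= max_distance and (best is None or distance < best[0]):
            best = (distance, t)
    if best is not None:
        return "lookalike", best[1]
    return "unknown", None


# Constructed sample links of the kind that circulate in posts and messages.
SAMPLE_LINKS = [
    "https://www.linkedin.com/jobs/view/123",
    "http://faceb00k.com/login",
    "twiter.com/verify",
    "https://facebook.com.evil.example/",
    "https://news.example.org/post/1",
]


def audit_links(urls) -> list[tuple[str, str, str | None]]:
    """(url, verdict, resembled domain) for each link."""
    return [(u, *classify_link(u)) for u in urls]


if __name__ == "__main__":
    for url, verdict, resembles in audit_links(SAMPLE_LINKS):
        print(f"{verdict:9} {url}" + (f"  (looks like {resembles})" if resembles else ""))
```

A `lookalike` verdict is a reason to type the genuine address into the browser rather than follow the link; `unknown` means only that the domain imitates nothing on the allowlist, not that it is safe.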

Page 14

Knowledge is Power

Social media is here to stay, be it at home or at the office. Social engineering, system compromises, and employee and third-party negligence are all contributing factors to security breaches. Just as it is important for organizations to protect their networks from attack, it is essential that they effectively educate their employees to fend off costly attacks which target employee vulnerabilities.

Effective security awareness training for your employees and clients can improve your overall security posture, and could be the most important investment you make this year.

DDI’s Security Awareness Education program, SecurED™ helps organizations provide relevant, entertaining, web-based training that helps to establish a culture of security.

SecurED™

A security awareness education program from Digital Defense, Inc. (DDI), combines serious security expertise with fun, engaging characters to deliver memorable messages that employees can access anytime, anywhere from virtually any device.

• Emmy® award-winning comedy sketch writer

• Hollywood talent

• Fun & Engaging

• Convenient

• Cost-Effective

• Training That Sticks

LEARN MORE ABOUT SecurED™