
Death by social media

Level 9

In my last article, The human factor, I discussed how you could have the most secure technology that currently exists in place and that could all amount to nothing if an attacker can persuade one of your users to do their bidding. In this article, I want to focus on a particular topic that fits in nicely: social media. There are apparently as many definitions of social media as there are people who use it, but in the context of this article, I am referring to online services that people use to dynamically share information and media. Examples of such services include Facebook, Twitter, Instagram and YouTube.

The world has certainly changed a lot in the last 10 years, when these kinds of services really took off. There has been a massive culture shift from people sharing things via snail mail, to email, to social media. Most businesses have a presence across a number of social media sites as applicable, and the vast majority of workers expect to be able to use them for personal use whilst at work. I could go on a rant here about the business risk caused by the lost productivity as social media addicts check in to their accounts every few minutes, but I don't want to be a party pooper. Instead, I will use my shield of security to justify why access to social media, especially from work computers but also on personal equipment on the office network if you have a BYOD policy, presents a risk to businesses that can be difficult to mitigate.

Why? It goes back to the theme of my last post. People. There was a time when we seemed to be winning the battle against the bad guys. Most people (even my Dad!) knew not to be clicking on URLs sent in emails without going through a number of precursory checks. With the previously mentioned culture shift, we have now become so used to clicking on links that our friends and family post on social media that I doubt if the majority of people even stop to think about what they are just about to click on.

Consider that people who are active on social media are checking their various feeds throughout the day and you have a recipe for disaster just simmering away, ready to boil over. If you have a loose BYOD policy, or are one of those organisations that gives users local admin accounts (ya know, just to make it easier for them to do their jobs), or your training programme doesn't include social media, then you are opening yourself up to a massive risk.

I used to have a colleague many years ago who, having witnessed somebody at work send a trick URL to another colleague which got that person in hot water, told me "you are only ever one click away from being fired". That's a pretty harsh take, but perhaps "you are only ever one click away from data loss" might be a better message to share across your company.

As always, I'm really keen to hear your thoughts on the topic of today's post.

Level 14

This topic makes me think about our use of social media sites like Facebook and Twitter. First of all, I see a lot of (what I think of as) oversharing -- both personal and professional stuff. Hackers, identity thieves and even current and/or potential employers love oversharing folks. The more stuff they can find out about you, the more they can use -- oftentimes against you.

By the way, I too do not wish to be a party pooper. Still, to paraphrase Benjamin Disraeli... Prepare for the worst, but hope for the best. In this day and age, we should expect that anything and everything we post can and will be used against us. Yes, I know it is not fun, but I think that's our reality.

Let's be careful about our posts in social media... lest we dig our own virtual graves.

Level 9

Thanks for your thoughts, mr.e, and I agree.

Level 15

Good topic and excellent post. mr.e, your comments were right on par with what I was thinking. The oversharing of information makes social engineering so much simpler. We need, as security professionals, to educate and do as much as we can to encourage sharing only what needs to be shared. Vegaskid, I appreciate the thought-provoking posts.

Level 9

Thank you very much jkump for your kind words.

Level 12

all about focus on social media

Level 18

This is pretty much spot on... 

Level 13

If I had a dollar I could donate every time someone shared a photo of a sick kid on Facebook... Like chain emails, sadly the social engineering attacks prey on the user thinking "what harm could this do?" I know there's a chance Disney isn't giving away family holidays, but it's going to take me 5 seconds to share it just in case they really are. No harm done. Thankfully I think our security software has evolved to help mitigate suspicious URLs (though nothing will be bulletproof), as announced by Microsoft with their new Exchange Online Protection features (including quarantining suspicious URLs in emails). But at the end of the day, we'll still have people who will click on something. You can understand why sys admins shudder at uncontrolled allowance of BYOD, especially in smaller organisations who have it in the too-hard basket.

Level 17

That reminds me of Audi forever giving away a couple of R8s. As if! But it would be nice.

We don't have any blocking at work but the onus is on the employee. They agree to adhere to our internet usage policy. Other than mobile phones we don't have BYOD.

Level 9

And don't get me started on the 'if you don't share this post, a kitten will die' nonsense!! ;-)

Level 14

C'mon, Vegaskid. Have a heart... Save a kitten!!!