IT security and social networking are not friends. We were comfortable with our castles and perimeters. Before social networking, there was a place for everything.
Now, social networking has wrecked our castles and erased our lines. Here we will take a higher-altitude view of social media and IT security.
The key to this problem is connectivity. Social media sits upon layers of technology — mobile communications, the miniaturisation and optimisation of hardware, and the maturity, diversity and pervasion of software.
The concept of inside and outside is no longer very useful. Most people think and do work outside the office. Most people bring bits of their home life into the office. Private individuals own the devices and online accounts. Work information and personal information are now intermingled, as are the related behaviours, locations and times.
The tangible issues remain the same – personal welfare, data protection, sabotage, remote control, various HR issues, reputation and so on.
The methodology of the bad guy is changing. Multi-layered attacks are now his tools of trade.
Compound Attack Techniques
Rather than the simple attacks of the past, such as a blast of Ethiopian spam, one threat type is now combined with others. The combination attack is designed to better subvert orthodox security controls, as well as to increase accuracy and efficiency. Spam delivery now uses personal messaging within social networking applications and combines with many other elements of social media to defeat our defences.
For the organisation, the hyper-connectedness of the world has further increased the attack surface:
- Cloud features plus mobile device applications mean lots of different use cases and lots of variables in social networking activity.
- BYO devices: staff connect from home with phones and tablets. Who knows what’s out there connecting to your data.
These days, anyone can rent or build an attack system that automates multiple social media techniques. The following are the three broad varieties of attack to consider:
The first are attacks based on economies of scale, launched without prior knowledge of the individual victims. They are typically brief, use a single methodology and show low persistence.
Example 1: Classic Twitter attack — Cross-site scripting
- The bad guy creates a few new twitter accounts.
- He uses auto-follow and auto-reply scripts to connect to a large number of real active users.
- When some of those users look at his Twitter profile, they get injected with another script, sending them to download malware from another site.
- The malware then looks for vulnerabilities on the victim’s device to do something sinister.
The second are techniques based on specific knowledge about the victim. While more sophisticated, this method is generally standardised and of low persistence.
Example 2: Facebook attack — spear-phishing
- The bad guy buys a real, hacked Facebook account password.
- Impersonating, he joins an alumni or ex-employees’ group.
- He befriends other group members.
- Once friends, he harvests personal data and other contacts from victims’ Facebook accounts.
- He sends event invitations to other contacts containing a link to malware.
- The malware gains closer access to the new victims’ computers and does something sinister.
APT — Advanced Persistent Threat
The Advanced Persistent Threat is a term describing cyber-attackers that have:
- significant resources, including high levels of expertise, research and intelligence;
- prioritised and purposeful targets. They do not rely on opportunistic methods of selecting targets;
- a potent mix of intent and capability to execute attacks.
Generally, the APT is interested in defence, finance, manufacturing and research, as well as other targets related to political and economic objectives. The problem for the rest of us is that we might employ the sister-in-law of someone of interest to the perpetrator of an APT assault. Via social media connections, our IT system can unknowingly become collateral damage and end up being an owned drone, controlled by an APT enemy.
The APT ideally wants long-term access to target systems and will make gradual and quiet progress to become embedded.
The APT makes extensive use of social media for intelligence gathering. They use statistical and psychological expertise to create automated techniques to improve their strike-rate.
For example, they will use personality trait tests to design a software program that trawls social media content (posts, tweets, etc.), recognises certain things about the content, and uses that knowledge to identify individuals that meet certain criteria. These criteria might be:
- friend of employee of target organisation
- exhibits tendency towards introversion
- exhibits indicators of low decisiveness
- exhibits wider-than-normal variation in language used.
All individuals matching that list would be sent a certain type of spear-phishing email in the hope that they are more likely to click on the link, or more likely to suffer from a particular vulnerability.
The APT will use sophisticated techniques to improve their customisation and their ability to predict results, such as statistical correlation and regression testing.
They will generally escalate their sophistication as the victim responds to the attack, using adequate effort at each stage, without wasting energy on excess activity.
The two main areas of defence are:
- protecting your information
- protecting against vulnerabilities in the social networking software environment.
Consider defensive principles. For example, Feature = Vulnerability. Disposal of unused software will reduce your attack surface. What else will reduce your exposure in this way? Close unused online accounts. Social media applications infamously get live access to loads of private information. Your policy should reflect this fact.
Supporting the use of varied digital platforms is an inescapable chore for IT operations. The associated security concepts don’t have to be complex. Get advice from others who have been through similar decisions and talk to a few different consultants. Find a way to get a simple and functional view of the pressure-points. Generally these are:
- interaction and access levels among corporate network, mobile devices, social media and the cloud (synchronising what data, what password)
- data retention (documents, chats, transactions, forensics)
- personal versus work activity — how wide is the grey line?
- use multiple malware and intrusion detection methods.
If you can isolate or aggregate your internet connections, such as with a corporate office network, you can install an appliance that will intercept, retain and allow review of all social networking content such as posts, chats, photos or Gmail messages and attachments. Generally, these appliances are part of a mature information assurance program and issues such as consent, handling, review and escalation have been addressed diligently. Such appliances prove invaluable in investigations and disputes. They demonstrate the value in well-planned, proactive security spending.
For larger organisations, there are more sophisticated examples of the same kind of forensic technology.
Reduce the size and quality of your social media footprint.
It is critical that everyone participating becomes more familiar with social networking applications, their context and associated behaviour. For example, what are the security effects of tagging a friend in a photo?
To drive a car, we need to know about the brakes. We need to know how to apply the brakes and what situations call for their use. It should also be an obligation to have personal knowledge of online safety. The trust created by social media connections puts your friends and connections at such risk that it is only polite to take due care.
Technical-only solutions, such as firewalls and anti-virus software, cannot protect us. As individuals, we can read, listen and
As organisations, we can:
- Take high-level views of our protective posture and identify decision principles that provide easy wins.
- Engage vocational training expertise to educate users more effectively. Create champion users that advise others and propagate the desired security culture.
- Be more innovative in developing business cases for security improvements. Seek ways to create and identify economic benefits in each technical idea. I don’t mean academic illusions, I mean real cost advantages. There are always opportunities to improve cost outcomes. Persist.
- Seek ways to exchange knowledge about security efforts and results. Use formal relationships, such as industry associations, and informal professional and personal relationships such as a schoolmate that now works across the road, to discuss successes and pitfalls that might be common to others in similar positions. Don’t be shy.
The culture of some executives and other VIPs having informal exemptions from bits of policy can be quite dangerous. While it’s probably silly to hope for this to cease completely, it’s important for those exempted to have some understanding of the principles at hand. The adage that you must know the rules in order to break them is most pertinent here. If you must break the rules, please do so without hanging the treasure out for all to see.
While it appears that social media and the threat landscape are becoming more complex, find opportunity in this perception. Higher numbers mean better samples and better quality research. Draw simple inferences from your overall observations and look for efficient and rudimentary solutions.
Kim Khor is a computer forensics expert. Kim consults on network security, incident response, risk and compliance, investigations and electronic evidence management in the Asia Pacific region and can be contacted at firstname.lastname@example.org