Social Networks Are 'Huge Boondoggle for Bad Guys'
Social networks give cybercrooks a potentially powerful point of leverage, sometimes allowing them to launch sophisticated attacks against businesses. However, companies may be reluctant to institute a zero-tolerance ban on all forms of online social networking. A balance of good education, good policy and good technology must be struck.
You've gotta love social networking. It lets us make zillions of "friends" all over the world, it's making corporations scramble to meet customer requirements, and it's made Mark Zuckerberg and a few other people very, very rich.
Unfortunately, cybercriminals are among those other people enriched by social networking.
For instance, it's believed cybercriminals mined data on social networks before launching highly targeted attacks that let them breach the systems of companies like RSA and Epsilon recently.
"The social media world has been a huge boondoggle for bad guys, not just in digging up information about you, but also in the vector of attack," said Stuart McClure, general manager, SVP and CTO of the risk and compliance unit at McAfee. "Bart Simpson used to put 10 megaphones together and whisper so it became a huge cacophony of sound. Much the same thing is happening with social media."
McClure's remarks were made at a panel on "Security, Privacy and Risk Considerations in a Social Networked World," held at the Information Technology Security Entrepreneurs Forum at Stanford University recently.
Other problems that crop up in a social networked world include a lack of privacy, and possible weaknesses in the security of the networks themselves.
Cybercriminals and Social Networks
Social networks have proved to be a rich hunting ground for cybercrooks.
They let the bad guys hit hundreds or even thousands of victims with simple attacks such as spoofed, or faked, messages from their friends containing links to sites with malware. Cybercriminals have taken the next step, now scouring social networks for information about prospective targets before launching their attacks.
"The use of social media as an attack vector by malware authors has grown at a pace equal to or even greater than the general use of social networks as a communication medium," James Brooks, director of product management at Cyveillance, told TechNewsWorld.
That's due to the increasing popularity and use of social networks; the availability of tools that can help mask malware threats, such as URL shortening; and a lack of awareness about security on the part of consumers, Brooks said.
Corporations are increasingly being exposed to hacking by savvy cybercriminals who glean information about their employees from social networks.
Controlling Social Network Exposure
Are corporations in general at risk from cybercriminals mining social network sites for data on their employees for use in targeted email attacks? It's quite likely.
If RSA, which itself is in the IT security business, can be hit by cybercriminals leveraging social network sites, which corporation is safe? And what can be done about it?
"CIOs don't know how to deal with the problem of social networks, even though social networking's one of the most widely used technologies today," Russell Thomas, a Ph.D. student in computational social science at George Mason University, told TechNewsWorld.
That makes them vulnerable. Add in budget and time constraints and the inadequate solutions offered by vendors and you have a powder keg just waiting to go up.
"There's only so much time in the day; CIOs have only so much budget, and they look at solutions offered by vendors -- Microsoft, Google, Facebook and so on," Thomas said. "But there's a gap between what social networks enable and the security they offer, and the people who are best at exploiting the gap are the marketers and the cybercriminals."
Instituting corporate policies banning or restricting access to social networks on office computers may not be an acceptable solution.
"You have to enact policies people will follow," Thomas explained. "People under 30 are used to social networks and mobile devices, and they may not follow restrictive policies."
For example, the United States military initially banned social networks, then allowed them and now encourages their use because "it makes the troops feel less disconnected from their families, so they're willing to go into the field again," Thomas stated.
What about people limiting the amount of data they put on social networking sites? After all, we don't walk into a shopping mall and begin showing perfect strangers photos of our family and telling them personal details about ourselves. Shouldn't we apply those same precautions on social networking sites?
"From a pure security perspective, yes, we should," Mickey Boodaei, CEO of Trusteer, told TechNewsWorld. "However that would defeat the entire purpose of social networks, which is sharing."
For example, people sign up to LinkedIn to get job offers and business offers, Boodaei explained. They need to expose their names, titles and resumes.
That's all the information cybercriminals need to create carefully targeted email attacks, Boodaei said. "Trying to limit the use of social networks or the content we share on these sites is not likely to succeed," he warned.
Education Is Not Enough
Many security experts suggest corporations implement more user training and education programs.
"While there is no silver bullet to eliminate all threats, education is certainly the key approach, and what you should do first and repeat often," Cyveillance's Brooks said.
"With intelligence gained about potential targets from social networks as well as other areas on the Internet, criminals can obtain the information needed to craft emails that will fool even the most savvy of users," Brooks added.
Brooks is talking about training employees to adopt a security-conscious point of view. That would include refraining from opening unsolicited emails or clicking on embedded links or attachments without ascertaining the sender's identity first.
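As an added illustration (not from the article or any of the companies quoted in it) of the automated check that can back up this kind of training, the script below triages a constructed email for the two warning signs the panel describes: a familiar "friend" name sitting on an external mailbox, and a link whose shortened or mismatched destination hides where it really goes. The shortener list, the internal domain and the sample message are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed values for this example: a short list of public URL shorteners
# (the masking tools the article mentions) and the company's own mail domain.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
INTERNAL_DOMAIN = "example.com"

# Matches <a href="...">display text</a> in a simple HTML body.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample message: a spoofed "colleague" on an outside domain
# sending a shortened link whose visible text claims a different destination.
SAMPLE = """From: Alice Jones <alice.jones@mail-example.net>
To: bob@example.com
Subject: Photos from the conference
Content-Type: text/html

<p>Hi Bob, here are the pictures I promised:</p>
<a href="http://bit.ly/3xyzabc">http://photos.example.com/album</a>
<a href="http://example.com/hr">HR portal</a>
"""


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def triage(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    # A familiar display name on a mailbox outside the company is the classic spoofed friend.
    if display and from_domain and from_domain != INTERNAL_DOMAIN:
        findings.append(f"external sender '{display}' <{addr}>")
    for href, text in LINK_RE.findall(msg.get_payload()):
        target = host_of(href)
        if target in SHORTENERS:
            findings.append(f"shortened link hides destination: {href}")
        # If the visible text is itself a URL, its host should match the real target.
        text_host = host_of(text.strip()) if "://" in text else ""
        if text_host and text_host != target:
            findings.append(f"link text '{text.strip()}' actually points to {target}")
    return findings
```

Running `triage(SAMPLE)` reports the external sender, the shortener and the text/target mismatch; the plain internal "HR portal" link is left alone.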
However, education alone is not a panacea.
"Education is necessary, but enterprises should assume that cybercriminals can outsmart employees," Boodaei pointed out.
"They need to update their security architecture, which includes implementing solutions that defend against zero-day attacks on endpoint devices," he added.
"The best that can be done is to educate employees, set up a good social media policy, and detect the attacks in progress using the latest technologies designed to stop social engineering attacks," Brooks suggested.