"It is impossible for ideas to
compete in the marketplace if no forum for
their presentation is provided or available."
Thomas Mann, 1896
The Business Forum Journal
Social Engineering in Social Networks
By Joseph Vaughn-Perling
LinkedIn IPO'd a year ago, and with SINA in China, Twitter, Google+ and now the Facebook IPO there is much focus on the economic value of social networks. In setting that value, part of the assessment must include what value is at risk. Social networks carry significant risks which are often ignored by the people who use them. One of these risks is the usefulness these networks provide to those who would engage in social engineering. Furthermore, these networks are increasingly used to authenticate users to other systems and web sites. Fortunately there are also some ways to defend against this. How well each social network addresses these risks is a good metric for evaluating its exposure.
Much of this value lies in the usefulness of the social network for meeting our goals. We can define "social engineering" as the act of manipulating a person to accomplish goals that are not in their own interest but in the interest of the social engineer. The vulnerability to social engineering, and the ability of the network provider to mitigate that vulnerability, are the forces acting on what actually constitutes the value of these networks: the individuals within them.
The risks can be loosely categorized as Financial Risk, Personal Risk, Social Risk and Corporate Risk; after examining each, we will look at some ways to mitigate them.
Financial Risk
Social networks can easily be used to provide fraudulent background information for a variety of malfeasance, and perhaps the most nefarious users of it are scam artists seeking your money. Not only is the information people post about themselves on a social network not fact checked, its apparent authenticity can be artificially enhanced to make it more credible. One method commonly used by miscreants is "clickjacking": rendering the target site's button inside an invisible frame on top of a visible page, so that a click intended for something harmless actually lands on a "like", "follow" or "+1" for their fraud. A particular "likejacking" attack can turn almost any interaction with your browser into an additional "like" for a Facebook listing.
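The following is an added example, not code from the original article: it shows the two halves of the likejacking technique just described. The first function builds the attacker's decoy page (a transparent iframe of the target widget stacked over a harmless button), and the second is the check a practitioner runs against a site's own response headers to see whether it can be framed at all. It assumes Node.js; the origins and header values are constructed for illustration.

```javascript
// Added example (not from the original article): how a "likejacking" overlay
// works, and the response-header check that tells you whether a page can be
// framed at all. Assumes Node.js; all URLs and headers below are constructed.

// --- The attack side -------------------------------------------------------
// The attacker's page shows a harmless-looking button and stacks a transparent
// iframe of the target's "Like" widget directly over it. The victim believes
// they clicked the decoy; the browser delivers the click to the framed widget.
function buildLikejackPage(targetUrl, decoyLabel = "Claim your prize") {
  return [
    "<!doctype html><html><body>",
    '<button style="position:absolute;top:100px;left:100px">' + decoyLabel + "</button>",
    // opacity:0 hides the frame; z-index puts it on top so it receives the click
    '<iframe src="' + targetUrl + '" style="position:absolute;top:90px;left:90px;' +
      'width:120px;height:40px;opacity:0;z-index:10;border:0"></iframe>',
    "</body></html>",
  ].join("\n");
}

// --- The defence side ------------------------------------------------------
// A site defends its widgets by refusing to be framed by other origins, via
// X-Frame-Options (legacy) or Content-Security-Policy: frame-ancestors (current).
// This checker answers: can `attackerOrigin` embed a response carrying `headers`?
function canBeFramedBy(headers, attackerOrigin, targetOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // CSP frame-ancestors takes precedence over X-Frame-Options when present.
  const csp = h["content-security-policy"] || "";
  const fa = csp.split(";").map((d) => d.trim()).find((d) => /^frame-ancestors\b/i.test(d));
  if (fa) {
    const sources = fa.split(/\s+/).slice(1).map((s) => s.replace(/^'|'$/g, "").toLowerCase());
    if (sources.includes("none")) return false;
    if (sources.includes("*")) return true;
    if (sources.includes("self") && attackerOrigin === targetOrigin) return true;
    // explicit host sources, including wildcard subdomains like https://*.example.com
    return sources.some((s) => {
      if (s === "self" || s === "none") return false;
      if (s.includes("*")) {
        const escaped = s.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, "[^./]+");
        return new RegExp("^" + escaped + "$").test(attackerOrigin);
      }
      return s === attackerOrigin;
    });
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return attackerOrigin === targetOrigin;
  // ALLOW-FROM is ignored by modern browsers; anything else is no protection.
  return true; // no anti-framing header: likejacking is possible
}
```

Run the checker against the headers of any page that hosts a "like", "follow" or "+1" widget: a `true` result for a foreign origin means the widget can be overlaid exactly as `buildLikejackPage` does.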
Increasingly, social network providers are also identity providers. People can use their Facebook, iCloud or another credential to sign in to many other websites and applications. This makes the security of each of those other sites no better than the security of the social network, and the dependency runs both ways: an intrusion at either the social network or the relying site may compromise the identity credential. The larger the group of single-sign-on applications hanging off one credential, the more vulnerable it may become, depending on the protocol and protections used by the provider.
Each new application brought under the social network's authentication compounds the risk of identity theft. It also increases the value of the target to attackers, as more and more value is placed behind the same authentication mechanism. Different providers have implemented security differently, and not all of the protocols are compatible or offer equivalent protection.
Personal Risk
Social networks provide ample opportunity to disclose very personal details about an individual's life and activities. This can include such elemental data as the individual's current location, news about their family, their interests, travel plans, even a daily itinerary. From this information, further details can easily be inferred: if your interests and activities include golfing, yachting, luxury travel, equestrian activities and attending cultural events, then you can assume that your wealth level can also be ascertained.
Other information can point to particular times of vulnerability for an individual. Death announcements, medical information and travel details all indicate periods of increased risk and change in a person's life. For social media that rely on advertising for revenue, the more vulnerable an individual becomes through such disclosures, the more valuable they become to the site, because they are more easily targeted by those marketing to them. This misalignment of interests between people and the websites they use to communicate is the source of most of the problems for their safety.
For those who rely on their fame for their fortune, there are vastly more vulnerabilities. There is now a market in school yearbooks, which are bought and used to infiltrate the lives of famous people: an impostor poses as someone they may have known in their earlier years, works into their social circles, and discovers personal information to sell to tabloids. Few of us have such problems, but all of our reputations may to some extent be at risk from the use of social media against us. Because of this, a side business has grown up of Search Engine Optimization (SEO) firms that manage the digital reputation of individuals and businesses.
Social Risk
A variety of purely social risks arise from unintended disclosures made through social media. When someone interacts with a social media site, the provider has an incentive to track activity and purchases in order to target advertising better and so sell that advertising more dearly. This incentive runs counter to the natural incentive of the individual, who may simply want to connect with a community, get a good price, or understand whether a purchase is advisable. The searches we run, the particular advertisements we click on, and the words we write are all tracked to build a picture of who we are and, more importantly, what we are likely to buy. To the extent that people live slightly in their own future through their aspirations, hopes, fears and desires, they give advertisers insight into what they would be most likely to purchase.
This information also has other social uses, and the motivations behind them may or may not be innocent. Social media information is often used in hiring decisions and in other decisions a person's society makes about them; dating, and even casual acquaintances who spark our curiosity, might prompt a search. Certainly whenever we contemplate adding a person to a circle of trust on a social media site, we learn a bit about them and use this to decide whether further association is desirable.
Additionally, a social media site may engage in its own social engineering. In May 2012, Facebook introduced an organ donor status to encourage its users to declare that they are organ donors. There is social pressure to join causes of all types, and it is somewhat effective in reshaping what we see as the social good.
Corporate Risk
Perhaps the greatest risk is the risk to corporations. Where value is concentrated, the threat of social engineering is concentrated too. One of the most noteworthy victims of social engineering through social networks was RSA. The attack against RSA was launched by spear phishing, using information discovered about its employees on social media. Social media makes it much easier to identify individuals within an organization and their roles. An attacker can discover the members of your company's IT organization responsible for the asset of interest, and then learn the interests and activities of those people in order to craft a message with the greatest likelihood of being opened and its instructions followed. The lure can be as innocuous as clicking a link to a website that hosts hidden malware, or opening a file attached to an email.
Even the more secure cloud services are vulnerable to social engineering. This week a web security company's CEO was hacked, through a social engineering attack, via his use of Google+, Gmail, AT&T Mobility and the company's own internal security policy. Social engineering targets the weak element of security: the people who use it. Often these people are overconfident, or simply have a moment of weakness. Either way, a determined social engineer can wreck carefully architected security implementations.
This sort of attack also damages a corporate brand. Further brand damage can occur when bad things are written about a corporation in social networks, a hardship which can only be partially mitigated by marketing efforts from within the social network.
Information Leakage
Additional risk arises from analysis performed within the social network by the network itself. Undergoing an initial public offering brings a company not just new money but also new reporting requirements, and with them new data collection and collation. The combination of new money and new reporting can be a great catalyst for change, and as with any change there is a risk to the robustness of a social network company struggling with these issues. A certain level of analysis and monitoring of its users is permitted by governance in order to handle issues such as fraud; however, the more information over which a social network claims ownership, the greater its responsibility for it, and the greater the vulnerability of the society the network serves.
Defenses
Mitigation of these risks in some cases will depend on the social media provider, and there are many differences between social media offerings. Some sites provide configuration capabilities that limit the exposure of information that may increase risks to individuals and groups. Options that create "walled gardens" within the site, constraining distribution of information to known groups, provide benefit to the extent that the levels of trust within each group or subgroup are adequately governed. Little can be done to prevent breaches of trust or betrayal, though some sites offer means to detect it after the fact. The extent to which monitoring and fine-grained authorization configuration are simply and easily provided to users is perhaps the best measure of an effective social media site from the users' perspective.
Some mitigation is effective against all social media exposure: for a company, redrafting IT security policies to cover social media usage; for individuals, understanding the risks and constraining behavior appropriately.
There are some specific areas which can anchor this IT policy or behavior modification. They can become the core of your new IT policy structure, or of your personal governance:
- Understand what you are clicking.
- Use good password security, including password recovery procedures (or disable password recovery).
- Trust selectively. Just because something says it is from someone does not mean that it is.
- Protect your contact information. It can be used to impersonate you, or to gain other details of your identity.
- Protect your groupings. Trust has layers and levels. Do you trust a person you have never met as much as a close friend? Are they in the same trust grouping? If the social media provider offers only one group, consider having multiple accounts.
- Assume that anything you submit is permanent and visible to everyone. Take care with what you associate with yourself. You are the sum of your actions, and people will trust you or not depending on what you do and what you write.
- Do only what is necessary. Refrain from adding extraneous bits to what you do; each addition degrades security.
- Do no harm. "Going negative" on other people or companies may provide the target of your ire with evidence for any manner of counter-attacks against you or the company you represent.
Another mechanism some corporations use is to create "honey pot" users on social media sites which appear as attractive social engineering targets, in order to detect when a social engineering attack is being mounted against them. This requires some effort on the part of the corporation, but it can be a valuable early warning system to detect and deter such attacks, as well as enhancing the company's social engineering awareness campaign.
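The following is an added example, not code from the original article, of how the honey-pot early warning just described turns into detection logic. The premise is that nobody legitimate ever writes to a honey-pot persona, so any inbound contact is a hit; the hit's sender and lure are then used to find real employees who received the same campaign. It assumes Node.js; the honey-pot identities, the log format and every log line are constructed for illustration.

```javascript
// Added example (not from the original article): a detector for traffic aimed at
// social-media "honey pot" personas. Assumes Node.js. The honeypot identities,
// the log format and every log line below are constructed for illustration.

// Honeypot personas: accounts a company publishes on social networks that no
// real colleague or partner ever writes to. Any inbound contact is suspicious.
const HONEYPOTS = new Set([
  "pat.lane@corp.example",   // fictitious "IT asset manager"
  "sam.reyes@corp.example",  // fictitious "payroll administrator"
]);

// Constructed mail-gateway log (tab-separated): ts, from, to, subject, url, attachment
const LOG = `
2012-06-04T09:12:03Z\trecruiter@careers-talent.example\tpat.lane@corp.example\tRe: your LinkedIn profile\thttp://careers-talent.example/offer.php\t-
2012-06-04T09:12:05Z\trecruiter@careers-talent.example\tjo.kim@corp.example\tRe: your LinkedIn profile\thttp://careers-talent.example/offer.php\t-
2012-06-04T10:40:11Z\tnews@vendor.example\tjo.kim@corp.example\tJune newsletter\thttp://vendor.example/news\t-
2012-06-04T11:02:44Z\tgolf-buddy@webmail.example\tsam.reyes@corp.example\tTee time photos\t-\t2011-recruitment-plan.xls
2012-06-04T11:03:10Z\tgolf-buddy@webmail.example\tlee.park@corp.example\tTee time photos\t-\t2011-recruitment-plan.xls
`;

function parseLog(text) {
  return text.trim().split("\n").map((line) => {
    const [ts, from, to, subject, url, attachment] = line.split("\t");
    return {
      ts, from, to, subject,
      url: url === "-" ? null : url,
      attachment: attachment === "-" ? null : attachment,
    };
  });
}

// Pass 1: every message to a honeypot is a hit. Collect the sender and the lure
// (URL or attachment) as campaign indicators.
// Pass 2: any real employee who received the same sender or the same lure is
// probably a target of the same campaign and should be warned before they act.
function detectHoneypotCampaigns(events) {
  const hits = events.filter((e) => HONEYPOTS.has(e.to));
  const senders = new Set(hits.map((e) => e.from));
  const lures = new Set(hits.flatMap((e) => [e.url, e.attachment].filter(Boolean)));

  const alerts = [];
  for (const e of events) {
    const isHoneypot = HONEYPOTS.has(e.to);
    const viaSender = senders.has(e.from);
    const viaLure = (e.url && lures.has(e.url)) || (e.attachment && lures.has(e.attachment));
    if (!isHoneypot && !viaSender && !viaLure) continue; // benign, e.g. the newsletter
    alerts.push({
      ts: e.ts,
      recipient: e.to,
      sender: e.from,
      lure: e.url || e.attachment,
      severity: isHoneypot ? "honeypot-hit" : "likely-target",
    });
  }
  return alerts;
}

// Runs the detector over the constructed log; in practice feed it the gateway's real events.
function runDetection() {
  return detectHoneypotCampaigns(parseLog(LOG));
}
```

The same pivot (sender and lure shared with a honey-pot hit) works for social-network messaging logs, connection requests or web-proxy records; the honey-pot hit is the high-confidence signal, and the correlated real recipients are the people the awareness team should call first.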
Awareness is the best defense, and an educated user base will be highly resistant to social engineering. Awareness campaigns can never be relaxed; they require continuous reinforcement. The more successful programs are mandatory and tracked within the company. Personal accountability must be strengthened, along with a culture of security within the organization.
Every individual using social media is well served by practicing limited-trust principles and considering the potential audiences of all information shared. Email is a very insecure communication mechanism; social media is inherently more insecure. Some protections are available through configuration within the social media environment; however, the EULAs often allow the provider to make changes with or without notice, and may also confer partial or total ownership of information shared on their networks.
Another defense is the use of multi-factor authentication. Common mechanisms are a token-on-demand code delivered to a mobile device, or a PIN code generated on a hardware token. These mechanisms help with primary authentication, but do nothing to control how the service is used once authentication is complete. This defense raises the bar against social engineering, although a one-time code can still be talked out of its holder and relayed by the attacker; since the weakness social engineers exploit is the human factor, nothing is as good as education and awareness.
In the final analysis, the intelligent user of social networks takes care to weigh the benefits against the risks they present. Society is dynamic and innately personal, but not at all private. Every word that issues from each of us becomes part of our "permanent record" for all the universe to examine. We are the sum of what we do and what we say, as well as what is said about us by others. When exposing ourselves to the world, we offer new avenues for adventure to the vast audience of all participants in society. Within that society are those who love us, those who would prey upon us, and many who would pass idly by. Keep all of these in mind with each word and deed; being care-free recalls the line Janis Joplin sang: "Freedom's just another word for nothing left to lose."
Joseph Vaughn-Perling is a Fellow of The Business Forum Institute and is currently the Security and Authentication Capability Manager for British Telecom Global Services. He holds a B.S. degree in Psychology & Cognitive Science from the University of California Los Angeles and studied Law at the University of San Diego Law School. Prior to joining British Telecom he was LAN/WAN Technologist for William O'Neil & Co., publisher of Investor's Daily, and was Senior Consulting Engineer (Global Security, Security Development & Legal Dept) at Infonet Services Corporation. Joseph is a Certified Information Systems Security Professional (CISSP) and a Certified Checkpoint Systems Engineer (CCSE). He is a recognized Network Design Architect for fault-tolerant, globe-spanning networks and applications, and a Member of the Board of Directors for international networking companies.
© Copyright The Business Forum Institute 1982 - 2012. All rights reserved.