As Facebook, LinkedIn and Twitter have become commonplace in personal and professional lives, the dangers of social networking for businesses have also grown. And even IT professionals who should know better may be putting their organizations at risk.
We wrote recently about the dangers of social networking sites such as Facebook and how hackers can use social media to steal passwords and other data from companies’ employees. In particular, high profile executives may be targeted, since they are the most visible and have access to the most sensitive information.
Many IT departments try to avoid those risks by training employees and company leaders on the dangers of social networking and making them aware of what pitfalls to avoid.
But it isn’t just careless non-technical employees and executives who may fall for the latest social networking scams. IT professionals and others with information security expertise can be fooled, too.
That’s the message behind a recent experiment conducted by Aamir Lakhani and Joseph Muniz, security experts with Texas-based World Wide Technology. Their research was conducted as a sanctioned security test involving a US government agency that specializes in cyber security, the Daily Mail reports.
Fooled by fake profile
The researchers created profiles on Facebook, LinkedIn and other sites for an attractive, intelligent and completely fictional person named Emily Williams. The profiles claimed the character was a 28-year-old MIT graduate with 10 years of experience in IT. Lakhani and Muniz got permission from a Hooters waitress to use her photos for the profile.
Once the profiles were created, the researchers set about contacting employees within the targeted agency. Within 15 hours, they were able to make 60 Facebook and 55 LinkedIn connections from the organization and its contractors, and the numbers soon grew to the hundreds.
Over the following three months, they were able to steal a lot of highly sensitive information. In one attack, several staff members clicked on a malicious e-card sent from Williams’ email address which installed a virus that Lakhani and Muniz used to steal passwords, domain credentials and other information. Using that data, the researchers were able to give Williams her own VPN account with access to the agency’s network.
Keys to avoid social networking risks
Lakhani and Muniz have conducted the same test for other organizations, including financial institutions, healthcare firms and others. In all cases, the results have been the same, they said in a presentation at the recent RSA Europe 2013 conference.
One of the keys, according to Lakhani and Muniz, is that sex sells, or at least that people are more trusting of women than men. When a similar experiment was conducted with a male character, they couldn’t even make the initial social media connections.
A big danger of social networking is that a lot of information needed to conduct scams is out in the open for everyone to see. When the researchers got questions asking how Williams knew a target, they responded using information taken from the person’s profile — for example, that they met at a conference he or she had recently written about attending.
Here are some of the steps IT departments can take to keep their own organizations safe from the new dangers of social networking:
- Train everyone, including IT staff and others who should know better. Training should be frequent and come in many forms. Most importantly, tell people never to share sensitive information with anyone online.
- Ask people to share suspicious behavior they see with IT, so that the rest of the organization can be warned.
- Take down information from personal and professional social networking profiles that could be used to help hackers launch their attacks. That may include employee names and job titles, email addresses, internal project names, and organizational structures.
- Segment networks so that if one user’s account or machine is compromised, the attacker cannot reach the rest of the network.