
Undoubtedly, we’ve all found ourselves surfing the web for answers when we stumble upon someone we know, posting something that piques our curiosity on social media. After all, isn’t that one of its purposes?

If you dig beneath the surface, akin to following the rule of tangents, oftentimes the results may yield confusion with moments of clarity. Too obscure? It’s simply a metaphor – a correlation illustrating how unrelated examples can be used as explanatory tools, combined with a Ternary (Computing) System reference, which defines additional values – not just 1s and 0s.

Similarly, a common tactic for “Blackhats” is to use these data fragments and their tangent associations to formulate attack strategies. Creative attacks are formulated in many ways, with the sole purpose of sourcing data, such as user credentials, from you, your colleagues or staff.

In 2014, a primary conclusion from the Verizon DBIR security report was that stolen credentials lead the way as the root cause of breaches, yet again. Once a malicious entity has a valid avenue for authentication, your intellectual property and other data are at great risk of exposure and exploitation.

Social media is a prime vector for gathering information to leverage in order to ultimately gain access to credentials. How? The answer is twofold – by blending social engineering tactics with malicious harvesting mechanisms.

So, how should you look to address social media access and use in your company?

  • Ensure you work with your HR and legal teams to draft a corporate policy focused on Social Media and include it in your larger Security Policy framework.
  • Provide employees security awareness training on the subject.
  • Establish – and enforce – policies about what company information can be shared on blogs or personal social web pages.
  • Educate employees about how their own online behavior could impact the company.

My advice would include leveraging your Security team or hiring a neutral third-party to help police your own website and related Tweets on a regular basis. This ‘social media moderation’ should include evaluating staff posts as they relate to your specific industry and even extending the review to HR job descriptions in order to holistically avoid self-sabotage.

Next time you’re surfing the social media ocean, or posting a comment, ask yourself how your comment can be used against you or your company before you click ‘submit’. A small dose of paranoia can be healthy in the security industry.

 

  • just me

    this article is a little bit paranoic

  • torrents

    My advice would include leveraging your Security team or hiring a neutral third-party to help police your own website and related Tweets on a regular basis.

  • Social media is a prime vector for gathering information to leverage in order to ultimately gain access to credentials. Ensure you work with your HR and legal teams to draft a corporate policy focused on Social Media and include it in your larger Security Policy framework.

  • Seema joshi

    Very useful post about the security on social media…Informative…Thanks for sharing

  • Business information shared publicly via the multitude of social media properties should be initially agreed and approved between the management and information security responsible people. Many times legal cases pop up from mismanagement of corporate info shared via the web online providing access to data that would better stay "in-house".