Undoubtedly, we’ve all found ourselves surfing the web for answers when we stumble upon someone we know, posting something that piques our curiosity on social media. After all, isn’t that one of its purposes?
If you dig beneath the surface, following one tangent after another, the results often yield confusion punctuated by moments of clarity. Too obscure? It is simply a metaphor: seemingly unrelated fragments serve as explanatory tools and, much like a ternary computing system, they carry additional value beyond just 1s and 0s.
Similarly, a common tactic for “Blackhats” is to use these data fragments and their tangent associations to formulate attack strategies. There are many ways creative attacks are formulated with the sole purpose of sourcing data from you, your colleagues or staff, such as user credentials.
In 2014, a primary conclusion of the Verizon DBIR security report was that stolen credentials, yet again, led the way as the root cause of breaches. Once a malicious entity has a valid avenue for authentication, your intellectual property and other data are at great risk of exposure and exploitation.
Social media is a prime vector for gathering information to leverage in order to ultimately gain access to credentials. How? The answer is twofold – by blending social engineering tactics with malicious harvesting mechanisms.
So, how should you look to address social media access and use in your company?
- Ensure you work with your HR and legal teams to draft a corporate policy focused on Social Media and include it in your larger Security Policy framework.
- Provide employees security awareness training on the subject.
- Establish – and enforce – policies about what company information can be shared on blogs or personal social web pages.
- Educate employees about how their own online behavior could impact the company.
My advice would include leveraging your Security team or hiring a neutral third-party to help police your own website and related Tweets on a regular basis. This ‘social media moderation’ should include evaluating staff posts as they relate to your specific industry and even extending the review to HR job descriptions in order to holistically avoid self-sabotage.
Next time you’re surfing the social media ocean, or posting a comment, ask yourself how your comment can be used against you or your company before you click ‘submit’. A small dose of paranoia can be healthy in the security industry.
- Security Slice Podcast: Internet Privacy Realities
- Over-Sharing Riskier Than Government Snooping
- Risk Management Advice for Social Media
- NSA Surveillance Pales Compared to Social Media Data Collection
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].