IT Pro’s 3 Step Guide to Safe Social Media
(eBook transcript; file dated 03.08.2016)

Table of Contents

Social Media Changing the Way We Work for the Better ... 2
A Perfect Malware Vector ... 3
Real World Attacks and How They Could Have Been Prevented ... 4
Social Media as a Means for Information Leakage ... 7
How to Hack Bob ... 8
What Can be Done? ... 9
  1) Policy is Key ... 9
  2) Educate your Users ... 11
  3) Don’t Blame the Platform ... 11
An Action Plan for a New Era ... 13

Foreword

As a personal interaction tool, social media has clearly recast the way we relate to family and friends. But these tools aren’t just for keeping up with long-lost high school buddies. Social media also enables businesses.

Platforms like Facebook, Twitter and LinkedIn have helped businesses enhance PR and marketing campaigns, build better relationships with customers and personalize the recruiting process. They’ve even helped bring together remote teams of employees and partners in a way that email never could.

As indispensable as these tools have proven to be, they’re not perfect. Social media introduces a laundry list of new business and technology risks that organizations could never have dreamed about five years ago. These risks can no longer be ignored.

As a team, IT leaders, executive management and business stakeholders must work together to address these risks in order to responsibly enjoy the benefits of social media. Of course that’s easier said than done, right? This eBook will help clarify why resisting social media in the workplace is a failing proposition and three main tenets for securing against attackers who use social media as their malware vector of choice, including:

1. Strong social media policy development and enforcement
2. User education
3. A layered security backstop at the endpoint and network levels

Paul Henry, Forensics and Security Analyst, Lumension

Social Media Changing the Way We Work For the Better

Regardless of how management chooses to embrace or reject social media, it’s here to stay. According to Pew Research Center’s Internet & American Life Project¹, two-thirds of adult internet users today are social networking site users. And they’re not lurkers.

Over half of internet users share photos, 37 percent contribute rankings and ratings, about a third create content tags and share personal creations, and 26 percent regularly post comments on sites and blogs.

As mobility trends begin to seep into popular culture, devices like smartphones and tablets serve to accelerate these social adoption trends. At the moment, nearly a third of mobile users visit social networking sites from their devices and that number is growing. As Pew Internet puts it, “mobile is the needle and social is the thread in how information today is woven into our lives.”²

It’s no surprise, then, that social media has come to reshape the way we work, particularly among the younger set of job candidates.

The use of social media while on the job is incredibly important to young college grads just entering the workforce. A recent Cisco study suggests that 64% of college students plan to ask about social media policies in interviews and 24% say that the answer to that question might make them pass on a job offer. While the risk of attack increases when the policy on social media is restrictive, not allowing at least some access can put a company at a competitive disadvantage when it comes to attracting the best job candidates.

“Many employees openly state that a total ban on the technology would mean trying to find a work-around in violation of IT policies.”

Business leaders need to get out of the mindset that these young workers are demanding social media access so they can dawdle all day. Social media upkeep may be a fun pastime, but it’s also driving the way business gets done today. In fact, according to the Society for Human Resource Development (SHRM), 68 percent of organizations engage in social media activities to reach external audiences, be they customers, potential customers, recruits or partners.

The question is, how big are the risks that come with these opportunities?

1. Pew Research, Social Networking and the New Normal in the Digital Age

A Perfect Malware Vector

Social media technology has arrived on our doorstep with loads of risky baggage.

The risks presented by pervasive use of social media come at IT from two different directions. On one side, there are the risks presented by human nature. On the other there are the technological risks. When the two sides rub up against one another, it is sort of like tectonic plates shifting. That’s when security folks really start feeling the ground move under their feet.

Risks of human nature: Social media is dangerous for businesses because, well, it’s social. And what do people do most when they’re in social situations? They share information. That’s great when they’re collaborating with customers, co-workers or business partners. But the information could also be used by a potential hacker to perpetrate an attack. And in some instances, in the case of linking to sensitive documents or blabbing early about a big announcement, the information could be inappropriate for public consumption.

Technology risks: Social media websites are ripe for technological abuse by hackers. As millions of users post links and content galore, it has become next to impossible for the social media sites to keep track of what’s legitimate and what’s malicious. Meanwhile, users are accessing these sites on endpoints that lack adequate protection and with unsecure versions of browsers. That means that when these users stumble upon a bad link or malicious upload, the bad guys are very likely to succeed in infecting the machine.

51% of companies surveyed believe that social networking tools have already or are likely to increase malware or virus infections²
29% believe that they have the proper controls in place to help handle these threats²
70% of organizations do not track employee use of social networking services on company-owned computers or handheld devices²

Together these two big risk pools create a perfect environment for data thieves to strike. The goal of these social engineering attacks is ultimately to either take over accounts or to distribute a malware payload that can give the bad guys the keys to the entire network.

2. 2012 State of the Endpoint report, Ponemon Institute

Here are some common examples of how the risks are coming together:

Obfuscated links: On sites like Twitter, where URL shortening is the norm, attackers can entice users to click into a link about some phony news item and because the URL is cloaked by a service like Bit.ly, they won’t suspect it is a suspicious link.

Clickjacking: This tactic usually tricks users into revealing personal information with a sensational message or with transparent .gifs that hover over the “Like” button found on many company pages.

Malicious codecs/updates: One favorite tactic is pretending to share a video and redirecting the user to a malware installer posing as an update to a browser plug-in or codec. Secure browsers and traditional AV software are powerless to stop this kind of focused, personal attack.

Spear phishing: Emails that seem to come from someone you know asking for information like passwords; this technique now makes up 23 percent of all social media attacks.

Password guessing: Are your secret questions really any secret at all? A study by IEEE in 2009 found that 28 percent of those that simply knew and trusted an individual could often guess that person’s answers to their account secret questions.

Password sniffing: If a hacker is able to access your password, his ability to steal more information only increases when people rely on the same password across multiple accounts. Case in point: password research on the data associated with the Sony Breach.

Real-World Attacks And How They Could’ve Been Prevented

Example #1: In 2011, Facebook users got a glimpse of how easily social networking can be exploited for nefarious ends. A group, sometimes identified as a splinter of hacking collective Anonymous, tricked thousands of users into copying malicious scripts into their browser URL bars, thus compromising their own machines. The accounts were used to send out a stream of violent, pornographic, and otherwise non-family friendly images. For about 48 hours, Facebook was unable to shut down the propagation of images and remove them from the site.

This could have been prevented. In Chrome v13, Firefox v6 and IE 9, the browser developers should have noticed the dangers of the “javascript” protocol and disallowed code from being pasted directly into the address bar and executing.

This fix has now been made. More specifically, in the case of Chrome and IE, the “javascript” substring is stripped when the code is pasted and Firefox no longer executes the script within the scope of the active page.

While the attack was not targeted at corporate networks, it’s obvious that a similar exploit could be used to target corporate employees without the experience and training to avoid the pitfall. Encourage your users to always run the most current version of their browser and keep it patched and up-to-date.

Example #2: Not all attacks are geared around mischief. During 2011’s so-called Arab Spring, a spear-phishing attack targeted specific lawyers at four major firms known for their work in the oil industry. It’s widely believed that the individuals were chosen and researched through LinkedIn and other social networking tools. Armed with that information, the hackers were able to send emails directly to privileged users, claiming to be analysts’ reports on how the tension in Libya would affect oil futures. As the lawyers opened the PDF documents, they opened the door for malware that provided the attackers the ability to execute arbitrary code on the victim’s machine. The email headers were spoofed so that they appeared to come from the target’s own company, but forensics suggests that the attacks were based out of Romania, China, or Russia.

Adobe has had a long history of vulnerabilities and users have been blindsided by Adobe and other third-party vendors’ software issues.

Many users believe they are safe when they run WSUS and allow Microsoft patches to be automatically installed. Nothing could be further from the truth on today’s Internet. The threat vector is not always Microsoft and only patching Microsoft products will leave you woefully exposed. An effective flaw remediation / patch management solution must address “all” third-party software that operates within the user’s environment.

The secure rule of thumb is to never open a document unless
1. it is sent by someone you know and...
2. you are expecting them to send you a document.

Had these lawyers followed that guideline, the attacks could never have been carried out.
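The spoofed-header and unexpected-PDF pattern of Example #2, turned into a defender-side triage check that a mail gateway or analyst script could run on a raw message. This is an added example, not code from the eBook or from Lumension; every address, host and domain in it is a constructed placeholder (example-firm.com stands in for the targeted firm) and the PDF payload is a stub.

```python
"""Triage the spear-phishing indicators from Example #2 in a raw email.
Added example, not the eBook's code: every address, host and domain is a
constructed placeholder and the PDF payload is a stub, not real malware."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed lure: From: claims the firm's own domain, but the envelope sender
# and the receiving server's SPF verdict point at an outside relay, and an
# unsolicited PDF "analyst report" is attached.
PHISHING_EMAIL = b"""\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example-firm.com; spf=fail smtp.mailfrom=mail-relay.example.net
From: "Research Desk" <research@example-firm.com>
To: partner@example-firm.com
Subject: Analyst report: Libya tensions and oil futures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached analyst report before today's call.
--b1
Content-Type: application/pdf; name="oil-futures-outlook.pdf"
Content-Disposition: attachment; filename="oil-futures-outlook.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed internal message: matching sender, SPF pass, no attachment.
CLEAN_EMAIL = b"""\
Return-Path: <alice@example-firm.com>
Authentication-Results: mx.example-firm.com; spf=pass smtp.mailfrom=example-firm.com
From: Alice <alice@example-firm.com>
Subject: Lunch?
Content-Type: text/plain; charset="utf-8"

Lunch at noon?
"""

# Document types the eBook's rule of thumb applies to (the lure was a PDF).
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docm", ".xls", ".xlsm", ".zip", ".exe")


def _domain(header_value) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def analyze(raw: bytes, internal_domain: str, expected_attachment: bool = False) -> list:
    """Return a list of findings; an empty list means no indicator fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = _domain(msg.get("From"))
    envelope_domain = _domain(msg.get("Return-Path"))
    # Indicator 1: the visible From: claims the company but the envelope sender does not.
    if from_domain == internal_domain and envelope_domain != internal_domain:
        findings.append(f"spoofed sender: From {from_domain}, envelope {envelope_domain}")
    # Indicator 2: the receiving server recorded an SPF failure for the envelope sender.
    spf = re.search(r"\bspf=(\w+)", str(msg.get("Authentication-Results", "")))
    if spf and spf.group(1).lower() not in ("pass", "none", "neutral"):
        findings.append(f"spf={spf.group(1).lower()} for the envelope sender")
    # Indicator 3: the "never open an unexpected document" rule, applied to attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not expected_attachment and name.endswith(DOCUMENT_EXTENSIONS):
            findings.append(f"unexpected document attachment: {name}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISHING_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, analyze(raw, "example-firm.com") or ["no indicators"])
```

Passing `expected_attachment=True` models the second half of the rule of thumb (the recipient was expecting the document), which silences only the attachment finding; the spoofed sender and SPF failure still fire.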

Social Media as a Means for Information Leakage

The amount of data shared on sites like Facebook and LinkedIn also provides the bad guys with plenty of information to come hunting for passwords and other secrets. Once they’ve learned your users’ interests, history, and a bit about their family, an insecure password is easy pickings. Since so many people use the same passwords again and again, this over-sharing can jeopardize an entire network, no matter the strength of its AV.

Spear Phishing: Even if the bad guy can’t guess at the password, all that information makes a social engineering attack much, much easier.

Before social media, it was possible for an employee to make a poor judgment call and let a few friends or family in on big developments on their company’s horizon. It wasn’t unheard of for a stray worker to talk to the press in the parking lot if a big scandal was brewing. But most had the sense to keep their heads down and let those at the top handle public relations.

The illusion of trust online has changed the texture of this situation. It’s likely you’re going to tell your “friends” if your publicly traded corporation has something exciting to announce in the near future. It’s easy to forget though, that many of those hundreds of “friends” don’t know you at all. Depending on your role within your company, a handful of those friends might have chosen you specifically with the purpose of hoping you drop a secret or two.

How to Hack Bob: Anatomy of a Spear Phishing Attack

Bob is a middle manager in Corporate America. He is also crazy about fishing and has fishing videos all over Facebook. Recently, he posted about an amazing father-son fishing trip he took to Alaska.

[Bob’s profile. Interests: Hanging with my son; Fishing; Computers]

Bob also spends a lot of time on the road for work. He is a frequent attendee on the conference circuit and spends a lot of time throwing his business card around. Fortunately, Facebook allows him to accept friend requests from people he’s met during those conference cocktail hours.

Meet Vlad. He is a cyber criminal. He decides to target Bob because his profile shows he’s an employee of SensiCorp, a manufacturing firm that has developed valuable technical blueprints.

These days, Bob accepts friend requests from just about anyone who asks. So when a respectable-looking guy named ‘John Smith’ friends him and says they recently met at the conference Bob posted about, Bob accepts. John’s profile says he’s a manager in Bob’s industry and he also loves to fish.

[Friend request from John Smith: Yes / No]

Vlad starts his attack by taking stock of Bob’s interests from his profile information. ‘John’ sends Bob a link to a video of him and his son who, coincidentally, also just went fishing in Alaska. Click the link, Bob, and see if John’s monster catch measures up.

  To: Bob
  From: John
  Subject: Alaska fishing trip.

  Hi again!
  Had a great time talking to you at the convention. As I said, my son loves to fish too and we thought you would like to check out this video from our Alaska trip.
  Sincerely,
  John

On Facebook, Bob doesn’t have associates, he has ‘friends.’ And who would deny a friend the chance to share something special about their lives through a video or photo? Certainly not Bob. This is why attackers like Vlad love social media.

The link is actually to a malicious backdoor Trojan. When Bob gets a message stating that in order to look at the video he’ll need to download a new player, Bob quickly does.

Bob is oblivious to the chain reaction of infections he started. His click allowed Vlad to install malware on Bob’s machine that gives Vlad remote control of Bob’s corporate network. In no time, Vlad has got his hands on these valuable blueprints and Bob doesn’t even know he helped the bad guy steal the goods.

What Can Be Done?

Never assume that users know how to behave responsibly with corporate security. Many don’t. It’s illustrative to learn from the painful mistake that led to one of the biggest breaches of 2011, the RSA Security breach.

In this case an employee, deliberately singled out in a spear-phishing attack, was sent a social engineering email. The message was safely caught in the spam filter and should have been quietly deleted. It was compelling enough to tempt the employee into pulling the message out of that folder. A little lapse in policy on the part of one employee can lead to an inestimable level of damage, both financial and in harm to the company’s hard-earned brand.

Nearly three-quarters of organizations fail to provide any training to employees who use social media to engage externally on behalf of the company.

1. Policy Is Key

It is absolutely critical that organizations establish a firm set of use policies around social media. Most companies already have rules in effect that ban non-public relations staff from talking to the media on behalf of the company. Social media and its window on the world are no different.

The importance of a clear, enforceable policy is two-fold. First, careless employees can expose a company to harm, regulatory penalties, or lawsuits in a way not possible in the past. Media outlets scanning Twitter or Facebook feeds can patch together different employee viewpoints to cover the story in whichever light they choose, much to the dismay of the legitimate public relations staff.

Second, workers doing nothing worse than just mentioning their affiliation with the company can still be leaving the front door open if they aren’t careful, as in the case with Bob.

Traits of a Good Social Media Policy

Every company is different, so it follows that social media policies will vary wildly from organization to organization. But there is one universal must of a social media policy: you need to have one. Write it, disseminate it and enforce it. Even better, don’t make it shelfware and don’t write it in legalese; make it something anyone from the mailroom to the boardroom can understand and follow. Here’s what it should cover:

» How (or whether) users represent themselves as employees of the company
» A ban on sharing the company’s confidential digital property
» Respect of copyright in the content employees post
» Acceptable business use of time on social media sites
» Notice of inspection and monitoring of employee activity when visiting sites on company time or with company resources
» Reporting requirements in the event that employees breach information
» Endpoint compliance policy on what kind of protections need to be in place on machines visiting social sites
» Password policies for both social media accounts and other company accounts
» Encourage smart privacy settings – here are links for specific how-to’s and remember, these sites change their privacy steps frequently
  • Facebook
  • Twitter
  • LinkedIn
  • YouTube

For more on what a social media policy document should look like, here is a sample.

2. Educate Your Users

While developing policy is key, so too is educating all employees, contractors, and anyone else with access to your network about the risks. Policies don’t amount to anything if no one knows anything about them. User education should be engaging and comprised of information they need to know. Flooding them with tons of technical data will only get them to tune out during training and waste everybody’s time.

3. Don’t Blame the Platform

For all the ink dedicated to the subject, social media is not the enemy. It’s not evil in and of itself. Security professionals are often guilty of targeting a new trend and setting it up as the scapegoat. The fact of the matter is social media is little more than a delivery mechanism. And one of our biggest faults in network security has been to focus on the delivery mechanism du jour. Instead of worrying about the delivery, we need to set our sights on preventing malicious software from executing within the environment. We won’t win otherwise – we’re outmanned and outgunned and clearly our adversaries have a better imagination when it comes to learning the ins and outs of the latest malware delivery mechanisms than we do. Instead, we have to focus on the endgame.

Fortunately, it doesn’t necessarily take imagination to practice good security hygiene. Instead, it takes discipline. That discipline is practiced every day by ensuring endpoints are well-patched, users are trained about the risks, policies are enforced through monitoring and blocking technologies and sensitive information is well-fortified within the network.

It’s the meat-and-potatoes fundamentals that security pros have been preaching about for years that are going to get us out of this jam, not some new whizbang technology.

Share this easy-to-understand eBook and video with the employees at your organization.

Social Media Security Suggestions

Beyond the very important task of educating users and developing sound social media use policies, IT staff can also protect against social media threats by following four security fundamentals:

1. Strong Endpoint Management: When systems are well-patched and free of vulnerabilities, social media attackers won’t find an easy attack surface. Similarly, systems protected by traditional technologies integrated with new approaches like application whitelisting simply won’t allow a user to download a piece of malware masquerading as a video codec or browser update.

2. Rule of Least Privilege: Attackers love it when organizations give their employees more access to systems than they really need. The more permissions users have to access network and database resources, the easier it is for a hacker to turn an attack on an isolated machine into a full-blown raid of the organization’s most precious information.

3. Network Segmentation: When stores of personally identifiable information are intermingled with less mission-critical documents like copies of flyers for the annual picnic, attackers find it easier than a summertime scavenger hunt to find company treasures. It is critical that IT segment the most sensitive data stores from the rest of the network to make it harder for attackers to pivot from the endpoint to get to them.

4. User Monitoring and DLP: It’s not just the attackers that are endangering information. Without oversight, insiders can either purposely or inadvertently post sensitive information onto online sharing sites and send them viral via social media sites. Monitoring and technological enforcement of policies ensures that your organization is alerted to and acts on bad user behavior that puts the whole network at risk.

An Action Plan For A New Era

There’s clearly no putting social media back into Pandora’s Box. As IT professionals move forward in this new era, the only way they’re going to keep up with the threats is to face the reality of social media use head-on.

As discussed, any good plan of action needs to depend on three main tenets:

1. Strong social media policy development and enforcement
2. User education
3. A layered security backstop at the endpoint and network levels

Act on those three points and your organization is more likely to reap the benefits of social media outreach without suffering the consequences of the risks it brings to bear.

A 3-Step Guide to Safe Social Media by Lumension is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

8660 E Hartford Drive Suite 300, Scottsdale, AZ 85255