Feature: Social networking security

Social media in the enterprise is here to stay whether IT departments like it or not, so now is the time to regain control over its security and risks, Tim Lohman writes

Understanding the risks — social engineering

Like malware, social engineering attacks are on the rise, with government agencies and the organisations that serve them, as well as those in the banking, health and law enforcement sectors, most commonly targeted.

“The social engineering challenge for organisations is that it’s largely irrelevant if the social networking site is accessible via an organisation’s IT infrastructure — the employee can equally be targeted while using their own equipment, completely independently of any controls that the organisation may have in place,” IBRS’s Turner says.

“An unintended consequence of the consumerisation of IT is that consumers are racing ahead in their use of information technology, and they are effectively operating out on the Internet on their own — without the support of an IT security department.”

A big part of the issue is that consumers are not trained in managing their Facebook profile’s privacy settings, in using discretion about how much personal information they broadcast, or in recognising how much that information can reveal about them. The same gap extends to employees on online dating sites, who can be socially engineered by their dates or potential dates.

Arbor Networks’ APAC solutions architect, Roland Dobbins, also emphasises the social engineering risks associated with social media and argues that many of the techniques associated with email over the years have now transitioned to social media.

"The same types of threats that users face with email — getting email intended to compromise their machines — are now on social media," he warns. "The bad guys are using the same techniques, so the same diligence exercised with email should be exercised with social media."

Dobbins says the typical attack involves a user's credentials for a given social media account — usually Twitter or Facebook — being stolen so that the attacker can then pretend to be that user and exploit the trust that user has among their social network for financial gain.

“[The attacker] will say, ‘Hey, I'm on holiday somewhere and my wallet has been stolen and I need you to wire me some money so I can get home,’” he says. “That is a very common type of scam. People want to help, so they will fall for this.

"If the bad guy wants to complete a more thorough form of identity theft, then the more information he can mine about a social media user, and that user’s cloud of social contacts, the easier it is to commit identity theft and then apply for credit cards in the victim’s name."

Dobbins adds that as our personal and work lives have become so intertwined, getting a toehold into an organisation in order to compromise intellectual property or commit corporate espionage often starts with social media.

"The bad guys will target someone who works at an organisation and attempt to get into his various social media accounts, as there is a lot of information and messaging that people pass back and forth between their networks, through the IM [instant messaging] built into social media, to get a more complete picture of the organisation," he says.

"As people often have friends who are colleagues, this is a great source of information. The bad guy may be able to get enough information to social engineer his way into the organisation and access critical data."

Blue Coat’s Andresen says it’s important to understand that at the heart of these risks is the issue of trust. “The trust model is so powerful,” he says. “An email from someone you don’t know you are just likely to delete. But when a friend says look at a Web page or this content you are much more likely to look at it.

“Lady Gaga has 40 million friends. If someone can post a link on there then 40 million people will be suggested to look at it. [It is] much more powerful for cyber crime to have users help propagate the malware.”
