Transcript of IT Pro’s 3 Step Guide to Safe Social Media (file dated 03.08.2016)
IT Pro’s 3 Step Guide to Safe Social Media

Table of Contents
Social Media Changing the Way We Work for the Better ... 2
A Perfect Malware Vector ... 3
Real World Attacks and How They Could Have Been Prevented ... 4
Social Media as a Means for Information Leakage ... 7
How to Hack Bob ... 8
What Can be Done? ... 9
1) Policy is Key ... 9
2) Educate your Users ... 11
3) Don’t Blame the Platform ... 11
An Action Plan for a New Era ... 13

Foreword
As a personal interaction tool, social media has clearly recast the way we relate to family and friends. But these tools aren’t just for keeping up with long-lost high school buddies. Social media also enables businesses.

Platforms like Facebook, Twitter and LinkedIn have helped businesses enhance PR and marketing campaigns, build better relationships with customers and personalize the recruiting process. They’ve even helped bring together remote teams of employees and partners in a way that email never could.

As indispensable as these tools have proven to be, they’re not perfect. Social media introduces a laundry list of new business and technology risks that organizations could never have dreamed about five years ago. These risks can no longer be ignored.

As a team, IT leaders, executive management and business stakeholders must work together to address these risks in order to responsibly enjoy the benefits of social media. Of course that’s easier said than done, right? This eBook will help clarify why resisting social media in the workplace is a failing proposition and three main tenets for securing against attackers who use social media as their malware vector of choice, including:

1. Strong social media policy development and enforcement
2. User education
3. A layered security backstop at the endpoint and network levels
Paul Henry, Forensics and Security Analyst, Lumension
Social Media Changing the Way We Work For the Better

Regardless of how management chooses to embrace or reject social media, it’s here to stay. According to Pew Research Center’s Internet & American Life Project[1], two-thirds of adult internet users today are social networking site users. And they’re not lurkers.

Over half of internet users share photos, 37 percent contribute rankings and ratings, about a third create content tags and share personal creations, and 26 percent regularly post comments on sites and blogs.

As mobility trends begin to seep into popular culture, devices like smartphones and tablets serve to accelerate these social adoption trends. At the moment, nearly a third of mobile users visit social networking sites from their devices and that number is growing. As Pew Internet puts it, “mobile is the needle and social is the thread in how information today is woven into our lives.”[2]

It’s no surprise, then, that social media has come to reshape the way we work, particularly among the younger set of job candidates.

The use of social media while on the job is incredibly important to young college grads just entering the workforce. A recent Cisco study suggests that 64% of college students plan to ask about social media policies in interviews and 24% say that the answer to that question might make them pass on a job offer. While the risk of attack increases when the policy on social media is restrictive, not allowing at least some access can put a company at a competitive disadvantage when it comes to attracting the best job candidates.

“Many employees openly state that a total ban on the technology would mean trying to find a work-around in violation of IT policies.”

Business leaders need to get out of the mindset that these young workers are demanding social media access so they can dawdle all day. Social media upkeep may be a fun pastime, but it’s also driving the way business gets done today. In fact, according to the Society for Human Resource Development (SHRM), 68 percent of organizations engage in social media activities to reach external audiences, be they customers, potential customers, recruits or partners.

The question is, how big are the risks that come with these opportunities?
1. Pew Research, Social Networking and the New Normal in the Digital Age
A Perfect Malware Vector

Social media technology has arrived on our doorstep with loads of risky baggage.

The risks presented by pervasive use of social media come at IT from two different directions. On one side, there are the risks presented by human nature. On the other there are the technological risks. When the two sides rub up against one another, it is sort of like tectonic plates shifting. That’s when security folks really start feeling the ground move under their feet.

Risks of human nature: Social media is dangerous for businesses because, well, it’s social. And what do people do most when they’re in social situations? They share information. That’s great when they’re collaborating with customers, co-workers or business partners. But the information could also be used by a potential hacker to perpetrate an attack. And in some instances, in the case of linking to sensitive documents or blabbing early about a big announcement, the information could be inappropriate for public consumption.

Technology risks: Social media websites are ripe for technological abuse by hackers. As millions of users post links and content galore, it has become next to impossible for the social media sites to keep track of what’s legitimate and what’s malicious. Meanwhile, users are accessing these sites on endpoints that lack adequate protection and with insecure versions of browsers. That means that when these users stumble upon a bad link or malicious upload, the bad guys are very likely to succeed in infecting the machine.

Survey figures[2]:
» 51% of companies surveyed believe that social networking tools have already or are likely to increase malware or virus infections
» 29% believe that they have the proper controls in place to help handle these threats
» 70% of organizations do not track employee use of social networking services on company-owned computers or handheld devices

Together these two big risk pools create a perfect environment for data thieves to strike. The goal of these social engineering attacks is ultimately to either take over accounts or to distribute a malware payload that can give the bad guys the keys to the entire network.

2. 2012 State of the Endpoint report, Ponemon Institute
Here are some common examples of how the risks are coming together:

Obfuscated links: On sites like Twitter, where URL shortening is the norm, attackers can entice users to click into a link about some phony news item and because the URL is cloaked by a service like Bit.ly, they won’t suspect it is a suspicious link.

Clickjacking: This tactic usually tricks users into revealing personal information with a sensational message or with transparent .gifs that hover over the “Like” button found on many company pages.

Malicious codecs/updates: One favorite tactic is pretending to share a video and redirecting the user to a malware installer posing as an update to a browser plug-in or codec. Secure browsers and traditional AV software are powerless to stop this kind of focused, personal attack.

Spear phishing: Emails that seem to come from someone you know asking for information like passwords; this technique now makes up 23 percent of all social media attacks.

Password guessing: Are your secret questions really any secret at all? A study by IEEE in 2009 found that 28 percent of those that simply knew and trusted an individual could often guess that person’s answers to their account secret questions.

Password sniffing: If a hacker is able to access your password, his ability to steal more information only increases when people rely on the same password across multiple accounts. Case in point: password research on the data associated with the Sony Breach.
Real-World Attacks And How They Could’ve Been Prevented

Example #1: In 2011, Facebook users got a glimpse of how easily social networking can be exploited for nefarious ends. A group, sometimes identified as a splinter of hacking collective Anonymous, tricked thousands of users into copying malicious scripts into their browser URL bars, thus compromising their own machines. The accounts were used to send out a stream of violent, pornographic, and otherwise non-family friendly images. For about 48 hours, Facebook was unable to shut down the propagation of images and remove them from the site.

This could have been prevented. In Chrome v13, Firefox v6 and IE 9, the browser developers should have noticed the dangers of the “javascript” protocol and disallowed code from being pasted directly into the address bar and executing.

This fix has now been made. More specifically, in the case of Chrome and IE, the “javascript” substring is stripped when the code is pasted and Firefox no longer executes the script within the scope of the active page.

While the attack was not targeted at corporate networks, it’s obvious that a similar exploit could be used to target corporate employees without the experience and training to avoid the pitfall. Encourage your users to always run the most current version of their browser and keep it patched and up-to-date.
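The address-bar mitigation described above, as an added example that is not code from this eBook or from any browser: a paste-time check that refuses the javascript: scheme and strips it the way the text says Chrome and IE do. Function names and the sample pastes are my own; the normalization steps follow the WHATWG URL parser’s handling of whitespace and case, which is why a plain prefix comparison is not enough.

```javascript
// Added illustration, not code from the eBook or from any browser: a
// paste-time check that mirrors the mitigation described above, where the
// address bar refuses to treat pasted "javascript:" text as something to run.
//
// Caveat for anyone writing such a check: the WHATWG URL parser strips
// leading/trailing C0 controls and spaces, removes ASCII tab and newline
// anywhere in the input, and matches the scheme case-insensitively. A plain
// startsWith("javascript:") comparison disagrees with the parser on inputs
// the parser still accepts, so normalize the same way before checking.

function normalizeForSchemeCheck(input) {
  // Drop leading and trailing U+0000..U+0020 (C0 controls and space).
  const s = String(input).replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  // Remove ASCII tab, LF and CR wherever they appear.
  return s.replace(/[\t\n\r]/g, "");
}

// Scheme of the input per the URL scheme grammar (ALPHA *( ALPHA / DIGIT /
// "+" / "-" / "." ) followed by ":"), lower-cased, or null if there is none.
function schemeOf(input) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeForSchemeCheck(input));
  return m ? m[1].toLowerCase() : null;
}

function hasJavascriptScheme(input) {
  return schemeOf(input) === "javascript";
}

// Behaviour the text attributes to Chrome and IE: a pasted javascript: URL
// loses its scheme, so what is left is inert text rather than a script URL.
// Anything else is returned exactly as pasted.
function sanitizePastedUrl(input) {
  if (!hasJavascriptScheme(input)) return input;
  return normalizeForSchemeCheck(input).replace(/^javascript:/i, "");
}

// Constructed sample pastes (not from the 2011 incident) showing why the
// normalization matters: the last two would slip past a naive prefix test.
const CONSTRUCTED_PASTES = [
  "https://example.com/video",
  "javascript:void(0)",
  "  JavaScript:void(0)",
  "java\nscript:void(0)",
];

// Map each sample to whether the address bar should let it navigate.
function classifyPastes(pastes) {
  return pastes.map((p) => ({ input: p, allowed: !hasJavascriptScheme(p) }));
}
```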
Example #2: Not all attacks are geared around mischief. During 2011’s so-called Arab Spring, a spear-phishing attack targeted specific lawyers at four major firms known for their work in the oil industry. It’s widely believed that the individuals were chosen and researched through LinkedIn and other social networking tools. Armed with that information, the hackers were able to send emails directly to privileged users, claiming to be analysts’ reports on how the tension in Libya would affect oil futures. As the lawyers opened the PDF documents, they opened the door for malware that provided the attackers the ability to execute arbitrary code on the victim’s machine. The email headers were spoofed so that they appeared to come from the target’s own company, but forensics suggests that the attacks were based out of Romania, China, or Russia.

Adobe has had a long history of vulnerabilities and users have been blindsided by Adobe and other third-party vendors’ software issues.

Many users believe they are safe when they run WSUS and allow Microsoft patches to be automatically installed. Nothing could be further from the truth on today’s Internet. The threat vector is not always Microsoft and only patching Microsoft products will leave you woefully exposed. An effective flaw remediation / patch management solution must address “all” third party software that operates within the user’s environment.

The secure rule of thumb is to never open a document unless
1. it is sent by someone you know and...
2. you are expecting them to send you a document.

Had these lawyers followed that guideline, the attacks could never have been carried out.
Social Media as a Means for Information Leakage

Before social media, it was possible for an employee to make a poor judgment call and let a few friends or family in on big developments on their company’s horizon. It wasn’t unheard of for a stray worker to talk to the press in the parking lot if a big scandal was brewing. But most had the sense to keep their heads down and let those at the top handle public relations.

The illusion of trust online has changed the texture of this situation. It’s likely you’re going to tell your “friends” if your publicly traded corporation has something exciting to announce in the near future. It’s easy to forget, though, that many of those hundreds of “friends” don’t know you at all. Depending on your role within your company, a handful of those friends might have chosen you specifically with the purpose of hoping you drop a secret or two.

The amount of data shared on sites like Facebook and LinkedIn also provides the bad guys with plenty of information to come hunting for passwords and other secrets. Once they’ve learned your users’ interests, history, and a bit about their family, an insecure password is easy pickings. Since so many people use the same passwords again and again, this over-sharing can jeopardize an entire network, no matter the strength of its AV.

Spear phishing: Even if the bad guy can’t guess at the password, all this information makes a social engineering attack much, much easier.
How to Hack Bob: Anatomy of a Spear Phishing Attack

1. Bob is a middle manager in Corporate America. He is also crazy about fishing and has fishing videos all over Facebook. Recently, he posted about an amazing father-son fishing trip he took to Alaska.

2. Bob also spends a lot of time on the road for work. He is a frequent attendee on the conference circuit and spends a lot of time throwing his business card around. Fortunately, Facebook allows him to accept friend requests from people he’s met during those conference cocktail hours.

3. Meet Vlad. He is a cyber criminal. He decides to target Bob because his profile shows he’s an employee of SensiCorp, a manufacturing firm that has developed valuable technical blueprints.

4. These days, Bob accepts friend requests from just about anyone who asks. So when a respectable looking guy named ‘John Smith’ friends him and says they recently met at the conference Bob posted about, Bob accepts. John’s profile says he’s a manager in Bob’s industry and he also loves to fish.

5. Vlad starts his attack by taking stock of Bob’s interests from his profile information. ‘John’ sends Bob a link to a video of him and his son who, coincidentally, also just went fishing in Alaska. Click the link, Bob, and see if John’s monster catch measures up.

To: Bob
From: John
Subject: Alaska fishing trip.

Hi again!
Had a great time talking to you at the convention. As I said, my son loves to fish too and we thought you would like to check out this video from our Alaska trip.
Sincerely,
John

6. The link is actually to a malicious backdoor Trojan. When Bob gets a message stating that in order to look at the video he’ll need to download a new player, Bob quickly does.

7. Bob is oblivious to the chain reaction of infections he started. His click allowed Vlad to install malware on Bob’s machine that gives Vlad remote control of Bob’s corporate network. In no time, Vlad has got his hands on these valuable blueprints and Bob doesn’t even know he helped the bad guy steal the goods.

On Facebook, Bob doesn’t have associates, he has ‘friends.’ And who would deny a friend the chance to share something special about their lives through a video or photo? Certainly not Bob. This is why attackers like Vlad love social media.

[Illustration: Bob’s profile lists his interests as “Hanging with my son”, “Fishing” and “Computers”, alongside a friend request from John Smith with Yes/No buttons.]
What Can Be Done?

“Nearly three-quarters of organizations fail to provide any training to employees who use social media to engage externally on behalf of the company.”

Never assume that users know how to behave responsibly with corporate security. Many don’t. It’s illustrative to learn from the painful mistake that led to one of the biggest breaches of 2011, the RSA Security breach.

In this case an employee, deliberately singled out in a spear-phishing attack, was sent a social engineering email. The message was safely caught in the spam filter and should have been quietly deleted. It was compelling enough to tempt the employee into pulling the message out of that folder. A little lapse in policy on the part of one employee can lead to an inestimable level of damage, both financial and in harm to the company’s hard-earned brand.

1. Policy Is Key

It is absolutely critical that organizations establish a firm set of use policies around social media. Most companies already have rules in effect that ban non-public relations staff from talking to the media on behalf of the company. Social media and its window on the world are no different.

The importance of a clear, enforceable policy is two-fold. First, careless employees can expose a company to harm, regulatory penalties, or lawsuits in a way not possible in the past. Media outlets scanning Twitter or Facebook feeds can patch together different employee viewpoints to cover the story in whichever light they choose, much to the dismay of the legitimate public relations staff.

Second, workers doing nothing worse than just mentioning their affiliation with the company can still be leaving the front door open if they aren’t careful, as in the case with Bob.
Traits of a Good Social Media Policy

Every company is different, so it follows that social media policies will vary wildly from organization to organization. But there is one universal must of a social media policy: you need to have one. Write it, disseminate it and enforce it. Even better, don’t make it shelfware and don’t write it in legalese—make it something anyone from the mailroom to the boardroom can understand and follow. Here’s what it should cover:

» How (or whether) users represent themselves as employees of the company
» A ban on sharing the company’s confidential digital property
» Respect of copyright in the content employees post
» Acceptable business use of time on social media sites
» Notice of inspection and monitoring of employee activity when visiting sites on company time or with company resources
» Reporting requirements in the event that employees breach information
» Endpoint compliance policy on what kind of protections need to be in place on machines visiting social sites
» Password policies for both social media accounts and other company accounts
» Encourage smart privacy settings – here are links for specific how-to’s and remember, these sites change their privacy steps frequently
  • YouTube

For more on what a social media policy document should look like, here is a sample.
2. Educate your Users

While developing policy is key, so too is educating all employees, contractors, and anyone else with access to your network about the risks. Policies don’t amount to anything if no one knows anything about them. User education should be engaging and made up of information they need to know. Flooding them with tons of technical data will only get them to tune out during training and waste everybody’s time.

3. Don’t Blame the Platform

For all the ink dedicated to the subject, social media is not the enemy. It’s not evil in and of itself. Security professionals are often guilty of targeting a new trend and setting it up as the scapegoat. The fact of the matter is social media is little more than a delivery mechanism. And one of our biggest faults in network security has been to focus on the delivery mechanism du jour. Instead of worrying about the delivery, we need to set our sights on preventing malicious software from executing within the environment. We won’t win otherwise – we’re outmanned and outgunned and clearly our adversaries have a better imagination when it comes to learning the ins and outs of the latest malware delivery mechanisms than we do. Instead, we have to focus on the endgame.

Fortunately, it doesn’t necessarily take imagination to practice good security hygiene. Instead, it takes discipline. That discipline is practiced every day by ensuring endpoints are well-patched, users are trained about the risks, policies are enforced through monitoring and blocking technologies and sensitive information is well-fortified within the network.

It’s the meat-and-potatoes fundamentals that security pros have been preaching about for years that are going to get us out of this jam, not some new whizbang technology.
Social Media Security Suggestions

Beyond the very important task of educating users and developing sound social media use policies, IT staff can also protect against social media threats by following four security fundamentals:

1. Strong Endpoint Management: When systems are well-patched and free of vulnerabilities, social media attackers won’t find an easy attack surface. Similarly, systems protected by traditional technologies integrated with new approaches like application whitelisting simply won’t allow a user to download a piece of malware masquerading as a video codec or browser update.

2. Rule of Least Privilege: Attackers love it when organizations give their employees more access to systems than they really need. The more permissions users have to access network and database resources, the easier it is for a hacker to turn an attack on an isolated machine into a full-blown raid of the organization’s most precious information.

3. Network Segmentation: When stores of personally identifiable information are intermingled with less mission-critical documents like copies of flyers for the annual picnic, attackers find it easier than a summertime scavenger hunt to find company treasures. It is critical that IT segment the most sensitive data stores from the rest of the network to make it harder for attackers to pivot from the endpoint to get to them.

4. User Monitoring and DLP: It’s not just the attackers that are endangering information. Without oversight, insiders can either purposely or inadvertently post sensitive information onto online sharing sites and send it viral via social media sites. Monitoring and technological enforcement of policies ensures that your organization is alerted to and acts on bad user behavior that puts the whole network at risk.
An Action Plan For A New Era

There’s clearly no putting social media back into Pandora’s Box. As IT professionals move forward in this new era, the only way they’re going to keep up with the threats is to face the reality of social media use head-on.

As discussed, any good plan of action needs to depend on three main tenets:
1. Strong social media policy development and enforcement
2. User education
3. A layered security backstop at the endpoint and network levels

Act on those three points and your organization is more likely to reap the benefits of social media outreach without suffering the consequences of the risks it brings to bear.
A 3-Step Guide to Safe Social Media by Lumension is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
8660 E Hartford Drive Suite 300, Scottsdale, AZ 85255