Testing Your Organization's Social Media Awareness
Transcript of a slide deck by Jacob Wilkin (@Jacob_Wilkin)
Contents
- Social Media
- Why is it important
- Why we should be testing it
- How we can test it
  - Social Mapper
  - Social Attacker
# id -un
jacob-wilkin
- Security Consultant, Penetration Tester, Red Teamer, Hacker
- Performed 100s of penetration tests
- Hacked multiple banks (with permission)
- Creator of Spray & Social Mapper
- British (☕)
Social Media
How does it affect security?
- Social media phishing is on the rise
  - Preferred vector for attackers
  - 33% click rate vs 11% for business email phishing
- Bring your own device
  - Social media is accessed from work devices
- Alternative attack vectors
  - Credential phishing: captured passwords that are shared with work accounts
  - Malicious file download
  - Browser exploitation
How do we address this?
- Improving awareness
- Mock campaigns
- Identify who is at risk
- Two types of test:
  - Passive
  - Active
Passive Testing with Social Mapper
- Feed in a LinkedIn company, or a list of enumerated employees
- Logs into social media sites with the credentials you provide
- Searches by name, then confirms the match with facial recognition
- Pros:
  - Quicker
  - Less intrusive
- Cons:
  - Identification only, no evaluation: it shows who can be found, not who would click
Running Social Mapper
Example Social Mapper Report
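As an added illustration of the passive pipeline from the "Passive Testing with Social Mapper" slide (this is not Social Mapper's own code, and it makes no network requests): names from the enumerated employee list are matched against the display names of candidate profiles, surviving candidates are confirmed by comparing face encodings against the employee's reference photo, and the confirmed profiles are written out as a CSV report of the kind handed to the client. The employee names, candidate profiles, URLs, face encodings and the 0.6 distance threshold are constructed assumptions; a real run takes 128-dimensional encodings from a face-recognition library and candidates from the site search performed with the supplied account.

```python
import csv
import io
import math
import re
import unicodedata

# Assumption: a distance at or below this between two face encodings counts as
# the same person (0.6 is the usual default for 128-d face encodings).
FACE_MATCH_THRESHOLD = 0.6

# Constructed reference data: one encoding per enumerated employee. Real
# encodings have 128 dimensions; three are used here to keep the example small.
EMPLOYEES = [
    {"name": "Alice Example", "encoding": (0.10, 0.20, 0.30)},
    {"name": "Bob Sample",    "encoding": (0.90, 0.10, 0.40)},
]

# Constructed candidate profiles, as a name search on each site might return them.
CANDIDATES = [
    {"site": "linkedin",  "name": "Alice Example", "url": "https://linkedin.example/in/alice-example",
     "encoding": (0.12, 0.20, 0.31)},                      # same face -> match
    {"site": "facebook",  "name": "A. Example",    "url": "https://facebook.example/a.example",
     "encoding": (0.10, 0.22, 0.30)},                      # initialled name, same face -> match
    {"site": "twitter",   "name": "Alice Example", "url": "https://twitter.example/alice_example",
     "encoding": (0.80, 0.80, 0.80)},                      # same name, different face -> rejected
    {"site": "facebook",  "name": "Bob Sample",    "url": "https://facebook.example/bob.sample",
     "encoding": (0.90, 0.10, 0.45)},                      # match
    {"site": "instagram", "name": "Robert Sample", "url": "https://instagram.example/robert_sample",
     "encoding": (0.90, 0.10, 0.40)},                      # same face, but a name-first search never
                                                           # surfaces it: a limit of name-based mapping
]


def name_tokens(name):
    """Lower-case, ASCII-fold and tokenise a display name, dropping titles."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = re.sub(r"[^a-z ]", " ", folded.lower())
    return [t for t in cleaned.split() if t not in {"mr", "mrs", "ms", "dr"}]


def name_matches(employee_name, candidate_name):
    """Surname must match exactly; the first name may be given as an initial on either side."""
    emp, cand = name_tokens(employee_name), name_tokens(candidate_name)
    if not emp or not cand or emp[-1] != cand[-1]:
        return False
    e_first, c_first = emp[0], cand[0]
    if e_first == c_first:
        return True
    return (len(c_first) == 1 and e_first.startswith(c_first)) or \
           (len(e_first) == 1 and c_first.startswith(e_first))


def face_distance(enc_a, enc_b):
    """Euclidean distance between two face encodings of equal length."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(enc_a, enc_b)))


def map_employees(employees, candidates, threshold=FACE_MATCH_THRESHOLD):
    """Return one confirmed profile per (employee, site): name match first, then the
    closest face at or below the threshold."""
    rows = []
    for emp in employees:
        best_per_site = {}
        for cand in candidates:
            if not name_matches(emp["name"], cand["name"]):
                continue
            dist = face_distance(emp["encoding"], cand["encoding"])
            if dist > threshold:
                continue
            current = best_per_site.get(cand["site"])
            if current is None or dist < current[1]:
                best_per_site[cand["site"]] = (cand["url"], dist)
        for site, (url, dist) in sorted(best_per_site.items()):
            rows.append({"employee": emp["name"], "site": site,
                         "profile": url, "distance": round(dist, 3)})
    return rows


def report_csv(rows):
    """Serialise the mapping as CSV, the shape of report a tester hands to the client."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["employee", "site", "profile", "distance"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(report_csv(map_employees(EMPLOYEES, CANDIDATES)))
```

The name filter runs first because that is what the tool's site searches can actually query; the face check then removes same-name strangers. The Instagram candidate shows the cost of that order: a profile under a different first name is never compared at all, which is why the "don't use the same name across sites" advice later in the deck works.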
Active Testing with Social Attacker
- Feed in the Social Mapper output: the targets' social media profiles
- Logs into social media sites with the credentials you provide
- Initiates connections to the targets
- Sends phishing messages/links to the users who accept
- Pros:
  - Full testing: identifies the users who are at risk
- Cons:
  - Slower
  - Intrusive on private profiles
Running Social Attacker
Example Social Attacker Report
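Added example of the step that turns "sent a link" into "identified an at-risk user" in an active test. This is not Social Attacker's own code and it sends nothing: each target gets a landing URL carrying an HMAC-derived token, so the URL neither reveals the target list nor lets one recipient guess another's token, and the tester's web-server access log is parsed afterwards to map each hit back to a target. The landing host, campaign key, target handles and log lines are constructed.

```python
import hashlib
import hmac
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumptions: a tester-controlled landing page and a per-campaign secret that
# never leaves the tester's host.
LANDING_URL = "https://awareness-test.example/login"
CAMPAIGN_KEY = b"constructed-campaign-secret"

# Constructed target list: (target id, site the connection was made on).
TARGETS = [
    ("alice.example", "linkedin"),
    ("bob.sample", "facebook"),
    ("carol.sample", "twitter"),
]


def token_for(target_id, key=CAMPAIGN_KEY):
    """Opaque per-target token: the HMAC keeps it unforgeable and unlinkable to the id."""
    return hmac.new(key, target_id.encode(), hashlib.sha256).hexdigest()[:20]


def build_links(targets, key=CAMPAIGN_KEY):
    """Return ({token: (target_id, site)}, {target_id: url}) for one campaign."""
    token_map, links = {}, {}
    for target_id, site in targets:
        tok = token_for(target_id, key)
        token_map[tok] = (target_id, site)
        links[target_id] = f"{LANDING_URL}?t={tok}"
    return token_map, links


# Common Log Format, as written by most web servers.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def attribute_clicks(log_lines, token_map):
    """Map each landing-page hit with a known token to its target -> {target_id: [timestamp, ...]}.
    Hits with unknown or missing tokens (scanners, link previewers, typos) are ignored."""
    clicks = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tok = parse_qs(urlsplit(m["path"]).query).get("t", [None])[0]
        if tok in token_map:
            clicks[token_map[tok][0]].append(m["ts"])
    return dict(clicks)


def at_risk_report(targets, clicks):
    """One row per target: how many times the link was followed, and a verdict."""
    return [
        {"target": tid, "site": site, "clicks": len(clicks.get(tid, [])),
         "verdict": "at risk" if clicks.get(tid) else "did not click"}
        for tid, site in targets
    ]


def constructed_log():
    """Constructed access-log lines: two hits from Alice, one unknown token, one unrelated path."""
    tok_alice = token_for("alice.example")
    return [
        f'203.0.113.5 - - [12/Mar/2019:10:02:11 +0000] "GET /login?t={tok_alice} HTTP/1.1" 200',
        f'203.0.113.5 - - [12/Mar/2019:10:02:40 +0000] "GET /login?t={tok_alice} HTTP/1.1" 200',
        '198.51.100.9 - - [12/Mar/2019:10:05:03 +0000] "GET /login?t=0000deadbeef00000000 HTTP/1.1" 200',
        '198.51.100.9 - - [12/Mar/2019:10:05:04 +0000] "GET /robots.txt HTTP/1.1" 404',
    ]


if __name__ == "__main__":
    token_map, links = build_links(TARGETS)
    for row in at_risk_report(TARGETS, attribute_clicks(constructed_log(), token_map)):
        print(row)
```

Keep the token map with the campaign secret and delete both when the engagement report is delivered; the access log then no longer identifies anyone, which matters given the disclaimer slide's point about private accounts.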
Defenses
Protecting Yourself
- Don't use the same name/username across sites.
- Don't accept connections from people you don't know.
- Don't click on links from people you don't know.
- Don't show your face in your profile picture.
Protecting Your Organization
- Run social media awareness testing.
  - At least run Social Mapper, to identify the employees linked to your company online.
- Warn employees about social media phishing.
  - Add slides/information on it to standard phishing awareness training.
- Ask employees not to link themselves to your organization on LinkedIn.
Advice to Social Media Sites
- Work on detecting browser-instrumentation bots that use Selenium.
- Move away from name-based searches.
- Require additional proof of connection, such as a phone number (as WhatsApp and WeChat do).
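Added example of the first piece of advice, written from the site's side; it is not from the talk and not any social network's actual detection logic. It runs over the site's own search audit log and flags sessions that show the signature of a browser-instrumentation bot, using three signals: a client-reported navigator.webdriver flag (browsers under WebDriver control expose it), many distinct name searches in a short window, and machine-regular spacing between searches. The tab-separated record layout, the field names and the thresholds are assumptions, and the log lines are constructed.

```python
import statistics
from collections import defaultdict

# Assumed thresholds; tune against real traffic before acting on them.
MAX_SEARCHES_PER_MIN = 20       # a sustained rate no person reaches by hand
MIN_DISTINCT_NAMES = 10         # a mapping run walks a list of different people
MIN_EVENTS_FOR_TIMING = 5       # need a few gaps before judging their regularity
MAX_GAP_STDEV_SECONDS = 0.5     # near-constant gaps mean a loop, not a person

# Assumed record layout: unix_ts <TAB> session <TAB> action <TAB> query <TAB> webdriver(0/1),
# where webdriver is the value of navigator.webdriver reported by the site's own
# client-side script alongside each request.
SAMPLE_LOG = (
    # Constructed: a scripted run searching twelve different names every two seconds.
    [f"{1552384800 + 2 * i}\tsess-bot-1\tname_search\tEmployee {i}\t1" for i in range(12)]
    # Constructed: a person doing three searches over a couple of minutes.
    + [f"{1552384800 + t}\tsess-human-7\tname_search\t{q}\t0"
       for t, q in ((0, "Alice Example"), (45, "Alice Exemplar"), (130, "Bob Sample"))]
    # Constructed: a quick burst of lookups of one name, which is not a mapping run.
    + [f"{1552384800 + t}\tsess-human-9\tname_search\tBob Sample\t0" for t in (0, 1, 2, 3, 4, 5)]
    + ["1552384900\tsess-human-7\tview_profile\tBob Sample\t0"]
)


def parse_log(lines):
    """Parse records into (ts, session, action, query, webdriver) tuples."""
    events = []
    for line in lines:
        ts, session, action, query, webdriver = line.rstrip("\n").split("\t")
        events.append((float(ts), session, action, query, webdriver == "1"))
    return events


def flag_sessions(events):
    """Return {session: [reason, ...]} for sessions whose name searches look automated."""
    searches = defaultdict(list)
    for ev in events:
        if ev[2] == "name_search":
            searches[ev[1]].append(ev)

    flagged = {}
    for session, evs in searches.items():
        evs.sort(key=lambda e: e[0])
        times = [e[0] for e in evs]
        distinct = {e[3] for e in evs}
        reasons = []

        if any(e[4] for e in evs):
            reasons.append("navigator.webdriver reported true")

        span = times[-1] - times[0]
        per_minute = len(times) / max(span, 1.0) * 60   # floor the window at one second
        if per_minute > MAX_SEARCHES_PER_MIN and len(distinct) >= MIN_DISTINCT_NAMES:
            reasons.append(f"{len(distinct)} distinct names searched in {span:.0f}s")

        if len(times) >= MIN_EVENTS_FOR_TIMING:
            gaps = [b - a for a, b in zip(times, times[1:])]
            if statistics.pstdev(gaps) <= MAX_GAP_STDEV_SECONDS and len(distinct) >= MIN_DISTINCT_NAMES:
                reasons.append("fixed-interval searches across distinct names")

        if reasons:
            flagged[session] = reasons
    return flagged


if __name__ == "__main__":
    for session, reasons in flag_sessions(parse_log(SAMPLE_LOG)).items():
        print(session, "->", "; ".join(reasons))
```

The distinct-name guard on the rate and timing checks is what keeps the "sess-human-9" burst (one name retried six times) out of the result; the webdriver flag alone is worth acting on, but it is client-reported and a tool can suppress it, so the behavioural signals are the ones a site should rely on.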
Disclaimer
- Targeting employees' private social media accounts may be illegal in some countries. Check local laws before running any tests.
- Don't target organizations you don't have permission to target.
- Running these tools will likely break the social media sites' terms and conditions. Your accounts may be banned.
Summary
Q&A
- Thanks for listening
- Any questions? AMA
- Via email/twitter is fine too!
https://github.com/Greenwolf/social_mapper
@Jacob_Wilkin
https://github.com/Greenwolf/social_attacker