In today’s world, social media plays a big part in the marketing strategy of many businesses. It’s a useful way for businesses to attract new customers, visitors, donors, media, and interested prospects. Furthermore, social media is a tool to create trust between a website owner and a visitor. But new attacks are being created to take advantage of that trust, and they now use social media to send visitors to malicious sites.
“Many of the breaches reported last year were a result of poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice. Attackers seem to be capitalizing on this lack of security basics.” (1)
Unfortunately, the biggest risk to security is us. Human beings have a tendency to be sloppy with security protocols. The reason? Security personnel are the last ones brought to the table when any computer, network, or information security project is built. Just look at some of the websites you visit every day. As security personnel, we are taught that the best passwords consist of lower- and uppercase letters, numbers, and special characters. Yet most websites will not allow special characters. If security personnel had been involved, that would have been one of the first things changed.
Then there are SQL injection attacks. With the proper security practices in place, this issue could be avoided, yet these attacks happen all too frequently.
And what about laziness? I know of one case where a fix for a particular breach had been out for six months. Security professionals warned business leaders, yet nothing was done, and the business was hacked. This situation was completely preventable. Fortunately for everyone involved, I don’t believe any personally identifiable information (PII) from customers was stolen.
As security professionals, we have our own problems. We’re well known for saying “no” when building any new project. Although priority one is risk management and organizational security, in trying to be risk averse, we tend to forget about usability. There’s a fine line between security and usability, and while we cannot stop every breach and intrusion, we can reduce the amount of damage done. No matter how secure we make any project, there is always a way that an intruder can get around it, from social engineering to outright theft. We do our best to keep the “bad guys” out as much as possible, but the really bad guys find a way in despite everything we do. Things like vulnerability management and penetration testing can go a long way toward keeping us safe – but those are only a few of the steps we need to take.
According to the 2013 Data Breach Investigations Report from Verizon, 95% of all attacks begin with a phishing email. (2) Social media offers the information that allows those phishing attacks to take place: the names of important people within a business, their addresses, their education, their previous employers, and other identifying data. This lets an attacker tailor email messages to a particular individual. All of this data makes an email appear legitimate and more likely to be opened, since it looks as if it comes from somebody the individual knows: an alumni association, an HR person from a previous employer, and so on.
Years before I began my career in security, I received what looked like a personal email from my boss, so I opened it. Both my company and I had a terrible day as a result. This was my introduction to the world of infosecurity and the ramifications of security breaches – and I never forgot the lessons learned that day. But at that time, the IT department did not teach employees what an infected email attachment looked like. This is also why it is so important to schedule regular training sessions with all employees – security training is NOT a one-time only exercise.
And it’s important to teach everyone, including all members of the C-Suite, what to look for and how sender addresses can be spoofed. It is the job of every security/IT department to educate employees about what a legitimate email is and what it is not. An infected email may contain a link to a malicious website that downloads a virus or malware. Always remember, once a virus has been invited into your network, it can wreak havoc.
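As an added example, not part of the original post, here is a small header check of the kind a security team can use in training or in a mail filter to surface the spoofing patterns discussed above: a display name that matches a known colleague but an address that does not, a sender domain that is a lookalike of the company domain, and a Reply-To that points somewhere other than the From domain. The company domain `example.com`, the two-entry staff directory, and the sample messages are all constructed for this illustration.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"  # assumed company domain
# Assumed internal directory: display name (lower-cased) -> real address.
DIRECTORY = {
    "jane boss": "jane.boss@example.com",
    "sam payroll": "sam.payroll@example.com",
}


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain):
    """Fold common digit-for-letter substitutions so examp1e.com ~ example.com."""
    return domain.lower().replace("1", "l").replace("0", "o")


def check_headers(raw_message):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []

    # 1. Display name claims to be a colleague, but the address is not theirs.
    key = name.strip().lower()
    if key in DIRECTORY and addr.lower() != DIRECTORY[key]:
        findings.append(f"display name '{name}' matches a colleague but address is {addr}")

    # 2. Sender domain is one edit away from the trusted domain (after folding).
    if domain != TRUSTED_DOMAIN and levenshtein(normalise(domain), TRUSTED_DOMAIN) <= 1:
        findings.append(f"sender domain {domain} is a lookalike of {TRUSTED_DOMAIN}")

    # 3. Replies would go to a different domain than the visible sender.
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To {reply_to} points outside the From domain")

    return findings


# Constructed sample messages (headers only; bodies are irrelevant here).
SAMPLE_LEGIT = 'From: "Jane Boss" <jane.boss@example.com>\nSubject: Q3 plan\n\nhi\n'
SAMPLE_LOOKALIKE = 'From: "Jane Boss" <jane.boss@examp1e.com>\nSubject: urgent\n\nhi\n'
SAMPLE_REPLY_TO = (
    'From: "Sam Payroll" <sam.payroll@example.com>\n'
    "Reply-To: <collect@webmail-example.net>\nSubject: W-2 forms\n\nhi\n"
)
SAMPLE_EXTERNAL = 'From: "Alumni Association" <news@alumni.example.edu>\nSubject: reunion\n\nhi\n'


if __name__ == "__main__":
    for label, raw in [("legit", SAMPLE_LEGIT), ("lookalike", SAMPLE_LOOKALIKE),
                       ("reply-to", SAMPLE_REPLY_TO), ("external", SAMPLE_EXTERNAL)]:
        print(label, "->", check_headers(raw) or ["no findings"])
```

None of these checks replaces SPF, DKIM and DMARC enforcement at the mail gateway; they are the cheap, explainable signals that make a good classroom demonstration of why a familiar display name proves nothing about who sent a message.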
And lastly, there’s BYOD (bring your own device). An employee who uses his or her own device (smartphone or tablet) does not keep personal and professional data streams separated from each other. Individuals are just as susceptible to phishing as businesses are – even more so, in fact, because they tend to put an exhaustive amount of data on social networking sites with little regard for security.
With a little social engineering, an attacker can find out where a person works and run a phishing scheme against him or her, and mobile apps tend to be less secure, especially in the Android world. In April 2013, a single tweet of 60 characters cost the US stock market $200 billion (yes, two hundred billion dollars). (3) The Twitter account of the Associated Press was hacked, and a tweet reported that there had been an accident at the White House injuring President Obama – completely false.
Don’t get me wrong, social networking is not going anywhere. It offers a great way to reach customers of all types. But certain guidelines need to be put in place, such as keeping personal and professional data to a minimum, to keep you and your company safe – not sorry.
Image Credit: IBM X-Force Research and Development.
SOURCES FOR THIS POST:
(1) IBM X-Force 2013 Mid-Year Trend and Risk Report – page 6.
(2) 2013 Data Breach Investigations Report by Verizon – page 36.
(3) IBM X-Force 2013 Mid-Year Trend and Risk Report – page 19.
To read the “IBM X-Force 2013 Mid-Year Trend and Risk Report,” click for a free download: http://www-03.ibm.com/security/xforce
To read the “2013 Data Breach Investigations Report” from Verizon, click for a free download: http://www.verizonenterprise.com/DBIR/2013/
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.