As we’ve discussed at length on this blog, BYOD organizations must pay special attention to social network security and to their employees’ social media use. Both technology and end-user education must come into play if companies want to avoid disastrous data breaches. To illustrate some of the dangers of social media, let’s examine the dos and don’ts we can learn from the social network security case study presented by IT support and network services provider Fresh Mango Technologies. The case study shows how easily even a U.S. government agency can be compromised through social engineering alone, with no technical exploit needed to open the door.
Do: Be wary of friend requests from attractive strangers.
The Fresh Mango social network security case study, which was presented at the RSA Europe cyber security conference, detailed the ease with which a pair of hackers compromised a U.S. government agency using a fake social media profile. All it took was a pretty picture, a convincing fictitious connection to the targeted agency, and some initial work building up the fake profile’s social media presence, and the hackers were able to get employees at the target to add “Emily Williams” to their networks.
Don’t: Trust everything you read on a stranger’s social media profiles.
As tempting as it might be to believe that everything on a stranger’s LinkedIn profile is real, the truth is that no social networking platform truly verifies the information on a user’s account. The hackers featured in the Fresh Mango social network security case study gave “Emily Williams” a “just hired” status and an engineering title at the targeted agency. Even members of the agency’s HR, IT, and engineering departments, the people best placed to notice that no such hire existed, fell for the lie.
Do: Avoid clicking links from questionable sources, especially on devices used to connect to the corporate network.
Once “Emily Williams” had befriended a number of employees at the targeted agency, the hackers commenced the next stage of their attack: gaining a foothold on the employees’ hosts through malware. “Emily Williams” targeted specific agency employees with holiday e-cards posted on her Facebook profile. Clicking those e-cards delivered a payload that compromised the employees’ browsers, giving the hackers a position from which to look for further vulnerabilities to exploit and to gather passwords and insider information. Ultimately, the hackers were “able to figure out domain credentials to create an inside email address for Emily Williams, VPN passwords to gain internal access and other methods to compromise” the targeted agency. Note the escalation: a social media click on a personal device became domain credentials and VPN access, which is exactly why links opened on devices that also connect to the corporate network deserve the most scrutiny.
Don’t: Give out company resources or information without verifying recipient credentials.
Among the more embarrassing results of the Fresh Mango social network security case study were the perks that certain employees gave to “Emily Williams.” Her new friends at the agency offered to do her favors such as “circumventing usual channels to get her a work laptop, and access to the organization’s network.” Caution was thrown to the winds for no reason other than that the “Emily Williams” profile was attractive, friendly, and seemingly entrenched in the organization, an illusion that had been carried out without any in-person espionage whatsoever. None of those favors would have survived a single check against the official channels they bypassed: a call to HR, a ticket to IT, or a lookup in the employee directory.
The ultimate takeaway of the Fresh Mango social network security case study is simple: trust no one, at least no one you haven’t personally met or verified through official channels. The vast majority of social media users may be telling the truth about who they are, but on social networks anyone can say anything, and a gullible end user or two can open the organization up to a world of embarrassment and disaster. To prevent that from happening, organizations must make sure their employees are aware of the risks of social media, and must have channels for verifying identity and provisioning access that employees actually use rather than route around.
What have you learned from this social network security case study or others like it? Tell us your thoughts in the comments.