This blog is adapted from the white paper Why InfoSec Needs to Care About Social Media. Read the full white paper for best practices and ZeroFOX recommendations.
The information security team’s role has changed significantly over the last few decades. Ten years ago infosec was laser focused on securing the endpoint, getting a handle on the extended network perimeter, and minimizing the potential attack surface. Today, the information security team’s charter is much more complex. Yes, infosec is still tasked with protecting the organization from all potential information, technology and digital risks, but the new twist is that they must do this while enabling more connectivity, mobility, and engagement across the organization. Security must now facilitate the expansion of the attack surface, something that runs counter to every fiber of security best practices.
Social media has also exploded as a business platform due to the fact that in our connected world, almost all consumers engage with businesses online. 81% of consumers’ purchasing decisions are influenced by their friends’ social media posts, and according to Google, 67% of buyers are influenced by review sites. Brands have taken note: according to CMO Survey, 22.4% of marketing budgets are spent on social media—and 93% of companies use social media to target buyers.
With this new rise, cyber criminals have a fresh battleground that is ready for their armies to exploit. They are using new techniques to hack into social media accounts, create spoofed profiles, sell counterfeit goods and fake coupons, damage brands, plan attacks on people and places and, ultimately, make a quick buck.
However, social is likewise a huge boon for security teams, as it represents a massive repository of free, easily accessible intelligence. So what are the top 5 reasons infosec needs to care about social networks?
(1) Like websites, social media accounts are high-value targets for attack
When it comes to the corporate website, marketing is in charge of conception, design, content creation, maintenance, and optimization. Security is charged with surrounding the asset, hardening controls and ensuring it is safe from intruders. In the new marketing paradigm, social media accounts are the latest and greatest way to engage with customers and prospects. When it comes to social networking profiles, marketers aren’t burdened by hosting, databases, network infrastructure, and development. They can focus on what they do best: content creation, engagement, lead nurturing, and advertising. But the security team’s job hasn’t changed. They must keep a keen eye on these highly public assets and ensure they are surrounded by the most robust protections available.
Like every other corporate asset, the security team needs visibility and control. Just like security safeguards the website, so too must they be involved with the organization’s social media accounts, which is increasingly where business engagements take place. As it stands now, dangerously few security teams incorporate social media and other external digital channels into their security posture and highly-publix incidents have huge impacts on brand reputation, customer trust and, ultimately, an organization’s ability to grow revenue from social media.
We’ve all seen the headlines around hacked social media pages; they have affected the likes of major brands like Crayola, HBO, NFL and Delta, Government organizations and nonprofits like UNICEF and CENTCOM, and high profile figures like Taylor Swift, Sundar Pichai and Mark Zuckerberg himself, the godfather of the social media revolution. On such a highly-public channel as social media, news of the attack spreads instantly. The brand reputation damage is immediate, and press is quick to publish the latest in a growing wave account takeover. From the security team’s perspective, the incident occurs in broad daylight, meaning the company’s vulnerabilities and lack of controls are instantly broadcast to the world before the infosec team can initiate incident response or other damage control.
The New York Post claims 160,000 account are hacked every day on Facebook alone, and the University of Phoenix states that 66% of US citizens have had their account hijacked, (which means if you know the name of your social media manager’s dog, you are halfway to brute forcing your organization’s account). Unlike other assets, security teams can’t pull the proverbial plug on a breached social media account, meaning the attacker can remain in control for hours if not days. The cost? Every second you don’t have control over your account causes a viral information cascade that results in brand & customer relationship damage, lost business, public relations nightmares and customer support costs.
(2) Social media is a vulnerable new attack vector
On social media, the relationship between cyber attackers and their victims has never been closer — or more trusting. The use of “social tactics” in global cyber attacks began to climb in 2010 and social media attacks themselves have skyrocketed in recent years. These include phishing, identity theft, malware distribution, social engineering, and the compromise of banking or system login credentials.
Security experts agree: according to Norton, only 1 in 10 of employees opens an unsolicited email, but nearly a third of employees accepted unsolicited friend requests on social media. McAfee reports that employees experience cyber crime more often on social than any other business platform, including email and file sharing. Cisco’s 2016 Annual Security Report revealed that Facebook is now the #1 most common way to breach your network. According to a PandaSecurity report, 20% of businesses are infected by malware directly through social media. TrendMicro’s research shows that 5.8% of tweets are malicious; that’s 29,000,000 malicious tweets per day. Cloudmark surveys reveal a whopping 40% of enterprises have fallen victim to social media spearphishing attacks. In early 2017, TIME Magazine revealed that 10,000 US Government employees has been sent malware in customized spearphishing tweets sent by Russian operative. Malware including HAMMERTOSS and ZeuS leverage social as a C&C or to proliferate itself at scale. The list could go on and on.
These risks can have massive financial impacts. According to Kaspersky, the global annual cost of phishing attacks on social media is $1.2 billion. ZeroFOX estimates that financial scams found on Instagram alone cost brands roughly $420 million each year. In the timespan of one year, the US Department of Justice tallied 17.5 million people who had personal data stolen by cyber criminals online. 90% of respondents to a recent Symantec survey report that the average cost to an organization of a social media incident is an amazing $3,588,611.
Ultimately, social media lowers the barrier to entry for every attacker — even an inexperienced attacker can create a fake online persona, find targets, and spread a malware or phishing link to billions of people across the globe. Worst of all, the targets have never been more numerous or more trusting.
(3) Social media is an excellent source of OSINT threat intelligence
Many attackers coordinate their efforts in broad daylight. Distributed denial of service (DDoS) attacks have been known to use a specific Twitter hashtag to coordinate the attack. Attackers, and especially hacktivists, crowdsource attack participants through hashtag campaigns and command the DDoS attack on Twitter by posting IP addresses, domains, attack tools, the time of the attack and the desired target. Because the attacks leverage public venues for participation, security teams can prepare a protection strategy, such as blackholing the incoming requests or coordinating with network teams, professional services, and internet service providers (ISPs).
Security teams can also monitor threat actor chatter to find if their organization is being mentioned. This is some of the purest, least expensive, most real-time and most actionable threat intelligence available anywhere. Amazingly, this kind of public chatter is quite common. By analyzing who is talking and the context of the keyphrase, security teams can get a decisive early warning system against attacks.
Attackers often publicize or boast of their successes on social media. They also advertise stolen data they might be selling. Just as social media is a major driver of legal market activity, so too is it used by salesmen on the blackmarket. Organizations can integrate sensitive information discovered on social media sites into DLP frameworks to more quickly identify when a breach has occurred and more efficiently begin remediation activities. Leaked or stolen data is more often traded in public purview than is realized.
If employee credentials or sensitive files are found on social media or digital channels such as paste sites, security teams can update company trainings, reset employee credentials, or trace where potential data loss prevention (DLP) measures failed to prevent sensitive files, such as medical records, intellectual property or account information, from leaving the network.
(4) Security techniques can mitigate other social media business risks
Social media can cause major headaches elsewhere in the organization as well. These business risks can hamstring and organization, such as hashtag hijacking, corporate impersonations, customer fraud (a global annual cost of nearly $4 billion) bot followers, counterfeit goods, ad fraud, online piracy (a global annual cost of over $70 billion), trolls, fake customer service reps, physical threats and more.
Fraud and scams in particular have found a new home on social media. For a scammer, social media is a powerful new tool to exploit a very specific, bulk group of users, such as the followers of a certain brand. Social media allows scammers to target these users since a brand’s follower lists and user engagement on a branded hashtag are publicly available. As such, a scammer has the unprecedented ability to acquire a list of victims and launch a targeted attack.
Customer-targeted scams usually tease a reward for some cost to participate, and use the false credibility of a brand’s logo or facetious success stories from other sock puppet accounts that indicate that the scam is “legit.” These scams thrive on social media because they are so easy to create and can be distributed to the target audience at scale. Even a non-technical scammer can create a group of fake accounts, built to comment on one another and lend credibility, with no more than an internet connection from anywhere in the world.
Using similar techniques for identifying and mitigating information security risks, security teams can help address a variety of threats that span information security, physical corporate security, compliance, revenue generation, and marketing. By continuously monitoring social media for malicious activity, security and marketing teams can identify profiles advertising pirated content or counterfeit goods, thus saving the organization potentially millions in lost revenue. This is a perfect opportunity for security teams to go beyond locking down assets and hardening walls by empowering other departments to do their jobs more safely and effectively. Moreover, the financial benefit is immediately tangible and quantifiable.
(5) Organizations leak data and provide reconnaissance intel to attackers
For an attacker, social media sites are an excellent tool to perform reconnaissance on a target organization. For example, LinkedIn encourages its users to post about their job roles and responsibilities to network with their colleagues across the globe, however this information can be dangerous in nefarious hands. An attacker may learn which employees have access to critical systems or who has financial signing authority based on role descriptions, enabling them to craft a more precise attack. Similarly, if a network engineer posts that they are certified for a certain firewalls, that can give attackers the information needed to determine that there is a high probability that their target organization uses said product.
Personal information can also be readily weaponized by an attacker during a social engineering campaign. The more information an attacker can glean about the victim’s family, hobbies, home address and personal connections, the better they can craft a unique spearphishing message.
Social media challenges must be solved collaboratively
Social media is an inevitable constant for conducting business in the modern world. As marketers, recruiters, salespeople, and advertisers continuously expand their presence, security teams must work alongside them to ensure it is done safely and securely. To address social media risks, security teams must work closely with several other departments. Other departments all are faced by risks on social media, and security teams are now tasked with remediating risk while enabling secure usage of social networking channels. Most importantly, security teams must lead this initiative.
Social media risks are here to stay. Are you prepared?