As social media adoption in enterprises grows, so does the risk of social engineering; yet many companies aren't adequately prepared. Because social networks expose profile information and connections to trusted contacts, it becomes harder for users to verify whether a request is legitimate, according to security experts.
"Many of us are more likely to trust communication from a familiar contact or trusted source," said Ronnie Ng, senior manager for systems engineering at Symantec Singapore. So it is unsurprising that cyber attackers are engaging in research and reconnaissance on social networking platforms to mount effective social engineering attacks, he told ZDNet Asia in an email.
For example, fraudsters can take a person's profile information, which is easily available on a social networking site, and use those details to pose as a friend or family member, making it harder for users to verify the legitimacy of a request.
This sort of security risk is further exacerbated in organisations as consumer and enterprise social media tools, including Facebook, Twitter and LinkedIn, are increasingly adopted at both the corporate and employee level, Ng highlighted.
Paul Ducklin, Sophos head of technology for the Asia-Pacific region, concurred that a company can be at risk of social engineering from staff activity on social networks. "Careless or over-trusting behaviour on social networking sites makes things much easier for social engineers," he said in an email.
"If I know not only what your job title is, but also what projects you've been working on lately, which customers you've just signed up or where you've been on your business travels, the easier it is for me to spear-phish you," Ducklin noted.
Even if an attacker knows only details about your home or social life, he can still use that information to trick you at work, and he is several steps closer to getting you to trust him enough to open an "innocent-looking PDF", he added.
Symantec's Ng concurred, pointing out that spear-phishing is a common tactic used in social engineering attacks. Cyber criminals can simply leverage information publicly available on social media and combine the data with that from other sources, such as company websites, to construct "plausible deceptions", he explained.
These malicious requests are then directed to certain individuals in a company, again using the information gathered through the research, to make the message appear legitimate, he said.
Another tactic that companies should be wary of is shortened URLs, Ng added. Attackers capitalise on the fact that people are becoming accustomed to clicking on shortened web links and are also unable to quickly determine where the URL will send them, potentially leading them to a phishing scam or malware infection, he said.
The danger is magnified because one of attackers' favourite methods is to post links to malicious sites on the news feeds of all of a victim's contacts or friends, according to Ng.
Companies not well prepared
The Symantec executive emphasised that a majority of Singapore enterprises remain unprepared for and unprotected against the heightened threat of social engineering, despite companies having indicated that social networking sites pose high security risks.
IT managers and businesses alike face several challenges in securing and managing their company systems and networks with limited resources, Ng said. The threat landscape is also changing significantly as IT consumerisation and the use of social media to improve productivity add complexity.
Many organisations are hence struggling to balance giving employees access to social networking against the security and integrity of their information assets, he added.
Ng said the best way to protect a company from social engineering attacks is a holistic security strategy. On the technical side, this means deploying protection across endpoints, email and web gateways, strengthening critical servers and putting adequate measures in place to back up and recover systems.
He also urged organisations to take a proactive information-centric approach to protect both information and interactions. "It is not enough to know where the information resides; with a content-aware approach to protect information, one will know where your sensitive information resides, as well as who has access and how the information enters and leaves the organisation."
Ducklin added that it is not an issue of whether companies should ban or block social media at work as a security measure, since most enterprises want to maintain some sort of social networking presence.
Instead, he recommended that companies rethink their policies and guidelines on social media. "Your staff can put your business at risk at work by what they share when they're at home, and vice versa. So you'd want to help them understand and be more resistant to risks all the time ... with sensible and informative guidelines that please them and benefit you."
Ducklin also said that organisations should bear in mind that social engineering acts are not limited to the online world, as information available on social networks can be used in more traditional phone-based social engineering.
Via ZDNet Asia