As social media adoption in enterprises grows, so does the risk of social engineering, yet many companies aren't adequately prepared. The nature of profile information and connections with trusted sources on social networks means the legitimacy of requests becomes more difficult for users to verify, note security experts.
"Many of us are more likely to trust communication from a familiar contact or trusted source," said Ronnie Ng, senior manager for systems engineering at Symantec Singapore. So it is unsurprising that cyberattackers are engaging in research and reconnaissance on social networking platforms to mount effective social engineering attacks, he told ZDNet Asia in an e-mail.
For example, fraudsters can exploit a person's profile information that is easily available on a social networking site, and use such details to pose as a friend or family member, making it more difficult for users to verify the legitimacy of a request.
This sort of security risk is further exacerbated in organizations as consumer and enterprise social media tools, including Facebook, Twitter and LinkedIn, are increasingly adopted at both the corporate and employee level, Ng highlighted.
Paul Ducklin, Sophos head of technology for the Asia-Pacific region, concurred that a company can be at risk of social engineering from staff activity on social networks. "Careless or over-trusting behavior on social networking sites makes things much easier for social engineers," he said in an e-mail.
"If I know not only what your job title is, but also what projects you've been working on lately, which customers you've just signed up, or where you've been on your business travels, the easier it is for me to spear-phish you," Ducklin noted.
Even if an attacker knew only details about a target's home or social life, he could still use that information to trick the person at work, and would be several steps closer to gaining enough trust for the target to open an "innocent-looking PDF", he added.
Symantec's Ng concurred, pointing out that spear-phishing is a common tactic used in social engineering attacks. Cybercriminals can simply leverage information publicly available on social media and combine the data with that from other sources, such as company Web sites, to construct "plausible deceptions", he explained.
These malicious requests are then directed to certain individuals in a company, again using the information gathered through the research, to make the message appear legitimate, he said.
Another tactic companies should be wary of is shortened URLs, Ng added. Attackers capitalize on the fact that people are becoming accustomed to clicking on shortened Web links and also are unable to quickly determine where the URL will send them, potentially leading them to a phishing scam or malware infection, he said.
The danger can get magnified, as one of the favorite methods of attackers is posting links to malicious sites on the news feed of all the contacts or friends of a victim, according to Ng.
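The shortened-link problem described above is easier to manage when the destination is revealed before anyone clicks. The following is an added example, not code from the article or from Symantec or Sophos: it expands a short link one redirect hop at a time, caps the number of hops, detects redirect loops, and classifies the final host for a gateway or a pre-click warning. The shortener host list, the trusted-host set and the redirect table (including hostnames such as example-partner.com) are constructed for the demonstration; the `http_location` fetcher is the piece a production deployment would plug in instead of the table.

```python
"""Hop-by-hop expansion of shortened URLs so the real destination can be
inspected before a user clicks. Added example; not code from the article or
from Symantec/Sophos. Shortener list and redirect table are constructed."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Hosts treated as link shorteners (assumption made for this example).
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}
MAX_HOPS = 10


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def expand_chain(url, fetch_location, max_hops=MAX_HOPS):
    """Follow redirects one hop at a time.

    fetch_location(url) must return the Location header of a redirect
    response, or None when the URL answers with a non-redirect status.
    Returns (chain, status); status is 'resolved', 'loop' or 'too_many_hops'.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain, "resolved"
        nxt = urljoin(chain[-1], nxt)   # a Location header may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"


def assess(url, fetch_location, trusted_hosts):
    """Classify a link for a Web gateway or a pre-click warning."""
    chain, status = expand_chain(url, fetch_location)
    final_host = host_of(chain[-1])
    if status != "resolved":
        verdict = "block"      # loops and endless chains are never legitimate
    elif final_host in SHORTENER_HOSTS:
        verdict = "block"      # destination still hidden after expansion
    elif final_host in trusted_hosts:
        verdict = "allow"
    else:
        verdict = "warn"       # unknown destination: show the user where it goes
    return {"chain": chain, "status": status,
            "final_host": final_host, "verdict": verdict}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_location(url, timeout=5):
    """Live fetcher: one HEAD request, returns the Location header or None.
    Not used by the offline demo below because it needs network access."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"),
                         timeout=timeout):
            return None                      # 2xx: this is the destination
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        return None                          # 4xx/5xx: stop here


# Constructed redirect table standing in for live shorteners (sample data).
SAMPLE_REDIRECTS = {
    "https://bit.ly/3abc": "https://t.co/xyz",
    "https://t.co/xyz": "https://example-partner.com/report.pdf",
    "https://tinyurl.com/loop1": "https://tinyurl.com/loop2",
    "https://tinyurl.com/loop2": "https://tinyurl.com/loop1",
    "https://bit.ly/rel": "/landing",          # relative Location header
    "https://bit.ly/landing": "http://login-update.example.net/",
}


def table_location(url):
    return SAMPLE_REDIRECTS.get(url)


if __name__ == "__main__":
    trusted = {"example-partner.com"}
    for link in ("https://bit.ly/3abc", "https://tinyurl.com/loop1",
                 "https://bit.ly/rel"):
        r = assess(link, table_location, trusted)
        print(link, "->", r["final_host"], r["status"], r["verdict"])
```

The hop cap and loop check matter because a chain of shorteners (one shortener pointing at another) is itself a signal: a legitimate link resolves in one or two hops, and a "warn" verdict that displays the final host gives the user the one fact the shortened form hides.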
Companies not well-prepared
The Symantec executive emphasized that a majority of Singapore enterprises remain unprepared and unprotected from the heightened threats of social engineering, despite companies having indicated that social networking sites pose high security threats.
IT managers and businesses alike face several challenges in securing and managing their company systems and networks with limited resources, Ng said. And this threat landscape is changing significantly because of the complexity introduced by IT consumerization and by the use of social media to improve productivity.
Many organizations are hence struggling to give employees social networking access without compromising the security and integrity of their information assets, he added.
Ng said the best way to protect a company from social engineering attacks is a holistic security strategy. On the technical side, this means deploying protection across endpoints, e-mail and Web gateways, hardening critical servers, and putting adequate measures in place to back up and recover systems.
He also urged organizations to take a proactive information-centric approach to protect both information and interactions. "It is not enough to know where the information resides; with a content-aware approach to protect information, one will know where your sensitive information resides as well as who has access and how the information enters and leaves the organization."
Ducklin added that it is not an issue of whether companies should ban or block social media at work as a security measure, since most enterprises want to maintain some sort of social networking presence.
Instead, he recommended that companies rethink their policies and guidelines on social media. "Your staff can put your business at risk at work by what they share when they're at home and vice versa. So you'd want to help them understand and be more resistant to risks all the time…with sensible and informative guidelines that please them and benefit you."
Ducklin also said organizations should bear in mind that social engineering acts are not limited to the online world, as information available on social networks can be used in more traditional phone-based social engineering.