Penetration testing employees' social media to improve policy

The human element of information security is often its downfall. So why aren't businesses looking at how secure their employees are on social media platforms?

Despite awareness of social media being a minefield for social engineering information and possible reputational harm, undertaking an audit of the security of such accounts has not been possible until now, according to penetration testing company Pure Hacking.

[Image: David Muscat. Image credit: Pure Hacking]

The company has set out to tackle the problem with two services that it claims no one else in the world currently offers. One involves penetration testing of an organisation's social media presence, to help identify what risks it poses to the business; the other is an audit-style review of all of the organisation's social media controls.

Tests and audits like these could better prepare organisations for a case like PhoneDog versus Noah Kravitz, where Kravitz took 17,000 followers with him after he left the company, which was seen as the possible theft of a company resource.

But they also highlight the less-publicised accounts that employees might have: accounts that say nothing themselves about what their owner does, but that can be linked to other information freely available on the internet.

"LinkedIn would be a classic case, for instance. You've got people saying that they're associated with particular organisations; it would be very easy to tie someone's LinkedIn account with associated Google or Twitter accounts and so forth," said Pure Hacking chief operating officer David Muscat.

"In the social media pen-test side of things, we don't just look for accounts owned by the organisation; we look for accounts even owned personally by individuals that might have an association with an organisation."

One important distinction that Muscat made was that the company's social media testing never attempts to break into the accounts of employees. Nor does it need to: the information that Pure Hacking uses to profile social media activity is either information the business has granted access to, or openly available information that is visible online anyway.

"We're not setting out to intrude on people's public profiles. We are simply capturing a view of what's out there now, and providing that view to the organisation with the associated risks involved. We could well, for instance, get a bit of backlash if the employees of an organisation found out what was going on; however, we are staying well within our rights of what we can look at in the public domain."

Muscat said that the information from its testing would help guide the business to make better-informed policy decisions and to settle how it deals with issues, such as what to do when an employee is found to be publishing harmful comments on their own social media accounts, or what should happen when an employee leaves the business.

He said that in most cases businesses have policies that are very loosely defined or don't exist at all, and that confirming what their social media presence looks like could help identify where the business needs to focus first.