Rook Uncut: Social Media & Cybersecurity

Rook Security
Published in SECOPS
2 min read · Apr 17, 2015

With new data breaches or information security concerns making headlines each day, we are often approached by peers, friends, family, and the media to provide insight. Rook Uncut gives you our quick and raw answers to security questions. If you missed the last edition of Rook Uncut, check it out here.

In this post, I answer questions about how social media can threaten an organization’s cybersecurity posture.

Why is using social media for work purposes a security risk?

People tend to post information they feel is not a risk to their organization. This usually takes the form of a small rant, for example: “Integrating MySql with #ruby + #rails on Windows 8 64 bit is a pain in the a**. Wasted my precious Sunday.” Or they might even try complimenting the company: “Wow, @COMPANY, your new on-boarding process is so much better. Great work reducing barrier to entry! :)”

However, when this information is combined with findings from other employees' posts, attackers can begin to footprint the organization's network without sending a single packet in its direction. On top of this, attackers can obtain a significant amount of information that makes it easier to build a phishing campaign. Social media can help attackers identify key players at an organization and, because relationships are visible, who they should not be impersonating.

Do you think hackers target social media specifically?

Yes, there’s a ton of information there, including potential answers to your security questions. It often seems like social media monitoring/posting is a job given to interns, newer staff members, or even outsourced to freelancers, who may not be well-versed in the company’s security policies.

What should be done to ensure that they are educated in security issues within social media?

Organizations need proper oversight and clear policies. These employees or contractors should not be left alone. Their posts should be continuously reviewed and they should be given the proper training to understand the “Dos and Don’ts” established by the organization.

What tips and guidelines do you have for companies so that they can do a better job at practicing better security in social media outlets?

  • Create clear social media policies and guidelines.
  • Implement better user awareness training and include live exercises of social media footprinting. Show them the dangers; don’t just talk about it.
  • If a company is opening up a new position or offering, they should come to an honest and up-front understanding of the required personnel. “An intern could do that” can be a solution. However, I would suggest that the company decide who is responsible for that intern and his/her social media activity.

Do you have any social media guidelines or policies in place at your organization? If so, we would love to hear your lessons learned and best practices!
