Social networking has become an integral part of everyday business and life. It’s how we communicate and where we get our news. Marketing utilizes social media to promote products and services. The NFL even live broadcasts games and fan interaction on Twitter. The majority of Americans are active on social media, and most of us are sharing just about everything there.
Cybercriminals are active on social media, too, taking advantage of all of that information sharing and swapping. It’s why a growing number of security experts are warning of social media’s security pitfalls and social media mistakes.
Now, social media in and of itself is not necessarily a security risk. However, says Stephen Gates, chief research intelligence analyst from NSFOCUS, everyone knows that if a hacker can get their victim to click, oftentimes their attack is successfully completed.
“Hackers want to get their unsuspecting victims to click on a link, or open/download a malicious file, etc., and social media is an easy way to get their victim to take action,” he adds. “Hackers understand the least path of resistance and take advantage of our humanity, curiosity and social nature.”
Social Media Pitfalls
What adds to social media’s popularity is how it promotes the idea of sharing information casually, through the use of surveys, memes, quizzes, posting pictures and graphics, or sharing someone else’s posting. We’re falling prey to social media pitfalls in the following ways:
- Over-sharing: Even seemingly innocuous information found on social networking sites, like mother’s maiden name or high school mascot, can be used by criminals to gain access into your accounts, as these often serve as the answers to popular password-reset questions, according to Bryan Hjelm, a security expert and VP at CSID.
- Passwords: What we see time and time again, says Hjelm, are poor password practices. Consumers often reuse passwords across accounts, and social media is no exception. If a password is compromised on any account, an attacker can reuse that password and gain access to other accounts.
- Updates and Settings: Many users are accessing social media via mobile, but are lax about installing the latest software updates for their devices, even though not updating can lead to vulnerabilities that put users at risk.
- Trust: Since we “know” the people in our social media networks, whether in real life or virtually, we tend to trust them, but this is one of the biggest social media mistakes we make. This trust, says Joe Carson at Thycotic, means users are receiving messages from friends whose accounts have been compromised and clicking the received link, which results in their own account being compromised.
- Liking Everything: Many users also have a habit of liking and following many pages, playing apps or games using social media, which means that those apps have access to data in their account - even long after they have finished the game. “They never go into the apps and remove the access,” Carson says.
Social Media Risks for Business
The same risks for giving up personal information can apply to businesses as well. Social media blunders by employees are very common.
“Employees may share internal information that they consider to be casual, such as office locations that may not be public, or they may share other information inadvertently that could be used to compromise the security of the business,” says Nathan Wenzler, principal security architect at AsTech Consulting.
“And, if an employee is using social media from a work computer and clicks on a malicious link, they could just as easily infect that system with malware or viruses, which could be used to compromise the company's network like any other attack.”
Cybercriminals use the information gathered from social media accounts to target employees, and use social engineering tactics to get them to take an action or provide information that then gives the attacker an initial entry point into the organization’s network. Similarly, says Josh Feinblum, vice president of information security at Rapid7, people often share information in social media that can give attackers a leg up on guessing passwords or answers to security questions, enabling them to potentially get access to a business’s systems.
“One of the more recent impactful attacks targets the financial teams within an organization,” Feinblum adds. “With social media providing a clear window of titles and reporting structures within your organization, it's been easy for criminals to trick finance teams into wiring money to illegitimate bank accounts.”
Enterprise Social Media Policy
Social media security means instituting a strong social media policy that should include:
- Two-factor authentication, particularly for businesses that have shared accounts. “Users should always remember that messages exchanged through a social media platform may not be coming from the individual they expect; it is possible that the user account was compromised and weaponized by a malicious actor. This issue decreases in severity if all users turn on two-factor authentication,” says Feinblum.
- Having a clear definition of who has access to social media accounts and how they access them. “This is especially important if it's a corporate account with multiple users. If one of those users leaves the company, appropriate steps need to take place to lock down the account again,” says Alvaro Hoyos, chief information security officer at OneLogin.
- Monitoring social media accounts. “This is important to be able to detect on a timely basis a potential account takeover, which can lead to other accounts being compromised or account impersonation tied to phishing attacks,” Hovos states.
When it comes to social media, users should treat it as they would any other internet source or connection. They should be vigilant and institute the same best security practices as they would elsewhere. Most of all, avoid falling for social media pitfalls of sharing and trusting too much. This is a time when a little skepticism and being wary can go a long way toward protecting your personal and organizational information.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba