Identifying the Threats

You have to determine the vectors of threats being launched against your company. Social media includes blogs, microblogs, instant messaging, mobile applications, community pages on Facebook, real-world community networking groups organized through Meetups and Tweetups, YouTube, Flickr, and much more. New avenues of online social interaction develop every few months; each channel has to be assessed for the threats it carries, the damage it can cause, and the company’s capability to respond immediately. In the summer of 2010, security firm Proofpoint commissioned a study1 on data loss prevention for U.S. companies and found the following:

1 Outbound Email and Data Loss Prevention in Today’s Enterprise, Proofpoint (2010), http://www.proofpoint.com/id/outbound/index.php.

• 36 percent of respondents said their organization was impacted by the exposure of sensitive or embarrassing information during the past 12 months.

• 7 percent of companies terminated an employee for social networking policy violations.

• 11 percent of companies terminated an employee for blog or message board posting policy violations.

• 13 percent of U.S. companies investigated an exposure event involving mobile or web-based short message services during the past 12 months.

• 25 percent of companies investigated the exposure of confidential, sensitive, or private information via a blog or message board posting.

• 18 percent of companies investigated a data loss event via a blog or message board during the past 12 months.

• 17 percent disciplined an employee for violating blog or message board policies.

A focused attack from social media channels will come from the following sources:

• Blogs: An attacker can disseminate incorrect information about your organization, which is picked up by other bloggers who further perpetuate the myth.

• Video: A disparaging video can easily spread. Videos tend to carry more weight with viewers/customers than blogs because they can see the issue rather than just read about it. On March 27, 2010, U.S. Department of Agriculture official Shirley Sherrod addressed the NAACP’s 20th Annual Freedom Fund Banquet. Months later, a small excerpt from Sherrod’s speech was posted by Tea Partier Andrew Breitbart on YouTube. The excerpt went viral, stirring up controversy over what appeared to be racially biased statements by Sherrod. As a result, Secretary of Agriculture Tom Vilsack had to force Sherrod to resign. Later, however, further footage of the speech showed Sherrod’s comments to have been taken out of context, prompting the USDA to offer Sherrod a new position (see http://www.thenewamerican.com/index.php/usnews/politics/4133-shirley-sherrod-fiasco).

• Microblogging: Quick hits through sites like Twitter can rapidly damage your image and spread lies about your company. Without a preplanned counterstrategy in place, the misinformation can spread faster than you can address it and share accurate information with your community.

• Mobile: Mobile applications for social media make sharing information much easier and can target specific types of users based on mobile usage or even the geolocation of the customer.

• Social Meetups or Tweetups: Offline “meetups” that promote social media activities are frequent, very well informed, and attended by active online sharers, so an attack here has the potential to greatly impact your brand, both online and offline in tandem.

The Attackers

The attackers in the social media space are often different from typical IT attackers. The attacker profile can be categorized into the following types:

• Hackers: The pure thrill of breaking into a secure resource just to prove you can is still there. Hackers may also do it for profit by stealing sensitive information such as customer lists, compromise your social profiles to launch botnet attacks, or act on behalf of a competitor, agency, or activist group.

• Disgruntled employees: This category of attacker is probably the largest. Never before has a single person had the capability to attack a brand so quickly, spread lies and misinformation, and become an online resource without being vetted. Negative mentions that had been reserved for friends and family are now publicly shared online.

• Employees: Employees may inadvertently compromise the brand by saying negative things about the company, posting sensitive or confidential information, or allowing information to be leaked through social media.

• Competitors: A competitive attack can focus on your brand image or your customers, and competitors can even steal data from your company resources. These attackers can easily hide behind fake profiles and sources to seem legitimate or to make determining who is launching the attack very difficult. Moral hazard alone is never a sufficient deterrent for unethical activity by competitors.

Threat Vectors

A number of different threat vectors, both internal and external, can impact your business. As we discussed in Chapter 3, once you have your monitoring solutions in place, you need to make sure you are looking at the right threat potential. Threats come from people, processes, and technology, and you have to understand the different groups in social media.

Users

The main threat to corporate social media usage is the user. Most users are uneducated in security and untrained in social media security. Users go to inappropriate websites, click phishing links, and give away information about themselves and your company. The user is already authenticated to your network, which is another challenge for security: you already trust them to access and use your resources.

Customers

Although you undoubtedly need customers, they also pose a big challenge when it comes to social media. In traditional IT, you could restrict customer access by giving them very limited privileges to your ecommerce website and other customer-related IT systems. Nowadays, dissatisfied customers generate negative content, affecting sentiment about your company through communication channels you have no control over—just because they can. It used to be a quick rule of thumb that, on average, an unhappy customer would tell nine of their friends about their experience. If each of those nine shared with just two more, and so on, you can see how bad it can get pretty quickly:

1 unhappy customer → 9 → 18 → 36 → 72 → 144 → 288 → 576 → 1152 → 2304 → 4608 → 9216 bad mentions!

Human Resources

The corporation itself can create a threat vector through a lack of knowledge, training, and common sense. As of this writing, only a small percentage of companies have implemented HR policies, guidelines, and training that cover social media use by employees.

Social Networking Worms

According to Internet security vendor Kaspersky Lab, “malicious code distributed via social networking sites is ten times more effective, in terms of successful infection, than malware spread via e-mail.”2 Worms targeting social networks have an easy time taking over accounts, spreading across different users, and propagating. One reason is that users are now accustomed to having antivirus software check their e-mail, but they are not used to being attacked through web applications such as Facebook or Twitter. Statistics also show that people are spending more time on social networks than on e-mail. comScore found that e-mail usage was down 18 percent in its 2010 US Digital Year in Review (http://www.comscore.com/Press_Events/Presentations_Whitepapers/2011/2010_US_Digital_Year_in_Review). People are more trusting of websites they use frequently, like Facebook, which makes attacks easier. For example, Koobface, a widespread worm in 2010, was used to steal sensitive data on Facebook, MySpace, Twitter, LinkedIn, and Bebo. Koobface tricked users into downloading a Trojan that, once installed, opened access to important information from the user. These types of worms spread virally through videos or links shared by unsuspecting users.

2 “Kaspersky Offers Online Guide in the Wake of the Latest Facebook Phishing Attack,” PC World, http://pcworld.com.ph/kaspersky-offers-online-guide-in-the-wake-of-the-latest-facebook-phishing-attack/.

Botnets

A rogue botnet, in this context, is a controlled collection of malicious software and automatic agents on compromised computers that seeks to attack and steal information. Social media has enabled the spread of botnets, which have evolved to use social networks to obfuscate the malicious link. For example, most long URLs shared on Twitter are shortened through link-shortening services such as tinyurl.com or kiss.ly. With shortened URLs, people cannot easily make out what the original URL was, and so they click without thinking on a link that takes them to a site controlled by a botnet. Once on the botnet site, new links are generated that serve to compromise users’ computers.
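The defensive counterpart to the shortened-link problem described above is to expand a short URL hop by hop, without visiting the destination in a browser, and show the user where the chain actually ends. The following is an added example, not code from the book: the shortener list, the `.invalid` hostnames and the simulated redirect map are constructed for illustration, and `fetch_location_http` is a real `urllib` implementation for use against live links.

```python
"""Expand a shortened URL one redirect at a time and summarise the chain.
Added example; hosts, shortener list and redirect map are constructed."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Constructed list of hosts treated as link shorteners (assumption).
KNOWN_SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}
MAX_HOPS = 5


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects automatically so every hop is inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx reply


def fetch_location_http(url):
    """HEAD the URL; return its Location header for a 3xx reply, else None.
    Needs network access, so the offline demo below uses a simulated map."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=5):
            return None  # 2xx: this is the final destination
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        return None


def expand_short_url(url, fetch_location, max_hops=MAX_HOPS):
    """Follow Location headers hop by hop. Returns (chain, complete); complete
    is False when a loop or the hop limit stopped the expansion early."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain, True
        nxt = urljoin(chain[-1], nxt)  # Location may be relative
        if nxt in chain:               # redirect loop
            return chain, False
        chain.append(nxt)
    return chain, False


def assess_chain(chain, complete):
    """What a user should be told before clicking."""
    hosts = [urlparse(u).hostname or "" for u in chain]
    return {
        "final_host": hosts[-1],
        "hops": len(chain) - 1,
        "through_shortener": any(h in KNOWN_SHORTENERS for h in hosts),
        "final_is_shortener": hosts[-1] in KNOWN_SHORTENERS,
        "complete": complete,
    }


# Constructed redirect map standing in for real HTTP responses.
SIMULATED_REDIRECTS = {
    "http://tinyurl.com/abc123": "http://bit.ly/xyz",
    "http://bit.ly/xyz": "/update",                    # relative Location
    "http://login-example.invalid/update": None,       # final page
    "http://tinyurl.com/loop1": "http://tinyurl.com/loop2",
    "http://tinyurl.com/loop2": "http://tinyurl.com/loop1",
}
SIMULATED_REDIRECTS["http://bit.ly/xyz"] = "http://login-example.invalid/update"


def fetch_location_simulated(url):
    return SIMULATED_REDIRECTS.get(url)


def demo(url):
    chain, complete = expand_short_url(url, fetch_location_simulated)
    return assess_chain(chain, complete)


if __name__ == "__main__":
    for u in ("http://tinyurl.com/abc123", "http://tinyurl.com/loop1"):
        print(u, "->", demo(u))
```

Swap `fetch_location_simulated` for `fetch_location_http` to check real links; the HEAD request never renders the destination, and the hop limit keeps a looping or deliberately long chain from tying up the checker.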

Web Scraping

Web scraping has evolved into sophisticated automated programs that log into websites and automatically collect information. For example, a program can log into a discussion forum about healthcare and capture people’s comments about the problems they face and the drugs they take. Because social media is all about sharing, technologies can be used to collect and mine all that information for nefarious purposes, whether it’s to hack into your accounts or to send you targeted advertising for drugs the “scraper” has found out you use. A recent example is Nielsen’s scraping of the PatientsLikeMe.com website for data about forum posters. PatientsLikeMe.com administrators saw that a new user was using software that was “scraping,” or copying, every single message off PatientsLikeMe’s private online forums. Nielsen was logging and gathering the data, capturing users’ health information, presumably to sell this data to marketing companies.3
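The PatientsLikeMe incident above was noticed because one account read every thread, which is exactly the pattern a forum operator can watch for in its own access logs. The following is an added example, not code from the book or from PatientsLikeMe: the log line format, the usernames, IP addresses, thread ids and the thresholds are all constructed assumptions.

```python
"""Flag forum accounts whose request pattern looks like scraping.
Added example; log format, users and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> user=<name> ip=<addr> GET /forum/thread/<id>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) GET /forum/thread/(?P<thread>\d+)$"
)


def parse_log(lines):
    """Group (timestamp, thread id) pairs per user; skip unparseable lines."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events[m["user"]].append((datetime.fromisoformat(m["ts"]), int(m["thread"])))
    return events


def peak_requests_per_window(timestamps, window=timedelta(seconds=60)):
    """Largest number of requests inside any sliding window (two-pointer scan)."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_scrapers(lines, max_per_minute=20, max_distinct_threads=30):
    """Return {user: [reasons]} for accounts exceeding either threshold.
    Rate catches bulk downloading; thread coverage catches slow, patient
    scrapers that stay under the rate limit but still read everything."""
    findings = {}
    for user, recs in parse_log(lines).items():
        peak = peak_requests_per_window([t for t, _ in recs])
        distinct = len({th for _, th in recs})
        reasons = []
        if peak > max_per_minute:
            reasons.append(f"{peak} requests in 60s")
        if distinct > max_distinct_threads:
            reasons.append(f"{distinct} distinct threads")
        if reasons:
            findings[user] = reasons
    return findings


def constructed_log():
    """Constructed sample: one bulk harvester and one ordinary reader."""
    base = datetime(2010, 10, 10, 14, 0, 0)
    lines = []
    for i in range(40):  # 40 consecutive threads, one per second
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} user=harvester ip=203.0.113.9 GET /forum/thread/{1000 + i}")
    for i, th in enumerate((1003, 1017, 1017, 1021)):  # four views over six minutes
        t = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{t} user=reader ip=198.51.100.7 GET /forum/thread/{th}")
    lines.append("garbage line that does not match")
    return lines


if __name__ == "__main__":
    for user, why in find_scrapers(constructed_log()).items():
        print(user, "->", "; ".join(why))
```

The two thresholds are deliberately independent: a scraper that throttles itself to a human-looking rate still stands out by the number of distinct threads it touches, so the coverage check is the one to keep even when rate limiting is already in place.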

3 Julia Angwin and Steve Stecklow, “‘Scrapers’ Dig Deep for Data on Web,” Wall Street Journal (October 10, 2010), http://online.wsj.com/article/SB10001424052748703358504575544381288117888.html.

Data Devaluation

Sharing may have been highly encouraged and praised in kindergarten, but it’s less laudable when putting your personal information online. Embarrassment is the least of your worries now. Think about all the questions your bank asks you for authenticating your account, such as your first school, your birthday, your dog’s name, your mother’s maiden name, the street you grew up on, or the best man at your wedding. All these bits of information are now available on social media sites as well, either through their own authentication questions or through the data and photos users share about their lives. It is far too easy to collect this information through web scraping. Once scarce and privileged information, which was used to identify and authenticate individuals, is now freely available online.

Phishing

Phishing allows attackers to simulate a legitimate site and attempt to entice users to give up their information, thinking they are logging onto the real site. The forged e-mails you got from PayPal or Citibank asking you to reset your password were phishing attacks. Now you get the same e-mails asking you to sign into fake Facebook or LinkedIn websites that look like the real thing. Applications in Facebook that look legitimate may, in fact, be phishing for your information. Phishing has further evolved into spear-phishing, or targeted phishing. The threat involves spam e-mails sent to specific users, attempting to gain financial and banking information, confidential information, or intellectual property. Attacks are usually disguised as sources the victim trusts and, when the link is clicked, will usually download malware onto the victim’s computer. Another regular occurrence is a 419 Operation (the name refers to the relevant section of the Criminal Code of Nigeria). The target receives an unsolicited e-mail or letter asking for money, often needed for nefarious money-laundering purposes. After gaining access to someone’s account, the scammer tries to entice the victim’s contacts to send money, through Western Union, for example. An offshoot of the scam is to tell the victim that a person they trust is stranded abroad without their credit card and needs cash wired to them. Often, access to someone’s profile is gained in Internet cafés using keyloggers or when users forget to log out of their session. These scams prey on both the victim’s good faith that they are communicating with friends (a trusted source) and on the gullibility and good faith of the victim’s contacts.
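The fake Facebook and LinkedIn sign-in pages described above live on hosts that merely resemble the real brand, so a useful check before any sign-in link is followed is to compare the link's host against the brands the organization actually uses. The following is an added example, not code from the book: the brand list, the homoglyph table, the edit-distance threshold and the sample URLs are constructed assumptions, and the two-label rule for the registrable domain is a simplification that ignores suffixes such as co.uk.

```python
"""Classify a link's host as trusted, suspicious (brand lookalike) or unknown.
Added example; brand list, thresholds and sample URLs are constructed."""
from urllib.parse import urlparse

TRUSTED_BRANDS = {"facebook.com", "linkedin.com", "paypal.com"}  # assumption

# Characters commonly swapped so a lookalike reads like the real name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def registrable_domain(host):
    """Last two labels; a simplification that ignores multi-label suffixes."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, brands=TRUSTED_BRANDS, max_distance=2):
    """'trusted' only when the registrable domain is the brand itself (so
    login.facebook.com passes), 'suspicious' when the brand name appears
    elsewhere in the host or the domain is a near miss, else 'unknown'."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "invalid"
    reg = registrable_domain(host)
    if reg in brands:
        return "trusted"
    # Undo digit-for-letter swaps and the "rn" pair that renders like "m".
    normalised_host = host.translate(HOMOGLYPHS).replace("rn", "m")
    normalised_name = registrable_domain(normalised_host).split(".")[0]
    for brand in sorted(brands):
        name = brand.split(".")[0]
        if name in normalised_host:
            return f"suspicious: looks like {brand} but registers as {reg}"
        if edit_distance(normalised_name, name) <= max_distance:
            return f"suspicious: {reg} resembles {brand}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links (the .net/.example hosts are placeholders).
    for link in (
        "https://login.facebook.com/",
        "http://faceb00k-login.net/verify",
        "http://facebook.com.evil.example/",
        "http://linkedn.com/",
        "https://example.org/",
    ):
        print(f"{link:45} {classify_link(link)}")
```

The ordering matters: the exact registrable-domain match is checked first so that legitimate subdomains are never flagged, and the "brand name appears elsewhere in the host" rule runs before the edit-distance rule because it is the more specific signal and produces the more useful message.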

Impersonation

How do you know who is really behind that social media profile? Is your employee or even your competitor saying things in another person’s voice or using another person’s account or profile? Has someone created an account specifically to attack you? Fake user profiles are a dime a dozen online.
