This post is the fourth in a series on what I consider the top ten topics for any security awareness program. Selecting the topics with the greatest value for your organization is key to a successful program. This series is not designed to tell you what your awareness program must have; instead, these posts give you recommendations, a place to start. For the fourth topic I focus on social networking. I feel this is the future for many social engineering based attacks. If you think about it, social networking is designed to get as many people as possible to share as much information as possible, the perfect breeding ground for human based attacks. In addition, even if your organization forbids or blocks social networking sites, people still use them in their personal lives, and what they share there can impact your organization. As such, there are some key risks we need to identify, and for each a behavior we want to change to mitigate that risk.
  1. The first risk is posting too much personal or private information. Cyber criminals can harvest this data for identity theft, for password guessing (remember the Sarah Palin e-mail incident), or even in some cases to determine the best time to burglarize your house. We need to change end user behavior and get people to think before they post. One way to do this is to teach them that whatever they post, the whole world will see. Even with privacy controls, people often make mistakes, and privacy policies can change.
  2. Even if people are aware and careful about what they post, they must understand that others can post private information about them. A common example is friends posting pictures of a person having one too many beers at a rather wild party. Make sure end users monitor what their friends are posting about them.
  3. The third risk is scams and attacks. This is nothing new; we discussed scams in topic #3, Email and IM. The easiest way for criminals to steal someone's money or infect someone's computer is to simply ask the victim. On social networking sites this is commonly done when criminals hack into one account, then post as that person to their trusted friends. The scams vary, but a common post is that the person was traveling in London, was mugged, and needs money right away to get back home. Other attacks try to entice people to click on malicious links or install infected software. The key behavior here is that when a suspicious post like this appears from a friend's account, call the friend to confirm it is legitimate. Do not message them back through the site: whoever controls the hijacked account will answer, not your friend.
  4. Just like with operating systems and smartphones, users should be careful about the third-party apps they use. Can the third-party application be trusted, and is it vulnerable? Privacy issues seem to be the latest problem with third-party apps: what profile data does the app get access to once a user installs it?
  5. Finally, end users need to be taught that no confidential organization information may be posted (such as publicly posting raid plans the day before a military action). One good rule of thumb: if the information is not already on the company's public website, don't post it.
PREVIOUS POSTS: #1 - You Are The Target; #2 - Social Engineering; #3 - Email and IM