It is 2015, and social media is everywhere. It is embedded in your smartphone, and its logos are printed on nearly every product packaging. A few years ago, having an online presence by way of a website for a company was enough. Today, consumers expect a company to have a presence on the App Store, Play Store and every social media platform out there. It has become a way of social proof for both ends of the spectrum – companies and consumers. On the consumer end, you expect to be able to interact with your favourite company on Twitter, Facebook and even Snapchat and Periscope. Meanwhile, organisations are faced with enormous challenges that stem primarily from the lack of security architecture of most social media platforms. Even the bigger players like Facebook and Twitter do not have mechanisms for integration with your internal account management systems that come out of the box.
Social Media Conundrum
Users these days are technology-aware and are looking to use or are already using new systems and services within the network that will simplify their lives and benefit their employer. IT security is either unaware or can't keep up with such deliberate actions. It should be noted that users don’t have malicious intentions but rather lack education. However, the implications that arise from such employees' deliberate use of social media constitutes a rather multifaceted problem. I have listed some of my findings below ranging from technical to behavioural components.
The Beauty of Accessible Technology
These are several exploits that have been used online and have made their way into social media services. A paper written by SANS in 2011 details exploits that have been used with social media, and sadly these have not been addressed until today.
1. Account Management
- Many social media platforms begin as start-up companies that focus on creating a cheap, fast, agile SaaS or application. Implementing security frameworks is not affordable upfront and is therefore neglected. Their architectural implementation is scattered across third-party suppliers, raising further compliance headaches with IP stored outside your borders.
- Popular platforms like Facebook and Twitter were designed with consumers in mind, and even today don't address account management within organisations. A great example is Facebook requiring a personal Facebook account to be able to create a Business page.
- Another platform that is gaining ground fast is Instagram. To sign up for Instagram, you have to use your personal Facebook account or sign up with another email account that could be your corporate email address. Even when signing up with a company email address, in the case of a marketing department, there is no centralised user management and account credentials sharing is inevitable. To avoid having additional accounts to manage, the use of the existing Facebook account becomes preferable. That leaves the organisation exposed and dependent on that personal email address that initially signed up for Facebook.
- Although there are hundreds of social media services available today, I'm only talking about Facebook and Twitter mostly because of their "Domino effect." These not only are the highest used but also provide single sign-on services to the rest of the web.
2. Identity Theft – Phishing
A corporation ignoring social media will cause more harm than good in the not so distant future. If you are not expanding your real estate online with information that reflects your brand, someone else can take advantage of that. An example would be an attacker registering social media accounts under your brand and guiding your customers into SPAM and C&C servers. It is a bit different than phishing as the attackers can use the actual name in the account.
3. Social Media & Account Management Policy
Social media policies within organisations tend to either disallow the use of such services altogether or allow partial access for business use. The caveat is not specifying any controls within the account management policy regarding external accounts.
4. User Awareness
Staff sharing information on their personal social media accounts about their organisation can have an adverse impact on their employer's reputation. Since these platforms are outside their jurisdiction, takedown requests will involve legal proceedings and will take time. Raising awareness about social media use within your company is essential.
Conclusion
As it happens with most products, social media services come in a neat packaging and require minimal interaction from the user to start transmitting information over the network. Anything from your location to your IP addresses to your footprinting data is out there. It is very enticing for users to sign up and agree to the T&C. As security professionals, we know that it is our job to inform and educate our users about the pros and cons and offer solutions. It is crucial for IT security to act as an enabler. Also, having a proactive stance on new services either by testing or reading whitepapers can equip us better to respond to threats. It will also safeguard our organisation from impact to the CIA (Confidentially, Integrity, Availability) of our key services.
About the Author: Peter Skaronis (@Peter_Skaronis) works for an Insurance company in Milton Keynes, UK. He has been in the Information Security and Business Continuity industry for the past 4 years and has over 15 years of IT Support experience in various roles within Central Government and overseas. Peter is also a Strategic Intervention Coach following training by Tony Robbins and working as a Life Coach at Life Mastery Coach. Peter is fascinated by viewing IT Security from the lens of psychology and believes the future of preemptive measures lies in the intersection of psychology and Security. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. Title image courtesy of ShutterStock
