March 16, 2013
Introduction
The last few years have seen an extraordinary amount of growth in what has been referred to as Web 2.0 technologies. This concept refers to innovative uses of the Internet and is embodied by the phenomenon of social networking sites. Companies use these tools to promote new products, and government agencies employ them for publicity campaigns and recruiting events (Kim, 2012). An increasing number of organizations allow or even require employees to use these sites on the job. From Facebook to LinkedIn, more people each year join social networks to connect with friends, collaborate with colleagues, and post an increasing amount of private information online. By their very nature, social media sites invite users to disclose personal data. Although the concept of online interaction suggests anonymity, much of this information is openly available for anyone to see and collect. This opportunity has not escaped the attention of cyberattackers. From nation-states seeking back doors into government facilities to criminals trolling for credit card numbers, social media has proven to be a major security threat to organizations and individuals alike. The following paper outlines three of the biggest vulnerabilities inherent to social media sites, Authentication Controls, Web Browsers, and Employees, as well as their corresponding threats. Finally, mitigation techniques are discussed, taking into account organizational policies and procedures that employees are most likely to follow.
Authentication Controls
Employees of HBGary setting up their display at the 2011 RSA security conference were shocked to find a note in their booth left by the notorious hacker group Anonymous. The note and other threats of violence against HBGary's employees eventually forced the company to withdraw from the conference (Anderson, 2011). The battle between the two organizations had begun the week prior, after the CEO of HBGary Federal threatened to release the names of Anonymous members he had collected. Anonymous responded with a swift and effective attack on the digital infrastructure of HBGary and its affiliate, HBGary Federal. Key systems of both companies were accessed, causing a significant amount of damage and embarrassment to the company's reputation as a premier technology security firm. The potential implication of this type of attack is even more serious considering that HBGary Federal provided computer security services to the U.S. federal government.
Vulnerabilities
Although extreme, the cyberattack on HBGary was not groundbreaking. Anonymous used publicly available techniques to exploit authentication vulnerabilities within HBGary's network. While the cyberattack on HBGary began with a website vulnerability known as an SQL injection attack, the majority of the damage was facilitated by inadequate authentication protocols. Two members of HBGary Federal's senior management, CEO Aaron Barr and COO Ted Vera, used weak passwords for their corporate accounts and then reused them for their social networking sites. This provided members of Anonymous with an effective social engineering tool, as corporate servers allowed password-based authentication (Bright, 2011). Inadequate authentication procedures remain a serious vulnerability for organizations relying solely on password-enabled security. In addition, social networking sites like Facebook and LinkedIn provide rich targets for hackers employing phishing techniques. This type of attack often utilizes social media to steal passwords through the use of fake logon pages (Bamnote, Patil, & Shejole, 2010). Even if passwords and usernames cannot be obtained through phishing efforts, users will often post enough personal data online to enable hackers to guess logon information.
Threats
Authentication vulnerabilities on social networking sites are leveraged by virtually every type of cyberattacker. As membership on social media increases, these sites represent attractive targets to a variety of nefarious groups. Threats exist from identity thieves and hacktivists to nation-states alike. Criminals use these pages to steal lucrative personal information. Nation-states troll websites looking for weaknesses into protected networks. In the case of HBGary, the hacktivist group Anonymous used social media to protest the release of group members' names. Although they did not seek monetary gain from the attack, the financial damage to HBGary and its affiliates was still significant.
Likelihood
According to security experts, the probability that illicit groups will continue to exploit authentication vulnerabilities is high. The Secure Enterprise 2.0 Forum publishes an annual report compiling the details of social media usage by Fortune 500 companies. In its 2009 report, one of the eight main threats to social media discussed was "insufficient authentication controls" (Chi, 2011). All too often, employees and organizations choose convenience over security by creating weak passwords and employing single sign-on technologies. This vulnerability is compounded when looking at the number of actual attacks that take place. Microsoft's semi-annual Security Intelligence Report recorded a 1200 percent increase in phishing attacks used on social networks in 2010 (Fisher, 2011). Ultimately, this threat remains one of the most cost-effective methods of illegally acquiring logon information and is expected to continue increasing in frequency.
Mitigation
To help manage the risk associated with this vulnerability, a combination of policy, training and technology should be employed. Organizations should ensure they have in place a policy that outlines the authentication requirements for their employees. This involves educating employees on authentication safeguards such as not reusing passwords and ensuring they are of sufficient strength. Had HBGary's executive staff followed such a recommendation, Anonymous would not have been able to gain access to their email accounts. Companies should also consider technology solutions to protect their authentication information. Software should be configured to enforce password requirements for employees as well as to securely store these secrets. HBGary made Anonymous' job that much easier by storing passwords as MD5 hashes. A more secure option would have been to use a stronger hash such as the SHA family (Thomas, 2011).
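As an added illustration of the storage point above (example code written for this page, not HBGary's or the paper's own), the following compares the unsalted MD5 scheme the text describes with a salted, iterated PBKDF2-HMAC-SHA256 construction. The practitioner caveat is that a plain, unsalted SHA digest shares MD5's main weakness: identical passwords produce identical digests, so reuse across accounts is visible in a dumped table and precomputed tables apply. The user records and the iteration count are constructed placeholders.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional

# Assumed placeholder iteration count; tune to the hardware in real deployments.
PBKDF2_ITERATIONS = 200_000


def legacy_md5(password: str) -> str:
    """Unsalted MD5, the storage scheme the text says HBGary used."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as 'pbkdf2$iters$salt$digest'."""
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def reused_password_groups(table: dict[str, str]) -> dict[str, list[str]]:
    """Group accounts whose stored values are identical.

    With unsalted hashing, every account sharing a password shares a digest, so a
    dumped table reveals reuse at a glance. Salting makes this grouping empty.
    """
    groups: dict[str, list[str]] = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample accounts; two of them reuse the same weak password.
    plaintext = {"ceo": "password", "coo": "password", "admin": "Tr0ub4dor&3"}

    md5_table = {u: legacy_md5(p) for u, p in plaintext.items()}
    print("MD5 reuse visible:", reused_password_groups(md5_table))

    pbkdf2_table = {u: hash_password(p) for u, p in plaintext.items()}
    print("PBKDF2 reuse visible:", reused_password_groups(pbkdf2_table))
    print("ceo login ok:", verify_password("password", pbkdf2_table["ceo"]))
    print("wrong password rejected:", not verify_password("x", pbkdf2_table["ceo"]))
```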
Customer Acceptance
Often, security must be balanced with convenience when it comes to safeguarding digital infrastructure. Defenses used to protect authentication mechanisms are no exception. Rather than remember different passwords for each personal and business account, individuals often choose the less secure route. This involves reusing passwords, picking easily guessed words, or even writing them down. Organizations seeking to alter this behavior must increase employee awareness of the dangers of such practices. Ultimately, any change must begin at the top. If an organization's leadership is viewed as unsupportive of enhanced security practices, employees will not be motivated to change their behaviors (Cisco Systems, 2008). As in the case of HBGary Federal, when the CEO and COO do not follow proper authentication measures, how can employees be expected to?
Web Browsers
On November 14, 2011, Facebook users were shocked to receive explicit and violent pictures in their newsfeeds. Later determined to be a Cross-Site Scripting (XSS) attack, the incident lasted for 24 hours, leaving Facebook administrators helpless. Attackers rely on the sheer number of social media memberships combined with users' trust in these websites. This allows them to trick individuals into downloading malicious software or entering personally identifiable information into fake sites (Rashid, 2011). As more public and private organizations turn to social media to advertise their presence, the risk from this type of attack will continue to increase.
Vulnerabilities
According to the National Security Agency (2009), XSS attacks and malicious content are two of the most pervasive threats to web browsers. These threats take advantage of vulnerabilities in the software that web browsers run on. Generally, flaws in the host user's computer are exploited to allow for JavaScript code injection. This provides hackers with the ability to compromise computer systems in order to collect financial or password information, or to control the system for use in subsequent cyberattacks. Perpetrators of the 2011 Facebook attack also employed social engineering to create a self-XSS exploit. This provided hackers with an even more effective attack by further convincing users to enter "…the code necessary to execute the attacks, as opposed to other types of XSS-based attacks where the perpetrators inject the code on to the Website" (Rashid, 2011).
Threats
Attackers incorporating XSS attacks into social media sites have the potential to infect hundreds of millions of users. Although the Facebook incident seemed purely malicious in nature, XSS attacks generally incorporate some form of financial scam. While the historic goal is often the collection of personal financial information, this technique can also be used to collect passwords or social engineering data for additional attacks (Nemey, 2011). From nation-states to criminal enterprises, cyberattackers often seek the path of least resistance into a protected network. XSS attacks can provide this access into the computer systems of a hardened defense contractor or a classified government agency.
Likelihood
The probability that cyberattackers will continue using XSS attacks is high. From private industry to the government sector, this vulnerability routinely makes the list of top organizational risks. Symantec's latest Internet Security Threat Report identified compromised hyperlinks on social networking sites as one of the most common threats in 2011. The report also estimated that, with malware authors continuing to increase their use of social networking sites, this trend would increase even further in 2012 (Symantec, 2012). Symantec's report was further reinforced by the secure cloud hosting company FireHost. Based on web application statistics, FireHost reported a 160% increase in XSS attacks between the 3rd and 4th quarters of 2012 alone (FireHost, 2013).
Mitigation
With the probability of XSS attacks continuing to increase, social media organizations and users alike should consider a holistic approach to mitigation. Although Facebook implemented a number of technical safeguards post-attack, individuals using these sites also have a responsibility to protect their information. Safe message handling and browsing practices are recommended for anyone visiting social media sites. This involves scrutinizing suspicious messages and hyperlinks prior to opening them (Chi, 2011). The National Security Agency also recommends a list of technical best practices, which includes users installing the latest patches on their operating systems and browsers, updating virus scanners, and installing firewalls or intrusion prevention systems (National Security Agency, 2009).
Customer Acceptance
A 2008 study by Cisco found that employees disregard security procedures because they fail to understand the implications of their actions. Unless security is an individual's primary job function, employees do not naturally possess a sense of ownership over shared corporate assets. These findings show that employees must be motivated to take a vested interest in the defense of their organization's information technology. Moreover, because many employees visit personal websites at work, the distinction between personal and business security practices no longer exists. To combat this apathy, organizations must create effective security policies that are simple enough for customers to follow. This involves clearly communicating the security policies and how not adhering to them can affect each worker. Acceptable use standards and security procedures should be streamlined for maximum compliance and aligned with business processes and job requirements (Cisco Systems, 2008). Associating performance evaluations and bonuses with security compliance is one way to achieve both policy compliance and customer satisfaction.
Employees
Robin Sage was an attractive young woman with an impressive resume of academic and security credentials. Her profiles on various social networking sites attracted the interest of security professionals working for the NSA, DOD and Fortune 500 companies alike. After a month online, Robin Sage had collected 300 contacts, had been offered jobs and speaking engagements, and had been inadvertently provided with operational security (OPSEC) data for various companies and federal agencies. Unfortunately, 28 days later her contacts were shocked to find out they had fallen prey to a social engineering experiment: Robin Sage never existed. The creation of security professional Thomas Ryan, Robin Sage was only a fictitious identity and an attractive profile picture used to entice security professionals. As Ryan explains in a Black Hat talk entitled "Getting in bed with Robin Sage", the experiment was meant to demonstrate the considerable vulnerability that exists from social engineering through networking sites like Facebook and LinkedIn (Goodchild, 2010).
Vulnerabilities
The Robin Sage experiment exposes one of the biggest and most exploitable vulnerabilities in the field of cybersecurity: employees. Generally regarded as the weakest link in the security chain, human error is often responsible for, or helps facilitate, numerous cyberattacks each year. Combine this flaw with the misguided tendency to trust social media, and hackers and thieves alike are provided with an effective tool to attack protected networks. As Ryan points out, some of the most security-minded individuals in the public and private sectors were fooled into delivering a social engineering goldmine. The haul from LinkedIn alone provided personal email addresses, cell phone numbers, and whether contacts were out of town (Goodchild, 2010). This information can be exploited by any number of individuals or groups as part of a larger attack on an employee's organization.
Threats
According to Nemey (2011), two of the biggest threats to social media are social engineers and employees. Nation-states and criminals alike have used active social engineering tactics to breach hardened networks. From espionage to financial motivations, hackers often use this approach to leverage employee trust and mistakes. If this were not a serious enough threat, attackers often do not even need to resort to such methods. Passive approaches like the Robin Sage experiment, or inadvertent employee disclosures on social media sites, can often be collected to provide an attacker with enough information to breach an organization's digital infrastructure.
Likelihood
The Secure Enterprise 2.0 Forum lists phishing and information leakage as two of the biggest threats posed by social media sites (Chi, 2011). The likelihood that this trend will continue is high. With technical defenses advancing as quickly as information technologies, hackers will continuously seek the least defended points of entry into networks, which often means employee carelessness. Social engineering attacks through sites like Facebook create an impression of familiarity. This illusion gives users a false sense of security and provides a medium to post seemingly private information about home and work. Although these bits of personal data are not necessarily secret, they can be collected into useful components of a cyberattack.
Mitigation
Humans represent both the vulnerability and the safeguard against social engineering attacks through social media. Although technical safeguards provide some measure of security redundancy, the ultimate defense for this risk is effective policy and training to increase employee awareness. According to the IT-compliance organization ISACA, "the greatest risks posed by social media are all tied to violation of trust" (ISACA, 2010). The very nature of social networking encourages the open disclosure of information. To mitigate this risk, organizations should establish acceptable use and technical security policies. According to a global security study commissioned by Cisco, many instances of data leakage occur in organizations with ineffective or nonexistent standards (Cisco Systems, 2008). Effective security policies should involve as much employee participation as possible, be widely disseminated, and receive the full support of all management levels within an organization (Kabay & Kelley, 2009).
Customer Acceptance
Finding equilibrium between security and employee access to social media has proven to be a difficult balance for companies in the modern era. According to a Forrester Research report, companies should consider a number of areas when establishing an acceptable use policy for social media. These include what level of access employees need, whether individuals should be allowed to download software, what information can be posted, and what the consequences for policy violations are (Burnham, 2010). According to ISACA, any defense against the risks posed by social media usage should begin with employee behavior (ISACA, 2010).
Conclusion
According to the computer security firm Sophos, cybercriminals will continue using social media as a platform to launch cyberattacks for the foreseeable future (Lyne, 2012). With more organizations allowing employees access to social media from work, the potential for this medium to compromise organizational resources remains a very real threat. Personal information posted to these sites can be used to deduce corporate passwords, providing hackers with access to otherwise protected networks. The only way to defend against this risk is a defense-in-depth approach that incorporates technical, personnel, and administrative defenses. Not only must organizations ensure effective training and policies are in place, but employees must also take a vested interest in protecting shared network assets. Just as individuals often represent the weakest link in security, they can also become the greatest defense.
References
Anderson, N. (2011). Anonymous vs. HBGary: The aftermath. Ars Technica. Retrieved from
Bamnote, G., Patil, G., & Shejole, A. (2010). Social networking: Another breach in the wall. AIP Conference Proceedings, 1324(1), 151-153. doi:10.1063/1.3526180
Bright, P. (2011). Anonymous speaks: The inside story of the HBGary hack. Ars Technica. Retrieved from http://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/2/
Burnham, K. (2010). Social media safety: Acceptable-use policies are critical. CIO. Retrieved from http://www.cio.com/article/590113/Social_Media_Safety_Acceptable_Use_Policies_Are_Critical
Chi, M. (2011). Reducing the risks of social media to your organization. SANS Institute Reading Room. Retrieved from http://www.sans.org/reading_room/whitepapers/policyissues/reducing-risks-social-media-organization_33749
Cisco Systems. (2008). Data leakage worldwide: The effectiveness of security policies. Retrieved from http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11-503131.pdf
FireHost. (2013). Cross-site scripting attacks up 160% in final quarter of 2012, reveals FireHost. Retrieved from http://www.firehost.com/company/newsroom/web-application-attack-report-fourth-quarter-2012
Fisher, G. (2011). Phishing, social networking attacks on the rise. Threatpost. Retrieved from
Goodchild, J. (2010). The Robin Sage experiment: Fake profile fools security pros. Network World. Retrieved from http://www.networkworld.com/news/2010/070810-the-robin-sage-experiment-fake.html
ISACA. (2010). Top five social media risks for business: New ISACA whitepaper. Retrieved
Kabay, M. E., & Kelley, S. (2009). Computer security handbook (5th ed.). Hoboken, NJ: John Wiley & Sons.
Kim, H. J. (2012). Online social media networking and assessing its security risks. International Journal of Security & Its Applications, 6(3), 11-18. Retrieved from http://www.sersc.org/journals/IJSIA/
Lyne, J. (2012). Year in review: 2011. Sophos. Retrieved from http://www.sophos.com/en-us/security-news-trends/security-trends/2011-year-in-review.aspx
National Security Agency. (2009). Social networking sites. Retrieved from http://www.nsa.gov/ia/_files/factsheets/I73-021R-2009.pdf
Nemey, C. (2011). 5 top social media security threats. Network World. Retrieved from
Rashid, F. Y. (2011). Facebook pursuing attackers who exploited XSS flaw in massive spam attack. eWeek. Retrieved from http://www.eweek.com/c/a/Security/Facebook-Confirms-XSSFlaw-in-Web-Browser-Led-to-Massive-Spam-Attack-780251/
Symantec. (2012). Internet security threat report. Retrieved from http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_2011_21239364.en-us.pdf
The Associated Press. (2012). Number of active users at Facebook over the years. Retrieved
Thomas, K. (2011). 8 security tips from the HBGary hack. PC World. Retrieved from