The risk associated with the digital explosion
Among the multiple elements of risk that companies currently face, some keys are related to the expansion of the cybersecurity perimeter beyond the office.
In this area, there is an element of notable importance to which special attention must be paid. It is about the digital exposure of people. We often see how such exposure determines in many cases the probability of an information security incident occurring that affects the employee in the first place and therefore the organization.
Kymatio’s digital exposure module allows, with a highly agile approach, to determine the digital exposure of the employees to social networks. Determining the level of individual exposure enables automated delivery of fully personalized recommendations for use and information pills for each individual. In parallel to the automatic awareness activities, the company obtains the necessary information to know its exposure and can plan individual, departmental or corporate awareness activities.
Kymatio respects the employee’s privacy at all times, does not analyze their networks or access their published content, respecting the GDPR guidelines at all times.
Example. Attack based on digital exposure
Cybercriminals find a huge amount of elements available to orchestrate attacks on employees of all types of companies. Let’s stage the situation with an assumption that is based on the most painful reality.
Preparation for the attack
A group of cybercriminals decides to attack the company ACME and for this they rely on information posted on social media by their employees.
Searching professional networks such as LinkedIn, they discover that Pedro Smith works at ACME in a position with critical functions , in this case making international bank transfers.
Through Pedro’s personal social networks, such as Facebook, he discovers that he has friends among his co-workers. From there, cybercriminals similarly collect information about Peter’s co-workers, the organization of ACME departments , and other useful information.
This allows attackers to build a credible scenario to fool Peter and execute a Spear Phishing (Targeted Phishing).
Execution of the attack
Pedro receives an email from a supplier that ACME usually works with, indicating that his help is needed immediately because his partner Juan, from the billing department, with whom they usually work, is on vacation. All this information has been constructed by the attackers from information posted on social media.
Due to his high verisimilitude by using real information that Pedro himself knows, he lowers his guard and trusts the message by answering the attackers.
The criminals decide to create a ransomware to attack the organization and attach it to one of the messages they send to Pedro, who does not hesitate to open it and, unknowingly, installs malware on his system. Suddenly, all the files are encrypted and the company’s workstations display a rescue note requiring payment in twenty-four hours, or else all company information will be deleted.
Conclusion
In the example above, we see just one of the many possible cases in which employee information on social media can put your company at risk and not just themselves.
If enough information is posted on social media, cybercriminals can analyze the best way to design the social engineering strategy against the staff of organizations in order to start phishing, vishing or smishing activities and install their own malware on the company systems.
This is just one of the many risks associated with using social media. However, the fact that there are threats on social media does not mean that their use should be prevented, although intelligent and data-driven awareness is needed.
Threats related to social media
The information published by Pedro and his colleagues demonstrates a common type of threat to the organization. However, there are many more for the business that can arise when using social media.
Social media oriented phishing
One of the most popular trends has been brand impersonation. In the past, companies have had to deal with e-mailing or selling counterfeit products.
However, now, through social media, companies’ customer service can be more credibly supplanted.
This provides a certain illusion of convenience to unsuspecting customers who can then submit their personal data and credentials.
Even employees themselves may be susceptible to this fraud.
Hacktivism
Hackers with political or socially motivated ends are often called hacktivists. We are talking about hacktivists exacting revenge on someone they disagreed with on social media, and the company got caught in the crosshairs.
These hacktivists often act with the intent of sabotage or exposure (Like the Panama Papers or the NSA leak). There is a clear trend here, is not slowing down and will increase over the next years. Malicious hackers with financial motivations are one threat, but hacktivism poses a whole other set of challenges. Online brands must be careful to avoid political landmines or they can fall victim to very targeted attacks
Dangerous files and links
People show a lot of confidence in social media and almost everything that is uploaded or posted on them. Most websites now allow shortened URL links, which often mask where the user will actually be taken. These links have the ability to take a user to fake websites or even activate an automatic download.
As for the malicious files, there was a case of ransomware last year nicknamed “ImageGate” that spread the ransomware with an image uploaded to social media. The sites that were attacked were Facebook and Linkedin. Locky, the ransomware, spread through these sites for some time before major platforms could patch their networks.
Breadcrumbs, the digital trail
Each post, tweet, compliment or “like” leaves clues about who we are and how our organization operates. All a smart hacker has to do is extract data from social media accounts to get information about the company.
For every major social networking platform there are third-party applications that give any user the ability to get information from any account they want. Also, on websites like LinkedIn, adding any user gives you access to email accounts when you download the data as a csv file. These data gradually leave the organization exposed to continuous analysis until the potential cybercriminal finds the exact internal knowledge it needs.