Social Networking Vulnerabilities and Threats
Essay by Woxman • March 17, 2012 • Research Paper • 2,184 Words (9 Pages) • 2,440 Views
Clay B Reis
CSEC 620 Individual Assignment Two
University of Maryland University College
March 4, 2012
The vulnerabilities and threats associated with social networking open doors to an array of situations the everyday person does not think about. With social networking, some people end up putting a great deal of personal information out on the internet. This becomes an attacker's playground for gaining valuable insight into an easy target. This information is valuable not only to the criminal mind, but also to those who are trying to do more than gain access to financial interests. It becomes a useful tool or weapon to manipulate a person into doing what the "criminal" needs in order to carry out their end goal. That goal could be as simple as financial gain, as broad as corporate espionage, or as extreme as gaining access to something related to national security.
When a person puts their personal information on the internet, it is no longer "personal". The provider of the service where this information is placed is now an "owner" of the data. There is usually some type of privacy policy related to the provider's system. These privacy policies are supposed to provide detailed explanations of how the information will be used, and who will end up having access to it. I can only imagine the actual percentage of people that actually "read" those policies. This excerpt, taken from a pretty detailed survey on privacy policies, gives some reasoning as to why it is hard to figure out exactly how many people are actually reading privacy policies: "we tracked whether the subject opened the policy page. We cannot, however, ascertain how much of the policy was read or how carefully." (Jensen, Potts, Jensen 2005)
The two sources I will be using as examples of internet social networking accessible to the public today are "Facebook" and "LinkedIn". Almost everyone knows what "Facebook" is. It is a social networking site that allows people to add friends, post pictures, and "blog" about their everyday affairs. There is much more to this site for a registered user. "LinkedIn" is a social networking site where you can network in the employment realm of life. Most people use it to broadcast their employment history and status to "contacts". Employers can also use it as a tool for recruiting. This, of course, brings in the "other" entity: the criminal who uses it to exploit a person in order to carry out some devious plan of attack.
Cybersecurity vulnerabilities of Social Networking
The security concerns of social networks continue to be a "thorn" in most organizations' side. Many government contractors and corporations are trying to make the most of social networking. At the same time, they are trying to keep employees happy. Unfortunately, this puts them between a rock and a hard place, because they have to limit the exposure of personal and sensitive information. Malicious code that attackers disseminate through social networking sites is still a high concern. The targeted attack is often preceded by research and reconnaissance. Attackers have the ability to construct believable deceptions to infiltrate the victim, using the publicly available information from social networking sites and other sources. One tactic, known as spear phishing, can be highly effective: the attacker sends one or many malicious files to an employee. These files can be delivered through a link to a malicious site or attached to an email message.
Social networking users often list details such as the company they work for. They can even go into more detail by providing the actual department they work in. Some social networking clients provide information on other peers. To some, this information probably seems harmless, and the person does not think about the end result of divulging it. This is often an easy way for an attacker to discover a company's email address format (e.g., firstname_lastname@company.com). The attackers use this information to arm themselves with a very creative and convincing scam to deceive the victim. For example, it allows the attacker to find other friends of the victim, which in turn allows the attacker to "spoof" an email. This might be presented as an email message from a co-worker who is also a friend. That email could contain a link to pictures from a recent vacation that was posted on the social networking site. A subject line that is believable because it comes from a "known" friend could allow the attacker to "kick off" the scam, which will be difficult for most people to resist. After all, social networking sites are for sharing personal photos and information.
In order to attack a corporate enterprise, an attacker can use social networking sites to gather additional information they could use. For example, an unknowing employee could "blog" about the upcoming deployment of a software package on the company's system. They could inadvertently reveal the hardware which is being used, such as what type of switches and routers are on the system and the service pack or firmware installed on such hardware.
Implementing more robust privacy settings will more than likely reduce the ability to "spoof" a profile, but an experienced hacker can still succeed by exploiting an employee's friend who is not as security-educated. This is the main reason that anyone providing access to the internet should be proactive in instructing their users about the threats and vulnerabilities exposed by posting sensitive information. There should be very detailed and easy-to-understand security policies implemented for every level of experience in the workforce.
"Spear-phishing attacks can target anyone. While the high profile, targeted attacks attempt to steal intellectual property or cause physical damage, many of these attacks simply prey on individuals for their personal information. In 2010, for example, data breaches caused by hacking resulted in an average of over 260,000 identities exposed per breach--far more than any other cause. Breaches such as these can be especially damaging for enterprises because they may contain sensitive data on customers, as well as employees, that even an attacker can sell on the underground economy or use to harm the brand's reputation. Companies are advised to use data loss prevention (DLP) solutions in order to monitor the
...
...