Five Ways to Protect Your Organization Against Social Engineering
Five actions that can be taken to reduce your exposure.
While it would be counterintuitive (and probably impossible) to ban social networking within SMBs, it makes sense for SMBs to maintain an awareness of the latest attack vectors that make use of social networks. Two articles published on Ars Technica in November put the spotlight on Facebook and on how social networks can be leveraged as part of a social engineering attempt. I briefly highlight both of them below.
In "Researchers show how to "friend" anyone on Facebook within 24 hours," Sean Gallagher reported on how a security officer, Nelson Novaes Neto, used a range of social networks, including LinkedIn, Facebook and Amazon, to convince a Web security expert to accept a friend invite from an impostor account. Neto first sent out 436 invites to direct friends of the user he was impersonating. Fourteen of them accepted within an hour; the target himself accepted within seven hours, no doubt lulled into a false sense of security by the mutual friends the impostor account had already accumulated.
Neto summed up the situation this way: "People have simply ignored the threat posed by adding a profile without checking if this profile is true." Ultimately, this technique can be used to abuse Facebook's "Three Trusted Friends" password recovery feature, which hands recovery codes to a small set of friends the user nominated in advance: an attacker who controls the requisite number of those friends' accounts can reset the password, hijack the target's legitimate account and use it as a springboard for further social engineering attacks.
As Facebook users are no doubt aware, most users configure their accounts to make far more information available to "friends" than they publish on their "public" profiles. The second article, which covers a separate experiment in which researchers operated a growing network of bogus automated accounts, quantifies the gap: for one item of profile data the share of profiles exposing it rose from 2.4 percent when viewed by a stranger to 71.8 percent once "friended", and for another from 0.9 percent to 19 percent. Setting aside the disturbing willingness of users to befriend total strangers, the growing network of bogus accounts meant that sharing a mutual friend with any given target became only a matter of time, and requests backed by a mutual friend were accepted at a rate of 60 percent.
Facebook disputed the conclusions of the latter experiment, arguing that its Facebook Immune System (FIS) would normally have flagged such spider-like activity as originating from bots; it did not do so here, Facebook said, because the experiment was conducted from an IP address known to belong to a university. My personal opinion is that this merely shows FIS is less effective against bots running from such networks, and a university network is exactly the kind of "real world" environment an attacker can obtain access to.
Ultimately, two lessons stand out from these experiments: be careful whom you befriend on Facebook, and do not post anything on Facebook, even if it is flagged as private, that you are not prepared for the whole world to see. A "friends only" setting is only as strong as the least-vetted friend you have accepted.