Thwarting attackers in their favorite new playground: Social media
For years, LinkedIn has been used by threat actors looking to refine their attacks. From simple spear-phishing to reconnaissance, the professional networking site has provided a fertile field for harvesting data and sharpening criminal tactics, and even a jumping-off point to other platforms like Facebook Business.
Given how reliant employees are on their own “brand” and contacts to thrive in today’s economy, the drive to use social media at home and at work isn’t likely to diminish, and their online activity can become the path by which the organization is compromised.
As we constantly adapt and improve our technology and techniques for countering and responding to attacks, attackers are doing the same from the other side of the fence. However, there are key actions that company IT departments can take to counter the risk considerably.
Minimize human risk
The first line of defense against phishing or social engineering attacks will always remain user awareness and training. If a victim doesn’t click on that malicious link or download a malicious attachment, nothing will happen; it’s not magic.
Every employee is a potential victim, but employees who have to interact with the outside world daily, like sales, PR, and HR, are the most exposed to targeted attacks through social media. Even though security awareness isn’t part of their job description, it’s vital for the company to provide adequate training and awareness so that incidents are nipped in the bud.
For instance, running periodic training courses and conducting real-world simulation tests should be high on your organization’s list.
Don’t fall victim to the duck test
The duck test – if it looks, swims and quacks like a duck, then it probably is a duck – no longer applies! Just as a green icon and HTTPS don’t make a website legitimate, a convincing social media profile with the correct name, photo, history, and title doesn’t make a person legitimate either.
When it comes to external communication, you should train employees to always verify an individual’s identity over trusted channels when in doubt. Received a friend invitation on LinkedIn from a work colleague? Message them internally via their e-mail address, phone number or any other contact information that you have already established as trusted.
But what if it’s an unknown individual? Always insist on communication via official channels, such as asking them to contact you from their company e-mail address, something you can verify. Never reveal any information (it can be used for reconnaissance or social engineering), click any links, or download any attachments until you are certain the individual or company is trusted; and even then, double check.
Constantly review your defenses
Security and convenience have always been viewed as a balancing act (the more secure, the less convenient), but it doesn’t have to be this way. If you’ve designed a cyber security strategy that the whole organization can rally behind because it protects and supports what they want to achieve, you’ve won.
Still, you should have the right security policies set in place. For instance, to restrict the damage radius, you should always review access controls (“who has access to what”) and utilize security features like Local Administrator Password Solution (LAPS) and multi-factor authentication (MFA) to further beef up your posture.
The right security solutions can also support your existing cyber security strategy. For instance, endpoint protection and detection and response products can help detect and contain the damage when someone falls victim to an operation whose attack lifecycle includes a host compromise (malware) stage.
Create and foster a culture of shared responsibility
Security is always a shared responsibility. It’s the employee’s responsibility to follow the company’s security guidelines and to report security violations or vulnerabilities upon encountering them, but it’s also the company’s responsibility to create the guidelines, culture, and mindset. You should avoid creating a culture of fear, where employees are afraid to report security incidents because of the possible fallout.
The sooner an incident is reported, the lower the likelihood of irreversible damage. For instance, if a phishing operation is running against your organization through social media platforms and a single employee who fell victim to it senses something is off based on their training and reports it right away, you can quickly investigate, warn the rest of the employees who are at risk, and limit the damage.
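The investigation step that follows a single report, as an added example that is not part of the original article: one employee reports the link they were sent on social media, and the security team sweeps web-proxy logs for everyone else who reached the same host, ranking those who submitted a form (likely their credentials) ahead of those who merely visited or were blocked. The log format and the log lines below are constructed for the example; the hostname and users are placeholders, not real indicators.

```python
"""Sweep proxy logs for colleagues who reached a phishing URL reported by one employee."""
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample web-proxy log (assumed format, not real traffic):
# <ISO-8601 UTC timestamp> <username> <source IP> <method> <url> <HTTP status>
SAMPLE_PROXY_LOG = """\
2024-05-06T09:12:03Z alice 10.0.4.21 GET https://www.linkedin.com/messaging/ 200
2024-05-06T09:12:41Z alice 10.0.4.21 GET https://careers-portal.example-phish.test/login 200
2024-05-06T09:13:02Z alice 10.0.4.21 POST https://careers-portal.example-phish.test/login 302
2024-05-06T09:30:10Z bob 10.0.4.33 GET https://careers-portal.example-phish.test/login 200
2024-05-06T10:02:55Z carol 10.0.5.10 GET https://www.linkedin.com/feed/ 200
2024-05-06T10:47:19Z dave 10.0.5.12 GET https://careers-portal.example-phish.test/ 403
2024-05-07T08:05:00Z erin 10.0.6.7 GET https://CAREERS-PORTAL.example-phish.test/login?ref=li 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, ip, method, url, status = m.groups()
    host = urlparse(url).hostname  # urlparse lowercases the hostname for us
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ip,
        "method": method,
        "host": host or "",
        "url": url,
        "status": int(status),
    }


def sweep(log_text, reported_url):
    """Return {user: summary} for every user whose traffic touched the reported host.

    Matching is on hostname rather than the full URL, because phishing kits vary
    paths and query strings per recipient while the host stays the same.
    """
    target = (urlparse(reported_url).hostname or "").lower()
    if not target:
        raise ValueError("reported URL has no hostname")
    findings = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["host"] != target:
            continue
        s = findings.setdefault(ev["user"], {
            "first_seen": ev["ts"],
            "hits": 0,
            "blocked": 0,
            "submitted_form": False,
            "src_ips": set(),
        })
        s["hits"] += 1
        s["first_seen"] = min(s["first_seen"], ev["ts"])
        s["src_ips"].add(ev["ip"])
        if ev["status"] >= 400:
            s["blocked"] += 1            # proxy or server refused; nothing was loaded
        elif ev["method"] == "POST":
            s["submitted_form"] = True   # data was sent to the phishing host
    return findings


def triage(findings):
    """Order affected users: those who submitted data first, then the earliest visitors."""
    def action(s):
        if s["submitted_form"]:
            return "reset-credentials"
        if s["hits"] == s["blocked"]:
            return "warn-only"           # every attempt was blocked
        return "warn-and-check-host"
    ranked = sorted(findings.items(),
                    key=lambda kv: (not kv[1]["submitted_form"], kv[1]["first_seen"]))
    return [(user, action(s)) for user, s in ranked]


if __name__ == "__main__":
    report = "https://careers-portal.example-phish.test/login"
    for user, what in triage(sweep(SAMPLE_PROXY_LOG, report)):
        print(f"{user:6} -> {what}")
```

The output of `triage` is the list you would hand to the helpdesk and to the awareness team: the reporter (alice) gets a credential reset because she posted a form to the host, bob and erin get a warning and a host check, and dave only a warning because the proxy blocked his request. Note that the sweep matches on hostname, which also catches the mixed-case variant and the different query string in erin's line.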
Even the most seasoned eye can fall victim to spear-phishing, and security incidents are still bound to happen, so it’s a matter of when, not if. And while you may have a level of control internally, you should accept that you can’t control what employees do in the digital world, especially outside of work. Therefore, constantly reviewing and improving your security posture is an absolute must.