Engineering Social Security – Why people loom large on the IT threat landscape

Like the mythical Hydra, IT threats form a many-headed beast, and once one is conquered, two take its place. It’s a frustrating time for IT security companies that must deal with several moving targets such as the creation of evolutionary malware, the complications of bring-your-own devices and the responsibility handball that is cloud computing security. Beyond these threats, however, is one even harder to nail: the social side of IT security.

Once upon a time, the biggest issue around employees and the internet focused on dealing with reduced staff productivity and high network bandwidth consumption. These are now considered “old world problems”, according to Arun Chandrasekaran, research director of ICT Practice, Asia-Pacific, at Frost & Sullivan, a global business research and consulting firm. He says security issues now account for about 80 percent of all the enquiries Frost & Sullivan receive from customers and service providers.

People, not a lack of technology, rank as the biggest threat to any network. Cybercriminals have always relied on the ignorance of people to profit—think Nigerian email scams. The worrying trend is that this scattergun approach has given way to targeted attacks. Criminals aren’t just after money: identity and intellectual property theft are high on the list too.

The Social Network
In 2010, more content was created and sent via social media than by email, according to Chandrasekaran. “Social media has been taken up so rapidly across the region. A lot of enterprises want to use it actively and they’re looking for secure ways to interact,” he says. “How do you forge a social media strategy? Is this a purely technical issue or a technology, process and people issue? How do you create the right processes and training for employees?”

While data loss and identity theft compete for the spotlight, Chandrasekaran adds that the legal implications of reputation damage and the loss of intellectual property through social media also require attention. Consultation to set policies and arrange enforcement should be cross-departmental, he advises, involving the legal, human resources and IT departments.

Social media also opens a double door that makes it easier for data to leak out and threats such as malware to creep in. Apart from deliberate data leakage, information can escape in any number of ways through social networking, particularly identification details that may lead to breaches, and malware can enter through links individuals could click in the course of their social networking.

“Social media has made it cleaner for hackers. They don’t have to do the whole dumpster diving thing any more where you go out and find the information about individuals,” notes Sean Kopelke, director of Security & Compliance at Symantec, one of the world’s largest IT security vendors. “You can pretty much find a large amount of information about individuals through social engineering and social networking and combining the two.”

Human Nature
Social engineering is the ‘soft’ side of IT attacks and, unsurprisingly, many of the techniques work well through social media. Social engineering is the referral marketing of the threat world, the pseudo word-of-mouth recommendation you receive from a friend whose account has been compromised, for example. Cyber criminals use social engineering techniques to appeal to human nature because we tend to trust a link or a website if someone we know has posted it in their status or recommended it.

“We have seen scenarios where people impersonate someone’s friend online to gather more information about them and post links into their stream or their social network that they may click on,” says Kopelke. “That whole social networking space has actually made it a bit faster and easier for people to reach into organisations by finding out that targeted information about them.”

His colleague, Symantec’s vice president of Strategic Sales in Asia-Pacific/Japan Bjorn Engelhardt, agrees. “People naturally trust any type of message or interaction that comes through social media. I know I do, and sometimes I’ve had to question myself—spend a little bit of time researching to find out if a person exists.”

Engelhardt says that because social media creates different types of content, there are different types of risks in each context as well. That makes it harder to create risk profiles, because methods for data harvesting vary depending on whether the attacker is after identification details or clicks on a bad link.

Add the fact that social media is all about sharing, and the tension between using social media and avoiding attacks is clear, Engelhardt points out. “In social media—whether you’re Twittering, whether you’re on Facebook or any form of social media—you’re constantly sharing information. How do you control that information flow, how do you prevent information from flowing in and out of your organisation?”

Bring it
Engelhardt says while attacks through social media are largely preventable if an organisation has adequate web security, or a computer or network has been blocked from using sites like Facebook, the increase in personal mobile devices in the workplace often makes this difficult…
