Social media is the new weapon

Classical war involved nations fighting nations, with two clearly demarcated sides. Contemporary war, in contrast, may pit one against the many, or a nebulous network of alliances fighting for a cause rather than a geo-political territory or economic interest.

And unlike its predecessor, contemporary war includes cyber warfare which may take many forms, including the Oct. 21 widespread denial of service attack that affected more than a thousand websites and tens of millions of users.

Cyber warfare is not new, although it is hardly publicly acknowledged by nations. The British Military, however, has recently stated that it is disrupting mobile communications in the city of Mosul as part of its efforts to fight ISIS.

But cyber criminals do not need a particular reason to go to war against the enterprise, and now they have more weapons in the arsenal. Cyber criminals can use social media tools to gather intelligence, access assets, and disseminate misinformation, or in other words “control the narrative.” Social media has been weaponized.

“Most realize cyber security is a major issue but do not associate social media as relevant to that overall position,” said Nick Hayes, an analyst with Forrester Research, in an interview with the Journal. Organizations in the U.S. are actually all over the map, Hayes said, when it comes to reducing online exposure.

There are currently four ways to exploit social media, he explained, and companies have to be aware of these tactics:

Reconnaissance. Cyber thieves will gather intelligence about specific leadership such as senior level executives or key personnel to run social engineering campaigns. At the very least, such info can help criminals understand behaviors of the individual in question, for use later on.

Deliver technical exploits. Social media is a prime channel for sending out malware and payloads (viruses).

Brand hijacking. Impersonators take over accounts and wreak havoc. Example: replying to customer complaints in inappropriate ways, or creating fake promotional content, making a situation worse for the company and potentially exposing it to liability.

Threat coordination. Using messaging apps to recruit, raise funds, and plan an attack is not uncommon. This is not the dark web either. Hundreds of groups are currently operating in broad daylight, on popular social media sites.

Hayes advises companies to first identify their social media and digital assets that are publicly facing (brand accounts, points of presence, locations, key personnel, etc.) and then implement different types of controls, including technical and policy-related rules. What are employees allowed to post, for example? Restrict access to social media accounts and monitor for malicious or suspicious behavior.

The friendly enemy within

Cyber threats are both external and internal. And while there are known malcontents that turn against their employers — Edward Snowden comes to mind — many employees are simply unaware of how their public profiles may inadvertently, yet negatively, affect the company.

“The issue is even when you have employees trying to do the right thing, their public behavior can make the organization vulnerable,” said Hayes.

He offered Anthem as an example. In 2015, the healthcare provider was hit with the largest data breach in history, affecting close to 80 million individuals. As Hayes explains, a large data breach like this can start with something simple: collecting data on key IT personnel.

Even if a company has a strict social media policy in place, rules which limit employees from discussing their job functions online in any capacity, a cyber thief can still piece it together. How? Via online resumes: comparing what that person was responsible for in the past with current job titles.

Cyber criminals can then figure out who to target in order to gain credentials for privileged accounts. A majority of cyberattacks involve these types of accounts which grant the ability to access and alter sensitive and strategic info, intellectual property, customer data, and other pieces of proprietary information.

Privileged accounts are an attractive target, yet companies do not manage them well, and some do not even know how many they have, said Steve Kahan, CMO, Thycotic, in an interview with the Journal. Thycotic is a Washington, D.C.-based security solutions provider with clients around the world.

Once attackers get their hands on passwords, they can operate laterally and unnoticed, to cause great damage and harm, Kahan stressed. Businesses must therefore manage and control what employees have access to, track enforcement and ensure that employees understand the policies in place.

A business unaware of its online assets, and of who may be exploiting them, is a company at risk. Yet commonly, and frustratingly, employees are still sharing passwords, using the standard 1234 defaults, or the same password for every account. (In the Oct. 21 attack, the botnet relied on accessing devices with default passwords.)

Stephanie Prokop can be reached at stephanie.prokop@alaskajournal.com.

Updated: 11/06/2016 - 9:56am
