This article is based around a real case study. We’ve changed some of the details to ensure confidentiality.
Organisations and individuals embrace social media and use it for a variety of reasons. For Pear Ltd, it helps raise brand awareness, engage with customers, and get key messages to the market in a rapid and effective manner.
However, social media is a key cyber security risk. Employees can post controversial content which misrepresents the company and harms the brand, or they might even use social media to exfiltrate intellectual property. In this case study, we’ll see how Barbara from HR turns out to be Pear Ltd’s weakest link.
Before we start, what is a social engineer?
A social engineer is someone who wishes to compromise Pear Ltd for financial reward, to obtain confidential information, or to inflict reputational damage.
Rather than launching a technical hacking attack, they will obtain access to confidential data or systems by using manipulation techniques. As an example, they could convince a Pear Ltd employee to disclose their log-in details by pretending to be someone inside the organisation, like IT Support.
Barbara from HR likes Astrology
Barbara, a trusted Pear Ltd HR employee, doesn’t cause much trouble on social media. She’s professional and considerate, using her Facebook profile to follow the latest astrology trends and share photos of her pets.
Barbara was in charge of an important HR database. The database held information on security-cleared staff who worked on sensitive government projects.
This information would be valuable to some foreign intelligence agencies, and in this case, it was targeted by a nation-state actor which we’ll call ‘Fancy Pear’.
Fancy Pear began their attack by gathering information and identifying Pear Ltd staff who had access to the targeted HR system. Barbara was identified, and they began reconnaissance on her.
Her Facebook profile revealed an interest in astrology. Further research uncovered the astrology interest groups and forums of which she was a member.
To compromise Barbara, Fancy Pear developed a fake website related to Astrology and offered ‘new members’ a free ‘sky mapping tool’.
Next, they crafted a spear phishing email designed to look as though it came from the admin of one of her astrology groups. It contained the link to the fake website and the free download.
Within 5 hours of the email being sent, Barbara had clicked the link and downloaded the “tool”.
Unfortunately for Barbara, the download was, in fact, a Trojan horse (malware disguised as safe or legitimate software). The malware was a sophisticated keylogger.
The keylogger covertly recorded Barbara’s keystrokes and sent them back to Fancy Pear. Fancy Pear obtained Barbara’s login credentials and accessed the HR system they had targeted from the start.
How to Protect Barbara and de-risk social media
OK, you’ve just been hired as a cyber security consultant at Pear Ltd and it’s your job to manage their cyber security posture and the associated risks.
How do you identify and reduce the risks related to social media?
Prevention & Resources for you, the future cyber security professional
1. Develop a clear policy on social media. The policy should state whether people may identify themselves as employees online, what the standards of conduct are, and whether they should keep separate work and personal profiles.
2. Consider having rules on disclaimers. For example, if a person is going to make a statement about company business, a disclaimer may state that the views expressed are not those of the company (useful in libel cases).
3. Ensure company employees are given thorough, interesting, and credible training regarding social media risk. Focus on teaching people how to protect themselves, not just the business, to increase engagement and retention.
One video worth including in awareness training is the Brussels Mind Reader: http://www.youtube.com/watch?v=F7pYHN9iC9I.
4. Test your employees, test the business. Consider hiring an external social engineer to make sure your employees have understood the training and to uncover other vulnerabilities.
Check out: Maltego https://www.paterva.com/web6/
Maltego is an open-source intelligence (OSINT) analysis tool for gathering and connecting information. It’s often used by social engineers.
5. Continue to consider the risks of social engineering when undertaking information security risk assessments. Remember that not all attacks are technical in nature, and social engineering is always the more likely route. Why hack a system when you can obtain the information through much simpler methods?
Valuable content? Share this article and let people know you’re serious about a career in cyber security.