At the RSA Conference in San Francisco, I sat in on a panel that raised an interesting question in the insecure big data world that we live in. Ian Amit of Zerofox gave a talk on how social media usage could be leveraged by cybercriminals to target individuals to infiltrate a company.
The theory is quite simple — we put a lot of personal data out there that can be accessed by pretty much anyone. This includes cybercriminals and it is a variable that they can leverage to help infiltrate a company.
What makes you a target?
In theory this idea is quite plausible. We already know that social media sites are prime targets for phishing schemes, and if we know that, so do the criminals. By leveraging the big data, they can look at people who they feel could be easy prey, or a prime target for attack.
— Kaspersky Lab (@kaspersky) December 12, 2015
In the talk, Amit noted that some factors that could increase the risk for someone being targeted is to look at people who actively post on polarizing topics like sports, politics, religion and certain social causes. In some of these areas, you could see a person who is highly interested in a given politician, we’ll call him Bernie Trump, potentially clicking on or sharing links from accounts that could be a spoof of the real one with similar posts, but instead of campaign messaging they are sending a phishing link.
You could also be a target if you are in your company’s IT, Corp Communications or Finance department as all have ties into sensitive corporate information. High ranking executives and board members can also be potential targets.
What can you do?
The quick and easy answer to this is to follow basic cybersecurity best practices. This means no clicking on links that you are unsure of, only opening files that you know are verified and also knowing sender. The last one is perhaps most important as we recently learned with Snapchat falling victim to phishing.
— Kaspersky Lab (@kaspersky) February 29, 2016
You should also be careful of who you follow back on social sites as spoof accounts could really come back to hurt you.
Should companies use this type of profiling?
This use of big data to assess risk seems to be a little bit of too soon for the market. Many companies do not fully leverage the power of big data while having millions of customers, so it seems unlikely for mass adoption when it comes to companies looking at thousands of employees.
I am sure that there are plenty of use cases and companies doing this, but think that these would fall into highly sensitive or controversial industries.
How can I keep my social profiles safe?
The team at Kaspersky Daily has you covered with these articles on best practices from a security standpoint for social networks: