You have 1 new hack request

Social has arrived, but it took time. The crowds of people fluttering around the IT industry claiming to be social experts because they can define a 'retweet' and have 700-plus friends on Facebook has frustrated many, with companies struggling to get a real grasp of how social media and networks can effectively help power businesses into the next generation of trade and success.

What social media does do is collect an impressively large amount of customer data -- positive and negative. It offers a constantly reachable platform of customers and partners from across the globe. It allows casual engagement and coherent communication channels. All in all, social networking is a powerful tool once businesses realise its potential. A survey reported that there are 3,370,780 Facebook users in the United Arab Emirates alone, making it the 48th highest country in the world for users. The survey also suggested that 35 percent of Internet users in the region do so for business purposes. In the UAE, that suggests that around 1,179,773 of these Facebook accounts are businesses -- a large database which is instantly reachable and easily contactable.

Saudi Arabia accounts for the largest share in the region: 43 percent of that 35 percent comes from there.

The danger of numbers

So what do these numbers mean for security? It's been said that nearly 80 percent of Internet users have the same basic email address, username and password for social media as they do for critical accounts such as online banking, and business databases.

Consider this idea alongside the numbers mentioned above: if 3,370,780 UAE residents use Facebook, and 80 percent of those reuse their passwords for other accounts, then the opportunity for cyber thieves and hackers to infiltrate personal accounts is extremely high.

"Answers to the simple questions you get asked when logging securely into financial sites -- like when were you born, where were you born, what's your mother's maiden name, etcetera -- can be found easily on Facebook if you're a sophisticated attacker. It's very easy for someone to hack you using your social activity," says Justin Doo, Director of Security Practices, Symantec.

This is a basic risk for employers who now have the added concern of BYOD -- with many devices being constantly logged into social sites on an operating system which is also hosting the company's applications.

"Maybe it is not so much BYOD that has changed this, but more that social media is available on the smartphones that we all now possess. Today any smartphone will have Facebook, Twitter, Tumblr and other services installed -- to some extent, social media has been one of the major drivers for smartphone adoption," says Nicolai Solling, Director of Technology Services, help AG.

"With that, organisations need to understand that most of their employees have a device in their pocket which connects them to social media, which the organisation may not have any control over. Again this means that social media usage is closely linked to acceptable usage policies and, very importantly, the acceptable communication policies which should apply to the individual both on and off work as long as they are under the employment of the organisation."

Khalid Abu Baker, Corporate Sales Director, Kaspersky Lab Middle East, adds: "Staff are now 'always-on', working from a range of different locations and using a variety of devices. This has widened the attack surface that a cyber-criminal can aim at. Staff may access a corporate Facebook or Twitter account using an insecure public Wi-Fi network.

"This introduces the risk that information sent or received could be sniffed by a stranger on the same Wi-Fi network. It's also very easy for mobile devices to be lost or stolen; and if data isn't encrypted, and there's no passcode set, corporate data -- and automatic access to social networks -- is wide open to whoever takes the device. BYOD further adds to the complexity because staff are combining personal and corporate activities on the one device -- and companies may not have technology to 'containerise' personal and business data."

Behind enemy lines

Once in, the effects can be harshly damaging. As Abu Baker explains here, many elements must be taken into account when attempting to limit post-breach consequences.

"There are several risks. First, if the security on the account is weak -- for example, a weak password -- and it's hacked, the attacker can post things that could seriously damage the company's reputation. An attacker could post something embarrassing, or post misinformation about the brand, or use the account to spread malware. If the account is a shared account (e.g. a corporate Twitter feed), with a shared password, there's a greater risk of the account falling into the wrong hands -- people are more likely to choose an easy-to-guess password, so that everyone accessing the account can remember it easily. Second, information posted by employees in social networks can be used to gather information that can be used to launch a targeted attack."

And according to Solling, despite the obvious risks and publicly noted cases of breaches and compromises, employees still take a very relaxed approach to social media security.

"In June of last year, over 6.5 million user passwords were leaked from LinkedIn's database. And earlier this year, as many as 250,000 of its user accounts may have been compromised by the online conglomerate known as Anonymous. It is shocking that, despite the widespread media coverage that such events have received, users still choose to believe that they will not fall victim to the effects of such attacks," he says.

On top of this, LinkedIn itself has spoken out, saying it is doing as much as possible to protect its users and secure their data.

"LinkedIn are constantly looking for ways to improve the security of member accounts. All LinkedIn accounts are already protected by a series of automatic checks that are designed to thwart unauthorised sign-in attempts. Now, LinkedIn are introducing a new optional feature that adds another layer of security to LinkedIn sign-in -- two-step verification," a spokesperson said.

"Most Internet accounts that become compromised are illegitimately accessed from a new or unknown computer (or device). Two-step verification helps address this problem by requiring users to type a numeric code when logging in from an unrecognised device for the first time. This code will be sent to users' mobile devices via SMS. When enabled, two-step verification makes it more difficult for unauthorised users to access user accounts, requiring them to have both personal passwords and access to the user's mobile phone."
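The flow the spokesperson describes, written out as an added example (this is not LinkedIn's code): a password check first, then a one-time numeric code demanded only from devices the account has not seen before, with the SMS gateway stubbed out and the code made single-use and time-limited.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed: an SMS code is valid for five minutes

class Account:
    """Toy account record: salted PBKDF2 password hash plus the device list."""
    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password, self.salt)
        self.known_devices = set()   # device ids that have completed step two
        self.pending = {}            # device_id -> (code, expiry time)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password):
        # constant-time comparison so a wrong guess leaks no timing information
        return hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)

def send_sms(code):
    # Stand-in for the SMS gateway; in a real system this is the only
    # place the code leaves the server.
    return code

def login_step1(account, password, device_id, now=None):
    """'ok' for a recognised device, 'code_sent' when step two is required."""
    if not account.check_password(password):
        return "denied"
    if device_id in account.known_devices:
        return "ok"
    code = f"{secrets.randbelow(10**6):06d}"   # six-digit numeric code
    now = time.time() if now is None else now
    account.pending[device_id] = (code, now + CODE_TTL_SECONDS)
    send_sms(code)
    return "code_sent"

def login_step2(account, device_id, submitted_code, now=None):
    """Verify the SMS code; on success the device becomes recognised."""
    entry = account.pending.pop(device_id, None)   # single use: wrong guess restarts step one
    if entry is None:
        return "denied"
    code, expiry = entry
    now = time.time() if now is None else now
    if now > expiry or not hmac.compare_digest(code, submitted_code):
        return "denied"
    account.known_devices.add(device_id)
    return "ok"
```

A wrong or expired code discards the pending entry, so an attacker holding only the password cannot keep guessing codes without re-triggering a fresh SMS each time.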

Social malware

The challenges faced by LinkedIn should highlight the need for a far sterner view of social media security risks. The multiple platforms from which we access these networks certainly increase those risks, but the fundamental issue is always the same.

Mahesh Venkateswaran, Managing Director, Social, Mobile, Analytics and Cloud, Cognizant, explains that subtle and common attack methods are effective when targeted at social networks. And as we evolve our communications, the threats evolve to counteract this. Though the given names might not be terrifying, the consequences certainly are.

"Phishing is one of the key threats, even more so with variants such as Vishing -- the social engineering approach that leverages voice communication -- and Smishing, a form of social engineering that exploits text messages," he says.

"Short URLs can readily become a destination of malicious links -- users do not know the links are malicious unless they click them. There is also the risk of malware spreading through mobile devices to others on the contact list. Access to online shopping accounts through mobile devices is another potential threat."

Jamil Ezzo, General Director of ICDL GCC Foundation, concludes by suggesting that public awareness must improve to promote safer use of social media channels. But the attacks will keep coming; it is simply a case of having the correct steps in place to react post-breach, as well as the awareness to recognise potential threats.

"The lack of control over the use of social media in the workplace could cause irreparable damage to the person and the company he or she represents. To avoid this, we encourage the promotion of public awareness in order to eliminate the misuse of this technology," says Ezzo.


Stories by Joe Lipscombe
