Social media, the gateway for malware

Why the Common Vulnerability Scoring System (CVSS) doesn't give an accurate picture of the security risks from social media sites

Easy to access, widely used, and outside of enterprise control, social media sites are gold mines for malicious actors. People share a lot of seemingly innocuous information, which is exactly the kind of data that hackers love to collect and use in phishing or spear phishing campaigns. 

NopSec's recent 2016 State of Vulnerability Risk Management Report found that organizations use inadequate risk evaluation scoring systems. The report claimed that social media -- which often isn't included in any risk evaluation system -- is now a top platform for cybersecurity.

So, what's the correlation between social media and the rise in malware?

Steve Durbin, managing director at Information Security Forum, said that correlation is a bit of a strong word. "Social media use has increased. Once someone is onto a site like LinkedIn, Twitter, or Facebook, there is almost an assumption that the way you are interacting with others is without risk. Psychologically, your guard is down."

As a result, social media sites have become a useful channel for those who want to spread malware through social engineering.

"From a hacker standpoint, social media is rich picking. We have an environment where by nature the people have very low guard. They will quite readily engage with a third party. It's a great opportunity to gather information that you can make use of from spear phishing to social engineering to push out malware," Durbin said.

According to the NopSec report, "Twitter is becoming one of the top platforms for security researchers and attackers looking to disseminate proof-of-concept exploits. Vulnerabilities associated with active malware are tweeted nine times more than vulnerabilities with just a public exploit and 18 times more than all other vulnerabilities." 

Social media is both a lure and a gateway for malware. The sites are attack vectors that are outside of endpoint security, which suggests that relying solely on the CVSS score makes it difficult to prioritize risks. "But its subscores combined with other factors such as context, social media trend analysis, and data feeds deliver a better risk evaluation and prioritization," the NopSec report said.

In the sixth annual Smarsh 2016 Electronic Communications Compliance Survey, 48 percent of the respondents cited social media as the number one channel of perceived compliance risk.

"Even when a firm has banned social media channels, risks remain if employees do not adhere to the ban. In fact, the percentage of respondents who claim to have minimal or no confidence that they could prove the policy of prohibition is working ranges from 30 percent for LinkedIn to 41 percent for Facebook and 45 percent for Twitter," according to the Smarsh report.

The problem for cybersecurity teams is that there is little to no visibility into social media sites because these sites exist outside the network perimeter. Mike Raggo, chief research officer, and Evan Blair, co-founder and chief business officer of ZeroFOX, said, "Social media represents one of the largest, most dynamic risks to organizational security."

If security practitioners are not incorporating social media into their risk assessment, they are leaving a blind spot. In order to understand the scope of vulnerabilities, "they need to leverage social media to identify changes in the threat landscape," said Raggo.

Mike Raggo, chief research officer, and Evan Blair, co-founder and chief business officer of ZeroFOX: "As social media becomes a major platform for business communication, cyber criminals are exploiting its inherent trust and widespread connectivity to target employees and customers."

Raggo said that many enterprises are starting to understand the problem and more are looking to know not only how social media leads to compromise but also what security teams can do to solve the problem.

Jared Semrau, manager, vulnerability and exploitation at FireEye, said, "At its core, social media enables people to connect quicker and more widely than they otherwise would."

Though seemingly harmless in its intent, social media contributes to the spread of information that can help facilitate malicious activity, "such as information pertaining to vulnerabilities, exploit or proof-of-concept code, and attack methods," Semrau said.

Malicious actors have leveraged these social media platforms to bolster their existing operations. Semrau said, "They are using these platforms to expose their social engineering schemes to a wider audience or lending credibility to existing activity by creating social media profiles, activity, and networks (as was the case with Newscaster), these platforms are having a direct role in malicious activity and the threat landscape as a whole."

If there were an easy answer to what enterprises can do to avoid these risks, everybody would be free and clear of the threats posed by social media sites. Unfortunately, there is not a lot that can be done to completely avoid the risks.

"That being said," Semrau said, "the first step to minimizing your risk is to understand the threats to you and your organization. You can spend millions of dollars implementing tools or countermeasures, but if you do not have a comprehensive understanding of your threat environment, that money may be wasted."

Understanding and prioritizing will raise awareness and hopefully change user behavior, which will consequently strengthen security. "Understanding the threats, prioritizing those that impact you and your organization the most, and implementing specific mitigations or countermeasures to deal with those specific threats will probably offer you the best chance of success," said Semrau.

Since it is difficult to improve the reliability of any given tool, Semrau recommended that organizations get a better understanding of what their tools or services were designed to do. "Understand what information is used to support those offerings, and ultimately decide whether those tools fit their specific needs," Semrau said.

It's important for security practitioners to assess security tools and understand exactly what it is they want a tool or service to provide. Semrau said, "Make sure those tools or services are able to deliver on those needs, and verify that the information being used to power those solutions is rooted in quality and reliable information."

Those that are quick to see security tools as an answer to a vulnerability score are potentially being too simplistic, Durbin said. "The whole risk arena is becoming more complex. They need to be rethinking how they measure vulnerabilities, not just complying with compliance."

In addition to anticipating threats, enterprises also need to grow more resilient. "It's not as simple as what we have done in the past," said Durbin. Assessing the value of the assets will shed some light on where the vulnerabilities might reside.

"We need to be doing a business impact assessment to understand the threat environment and how that is changing. Then we can understand the risk associated with that and the risk appetite related to a particular vulnerability," Durbin said.

Security needs to become more sophisticated, which means having a working awareness of the value of the business assets and the impact of loss or down time. The risk isn't only in the ability to deliver service. It's also the impact on brand and reputation and the way the enterprise is viewed against its competition.

Enterprises that suffer a breach can be sure to see their name not only in headlines but also in tweets and Facebook feeds.
