In 1990, from behind his extremely large computer, Tim Berners-Lee wrote the first web browser computer program, and thoughtfully named it the World Wide Web. Few could imagine that the Web would waterfall into this brave new world of invention and complexity that we live in now.
With the arrival of the Web, we connected with the world. We bought plane tickets with a click, checked our bank accounts, engaged in meetings across the world, and sent letters to friends, all from the comfort of our office chair. Life was becoming simpler, or was it?
Yet we lost something very important in the Web process, and we’ll never get it back with the naïve beauty it once held: Privacy.
Although it still exists, the word “privacy” takes on a hollow connotation. Kids born over the past 20 years will never know what “privacy” meant to us who lived prior to the nineties. Before 1990, if our phone was private, no one could reach us. Our birthdays were found from a birth certificate. We guarded our social security cards with our life – no one knew that number.
But privacy changed after 1990. I remember around 2001 I made a simple call and retrieved 20,000 people’s information containing first and last name, phone number, social security, and credit card numbers for $5,000. You read that right: that’s a mere $0.25 for a person’s life. But none of us focus on that side of the Internet. It’s the risk we accept for ease. Although we’ve seen the close calls, they haven’t happened to us, so we have this feeling that we’re immune from the “bad guys.” Often, it’s too late by the time we take heed and tighten our safety.
However, auditors are lucky. Your profession is built on principles that double as life lessons. As an auditor, you probably already think about the dark side of the Internet more often than others. You consider risk, data privacy, how to increase security, and how to educate those around you. You’re the perfect candidate to arm others and your company with the skills to improve their privacy (even when privacy seems fleeting).
Put on your red-team jersey
The term “red team” usually refers to an external group that challenges an organization to improve its effectiveness by assuming an adversarial role or point of view. In other words: think like a hacker. If you’re going to audit social media, then develop a method. Kate Mullin, a social engineering expert, shares a formulaic approach to thinking like a hacker and doing the reconnaissance a hacker would do, so that you can protect your organization. The audit starts with your company’s homepage. Here are five things to do or consider when using social media in an audit:
#1: Get started on the Company website
First, get online. Start your audit by going to the company website. What can you find there? Find out the names of the CEO, CFO, and other executives. Is there information that a hacker can use to elicit additional information? Based on the names that you read about on your company website, go find them on social media.
#2: Gather information from LinkedIn
Once you have a list from the company website, head to LinkedIn. See who the executives and other key employees you found on the company website are linked to, in order to learn more about them. What you’re looking for on LinkedIn is where the person went to school and any organizations they are following. For example, a hacker might send these people an email posing as an alumnus, or create a fake profile that makes them look like an alumnus too.
Also, note LinkedIn connections. Often executives will be linked up with employees within the company. Find out who their contacts are and what they’re posting. Search for other employees on LinkedIn as well.
Employees in IT are considered the “crown jewels” in a hacker’s collection. Mullin notes, “You would be amazed at how much information people give away on LinkedIn (as part of their resume or as comments) that could endanger their company. I’ve known “security” people who literally have posted that they updated their security application and provided the manufacturer as well as the old and new version number.”
What matters is teaching people what the bad guys can do with the information you find, so they can protect themselves. “For example,” says Mullin, “if I can find out who’s in a payroll department, that’s the person a hacker is going to target with a W2 scam. Or they are going to spoof, impersonate, the CFO to get the accounts receivable listing from the Finance department.”
LinkedIn is a great place for networking, so naturally we want to list our professional qualities. It is fine to note that you hold certifications, but never note the version of an application or the model number of equipment. Recruiters won’t use the version as a search term, but hackers will pick up on it, so don’t name an exact product version or model. For example, there are different types of Cisco firewalls, so you can say you have experience with Cisco firewalls without mentioning the version.
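An auditor can apply this rule mechanically to the profile text and posts they collect. The script below is an added example, not part of the original article or of Mullin’s method: it flags the kinds of over-disclosure described above (dotted version numbers, hardware model codes, year-branded server products) in a few constructed sample snippets and shows a redacted form that keeps the skill claim but drops the specifics. The regular expressions and the sample posts are assumptions made for this example and would be tuned to a real environment.

```python
import re

# Constructed sample snippets standing in for employee profile or post text an
# auditor might review. They are invented for this example, not real posts.
SAMPLE_POSTS = [
    "Certified in Cisco firewall administration; 8 years of network security experience.",
    "Just upgraded our Palo Alto PA-3220 from PAN-OS 9.1.3 to 10.2.4, smooth rollout!",
    "CISSP, CISA. Experienced with endpoint protection and SIEM platforms.",
    "Finally migrated the payroll team off Windows Server 2012 R2 to 2019.",
]

# Each pattern names one kind of over-disclosure the article warns against.
# This pattern set is an assumption of the example; extend it for your environment.
PATTERNS = {
    # dotted release numbers such as 9.1.3 or 10.2.4
    "version": re.compile(r"\b\d+(?:\.\d+){1,3}\b"),
    # hardware model codes such as PA-3220 or ASA-5516
    "model": re.compile(r"\b[A-Z]{1,4}-\d{3,5}[A-Z]?\b"),
    # year-branded server products, e.g. Windows Server 2012 R2
    "product": re.compile(r"\b(?:Windows(?: Server)?|Exchange|SQL Server)\s+\d{4}(?: R2)?\b"),
}


def find_disclosures(text):
    """Return [(kind, matched_text), ...] in order of appearance in the text."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((m.start(), kind, m.group(0)))
    return [(kind, value) for _, kind, value in sorted(hits)]


def redact(text, placeholder="[redacted]"):
    """Replace every flagged token so the remaining text is safe to publish.

    The product name (e.g. PAN-OS, Cisco) is kept; only the version or model goes.
    """
    for pattern in PATTERNS.values():
        text = pattern.sub(placeholder, text)
    return text


def audit(posts):
    """Return (index, findings) for every post that discloses something."""
    report = []
    for i, post in enumerate(posts):
        findings = find_disclosures(post)
        if findings:
            report.append((i, findings))
    return report


if __name__ == "__main__":
    for i, findings in audit(SAMPLE_POSTS):
        print(f"post {i}: {findings}")
        print("  suggested wording: " + redact(SAMPLE_POSTS[i]))
```

Running it flags the second and fourth sample posts and leaves the Cisco firewall claim alone, which is exactly the line the article draws: the skill is fine to advertise, the version and model are not.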
#3: Head to Facebook
You’ve now gathered information from the company website and from LinkedIn, and your third stop is Facebook. At this point you can see the natural progression: you’re building your own auditor’s social media map.
Hackers can read between the lines to discover the specific technologies a company is using just by viewing a resume, friend connections, comments, posts, and questions. Within Facebook lies the information needed to craft a phish, or to call your company and vish (voice phish) for information. Frequently, all of the information needed to perform a password reset will be on Facebook, including high school, favorite bands, favorite color, names of children, and more.
#4: Check the Chat rooms
See if you can find things in chat groups. Discovering chat room threads can take a little more work, but you’ll occasionally see employees asking for help with problems configuring a technology. If they do it in a chat, then anyone in the world can see they’re looking for help and take advantage of the configuration errors they describe.
#5: Make sure employees are civil, even on social media
That’s right, bullying isn’t just a school-age thing. Make sure employees are civil to others on social media. Disgruntled individuals will start targeting the company and individuals. A classic example is when Iranian hackers took down Sheldon Adelson’s casino empire. Poor behavior can wreak havoc not just on a company’s or an individual’s reputation; it can cause deeper damage.
If you think of a web, not only does it sprawl out in glistening beauty to occupy its space, but it also does something more sinister: it captures insects as prey. And we are those insects, caught in the web.
Like those insects, we walked right into this web willingly. The comfort of the Web has lulled us into a false security that what we do each day won’t garner the attention of the “bad guys.” But maybe it will, so the best thing we can do is safeguard ourselves, our company, and educate others that what goes on the Web, stays on the Web.