Malware delivery methodology
We have known for some time that one of the most effective methods of malware delivery is email spam. We have also come to learn that 40% of that spam now contains ransomware (IBM/CNBC research), so training staff to recognise the spam and phishing that can lead to infection is vital. However, social media posts, such as Tweets, are also used to deliver malware. This malware is propagated in much the same way as broad-stroke spam and phishing: an indiscriminate scattering of Tweets with an embedded link, usually sent by a bot. This might be via a Direct Message or on public Twitter, where anyone could pick it up and potentially click the link. It might be disguised as a link to a money-off voucher, holiday discount or freebie offer, which is very attractive to many users, not all of whom will think twice about clicking on it. But what if the person clicking is a colleague in your business who accidentally goes on to infect your network, not to mention social media connections who may be clients, suppliers or other stakeholders? The thing about this kind of infection is that it rarely stays in one place; look at how fast WannaCrypt spread. Making sure employees know whether or not they are allowed to access their own social media accounts on work devices is crucial. Enforcing this with site blocking may be necessary, alongside the other sites businesses should be blocking access to. Limiting access to corporate social media is a must. More on this further on.
Devices you don’t know about
Something to consider is the array of devices connected to your network that you may not know about. We know from research (Ovum) that a very high proportion of employees (70%) use their own devices on corporate networks, that some (21%) do so without their employer's knowledge or sanction, and 16% without the knowledge of IT security. Sometimes this is because those personal devices are acting as 'shadow IT': employees feel their own device is preferable, more convenient or better in some way. If you do not know these people are connecting to your network, and you have no idea of their devices' security settings or of what they are doing, you have a huge blind risk. If they are also accessing their own social media via those devices, then the infection could come through one of these non-corporate devices and blind-side security. Worryingly, it is sometimes senior management, who very frequently are not held to account for their digital behaviour in the same way other employees are, who introduce this risky behaviour. The additional concern is that they may be able to access very valuable or sensitive information, so the company could be compromised all the more seriously by an infection via someone at a senior level.
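One practical check for the 'devices you don't know about' problem is to reconcile what the DHCP server has actually handed out against the asset register IT maintains. The following is an added example, not code from the original post or from any product it mentions; the lease line layout (expiry, MAC, IP, hostname), the asset register and every MAC address and hostname in it are constructed for illustration, and a real deployment would read the leases file and a CMDB or MDM export instead.

```python
"""Added example (not from the original post): reconcile DHCP lease
records against an asset register to surface devices nobody in IT
knows about. Log layout, hostnames and MAC addresses are constructed."""
import re
from dataclasses import dataclass

# Constructed asset register: MAC -> label. A real one would come from
# the CMDB or MDM export; these entries are illustrative only.
ASSET_REGISTER = {
    "00:1a:2b:3c:4d:01": "laptop-finance-01 (corporate)",
    "00:1a:2b:3c:4d:02": "laptop-hr-02 (corporate)",
    "00:1a:2b:3c:4d:03": "printer-floor2 (corporate)",
}

# Constructed lease lines in an assumed "expiry mac ip hostname" layout
# (an assumption for the example, not a claim about any specific server).
SAMPLE_LEASES = """\
1496141400 00:1a:2b:3c:4d:01 10.0.5.21 laptop-finance-01
1496141460 00:1a:2b:3c:4d:02 10.0.5.22 laptop-hr-02
1496141520 a4:83:e7:11:22:33 10.0.5.40 Daves-iPhone
1496141580 00:1a:2b:3c:4d:03 10.0.5.9 printer-floor2
1496141640 f0:18:98:aa:bb:cc 10.0.5.41 Galaxy-S8
"""

# One lease per line: unix expiry, colon-separated MAC, IPv4, optional hostname.
LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-f:]{17})\s+(\S+)\s*(\S*)", re.I)


@dataclass(frozen=True)
class Lease:
    expires: int
    mac: str
    ip: str
    hostname: str


def parse_leases(text):
    """Parse lease lines; malformed lines are skipped rather than crashing the run."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            leases.append(Lease(int(m.group(1)), m.group(2).lower(),
                                m.group(3), m.group(4)))
    return leases


def unknown_devices(leases, register):
    """Return leases whose MAC does not appear in the asset register."""
    return [lease for lease in leases if lease.mac not in register]


def report(text=SAMPLE_LEASES, register=ASSET_REGISTER):
    """Return (mac, ip, hostname) tuples for every unregistered device."""
    unknown = unknown_devices(parse_leases(text), register)
    return [(lease.mac, lease.ip, lease.hostname) for lease in unknown]


if __name__ == "__main__":
    for mac, ip, host in report():
        print(f"UNREGISTERED {mac} {ip} {host!r}")
```

Run daily and the diff between two reports is the list of devices that appeared without anyone telling IT. One caveat worth knowing: recent phone operating systems randomise the Wi-Fi MAC per network, so a MAC-keyed register can miss or double-count personal handsets; pairing the check with 802.1X or an MDM enrolment list is more reliable than MAC alone.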
Who is accessing what and when?
Setting strong policy around social media, and enforcing it, is vital. You need to know who is accessing corporate social media accounts and issue guidance on what they can and cannot say, share or open. You need to make sure they are not using client platforms such as Tweetdeck, which allow more accounts to be added, to bolt on their own personal account (if this is considered too risky), thereby allowing them to click on links they would not click from the corporate accounts. Tools that offer this combined approach to social media are very useful and can be of huge benefit; using them securely and in a fully informed way means that you get the benefit while managing the risk. So access to these accounts and platforms should be carefully approached. There is a great argument for allowing diverse social media posting from within an organisation; real people talking about what they are doing and offering advice or thoughts make popular posts and a good balance to the professional, business-staple tweets issued by a social media team or consultant. But who you enable to do this, and how, should be carefully thought through to make sure any risk is managed and that everyone knows precisely what they can and can't do.
What are employees posting on social media that could impact you?
Alongside the rise and rise of ransomware, phishing and other threats to organisational security, there is our old favourite, social engineering. It has been a while since we posted a blog on this topic, so it's worth mentioning here. Spear phishing, or highly targeted attacks carrying malware downloads, has increased in popularity and is greatly aided by the information people post on social media. Whilst they may be posting perfectly legitimately to their own account, criminals who have targeted an organisation may well stalk its employees' accounts. This is done in an attempt to gain knowledge of the workings, employees or practices that may help them develop a successful spear phishing attack or CEO scam (where unwary employees are tricked into handing over money or information to someone they believe to be a senior member of staff, management or the boardroom team). Raising awareness of this kind of threat should also form part of training and be carefully explained as a protection for all. It is much the same as knowing you should not post on Facebook precisely when you are going on holiday, in order to reduce the risk of burglary. The kind of personal information and inadvertent 'work' data people post online could provide a rich seam of information for those whose intent is criminal. We also need to make sure that employees are not posting or sharing things that are valuable or sensitive to the business or, in the case of a disgruntled employee, harmful to the employer or its staff. (Perhaps a glance at your Employee Handbook and Leavers Policy might be a good idea at this juncture too.)
- Define who can access what, how and with rules around online behaviour via an explicit policy and enforce the policy to make sure it becomes culture.
- Have explicit policy on Bring Your Own Device and again, carefully enforce it. If you have no policy, deal with this straight away. If your employees are acting on social media posts on their own devices while connected to your network, it is risk you do not even have sight of.
- Train staff who use corporate social media accounts to recognise bots, spam content and dangerous links and encourage them to share warnings with staff in general.
- Do not leave senior management out of scope of policy or training. Research from Thomson Reuters tells us they are some of the worst offenders in poor data handling practices; bringing them into the management of risk, as a source of risk, may be one of the best improvements to your training and response you can make.
People will do whatever they think best or most convenient in the absence of policy, and that becomes culture; as we know, culture eats strategy for breakfast. It will also become de facto policy if left unchecked. Leaving any of the behaviours above unchecked could increase risk not only to the organisation but to its connected ecosystem too. We have a responsibility toward our supply chains to be resilient and secure.
Take a look at your Social Media policy today and any connected policies such as BYOD and perhaps think about ways to harden them.
Posted by Ellie Hurst on 30th May 2017