Social networking sites are online platforms that allow people to connect with each other and build interpersonal relations. They have become a vital part of modern life and their use is increasing rapidly. Examples of such sites include LinkedIn, Facebook, MySpace, Twitter, Pinterest, Google+, Instagram and so on.
Social networking has revolutionized the information and communication ecosystem, broken down the barriers of traditional marketing of goods and services, and redefined how individuals, churches, organized groups and organizations reach out to families, friends, customers and the general public. Hence its widespread adoption by organizations and individuals in their daily activities.
The benefits accruing from the use of social media are enormous, and one should not underestimate its potential and usefulness. Each social networking site has its own purpose and features. For example, sites such as Facebook and Twitter connect friends, family and so on, while a site such as LinkedIn helps users share professional profiles for employment or job opportunities.
To many organizations, social networking is an amazing marketing tool that enables them to get their names out in front of established and potential customers without spending a lot of money. A lot of organizations turn to interns to create Facebook posts or send out regular tweets on Twitter, or they hire a freelance social media expert who can keep the company’s name in the public eye for a fraction of the cost of a full-time employee.
Individuals likewise use it to market their goods and services, and to help bridge the communication gap created by geographical and location differences.
Educational organizations have adopted social media widely, forming social media groups for courses, classes and study groups where assignments and information are shared among students, lecturers and others.
Again, through social media platforms like LinkedIn, organizations are able to scout for talent, while individuals are able to land lucrative jobs through the platform based on the personal information and other data they upload to their profiles.
However, just as a coin has two sides, social media can be an organization’s or individual’s worst security nightmare.
According to research by the security software firm Trend Micro, 91% of cyberattacks begin with a “spear phishing” email aided by social media. Again, research by the SANS Institute indicates that 95% of all attacks on corporate networks result from successful spear phishing.
Attackers or crackers have been leveraging social media to spread malicious software (malware) and to circumvent organizations’ security perimeters, firewalls and antivirus. They do this by baiting individuals within the organization (a technique known as social engineering) into clicking on malicious links or opening malicious emails, which gives them access to the organization’s internal network. Once inside the network, they move laterally, escalate their privileges, do the damage, and cover their tracks upon completion of their missions.
As a participant at a recent cybersecurity event organized by CyberLab Ghana (CyberLab Ghana Cybersecurity Conference held in Accra, 26th March 2019), I watched in awe during a presentation by a penetration tester (pentester) demonstrating how he is able to breach his targets during pentesting assignments against organizations that boast of being ISO 27001 certified, compliant with all the cybersecurity regulatory frameworks et cetera, with their perimeters secured by firewalls, the latest antivirus updates and all the fine security policies and mechanisms in place. These were all accomplished by phishing individual employees of those organizations with the help of social networking, where he’s able to harvest and mine information about individuals working in the organizations and profile them for his exploits and his attacks.
As a Cyber Security Practitioner, I have come to accept how powerful a tool social media can be, and would describe it as a Swiss Army Knife and a Gold Mine to the Hacker or Attacker in the pursuit of exploiting his prey and attacking his targets.
Hence the writer is, in this context, wearing the cap of a hacker, a cracker or the bad guy, as it is perceived, to shed light on social networking from the perspective of the hacker, cracker, attacker and cybercriminal. The aim is to educate individuals and organizations about their activities on social networking sites and how they are arming the adversary with data and information to be used against them, and to proffer solutions that enable them to browse smart and stay safe on the internet and social networking sites.
I must emphasize that every hacking or penetration testing assignment begins with footprinting and reconnaissance, which involves discovering the technical environment of the target. This is the stage where the attacker does all the research to collect the information needed to penetrate your network and unleash exploits to perpetrate their crime.
This is achieved through the use of search engines like Google, people search engines, job sites, Internet archives and social media, and by social engineering users, et cetera. Social media and networking sites have proven to be an effective and rich source of personal and organizational information for adversaries, and have thus become a preferred source of information. This is the first of a series of articles on this subject. Watch out for more revelations in the next two or three issues of the newspaper.
Author: John Dadzie, Member, Institute of ICT Professionals Ghana; Network Engineer, National Health Insurance Authority (NHIA)