Information security is not just about protecting our data through technology. Only through a holistic approach, using technical, administrative, and physical controls to ensure defense in depth, can individuals and organizations hope to avoid costly compromise. Education, policy, and governance can help organizations improve their security posture across the enterprise. This article approaches security from the individual’s role and responsibility in data protection through thoughtful, deliberate information sharing.
Open-Source Intelligence (OSINT): Handing Data to Bad Actors
As our society continues to expand its social presence online, the amount of data available about individuals increases exponentially. That is not mere hyperbole. Consider that most people who have a social media account likely have several. The lines between professional discourse on the likes of LinkedIn and personal opinions shared through Twitter, Instagram, and Facebook have become blurred. Add to this the fact that, for most people, there is no distinction in persona between platforms. The result is a correlation field day for would-be attackers who seek to infiltrate organizations and do harm. Data is one of the most valuable commodities available today. With enough identifiable information about an individual or organization, it is only a matter of time before that commodity is used to do harm.
One root cause is open-source intelligence, known broadly as OSINT. The value of this information stems from three primary facts: 1) it is freely available, 2) it is not illegal to collect it, and 3) we give it up willingly day in and day out.
Consider the following scenario: a young, motivated tech worker lands their very first job in IT. They have been working their way through school, picking up whatever certifications they can along the way, and FINALLY ace the interview with a mid-sized private organization. Being adept at social media—not to mention over-the-moon about their first tech job—they post a quick self-affirmation Tweet: “I GOT THE JOB!! #NewJob #Tech.” Many likes and interactions ensue. Shortly after, they create their very first LinkedIn profile and list their new position and employer proudly. They immediately begin to seek out their new co-workers on the platform, follow them on Twitter and connect on LinkedIn. They discover a private Facebook group for their employer in someone’s profile and send a quick request to be added.
This all seems—and is, on its face—pretty innocuous. It is also a very common series of events for young professionals who have grown up as digital natives. Most of our friends and colleagues are also leveraging social media; and for geographically diverse (and now mostly remote) workforces, these platforms provide connection and collaboration on a global scale. The problem is the information that is being shared can be quickly aggregated and correlated to create targeted campaigns to compromise and exploit an organization. Let’s take a look at some of the possible vectors that could lead to a bad actor gaining access.
Making ourselves easy targets via social media: What data are you sharing?
First, the new employee has just spent 4 years in college, sharing lots and lots of personal accomplishments, challenges, and more than a few not-so-professional photos over that time. No judgment about that. It is a time of learning and, frankly, acting like a kid without adult supervision. So, we know from some older Twitter posts that our new employee was a member of some social groups at their school. We also know the name and location of the school. Additionally, their Facebook page links them to several family members and friends from their hometown—which is not the same location as the college they attended. We have a plethora of personal information about this individual. But we also have information about people they know.

This brings us to the second phase of our intelligence gathering: LinkedIn. Now that we know about the individual personally, we can dig into their professional data. Since we know they just got a job (and from the level of enthusiasm, it was probably their first career-focused gig), we should be able to narrow them down quickly on LinkedIn (even if they have a super common name). Profile pictures from various social media can help pinpoint the account, and we can start collecting data on this person and their employer. Being proud of a new job is not a bad thing, but it also means that they likely put a lot of detail into their profile: job title, immediate supervisor, and other useful information. A quick check of the company, and we can likely trace the chain of command from the CEO on down. Somewhere along this line, we can probably find an e-mail address of someone at the company. That gives us the format of e-mail addresses for employees. If it is name-based, we now have direct contact information for just about anyone who works there, including our new employee, who has unwittingly provided us with a clear path to what they might consider private information.
What does our haul of data look like so far? Here is a quick list of possible information we could have gathered to this point:
- Name
- College attended
- Siblings and parents’ names
- College major / degree(s) earned
- Social history (college and maybe even high school)
- Interests, hobbies, travel background
- Proud moments from their past (and maybe a few not-so-proud)
- Hometown (maybe even an address)
- Company (along with general contact information)
- Head of company
- Direct supervisor
- Team members
- Job title
- Professional e-mail address
That is an awful lot of information for what probably takes an hour or two to research. Digging deeper into any one of these areas will likely reveal more personal information (private e-mail addresses, phone numbers, significant other(s), and more).
So how is this relevant if I am a nefarious social engineer looking to infiltrate this individual’s organization? Let’s walk through how I might exploit this newfound knowledge to weasel my way through the gates.
Common Cyber Security Attacks Using OSINT
My first vector might be direct contact through e-mail. Spear phishing (that is, malicious e-mail sent to a specific group or individual) is a very effective means of gaining trust and entry. Clumsy though it might be, by spoofing the e-mail address of a manager—or, more likely, a member of senior leadership—I could send a direct message requesting information about something confidential. This is a vector I have seen time and again in the wild. The message might go something like this:
Hi {name}. {Fake CEO type} here. I’m in a sales meeting and I need some client information for last month. Go get the contract values for our top three clients and just text it to my mobile phone—{Burner Phone Number}. I can’t talk right now, but this is urgent!
Now, if this individual is young, looking to impress, and terrified at the prospect of being disciplined for ignoring an executive, there might be no hesitation. They would dutifully track down that information and send it off as quickly as possible, “Look what I just found! Not only do I know the organization’s top three clients, I also have the value of those contracts.” That is a simple, and maybe not terribly damaging, attack. However, it could have very real consequences if an attacker is looking to sell contract data to competitors.
Let’s try another attack using e-mail. The goal of this is to gain access information for the organization’s network:
Hey, {name}. Glad to have you on board! This is {Found Name of Network Engineer from LinkedIn} over in Network. We need to confirm your credentials for the VPN. Can you follow this link and test your username and password for me? {Malicious Link spoofed to look like a company intranet site} –Thanks!
Again, the success rate of something this blatant may not be high, but it is definitely not 0%. The saying goes, “Defensive security has to stop attacks thousands of times, but an attacker only needs to successfully breach the defenses once.” And, in this scenario, the name (and the spoofed e-mail address built from it) the attacker used came from OSINT gathered on LinkedIn. All because the new employee was excited and motivated about the new job and wanted to share it with their friends and family.
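The two lures above share a handful of signals a mail filter can score without any knowledge of the attacker: a harvested staff name on an external sender, a Reply-To that does not match the sender, urgency, a request for credentials, links to look-alike hosts, and a push to an out-of-band phone number. The following is an added example (not code from the article); the company domain, the staff directory, the thresholds and the sample messages are all constructed.

```python
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.test"  # constructed, hypothetical company domain
# Constructed directory: names an attacker could harvest from LinkedIn
KNOWN_STAFF = {"dana ortiz": "CEO", "lee park": "Network Engineer"}
URGENCY = re.compile(r"\b(urgent|right now|immediately|asap)\b", re.I)
CRED_ASK = re.compile(r"\b(username|password|credentials)\b", re.I)
LINK = re.compile(r"https?://([^/\s]+)", re.I)
OUT_OF_BAND = re.compile(r"\b(text|call)\b.*\b\d{3}[-.]\d{3}[-.]\d{4}\b", re.I | re.S)

def domain_of(header):
    # Lower-cased domain of an RFC 5322 address header ('' if absent)
    return parseaddr(header)[1].rpartition("@")[2].lower()

def is_company_host(host):
    host = host.lower()
    return host == COMPANY_DOMAIN or host.endswith("." + COMPANY_DOMAIN)

def analyse(msg):
    """Return indicator strings for one message (dict with From, Reply-To, body)."""
    findings = []
    name = parseaddr(msg.get("From", ""))[0].strip().lower()
    sender = domain_of(msg.get("From", ""))
    if name in KNOWN_STAFF and sender != COMPANY_DOMAIN:
        findings.append(f"impersonation: '{name}' ({KNOWN_STAFF[name]}) sent from {sender}")
    reply = domain_of(msg.get("Reply-To", ""))
    if reply and reply != sender:
        findings.append("Reply-To domain differs from sender domain")
    body = msg.get("body", "")
    if URGENCY.search(body):
        findings.append("urgency pressure")
    if CRED_ASK.search(body):
        findings.append("credential request")
    findings += [f"link to external host {h}" for h in LINK.findall(body) if not is_company_host(h)]
    if OUT_OF_BAND.search(body):
        findings.append("request to move to an out-of-band phone channel")
    return findings

def is_suspicious(msg):
    # Two or more independent indicators is the (constructed) alerting threshold
    return len(analyse(msg)) >= 2

# Constructed sample messages modelled on the two lures described above
CEO_LURE = {"From": "Dana Ortiz <dana.ortiz@gmail.example>",
            "body": "I'm in a sales meeting and need last month's top client contract values. "
                    "Text them to 555-010-0199. Can't talk right now, but this is urgent!"}
VPN_LURE = {"From": "Lee Park <lee.park@example-corp.test>",
            "Reply-To": "it-helpdesk@examp1e-corp.test",
            "body": "Glad to have you on board! We need to confirm your credentials for the VPN. "
                    "Please test your username and password at http://intranet.examp1e-corp.test/vpn"}
BENIGN = {"From": "Lee Park <lee.park@example-corp.test>",
          "body": "Welcome! Team lunch Thursday, details on http://intranet.example-corp.test/events"}
```

Each lure trips three independent indicators while the benign welcome note trips none; in practice the staff directory would be fed from the HR system so that the same names the attacker harvests are the ones the filter watches for.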
What we share on social media is out there for the world to consume. This data is being aggregated non-stop by individuals, groups, companies, and governments. It is not always for nefarious purposes. Companies collect consumer data to gain an edge and better understand the market for their products and services. Special interest groups seek out new members through the collection and filtering of data. I recently had a coworker who was able to reach out and help a second-degree contact on LinkedIn who was in personal crisis by tracking down a direct relative of that individual to reach out. There are myriad good uses of OSINT. But it is extremely easy to see how it can be quickly and effectively misused and twisted for personal, financial, or even state-sponsored bad-faith activity.
How to Protect Our Data on Social Media
So, what can be done about it? The easy answer is to just shut down all our social media accounts and never post anything personal online again. But that is not a realistic, or even practical, solution. We use social media for professional and personal collaboration. Over the past year-plus of quarantines and lockdowns due to the global pandemic, it has been a lifeline for many people and organizations to remain connected to one another and the world at large. To simply “shut it down” would be foolish and unrealistic.
A much more pragmatic approach is to educate ourselves as much as possible. Recognizing that there is danger in sharing too much information is an incredible first step. Understanding that data aggregation and correlation can be used against individuals and organizations alike can help drive more responsible behavior on social media for all our staff.
One of the biggest steps anyone can take to protect themselves on social media is to be deliberate and thoughtful when posting any information. Notably, when we share images, we need to recognize that it is not always what is in focus that can be harmful. Take, for example, the U.S. Congressman who tweeted a photo of his monitor, complete with his Gmail password and PIN visible on sticky notes. In what could only be described as an escalated emotional state, this individual shared exceptionally sensitive, personal data. It was certainly not his intention to do so, and the notes were not meant to be the focus of the image. However, it was quickly recognized and shared tens—if not hundreds—of thousands of times on Twitter over the next few hours. Ultimately, it was picked up by major news outlets, and his emotionally charged statement became a footnote to the potential damage of sharing such information publicly. In a recent interview, a prominent social engineer made it very clear that posting without recognizing what data could be exploited is extremely dangerous. She, herself, says that she will likely never “feel safe online.”
It is also important not to make it easy to correlate personal information with professional. There are plenty of ways to use knowledge of an individual’s personal life (family, friends, history) to exploit their professional relationships. Consider the idea that our new employee from earlier may have had a long-term relationship in college with someone who now has managerial responsibility and a high-profile position with a large corporation. Because I was able to correlate all the professional social media accounts of the employee with personal accounts, this information is readily available to me. I could exploit this past relationship to gain trust and entry into that person’s professional life. Posing as a newer “friend” or even colleague of the employee, I could reach out to their former partner and gain immediate credibility. The fact that they are no longer together would decrease the chance that this person might reach out to verify my identity. This newly established contact could potentially lead to gaining deeper insight into their organization (possibly a much higher value target than the mid-sized firm where our original target works).
Stay Vigilant When It Comes to OSINT
What we share publicly matters. It may seem trivial to post a picture of your team in the training room having a grand time (maybe even just sharing lunch together), but the faces in that crowd can be tracked down and relationships can be exploited. The writing on that big whiteboard in the background can be easily read (and often may include things like Wi-Fi passwords). There appears to be little harm in sharing accomplishments like a new job or promotion on our social media accounts, but take care to avoid mistakes like linking information across personal and professional boundaries, or sharing photos and details that could be exploited by an attacker. Social media has entrenched itself in our culture as necessary and useful. And it very much can be that. Educating our staff and ourselves to the dangers of oversharing on these very powerful platforms is a critical step toward protecting our organizations and our own interests.