Social network era: how safe is your information assets
Below is part 1 of the presentation I made at Infosec2014 seminar on 20th August 2014 at Hotel Africana Kampala, about the risks posed by social media. This is a must read to improve your security online.
The answer is: “your data is not safe” as I will demonstrate in the following five part series. Below is part 1.
“How many of you know of a person who has ever died of a snake bite?” Great attempt. No one has ever died from a snake bite. They all die from the snake Vernon or poison that circulates in their bodies after a snake bite. If the snake is not poisonous, victims of snake bites do not die.
Social media is like a snake bite. On one hand there is you – the user, who keeps on updating your statuses with lots of personal, business and all kinds and types of data and there are people out there, crawling the internet looking for this kind of information about you – some are hackers, others are intelligence people – looking for public data. Just like a snake, collecting information about you off the Internet is not bad. It is what they use this information for that kills.
Do they sell it to the underground economy so that someone may steal your identity both on or off line? Do they sell it to spammers and Internet marketers so that you receive lots of unsolicited mail which negatively impacts your productivity through slowed speed of your machine, lots of time spend deleting junk emails from your inbox or they package the information and sell it to your competitors or enemies to bring your career and life down?
The bad news is that the bad guys (hackers) are winning the good guys (IS security managers). Here is why I say so:
The bad guys are highly motivated. Either they have a cause – hacktivists or have a financial motivation to gain once they succeed exploiting your system. On the other hand, the good guys are lazy, laid back folks in their offices waiting for the next salary increment. In fact, these guys are just complaining about a salary increase.
The bad guys have time and are patient. “As Tsan Tzu puts it: in any war, whoever has more information has better chances of winning the war. More information is gathered during the planning stage, than actual fighting. The bad guys have more time to plan and collect more information about their targets than the good guys in offices. Plus, the good guys have little information about the bad guys. It is easier to annoy a good guy, and for that reason, they are impatient and have little time.
The good guys can easily be caught off guard. The good guys have so many obstructions. They also have limitations as they work in a very bureaucratic environment. The bad guys, on the other hand, are swift and very skilled. Their location is not defined and is very coordinated. They work together at a low cost unlike the good guys who are restricted in terms of information sharing due to sensitivity of their operations and company policies and procedures.
These and more reasons make social networks very risky. The guys with the critical information are not well educated. Take a case of a CEO, with an official company mobile device (iPad). This person has a son or daughter at home fond of playing iTune games. When the CEO gets home, the daughter takes over the iPad and starts downloading any software of interest oblivious of the dangers therein. In the end, targets attacks like key loggers are easy to find their way on the CEO’s iPad and before you know it, they are victims of cyber-attacks.
Social engineering makes it easy to collect information about targets and use it to develop specific attacks based on their interests, hobbies or user activities on line. Are the CEO’s gamblers, gamers or YouTube addicts? Specific attach vectors will be developed and targeted at them based on the information they have posted on line. When you post a movie, document or photo on the Internet, they have specific metadata which a cyber-investigator or hacker is able to access and examine for critical data about the author.
To be continued.
Copyright Mustapha B Mugisa, 2014. All rights reserved.