Social networking has exploded in popularity so quickly that companies and individuals have not had much time to deal with the problems the technology has brought with it. Surveys taken in recent years have found that many companies either do not have a policy in place regarding social networking or are unaware of the risks. Only recently have people started to realize how large the danger is and that they need to take steps to protect themselves. Company policies should cover appropriate use of social media and networking sites at work as well as the kind of conduct and language an employee is permitted to use on those sites.
Currently about 40 percent of companies have implemented a social-networking policy; the rest have either suggested doing so or are not doing anything. Many individuals and companies have been burned or heard about someone else getting burned and have decided to do something about the issue.
Social networking can be used relatively safely and securely as long as it is used carefully. Exercising some basic safety measures can substantially reduce the risk of using these services. As an ethical hacker and security professional, consider recommending and training users on the following practices:
- Discourage the practice of mixing personal and professional information in social-networking situations. Although you may not be able to eliminate the company information that is shared, it should be kept to a bare minimum.
- Always verify contacts, and don’t connect to just anyone online. This is a huge problem on many social media networks; users frequently accept invitations from individuals they don’t know.
- Avoid reusing passwords across multiple social-networking sites or other accounts. A password leaked from one breached site is routinely tried against every other service the victim uses, so a single compromise becomes a mass compromise.
- Don’t post just anything online; remember that anything you post can be found, sometimes years later. Basically, if you wouldn’t say it in a crowded room, don’t put it online.
- Avoid posting personal information that can be used to determine more about you, impersonate you, or coax someone to reveal additional information about you.
To avoid problems with social networking, a company should employ a range of countermeasures. As a pentester, consider recommending the following techniques as ways to mitigate social-engineering attacks carried out through social networking:
- Educate employees against publishing any identifying personal information online, including phone numbers; pictures of home, work, or family members; or anything that may be used to determine their identity.
- Encourage or mandate the use of non-work accounts for social media and similar systems. Personal accounts on free-mail providers such as Gmail and Yahoo! should be used so that a compromised social-media account does not expose a corporate e-mail address or a corporate credential that an attacker could reuse against the company later on.
- Educate employees on the use of strong passwords for these sites, held to the same standard as the passwords they use, or should be using, in the workplace.
- Avoid the use of public profiles that anyone can view. Such profiles can provide a wealth of information for someone doing research or analysis of a target.
- Remind users of such systems that anything published online will stay online, even if the publisher later removes it: copies survive in search-engine caches, web archives, and screenshots taken by others. In essence, once something is put online, it never goes away.
- Educate employees on the use of privacy features on sites such as Facebook, and take the initiative in sending out e-mails when such features change.
- Instruct employees on the presence of phishing scams on social networks and how to avoid and report them.