Social networking sites are online platforms that allow people to connect with each other and build interpersonal relations. They have become a vital part of our modern life and their use is increasing rapidly. Examples of such sites include LinkedIn, Facebook, MySpace, Twitter, Pinterest, Google+, Instagram and so on.
This has revolutionised the information and communication ecosystem, broken down barriers to traditional means of marketing goods and services, as well as redefined how individuals, churches, organised groups, and organisations reach out to families, friends, customers and the general public – hence their widespread adoption by organisations and individuals in their daily activities.
Benefits accruing from the use of social media are enormous, and one should not underestimate its potential and usefulness. Each social networking site has its own purpose and features. For example, sites such as Facebook and Twitter may connect friends, family and so on, while another site such as LinkedIn helps users to share professional profiles for employment or job opportunities.
To many organisations, social networking is an amazing marketing tool that enables them to get their names out in front of established and potential customers without spending a lot of money. A lot of organisations turn to interns to create Facebook posts or to send out regular tweets on Twitter; or they will hire a freelance social media expert who can keep the company’s name in the public eye for a fraction of the cost of a full-time employee.
Individuals, likewise, are using it to market their goods and services in addition to helping bridge the gap in communication created by geographical and location differences etc.
Educational organisations have adopted social media widely by forming social media groups for courses, classes and study groups, in which assignments and information are shared among students, lecturers etc.
Again, through social media platforms like LinkedIn, organisations are able to scout for talent whereas individuals are able to land lucrative jobs through the platform based on the personal information and other data uploaded by the individuals in their profiles.
However, just as a coin has two sides, social media can be an organisation’s or individual’s worst security nightmare.
According to research by security software firm Trend Micro, 91% of cyberattacks begin with a ‘spear-phishing’ email aided by social media. Again, research by the SANS Institute indicates that 95% of all attacks on corporate networks are the result of successful spear-phishing.
Attackers or crackers have been leveraging social media to spread malicious software (malware) and to circumvent organisations’ security defence perimeters, firewalls and anti-virus by baiting individuals within the organisation (a technique known as social engineering) into clicking on malicious links or opening malicious emails, in order to gain access to the organisation’s internal network. Once they land inside the network, they move laterally, escalate their privileges and do the damage, and thereafter cover their tracks upon completion of their missions.
As a participant at a recent cybersecurity event organised by CyberLab Ghana (CyberLab Ghana Cybersecurity Conference held in Accra, 26th March 2019), I watched in awe during a presentation by a penetration tester (pentester) demonstrating how he is able to breach his targets during pentesting assignments against organisations that boast of being ISO 27001 certified and compliant with all the cybersecurity regulatory frameworks et cetera, and of having secured their perimeters with firewalls and the latest antivirus updates, with all the fine security policies and mechanisms in place.
These were all accomplished by phishing individual employees of those organisations with the help of social networking, where he’s able to harvest and mine information about individuals working in the organisations and profile them for his exploits and attacks.
As a Cyber Security Practitioner, I have come to accept how powerful a tool social media can be, and would describe it as a Swiss Army Knife and a Gold Mine to the Hacker or Attacker in the pursuit of exploiting his prey and attacking his targets.
Hence, the writer in this context is wearing the cap of a hacker, a cracker or the bad guy as it is perceived, to shed light on social networking from the perspective of the Hacker, Cracker, Attacker and the Cybercriminal, so as to educate individuals and organisations about their activities on social networking sites and how they are arming the adversary with data and information to be used against them, as well as proffer solutions to enable them to ‘browse smart’ and stay safe on the Internet and social networking sites.
I must emphasise that every hacking or penetration testing assignment begins with footprinting and reconnaissance, which involves discovering the technical environment of the target. This is the stage where the attacker does all the research to collect information needed to penetrate your network and unleash exploits to perpetrate their crime.
This is achieved through the use of search engines like Google, people search engines, job sites, Internet archives, social media, and social engineering of users, et cetera. Social media and networking sites have proven to be an effective and rich source of personal and organisational information to adversaries, thus becoming a preferred source of information.
This is the first in a series of articles on this subject. Watch out for more revelations in the next two or three issues of this newspaper.
The author is a Member of the Institute of ICT Professionals Ghana and a Network Engineer at the National Health Insurance Authority (NHIA).
Phone No: +233 244 503 883