Education is needed to convey to your network users that the stakes here are high. Even if the intruder isn’t seeking a dime from your company, the potential cost with respect to response, data loss and reputation can be crippling. As indicated, the vast majority of these incidents are the result of your users’ social-media behavior. Actually, the exploitation of social media for the purpose of malware attacks is growing at the same or at an even greater pace than the overall use of these sites. Online tools – like the popular, URL-shortening ones for Tweets – are very handy in masking malware threats, and a lack of security-savvy on the part of users establish social networks as a virtual playground for cyber criminals.

In seeking to avoid fallout from this that would impact your business, we at Cyveillance strongly advocate the following five-point plan for our customers a plan that has helped us earn recognition by industry-research leader Gartner Inc. as a top provider of the surveillance/collection/analysis of social-media activity for commercial-organization networks:

1. Launch a social-media policy. We realize that many of our customers already have a policy in place. We examine it, however, to get a sense of whether it’s up to date. Social media changes all the time. Legal documents do not. We look to see whether the policy addresses “real” modern-day concerns about social media, or if it’s really just a copy/paste of some antiquated HR form. Here as some questions to consider within the policy: Is it OK for employees to say that they are representing the company on Facebook, Twitter, etc.? If so, what are the guidelines as for appropriate content to post?

2. Train everyone. As stated before on this blog, your weakest link can be your most uninformed employee. Printing and distributing a policy is fine. But reinforcing it with training is even better. Don’t lecture them. Instead, engage in interactive workshops or computer-based training sessions to test their awareness of the latest social engineering attack techniques. Too many organizations put all of their focus on firewalls and passwords. These days, hackers don’t necessarily need to know how to get around these measures to do damage. They just need to get a single user within the network to trust them via a cleverly disguised email.

3. Establish the significance. Meaning, make sure your users realize how important it is to remain informed and alert. If your logo is used to support some kind of malware scheme, for example, your future relationships with customers and partners will suffer. As conveyed previously, there’s tangible, bottom-line value in a company’s reputation. Within minutes, a successful intrusion can crush the good reputation that an organization has been building for years.

4. Don’t try to do it all on your own. Social media is a very, very large universe. In fact, nearly 56 percent of Internet users in the U.S. use some type of social media, according to the Pew Research Center. That translates to a lot of traffic to monitor. Consider tools such as social media monitoring solutions and protection appliances to address this need for you.

5. Keep it current. No matter what tools you use – as well as intrusion techniques you share with users – make sure everything is up-to-date. The entire landscape of social media and the methods used to exploit it are in a constant state of rapid transformation. What worked this month won’t necessarily work the next. Your security team needs to stay on top by constantly educating and re-educating itself and company staffers on the latest trends.

The bottom line is that – in the “share more, not less” world of today criminals can easily obtain the information needed to craft emails that can fool even the most savvy of users. With no “silver bullet” solution to thwart all intrusion attempts, the best practice is to educate users to make decisions, and equip yourself with the best monitoring tools to detect attacks in progress.

James Brooks, Director of Product Management, Cyveillance

Question to consider: What essentials do you feel are needed in a social-media policy?

Two Australian girls, ages 10 and 12, got stuck in a storm drain. To get help, they whipped out their smartphones and posted Facebook status updates to say they were lost in a local drain, and someone needed to call 000 (Australian 911).

Now, if you read that summary and concluded, “OK. So what? That’s what I’d do in the same situation,” consider yourself as part of a generation in which social media remains fully immersed within practically every facet of your life.

If you’re like me and say, “Wait…What?! They had phones in their hands and they posted Facebook updates asking someone to call the rescue brigade?!,” then you’re clearly a degree or two removed from this typically younger demographic.

Ironically, however, it’s members of the older generation – the ones who would call 911 instead of asking Facebook friends to do it for them who are often the biggest targets for socially-engineered attacks. That’s because higher-level executives with more access to valuable data tend to fall into this category. This, in turn, makes them more vulnerable. They may be connected to social media (or not, see here for an interesting case of what can happen then), but they’re often not as sophisticated in using it as younger employees are.

Think about it: For many in their 20s, social media is like running water or electricity. There is simply no conception of technology as distinct from daily existence, nor a comprehension of living, working, playing or socializing without it. For older users, technology is a topic, a tool, a discipline. They didn’t grow up with all of “this stuff.” Some are happy to use it, but don’t see it as integral to every aspect of their personal or profeesional lives.

This generational gap – where the least social-media savvy employees are most likely to be the prey in a highly targeted attack – presents a significant risk to corporate and government organizations. One need only read the details of the penetrations of Google, Conoco or RSA to see how public information and social media have become the tools of choice for achieving significant penetration and data exfiltration.

To make these well known cases more “real”, let me actually step through this hypothetical but otherwise very realistic scenario: Let’s say I’m a data thief and I know that executive Joe Smith works for a high-profile IT contractor that serves key DoD agencies. (The company here could just as well be a law firm, an accounting company or a widget maker.) I also know from an easy online search that he’s a big booster for his old college’s football team. So guess how easy it would be for me to come up with a completely believable email to send to Joe about the team, in anticipation that he’ll click my infected Web link to get more information?

The answer: incredibly easy, and that one click is often all I need to compromise the network of the company that employs Joe. (If you’re not sure why that’s true, see our White Paper here on A/V Detection Lag Times).

To mitigate these risks, organizations must come up with standard-operating procedures that allow the senior executives to anticipate, identify and avoid socially-engineered attacks. And all users on the enterprise should take a long, careful look at the extent of information they publish on sites such as Facebook, Twitter and LinkedIn. They need to “think like a data thief,” examining what’s posted “out there” relating to their job duties, associated customers/vendors/partners, building location, e-mail, phone and other details to get a sense of how vulnerable they could be and what information about themselves a hand-crafted attack would likely contain or leverage.

Consider educating your workforce – especially the senior members – about these scenarios as a “Safe Social Media Usage 101” ongoing seminar of sorts. It’s one that would provide great, lasting value, regardless of where your users fall within the generational divide.

Eric Olson, Vice President/ Solutions Assurance, Cyveillance

Question to consider: How up-to-date are your users – especially senior executives on socially-engineered attack methods?

And here’s another troubling wrinkle: These criminals aren’t gaining access to networks to exclusively steal money anymore. No, these days, your network’s data commands the big dollar signs.

To protect themselves, those overseeing enterprises must dispense of badly outdated stereotypes about would-be intruders. Especially the one in which the hacker is some pimply faced kid pecking away solo in his parents’ basement. This kid has grown up, now a member of a thriving, sophisticated organized crime ring – possibly with deep connections to international syndicates or rogue nations in Eastern Europe, the Middle East or Asia.

The mob once dealt in liquor, gambling and other vices. Now, it’s all about the black market for information. The organized cyber-crime syndicate could be on retainer to obtain secrets from the Pentagon or U.S. Department of State. Or the data of interest could be the molecular blueprint of a pharmaceutical company’s developing wonder drug – a valuable “purchase” for a competitor. Or a food retailer may be willing to pay a small fortune for details on the expansion plans of a rival. It could be one of these or any number of countless scenarios in which information commands an asking price.

Once the terms of an agreement are reached between the buyer and the criminal ring, the strategies of intrusion are deployed. As described in detail by Manoj, the most popular technique involves getting inside network users to unwittingly open an emailed link that’s really malware.

You may think that your network users are above that sort of ruse, but people use multiple ways to connect to your network (i.e. working from home, non-corporate or personal mobile devices); which only broadens the attacker’s vectors of access and points for trust. Keep in mind that the phishing scammer here simply needs one ill-advised click. That’s it. Even relatively savvy users can lapse into a weak moment, perhaps during an especially frazzling day when they’ve been multitasking for hours and are attempting to swiftly go through their in-box before heading home. That’s the kind of moment the hacker is waiting for, because mental fatigue + urgency = a ripe opportunity for that much-sought click.

Keep in mind that once in the network, it’s time to mine for the information. If the intruder keeps a low profile – not taking part in any activity that would raise any suspicions among those monitoring the network – he can settle in for the long haul and keep gaining access to data. And consider the wealth of information within that can be exploited for ill-gain: intellectual-property, sensitive financial reports, R&D innovations, hiring plans, salary structures and other confidential personnel information.

Because so many users are combining “work” with personal tech, hackers can further expand their market reach. Information about corporate executives, for example, is highly valued because they usually have a “clean” background record and such a record is valuable for black-market operatives. These operatives will use the records to create bogus passports, visas and driver’s licenses to allow dubious characters from foreign countries to arrive here while avoiding a watch list.

All it takes is one bad click to unleash all of this access. If you’re not taking pro-active steps to thwart these data thieves, are you prepared to deal with the consequences?

Terry Gudaitis , Ph.D., Cyber Intelligence Director, Cyveillance

Question to consider: What are you doing to pro-actively monitor and prevent unauthorized access to information on your network?

I tell them that it’s not really about some highly advanced but ill-intended technological strategy. It actually boils down to a simple concept: building and exploiting trust.

That’s right. Yesterday’s hacker spent all of his time looking for holes in the network to exploit, to penetrate and trigger a malware attack. They cultivated legendary status as whiz kids of the tech underground who routinely outsmarted corporate IT security pros at their own game.

Today, these would-be intruders still command a high level of technological aptitude (not to mention unsavory attitude). But they are cultivating another highly useful skillset: the ability to manipulate the human behavior.

That’s because social media has changed everything.

Individuals and Organizations are now embracing the use of Facebook, Linkedin, Twitter and other outlets. As well they should. These sites are remarkably effective when it comes to peer networking and connecting with customers to get product feedback, test marketing strategies and build brand loyalty. However, not surprisingly, cyber crooks are flocking to social-media sites to plot their next attack. Why wouldn’t they? That’s where they can pinpoint executives and employees who hold key positions within the organizations that they seek to compromise. Because the very concept of social media encourages these professionals to display their business associations publicly, their corporate background is highly valued data that’s easy for the bad guys to find.

Once they zero in on which employees to target, they then work on the “trust” factor.

For certain, taking advantage of the human capacity for trust is nothing new. The term for the computer virus, Trojan, refers to the legendary deception of the city of Troy on the part of the Greeks, with that “gift” of a large, wooden horse. During Pontiac’s Rebellion, European soldiers were said to have given Indian natives blankets outside Fort Pitt, blankets that were intentionally infected with small pox. And Bernie Madoff is far from the first Ponzi artist to destroy personal fortunes by promoting a financial house of cards built upon the concept of trust.

Today’s cyber attacker – at least from a psychological standpoint – operates in very similar fashion. He’s a phisher who finds individuals who can lead him to where he wants to go within the network and emails them with some kind of message that, on the surface, brings something of value to the intended victim and raises sufficient curiosity to take some action. If that intended victim is a high-level finance executive, for example, the email could contain a URL to click on to find out about a new accounting regulation that’s in the works. A sales staffer could get an online invitation to download online coupons for discounts at a local golf club.

Only the URLs are simply disguised links to malware. Since anti-virus technology is typically based upon blocking signatures, it’s useless against this kind of tactic. That’s because the chances that the hacker’s signature hasn’t been seen before is greater than 99 percent. And if you haven’t seen it before, your anti-virus technology won’t block it. Web proxies are also generally ineffective as well. They’re intended to serve as gatekeepers to distinguish “good” URLs from “bad” ones. But they’re too often outdated, and it doesn’t take much effort for a phisher to come up with newer “bad” URLs that won’t get tripped up by the proxy solution.

Once inside the network, these hackers execute their intrusion in a manner very unique to the modern era. In the recent past, such intrusions were all about disruption. Today, they’re about stealth. The hacker doesn’t want to announce his presence. He’ll lay low for days, weeks and even months at a time, quietly looking for backdoor channels to gain credentials, so he can access more and further secure entry points within.

To fight this, education/training of enterprise users is necessary if not sufficient. They need to know how to spot suspicious messages, and to resist the natural inclination to click on a link that looks benign but really is a hidden front for malware. In addition to training, IT security staff must remain on top of phishing trends and pro-actively monitor their traffic for high-risk behaviors. And above all, next generation security systems must examine the content and context of the email along with the methods and behavior of embedded Web Page links to judge the trustworthiness of the emails

Ultimately, organizations need to realize that their weakest link is a curious employee who also happens to be a trusting one.

Manoj Srivastava , Chief Technical Officer, Cyveillance

Question to consider: How much training/education does your organization conduct with internal users on detecting and avoiding intrusion attempts?

The amount of attacks seen monthly is down compared to the first half of the year and could be related to the recent decline in spam, but the overall volume confirms that the problem of phishing is still easily one of the top threats on the Internet. Specifically, the use of more sophisticated and targeted attacks result in greater success and lucrative opportunities for online criminals. A recent story regarding socially-engineered attacks against High Value Targets (HVTs) in the Canadian government provides a great example of the danger this new breed of attack poses to organizations.

Organizations should continue to monitor for suspicious activity related to the attack described in the article above as well as educate their users on the latest threats that plague the Internet. Users can minimize the potential for falling victim to email and Web-based attacks by never clicking on links within emails and only accessing their online applications through known Web sites and pages.

Mind & Media took our content and subject matter expertise and packaged it in an engaging, interactive online training course that educates users on the risks found on the Internet. Knowing that employees are extremely busy, it was critical for us to present this information in comprehensive and efficient way to ensure the transfer of knowledge, safeguarding them and their companies. The fact that Mind & Media was able to pull together an exciting education program that incorporates the unique perspective our experts have acquired over the years in an easy to view presentation, should not be overlooked. Congratulations to Mind &Media for a job well done.

Companies can take proactive steps to strengthen their security posture and minimize potential damage from problems that arise in the social media environment. The steps start with addressing challenges effectively with a solid understanding of the authorized and vast numbers of unauthorized social media users within the company. Next, companies should have a formal education and training plan in place that meets the needs of all sides of the business. Further, documented social networking policies, ongoing monitoring and a strong organizational feedback structure are essential. For more information, see The Impact of Social Media on Corporate Security: What Every Company Needs to Know published by Cyveillance in Spring 2010.