I recall (approximately 8 years ago) reading an impressive poster on Social Engineering at a well-known manufacturing company in Silicon Valley. The poster contained sensible advice for dealing with unsolicited phone calls, "chance" conversations, and the importance of discretion when discussing corporate matters on planes, trains and automobiles. It also covered tailgating and the "risk of gallantry", the social and psychological tricks used by experienced practitioners to "project belonging", the need for vigilance in public spaces, and of course the "clear desk policy" and appropriate security of corporate assets. Our workforces were equipped to deal with the primary aspects of exposure.
The advice (like all good advice) was clear, concise, relevant and accessible. With the advent and exponential uptake of Web2.0, however, I wonder what a similarly intentioned poster should convey today.
LinkedIn, Facebook, Plaxo and the proliferation of associated groups provide a rich hunting ground for the Social Engineer. Companies can be profiled in considerable detail: names, departments, reporting structures, nature of business, personal links and networks can be mined to provide a basic "mapped framework". It would not be difficult to sift these sites for information to use in "impersonation attacks", then Social Engineer additional information through email or telephony channels. Worse still, with no identity management (i.e. no established trust), it is simple to create fake pages, groups and details and use these to link the unwitting. A very interesting topic for future discussion (but perhaps of grave concern in terms of information freedom) would be the creation of trusts and identities to "validate" Web2.0 profiles (personal certificates for Web2.0, anyone?).
I don't want to be alarmist. I am in fact one of the greatest evangelists of collaborative technology (having worked on groupware projects since 1993). Indeed I am resolutely against those who seek to ban access from corporate networks (this is not a solution). I think the ubiquity of these technologies and their genuine usefulness in conducting business and expanding networking possibilities is immense.
That said, does your business attempt in any way to train your staff on the potential dangers of these sites? Do you have a view of the key dangers that should be addressed? Do you have relevant corporate security policies? I offer some suggestions for areas of consideration:
1. Discussion of confidential information in a closed group could be extremely unwise (you do not really control the security of the group, despite the best intentions of the provider).
2. Fake groups or unofficial groups could be created with good or bad intentions. Corporations finding unofficial groups using their name and branding should seek to intervene and gain some degree of control. Lambasting the group's creators (assuming their intention is genuine) is foolish, as this simply indicates you were too slow to embrace Web2.0 in your corporate IT landscape. This is a wake-up call that you have lost touch with an emerging and dominant demographic.
3. How much of your business, in terms of personnel, roles, responsibilities and professional activities, can be profiled? Links to friends in the same business can be used to elicit and deduce further intelligence. Do you have any guidance for personnel identifying themselves as members of your organisation?
4. Public comments from identified staff could be detrimental to the reputation of the business. Marketing and IT Security need to work hand in hand on the identification of "damaging" (or potentially damaging) material.
The proliferation of Web2.0 opens a huge number of holes in the sieve of corporate intelligence. What are you doing to understand and mitigate your exposure? Do you have corporate policies and security guidelines, underpinned by an auditing mechanism? Do you provide advice on safe and positive self-marketing?
Empowered employees can act as corporate ambassadors, and an entirely new (highly scalable and highly distributed) channel can be leveraged for your marketing goals. Lose control of your employees in Web2.0, however, at your peril!