In an experiment by Stephanie “Sn0ww” Carruthers, the chief people hacker at IBM X-Force Red, she attempted to enter a secured work area of a company using a fake employee badge. She was able to do this by using the social media posts of the company’s interns. Social media is a treasure trove of information for attackers. It acts as a public record for the user’s contacts, location, and even business activities. Attackers can use this information, posted by companies or individuals, to develop targeted advertisement campaigns, spear-phishing attacks and even physical security breaches. Presently, the younger generation is a prime user base for social media. According to Pew Research, Gen Z users (between the ages of 18 and 24) 75 percent use Instagram, 73 percent use Snapchat, 76 percent use Facebook and 90 percent use YouTube. People use social media to chronical life events such as new jobs or internships and can easily be found on different platforms. Selfies or videos made inside company premises can potentially expose sensitive information in the background that goes unnoticed to the general public, but attackers can exploit them. However, the younger generations are not the only source of potentially damaging social media posts. Social media teams or senior managers also like to post team pictures, badges from a new promotion, video blogs, job boards or selfies are also sources for hackers. All of this shared information could be used by an attacker to duplicate security badges so that they can gain physical access to the building. Attackers can also use social media to gain familiarity with a specific employee so that they will allow them access to sensitive areas, or use other methods to gain access to the company’s buildings.
Analyst Notes
Employers should train all employees, interns and third-party agencies on keeping company assets secure to refrain from posting badges or other access control devices on social media. Educating employees through common scenarios of protecting information and securing company data is essential in enterprise security. Training should also include scenarios that show how attackers can gain access to company buildings through social engineering techniques.
