Social media can provide hackers with access to corporate computer systems

Hackers implant software to steal data from corporate computers

Social media, which already pose a series of risks for companies, have become the darling of hackers trying to gain access to corporate computer systems.

Companies that use Facebook, Twitter, LinkedIn and other social media networks for business functions that include touting new products, providing services to customers and managing a crisis also face the risk that hackers will plant malware in social media communications to get at corporate data or to launch an attack.

Malware is malicious software used to disrupt a computer system and gain access to sensitive data.

“Social media have created an enhanced risk surface for corporations,” said James Foster, CEO of Baltimore-based cyber security consultant ZeroFox.

One reason hackers embrace social media as an avenue of attack is cost, Mr. Foster said, adding that the “one-to-many” nature of social media postings is economical and efficient from hackers' point of view.

“It's very inexpensive to attack a corporation through social media,” he said. “If I'm a hacker, I can go online and purchase 10,000 automated bots to attack an organization through social media for about $50.”

Another reason hackers turn to social media is response rate.

While ubiquitous spam email filters reduce the chance of a recipient receiving and clicking on a malicious link, employers' vulnerability to social media attacks is higher because most companies do not filter social media content, said Shawn Ram, San Francisco-based managing director and national technology practice leader at Aon Risk Solutions.

Moreover, people still tend to inherently trust social media, Mr. Ram said. “For some reason, people associate malware with email and don't expect it from social media or message boards,” he said. “This is why hackers are taking advantage of it.”

Jerry Irvine, Chicago-based chief information officer of outsourced information technology adviser Prescient Solutions, said social networks have eased hackers' ability to plant malware in an enterprise because corporate websites that provide executive names and titles allow hackers to deploy classic “social engineering” techniques to manipulate unsuspecting employees into divulging critical information.

“One of the breaches that typically occur is when somebody sends you a fake invite to connect,” Mr. Irvine said. “Once you have accepted, they have an increased footprint for introducing malware into a network and can also view your contacts and use you as a reference to contact other people they want to get at.”

Spoofing attacks, where a hacker assumes a false identity on a social network, also are a growing threat, said Kenneth Geers, Washington-based senior global threat analyst at network security provider FireEye Inc.

“It's very easy to copy pictures and names,” Mr. Geers said. “A lot of hacking is about creativity and good timing.”

Hackers are keenly aware that otherwise cautious people will let their guard down if they think a message is from someone they know, Mr. Foster said.

“Not surprisingly, the most impersonated person in any organization is the CEO,” Mr. Foster said. “If an employee is using a mobile device and gets a friend request that has a picture of their CEO and a single sentence asking them to connect and perhaps take a survey, they are more likely to click on a link.”

Compounding the challenge is that common security tools such as firewalls, antivirus and detection software are ill-suited to ferreting out social media-launched malware intrusions.

“(Computer) perimeter security is pretty much obsolete today,” Mr. Irvine said. “Traditional antivirus programs only clean existing infections and may detect only 30% of malware.”

Despite the rapid increase of social media communication, Mr. Foster said it may take the data security industry several more years to develop the proper mitigation technology to thwart social media-based malware.

“Think about how much time, effort and money went into securing email,” Mr. Foster said. “The same effort will be needed for social media.”

So what can risk managers do in the meantime?

Mr. Irvine suggested a “defense in depth” strategy, in which companies use several types of vulnerability and application software that scan data for potential risks.

He also said companies should make good use of encryption, from the individual document level to the database level to the hardware level.
