Over-sharing, over-confident and over here

William Brandon, CISO at the Bank of England, has noticed the risks associated with LinkedIn profiles. He’s quite correctly pointed out that telling the world what you do, which systems you look after and whom you work with is a bit of a goldmine for hackers and social engineers. In other news, RBS is the first major bank to sign up for Facebook at Work, because over-sharing is only an issue outside the perimeter, right? Never mind the Carter-Silk/Proudfoot moments that will inevitably ensue, or the potential damage to productivity: how brilliant will it be for the enterprising internal villain to know not just when the Head of Treasury is going on holiday, but where, and with whom? Or just how hard Bob in Investment Banking is working on that M&A deal that’s supposed to be kept secret from the prop desk? I fear compliance officers will have a great deal to do – or, alternatively, that Facebook at Work will be a complete flop.

I’ve explained before why sharing information on social media presents a security risk. The more you tell the world, the easier it is to exploit you, or pretend to be you. The issue for business is that the information presenting the problem is apparently quite anodyne. You may not think that including your responsibility for RSA, Citrix and VMWare on your LinkedIn profile is dangerous, but it tells hackers more about your company’s systems than you’d volunteer if you knew why they were asking.

It’s all about correlation. If I know your company’s username policy – usually easily gleaned from a lock-screen at a presentation, and easier still if I work there in the first place – and your name, then I know your username. Add in your personal interests from Facebook and a decent password dictionary and I’m on the way to compromising your account. Get your job-title, your position in the hierarchy, and the systems for which you’re responsible from LinkedIn, and I know if it’s worth it. Now I look at public web content – like vendor case-studies and conference appearances – to get a better sense of your attack surface, and to find strategies for gaining your trust. Put it all together and it’s spear-phishing in a barrel.

My point? I don’t have to be an outsider to have an interest in doing this. If you have an active social culture at work, and you’re seriously thinking of supporting it by building out an internal social network, you’d best think now about how you’re going to police it.
