Tuesday, November 28, 2017

Too much information - 5 Tips for Businesses

Our reality is that we live in an age where information that was once an online currency has been devalued by one simple fact: we give it away for free every day.  Whether as individuals or as businesses, your online footprint is most likely pretty large.  We want to let our friends and families know about the big events in our lives, trips we take, places we are at, where we work, and things we buy.  At the same time, businesses need to have a large online presence to do business in the 21st century.  One of the first lessons of SEO (Search Engine Optimization) is to be listed on as many sites as possible.  While this is all well and good for improving communication with friends and families, and for marketing products and services for businesses, it is also feeding cyber criminals valuable intelligence on how and when to strike.

From a personal standpoint, there have been cases where burglars created fake Facebook profiles and were able to get a number of people in their area to accept friend requests.  Then, once someone posted that they were going to be on vacation for a week, that is when the burglars would strike.  And now with geo-location features on various apps and social media sites, your "friends" and followers can track your physical movements, which automatically tells bad actors when you are not home.  For your personal online footprint, the FBI has recently released tips on the dangers of giving out too much information on social media.  Rather than restate these tips, the URL is below:

https://www.fbi.gov/contact-us/field-offices/portland/news/press-releases/fbi-tech-tuesday-building-a-digital-defense-against-the-dangers-of-using-social-media-while-traveling

For businesses, it can be more difficult to reduce the amount of information about your business online, as that is contrary to your goals of customer acquisition and increased sales.  So for businesses, not-for-profit organizations, and municipalities, below are my 5 tips on how to better defend yourselves:

  1. Limit your information leakage to the public - Over the years, one of the things that drove me nuts was the amount of company-specific detail that Human Resources and/or hiring managers would put in job postings online.  If you are hiring a Database Administrator, it is sufficient to say "Experienced with Oracle".  You do not need to put the version and release number you are currently running in the job posting.  Also, many medium to large companies may have in-house developed applications.  Stating in the job description "Experience with the STARS loan system" not only serves no purpose (as only your current and former employees would have experience with it), but you have now let every cyber criminal know the name of your loan system, which could be used in a social engineering attack on your company.
  2. Train Employees - If Mary in accounting is the person who wires money to pay vendors and performs your organization's online banking activities, please train Mary not to put that little tidbit of information on her public LinkedIn profile.  Give employees security awareness training, and tips on how to state their job duties on LinkedIn so that it doesn't make them a phishing target.  On the subject of phishing, train employees how to recognize phishing e-mails, not to click on links in e-mails from people they don't know, and not to open attachments they were not expecting.  It may seem like a little thing, but the untrained employee is still the best asset a cyber criminal has.
  3. Mis-information - This can be one of the most effective strategies I've seen used.  As an example, one company I worked for would always include the official name (as it is stated on the deed) of our headquarters building on their website and in press releases.  It was the Kent Building.  The interesting thing is that internally, all the employees had a nickname for the building, and it wasn't shared outside the organization.  So, as you would imagine, we would get a number of calls and e-mails from bad actors saying they were a contractor or a new employee and needed to get their password reset.  When the help desk would inquire which building they were in, sure enough, they were in the "Kent Building".  That would be one of many signs that the request was a scam.  So think of something that you can put out there that is not key to your business, but could mislead an attacker and signal to your employees on the front line that it's a scam.
  4. Social Media & Communications Policy - Have a company policy on who can post on the company's social media and websites, and a review process to ensure that what is posted is appropriate and not leaking any internal information.  The policy should also include what employees and contractors can and cannot post on their personal sites regarding the organization.  Believe it or not, I've seen an IT Ops guy take a selfie of himself in the Network Operations Center, with monitoring consoles in the background showing every major system in the company in the photo, and it was posted to his Facebook page as "Tim at work".  A policy won't prevent anyone from doing something stupid, but it does at least let them know up front that it is not allowed and what the consequences are if they violate the policy.
  5. Authentication Procedures - I'm not talking about entering your user ID and password here, but taking that concept and employing it at any type of front-line point of human contact, i.e. phone calls, e-mails, chat, texts, etc. (In other words, defend against social engineering.)  Employees who are responsible for servicing your customers, dealing with vendors, performing banking activities, or administering security should have written procedures on how to make sure that e-mailed instructions are authentic, or that the person on the other end of the phone is who they say they are.  Too many times organizations have had their security compromised because of the "new employee" on the phone who got locked out of the VPN, or the "CEO" e-mailing Mary in accounting to send a wire for $1 million to a bank overseas to fund a new project.  Your employees need to have procedures, and be trained on them, so that they can verify these seemingly normal requests before they act.  If left unchecked, this could cost your organization big time!