At a recent financial services event, leading cyber security experts explored how employees' use of social media can enable a cyber-attack on your firm. Greg Ruppert, Senior Vice President and Chief of the Financial Crimes Investigations Group at Charles Schwab & Co., Inc., moderated a panel of
Malcolm Palmore, Assistant Special Agent in Charge, Federal Bureau of Investigation; Patrick A. Westerhaus, Director, Cyber Crime Intelligence Unit, Enterprise Information Security, Wells Fargo & Company; and Dan Nadir, VP of Product Management, Proofpoint. They discussed the risks of social media and how to fight back. (Contributor’s note: Dan Nadir is my colleague at Proofpoint.)
2017 Cyber "Bank Robberies"
“There's nothing new under the sun. Faxes to social, it's the same scams, just delivered in a different way,” said Nadir. The others agreed. According to Palmore, “Cybercriminals spend their entire day trying to figure out how to exploit consumers and business personnel. They are the most diligent criminals on the planet. Whether it's social engineering (using deception to manipulate your employees into divulging personal or proprietary information for fraudulent purposes) or putting someone on the ground to conduct surveillance, they figure out the best way to exploit your vulnerabilities. There are entire nation states engaged in the theft of intellectual property by trying to gain information from your business systems. They actually put on a uniform, sit in front of a terminal and are given a set of requirements such as ‘break into this company’, or ‘figure out a way to deliver a malware to this particular company’.” Westerhaus added, “It takes multiple parties to carry off these high end, and extremely lucrative, 2017 cyber ‘bank robberies’.”
Cybercriminals Are Taking Their Time
Nadir added, “We used to see someone's email get compromised and the next day, or the next minute, it was used to send out a bunch of spam. Not anymore. Now, nothing will happen right away. Then a week later, your employees will receive a highly targeted email. They might click on a link and get infected, or be asked to wire money.” Cybercriminals are taking the time to conduct reconnaissance: they read your email, watch your activities on social media and learn what you're doing, so they can craft the perfect message to trick you into giving up information. Given the open nature of social media, and the volume of information being shared, the ability to social engineer people is now much greater. The rewards of success are so high that they take their time to get it perfect.
Social Media Creates New Opportunities For Cyber-Attacks
“Angler phishing is something new we are seeing. That’s when someone tweets at your customer support account about not being able to get into their bank account or a lost PIN, for example. Before the real account can reply, the fake "@BadBank_Support" Twitter account will reply to that user. Cybercriminals posing as the bank will apologize that you are having trouble and offer to solve the issue. They tell you to ‘click this link, enter all your personal information’ to get you squared away. Because consumers have reached out for help and expect this type of service, they do exactly as instructed.
There are problems with LinkedIn too. Because anyone can create an account, your LinkedIn account can be cloned. Invitations are then sent to all your contacts saying that you lost your account and asking to reconnect. Two days later, they send you a white paper or something else. After that, your contacts receive a message that they’ve been breached and are at risk, so they are asked to ‘click this link’ and enter all their information. And they do, because they believe it. It’s so hard for someone to tell the difference between a legitimate account and a fake account these days. It’s a problem,” said Nadir.
In short, social media is being harnessed to target your employees to get data from them and off your network. “If a stranger came up to you on the street and asked for a list of every place you ever worked, the schools you attended and all your contacts, you’d walk away. But, on LinkedIn, you are sharing that information with anyone you connect with. That enables social engineering,” added Ruppert.
What Do The Regulators Say?
On a federal level, both the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC) acknowledge that cybersecurity threats are among the most significant risks financial firms face, and both included cybersecurity as a priority for their 2017 exams. Additionally, effective March 1, 2017, the New York State Department of Financial Services' cybersecurity regulation (23 NYCRR Part 500) took effect, the first of its kind in the nation. It is designed to protect New York’s financial services industry and consumers from the ever-growing threat of cyber-attacks. In short, all three regulators expect firms to maintain and demonstrate a robust cybersecurity program, and that program must cover the additional risk a firm takes on when it uses social media.
9 Tips to Protect Your Organization From Cyber Risks From Social Media
The panel agreed that a social media presence is necessary to do business. However, given the risks, how can a bank protect itself, its employees and its customers?
- Create strong governance and cybersecurity policies and programs. Reinforce policies with technology to put up defenses to mitigate the risk of opening the firm and its employees to fraudulent activity via social media.
- From a risk management perspective, the information security group should pay close attention to forward-facing threats to the enterprise, specifically from social media. Make sure the organization is safe now and going forward across whatever networks the business needs to use.
- Create broad-based business continuity plans and be prepared for attacks. Don’t reward cybercriminals who demand Bitcoin to release your data. Instead, make sure your data is backed up, with at least one copy kept offline where ransomware on the network cannot reach it, and test that you can actually restore from it.
- Create a corporate communications plan to prepare for a social media crisis, such as someone hijacking your Twitter account. Map out who and how and when you will respond.
- Financial services firms rely on third parties. This provides the perfect mechanism, or ‘cover’, for penetrating a firm. Be particularly careful when working with third-party vendors. Understand how much you rely on your ecosystem of partners and suppliers in order to fully protect yourself.
- Carefully weigh the risks of using Facebook and other social media sites for your firm. Monitor comments and activities on your corporate pages. Be aware of the dangers and watch for the growing number of fake accounts impersonating your brand. On Twitter, look for employee and corporate accounts being compromised, and monitor for hashtag hijacking.
- Social media expands the “threat attack surface” and presents more opportunities for being exploited. Therefore, educate employees about all the potential dangers of social media. Employees are the foundation of the entire information security program. It starts with the person working on the computer, the mobile device, the tablet, or whatever device is connected to a social media platform.
- Train your employees to be smart about social media. Teach them to use good “internet hygiene” and become suspicious of unusual interactions from people they don’t know, from outside your business, who might reach out to them without prompting. Ask them to hesitate before accepting LinkedIn requests to connect from strangers. Warn them to be aware of people who may target them and to err on the side of caution to avoid connecting with someone who might have a malicious intent. And finally (of course),
- Use strong, unique passwords on corporate social media accounts. Consider password management applications, especially for accounts accessed by a team. Use two-factor authentication whenever the platform offers it, and prefer an authenticator app or hardware token over SMS codes, since an attacker who takes over the phone number also receives the codes.
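The angler-phishing pattern described above (a lookalike support handle jumping into a customer's plea for help) and the tip about monitoring for fake accounts both call for the same detection logic, so here is one added example, written for this page and not taken from the panel or from any Proofpoint product. It assumes a fictitious bank whose only genuine support handle is @BadBank_Support, and the replies it scores are constructed sample data. A reply is flagged as angler phishing when the customer had addressed the real support account, the replying handle is a lookalike of it (same name after undoing digit-for-letter swaps and separators, within a short edit distance, or brand name plus a "help"/"support" suffix) and the text carries a lure (a link or a request to click, verify, log in or hand over a PIN or password).

```python
"""Added example: flag angler-phishing replies from lookalike support handles.
Bank name, handles and replies below are constructed for illustration."""
import re
import unicodedata
from dataclasses import dataclass

# Assumption: the firm's genuine support handles, lowercase, without '@'.
OFFICIAL_HANDLES = {"badbank_support"}
BRAND = "badbank"

# Digit/symbol swaps attackers use so a handle still reads like the real one.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "8": "b", "|": "l"})

LURE_RE = re.compile(
    r"https?://|\b(click|verify|confirm|log ?in|password|pin|dm us|direct message)\b")


def canon(handle: str) -> str:
    """Exact handle as the platform sees it: drop '@', fold case."""
    return handle.lstrip("@").lower()


def normalize(handle: str) -> str:
    """Comparison key: fold accents, undo homoglyph swaps, drop separators."""
    h = unicodedata.normalize("NFKD", canon(handle)).encode("ascii", "ignore").decode()
    h = h.translate(HOMOGLYPHS)
    return re.sub(r"[^a-z0-9]", "", h)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(handle: str) -> bool:
    """True when the handle imitates an official one without being it."""
    if canon(handle) in OFFICIAL_HANDLES:
        return False                      # the real account, however it is spelled
    key = normalize(handle)
    official_keys = {normalize(o) for o in OFFICIAL_HANDLES}
    if key in official_keys:              # e.g. Supp0rt, Suppórt, Support_
        return True
    if any(levenshtein(key, o) <= 2 for o in official_keys):
        return True                       # one or two characters off
    return key.startswith(BRAND) and any(
        w in key for w in ("support", "help", "care", "service"))


def has_lure(text: str) -> bool:
    return LURE_RE.search(text.lower()) is not None


@dataclass
class Reply:
    handle: str             # account that replied to the customer
    text: str
    verified: bool          # platform-verified badge
    customer_addressed: str  # handle the customer's original post was aimed at


def classify(reply: Reply) -> str:
    """Return 'official', 'angler' or 'benign'."""
    if canon(reply.handle) in OFFICIAL_HANDLES and reply.verified:
        return "official"
    if (canon(reply.customer_addressed) in OFFICIAL_HANDLES
            and is_lookalike(reply.handle) and has_lure(reply.text)):
        return "angler"
    return "benign"


def flag_anglers(replies: list) -> list:
    """Handles to report to the platform and warn the customer about."""
    return [r.handle for r in replies if classify(r) == "angler"]


# Constructed sample thread: a customer tweeted @BadBank_Support about a lost PIN.
SAMPLE_REPLIES = [
    Reply("@BadBank_Support", "Sorry to hear that. DM us your username (never your "
          "password) and we'll look into it.", True, "@BadBank_Support"),
    Reply("@BadBank_Supp0rt", "Sorry for the trouble! Click http://badbank-help.example/"
          "verify to reset your PIN.", False, "@BadBank_Support"),
    Reply("@BadBankHelpDesk", "We can fix this, please confirm your login at "
          "https://badbank-secure.example/login", False, "@BadBank_Support"),
    Reply("@jane_doe", "Same thing happened to me last week, took a day to sort out.",
          False, "@BadBank_Support"),
]

if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        print(f"{classify(r):8s} {r.handle}")
    print("flag:", flag_anglers(SAMPLE_REPLIES))
```

Note that the genuine reply also contains lure words ("DM us", "password"), which is why the check keys on the handle and the badge first and only then on the text; lure words alone would drown the support team in false positives. The edit-distance threshold and suffix list are tuning knobs, not fixed rules, and any hit should be reported to the platform and answered publicly from the verified account so the customer sees the correction in the same thread.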
This blog appeared previously on Forbes.