Staff Ego’s & LinkedIn Oversharing Introduce A Massive Corporate Security Risk

socsec-linkedin-leaking

Everybody loves to boast and brag about their work achievements, what they do, where they work and people they have worked with. Professional networking sites like LinkedIn & Xing are hotbeds for industry professionals to list their skillsets, connect with bosses, co-workers, ex-colleagues and future employers.

Typically, members accounts contain a list of companies they have worked at, job titles and descriptions of software, technologies and products they’ve used. This is great for demonstrating your experience and relevance for new positions and for attracting recruitment agents.

Unfortunately, this is a perfect feeding ground for hackers and social engineers. With very little effort, it is very easy to see who holds what position at what company, what department they run and the names of other staff that work for them in that department. If it a large corporation, sending a short email to the marketing or investor relations depart asking about shares etc and the email you get back will disclose the format of the email addresses used (e.g. karen.molker@bigcorp.com).

This is the very root of a multitude of Business Email Compromise (BEC) attacks on companies and introduces a massive corporate security risk. No amount of spending on multi-layered firewall architectures, Intrusion Detection Systems (IDS), Data Leak Prevention (DLP) technologies can defend against an employee openly (and unwittingly) listing all your internal platforms on a networking site so they can look good.

Using the information above, looking at the department staff we can see they probably detail what software and products they use. This immediately tells you what packages are used on the internal corporate network (PeopleSoft, SAP, Oracle etc), if you look at the staff woking in the IT Dept. you can soon find out what firewall products that company uses too.

The habit is called “oversharing“. In this business scenario, the worst culprits are commonly management level staff – the ones that should know better. 

An interesting side attack vector here, is the random / sudo-random connection requests. Most employees love to be contacted by recruitment agents or product sales from a supplier looking to connect on LinkedIn or Xing, but as with other social media platforms not all requests are friendly – if a scammer was looking to connect to an executive, it helps if they have lots of mutual connections before they send off that request. This means, often these random requests are scammers / hackers looking to use you as a validity when hunting a bigger fish.

socsec-post-worker

Solutions

So what can be done about this ?

Strong education for employees is certainly the best option, but the company doesn’t own a private individuals social media profile, meaning enforcement of more draconian measures can be tricky (depending on your local laws).

Key Business Social Media Security Tips:

  • Ensure you have a clear, easy to read & well communicated section in your Company Security Policy
  • Educate rather than punish staff – enlighten them to the dangers of “oversharing” in their personal lives as well as the impact at work
  • Make sure that staff have a facility and an easy to follow process for them to report suspicious behaviour on platforms outside the corporate systems 

About the Author: Reggie Pelz