


Social Networking Sites = Social Engineering and Corporate Information Bonanza?

Jan 23, 2008

This entry was prompted by a recent study which showed, among other things, that 63 percent of employers who reviewed applicants’ social networking profiles decided not to hire them based on what was discovered in those profiles. Reading this, it occurred to me to take a random walk through some of the social networking sites, including personal blogs, to get a feel for the type of information available. In taking that walk, I used several new search engines that focus on just these types of sites. The point of my research was to see what, if any, information was available through these sites that would be of use to, say, a social engineer. What I found greatly surprised me.

These sites, particularly employee blogs, provided an amazing range of information that a social engineer could easily exploit to gain access to an employer’s systems and data. Employees freely talked about their supervisors by name, the buildings they work in, their co-workers, and even the projects they were working on. To my surprise, there was also much information regarding the specifics of their employer’s business plans, products, and services. Some of this information seemed clearly to be confidential to the business, even constituting trade secrets. It occurred to me that a potential hacker would not even need to engage in social engineering, but could simply review the relevant sites to obtain valuable information about the companies being targeted.

While businesses cannot, in general, legally control the information employees post on these sites, they can emphasize to employees their contractual obligations to protect and preserve the confidentiality of the business’s information, and they can sensitize employees to the risks of posting company-specific information on public forums. Employees need to understand that hackers have been actively trolling these sites. Given the exponential growth of networking sites and blogs, businesses should consider implementing training on these issues as soon as possible. At a minimum, it would be time well spent to invest a few hours one afternoon running your company name through these search engines. The results may surprise you.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
