Social media, the gateway for malware

Aug 29, 2016 | 6 min read
Cybercrime | Security | Social Networking Apps

Why the Common Vulnerability Scoring System (CVSS) doesn't give an accurate picture of the security risks from social media sites

Easy to access, widely used, and outside of enterprise control, social media sites are gold mines for malicious actors. People share a lot of seemingly innocuous information, which is exactly the kind of data that hackers love to collect and use in phishing or spear phishing campaigns. 

A recent NopSec 2016 State of Vulnerability Risk Management Report found that organizations use inadequate risk evaluation scoring systems. The report claimed that social media — which often isn’t included in any risk evaluation system — is now one of the top platforms for security researchers and attackers alike.

So, what’s the correlation between social media and the rise in malware?

Steve Durbin, managing director at Information Security Forum, said that correlation is a bit of a strong word. “Social media use has increased. Once someone is onto a site like LinkedIn, Twitter, or Facebook, there is almost an assumption that the way you are interacting with others is without risk. Psychologically, your guard is down.”

As a result, social media sites have become a useful channel for those who want to spread malware through social engineering.

“From a hacker standpoint, social media is rich picking. We have an environment where by nature the people have very low guard. They will quite readily engage with a third party. It’s a great opportunity to gather information that you can make use of from spear phishing to social engineering to push out malware,” Durbin said.

According to the NopSec report, “Twitter is becoming one of the top platforms for security researchers and attackers looking to disseminate proof-of-concept exploits. Vulnerabilities associated with active malware are tweeted nine times more than vulnerabilities with just a public exploit and 18 times more than all other vulnerabilities.” 

Social media is both a lure and a gateway for malware. The sites are attack vectors that are outside of end point security, which suggests that relying solely on the CVSS score makes it difficult to prioritize risks. “But its subscores combined with other factors such as context, social media trend analysis, and data feeds deliver a better risk evaluation and prioritization,” the NopSec report said.
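To make the report's point concrete, here is an added Python illustration (not code from the article, NopSec, or any vendor named in it) that ranks a few constructed vulnerabilities first by CVSS base score alone and then by CVSS weighted with exploit maturity and a social-media trend factor; the weights, identifiers and mention counts are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical weights for exploit maturity. The ordering (active malware
# above public PoC above nothing) mirrors the report; the values are mine.
EXPLOIT_WEIGHT = {"none": 1.0, "poc": 1.2, "active_malware": 1.5}


@dataclass
class Vuln:
    cve: str            # placeholder label, not a real CVE identifier
    cvss_base: float    # CVSS base score, 0.0-10.0
    exploit: str        # "none", "poc" or "active_malware"
    mentions_7d: int    # social-media mentions in the last 7 days (constructed)
    baseline_7d: float  # typical weekly mentions for comparable issues (constructed)


def trend_factor(mentions_7d, baseline_7d, cap=2.0):
    """Recent mentions relative to baseline, clamped to [1.0, cap].

    Unusual chatter is read as rising attacker interest and raises priority;
    quiet issues keep a factor of 1.0 so they never rank below their CVSS.
    """
    if baseline_7d <= 0:
        return 1.0
    return max(1.0, min(cap, mentions_7d / baseline_7d))


def priority(v):
    """CVSS base weighted by exploit maturity and social-media trend."""
    return round(v.cvss_base * EXPLOIT_WEIGHT[v.exploit]
                 * trend_factor(v.mentions_7d, v.baseline_7d), 1)


def rank(vulns, cvss_only=False):
    """Return identifiers ordered by descending priority (or CVSS alone)."""
    key = (lambda v: v.cvss_base) if cvss_only else priority
    return [v.cve for v in sorted(vulns, key=key, reverse=True)]


# Constructed sample: a critical with no exploit and no chatter, a high that is
# actively exploited and heavily tweeted, and a high with only a public PoC.
SAMPLE = [
    Vuln("VULN-A", 9.8, "none", mentions_7d=3, baseline_7d=5),
    Vuln("VULN-B", 7.5, "active_malware", mentions_7d=90, baseline_7d=5),
    Vuln("VULN-C", 7.5, "poc", mentions_7d=10, baseline_7d=5),
]

if __name__ == "__main__":
    print("CVSS only:   ", rank(SAMPLE, cvss_only=True))  # VULN-A first
    print("With context:", rank(SAMPLE))                   # VULN-B, VULN-C, VULN-A
```

The same three issues come out in a different order once exploit status and chatter are considered, which is the gap a CVSS-only queue leaves open.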

In the sixth annual Smarsh 2016 Electronic Communications Compliance Survey, 48 percent of the respondents cited social media as the number one channel of perceived compliance risk.

“Even when a firm has banned social media channels, risks remain if employees do not adhere to the ban. In fact, the percentage of respondents who claim to have minimal or no confidence that they could prove the policy of prohibition is working ranges from 30 percent for LinkedIn to 41 percent for Facebook and 45 percent for Twitter,” according to the Smarsh report.

The problem for cybersecurity teams is that there is little to no visibility into social media sites because these sites exist outside the network perimeter. Mike Raggo, chief research officer, and Evan Blair, co-founder and chief business officer of ZeroFOX, said, “Social media represents one of the largest, most dynamic risks to organizational security.”

If security practitioners are not incorporating social media into their risk assessment, they are leaving a blind spot. In order to understand the scope of vulnerabilities, “they need to leverage social media to identify changes in the threat landscape,” said Raggo.


“As social media becomes a major platform for business communication, cyber criminals are exploiting its inherent trust and widespread connectivity to target employees and customers.”

Raggo said that many enterprises are starting to understand the problem and more are looking to know not only how social media leads to compromise but also what security teams can do to solve the problem.

Jared Semrau, manager, vulnerability and exploitation at FireEye, said, “At its core, social media enables people to connect quicker and more widely than they otherwise would.”

Though seemingly harmless in its intent, social media contributes to the spread of information that can help facilitate malicious activity, “such as information pertaining to vulnerabilities, exploit or proof-of-concept code, and attack methods,” Semrau said.

Malicious actors have leveraged these social media platforms to bolster their existing operations. Semrau said, “They are using these platforms to expose their social engineering schemes to a wider audience or lending credibility to existing activity by creating social media profiles, activity, and networks (as was the case with Newscaster), these platforms are having a direct role in malicious activity and the threat landscape as a whole.”

If there were an easy answer to what enterprises can do to avoid these risks, everybody would be free and clear of the threats posed by social media sites. Unfortunately, there is not a lot that can be done to completely avoid the risks.

“That being said,” Semrau said, “the first step to minimizing your risk is to understand the threats to you and your organization. You can spend millions of dollars implementing tools or countermeasures, but if you do not have a comprehensive understanding of your threat environment, that money may be wasted.”

Understanding and prioritizing will raise awareness and hopefully change user behavior, which will consequently strengthen security. “Understanding the threats, prioritizing those that impact you and your organization the most, and implementing specific mitigations or countermeasures to deal with those specific threats will probably offer you the best chance of success,” said Semrau.

Since it is difficult to improve the reliability of any given tool, Semrau recommended that organizations get a better understanding of what their tools or services were designed to do. “Understand what information is used to support those offerings, and ultimately decide whether those tools fit their specific needs,” Semrau said.

It’s important for security practitioners to assess security tools and understand exactly what it is they want a tool or service to provide. Semrau said, “Make sure those tools or services are able to deliver on those needs, and verify that the information being used to power those solutions is rooted in quality and reliable information.”

Those that are quick to see security tools as an answer to a vulnerability score are potentially being too simplistic, Durbin said. “The whole risk arena is becoming more complex. They need to be rethinking how they measure vulnerabilities, not just complying with compliance.”

In addition to anticipating threats, enterprises also need to grow more resilient. “It’s not as simple as what we have done in the past,” said Durbin. Assessing the value of the assets will shed some light on where the vulnerabilities might reside.

“We need to be doing a business impact assessment to understand the threat environment and how that is changing. Then we can understand the risk associated with that and the risk appetite related to a particular vulnerability,” Durbin said.

Security needs to become more sophisticated, which means having a working awareness of the value of the business assets and the impact of loss or downtime. The risk isn’t only in the ability to deliver service. It’s also the impact on brand and reputation and the way the enterprise is viewed against its competition.

Enterprises that suffer a breach can be sure to see their name not only in headlines but also in tweets and Facebook feeds.


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years’ experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master’s in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, the University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
