Cybersecurity: Risks with Social Media Oversharing
Editor’s Note: This article was written in collaboration with Allscripts cybersecurity experts Sean Hall (Expert Security Engineer) and Rodney Dunson (Associate Security Analyst).
Social media is now a mainstay of living in modern times. Initially used as a way for people to stay in touch and find long-lost friends and relatives, it now influences our everyday life. It has even become commonplace in politics, business, and, of course, malicious social engineering.
As we have incorporated services such as Facebook, Twitter, and Instagram into daily activities, we have become desensitized to the inherent risks of sharing too much information. What you post may seem innocent, but scammers can take small pieces of information from your posts and use them against you in social engineering attacks, both online and offline.
For example, Facebook may reveal your birthdate so that people can send birthday wishes. A birthday photo on Instagram reveals your age. That same photo may contain metadata (known as EXIF data) that gives away your exact location via geotagging. Considering these examples, potentially anyone on the internet may obtain your full name, date of birth, address, names of family and friends, and more. By sharing hobbies and interests, schedules, vacation plans, and tagging family members, you are providing a wide range of information to bad actors via social media.
Common password challenge questions include “What school did you attend in third grade?”, “What was your first car?”, and “What was your first pet’s name?”; all these answers can be found simply by scouring social network posts. Scammers may also use harvested data such as your hobbies, interests, pet names, and other snippets of information to build targeted password lists, increasing the probability that a cyberattack against you succeeds.
Work and tech-related social network sites also can add to a bad actor’s source of information. Cyber criminals leverage professional sites like LinkedIn for reconnaissance, just as they do with social networking sites. Posing as recruiters or industry colleagues by using their profiles, cyber criminals gain insight into your work environment, regardless of your role. Be aware that you may be giving away information about yourself and the company you work for as well.
By passively collecting vital information from unsuspecting employees, cyber criminals can avoid risky activities, like probing networks and computers hosting web applications. Cyberattacks are going to happen; don’t make it easy for them.
What Can You Do?
- Scan and remove from your social network accounts anything that could be a potential piece of information used against you: your birthdate, vacation plans, photos with geolocation, etc.
- Learn how to use and manage your privacy settings on social media sites.
- Disable geolocation data in your phone’s camera settings, and screenshot images before posting them to clear possible EXIF information.
- Always be suspicious; never take for granted that a person you are remotely communicating with is who they claim to be.
- While posting online, never talk about work protocols, accounts, or security measures.
- Avoid using social networking credentials to log into third-party sites. Not only are you giving the third-party website more information than you intend to, but if your social media credentials are compromised, now the attacker has access to third-party accounts too.
- Remove any contacts or “friends” you don’t really know. Anything you share with contacts may be shared with others. Keep your contact list limited to trusted friends and relatives.
- If you have children who have a presence on social media, help them manage their accounts as well.
Of course, social media isn’t the only way bad actors can target individuals and organizations. For more information on what you can do to protect your personal information, visit the Cybersecurity & Infrastructure Security Agency’s website.