Social Networking - Information Gathering

  • Social Networking - Information Gathering

    Information on both professional and personal networking websites is plentiful. Many people have personal profiles on sites like these and visit them regularly. Even though the goals of large businesses are different, they do use these sites regularly. For the private person the social element is very important, and for the business it is often about awareness and attracting new employees, business partners and a lot more. This makes these kinds of websites a target for malicious people looking to gather information on a potential target.

    Users usually keep profiles updated, which gives an attacker current contact information, location and other useful information. They also connect to friends, chat and do other similar things, which sometimes hands friends lists and information on friends to the attacker. Some users share pictures, videos and other media that also give the attacker information on friends and family members. Users may also join groups and play games, which will help the attacker scope out interests that are useful in spear phishing, waterholing etc. When users join or create events, an attacker may also be able to map activities the user may be involved in, and the events may also hand over location information.

    Organizations may share a user survey, which may give an attacker an overview of the organization's business strategies. An organization may also use one of the benefits of networking websites by using them to promote products, but this may aid an attacker in mapping the organization's product profile. Some sites are also used for user support, which may make it possible for an attacker to execute a social engineering attack. Recruitment is also fairly common on networking sites, and this can sometimes aid an attacker in clarifying the organization's software and hardware platform and reveal detailed information on the technology in place.

    As with anything else, when information is published on the Internet it is very hard to completely remove, so it is well worth spending some time considering what information to share and deciding if the information the organization or user is sharing is necessary to accomplish what is intended. If an organization is looking for a firewall expert, is it then important to include the products already in place? Does it matter to the person looking to work with firewalls if the organization is using Cisco, pfSense, Juniper, Check Point or any other product? Could you let the applicant deliver the skill set in a CV and clear up information regarding the infrastructure during an interview? At minimum it is important to consider these points.
    Certified Security Geek