Social networks have been spreading widely since the middle of the last decade. Alemán, A. M., & Wartman, K. L. (2009, p. 20) defined social networking as “A medium and an engine of social relations in which community associations occur and are ordered in some way, and in which distinctions between what information is private and what information is public is imprecise”. They also stated that individuals and groups on those sites have created a new meaning for the culture and traditions of sharing information, which is an evolution from the traditional real physical world. Although social networks have changed the way people communicate, socialise, and share their lives with others, they have been accompanied by several controversial privacy issues. Many people’s lives were compromised because of their online behavior and the content they had been sharing with others in online societies.
Not only do they expose individuals to security risks, but they also threaten the privacy of well-structured organisations. The security implications of social networks fall into two main categories: technical and non-technical. In fact, a modern phenomenon called Social Engineering has evolved steadily in the contemporary digital age. “It is the art or better yet, science, of skillfully maneuvering human beings to take actions in some aspect of their lives… it is the act of manipulating a person to take an action that may or may not be in the target’s best interest and it includes obtaining information, gaining access to certain materials” according to Hadnagy (2011). Social engineering is considered a form of human penetration rather than traditional technical hacking because it relies on information gathering techniques and human attitudes to accomplish its attacks. This essay covers the non-technical dangers which originate from human behavior and the way people interact with others in online communities such as Facebook, Twitter, Google, and LinkedIn.
The concept of cyber communities emerged in the late 1990s with two major sites, “Classmates” and “SixDegrees”, built on the idea of connecting students and keeping ties between them (Alemán, A. M. & Wartman, K. L., 2009). However, when Facebook and other new social networking sites were launched last decade, they broke the barrier of paid memberships and thus started to spread globally, reaching hundreds of millions of users. As reported by Brenner (2012), the percentage of adult internet users who participate in online communities increased significantly from 8% in 2005 to 64% in 2011, and 80% of teen users are currently using one or more social media sites.
Although online networks have helped individuals make friends more easily, the vast number of users, especially young users, indicates that a limitless amount of information is being posted publicly every day. Based on the research done by the Pew Internet & American Life Project (2011), most Facebook users do not update their status regularly; however, there is a tendency to comment on other users’ photos and posts, or to “like” each other’s content, more frequently than to send private messages.
Furthermore, companies and organisations have found social media cost-effective and the best medium for targeting consumers or audiences due to the great number of users. Nevertheless, those organisations still use social media to share news and information about the company itself. For instance, LinkedIn’s idea is to share work experience, professional career, current employer, and even the position of the user. In addition, many employers check candidates’ profiles in order to form a clear image of them, which in turn affects the decision to hire them (Alemán, A. M. & Wartman, K. L., 2009).
Realising the dangers behind the excessive and unconscious usage of social networks is a critical issue nowadays. The information openly available on those sites can draw a whole picture of one’s life, which is scary to some extent when one thinks about it. Numerous parties are interested in collecting data about cyber users. The list includes governments, criminals, terrorists, security professionals, and organisations. In fact, the collection of information follows two paths: offensive and ethical.
There is no doubt that every government has its own methodologies for defending its country, but most of today’s methods rely on the information available about certain cases or people. In their report, Florian Schaurer and Jan Storger (2010) emphasised that taking advantage of publicly available information has always been an essential part of intelligence and clandestine operations and a tool that enhances the job of the government in decision making as well as domestic security. Moreover, “open source intelligence” became a major source of information about military capabilities and political intentions, as stated by a Central Intelligence Agency (CIA) analyst in the report. In addition, countries like the US and Britain have established dedicated centers for such missions: the “Open Source Center (OSC)” in 2005 in the US, and “BBC Monitoring” in the UK. Accordingly, the information shared publicly on social media is considered a form of “open source intelligence” due to the potential of obtaining a full image of a country’s local matters and cultural aspects by only surveying a group of cyber communities’ users from the targeted country. Britain has already made plans towards launching a massive project that aims to screen online communities to tackle terrorism and vandalism threats, said Murray Wardrop (2009). Furthermore, Evgeny Morozov (2011, p.155) showed how the KGB (State Security Agency) in Belarus had been tracking an anti-government activist through his social network profile, resulting in his interrogation over his suspicious trips to Poland and Ukraine and his posts on social media. Evgeny Morozov also detailed how the Vietnamese government banned Facebook in the country and created its own social networking site, which would give it better control and surveillance of its users.
Industrial spying has always been a sensitive area that has cost companies huge amounts of money. According to Ira Winkler (Unknown year), the FBI estimated that American corporations lose more than 100 million dollars a year because of “corporate espionage”. For centuries, reconnaissance on rival manufacturers was not as easy as it is in the current circumstances. Cyberspace has affected the whole process and reduced it to a few clicks on a computer system to obtain most of the required facts about any company. For instance, information about the core organisational structure of a company can be obtained by first collecting the profiles available on LinkedIn, then simply observing the Twitter and Facebook feeds of employees and managers from the same company. What is worse, details of operations coordination, how instructions are passed, projects and equipment, and how workers are incentivised were found in some cases, reported Zeljka Zorz (2011). Moreover, a survey in India discovered that employees’ social networking activities are being tracked by their former managers and chief executives in order to spy on the new employers and company news (Villarreal, R, June 19, 2012).
In Social Engineering, information gathering is a core phase of any attack or security audit. The process of information gathering utilises different sources such as observation and the Internet. The Internet has become an important source of information because of the creation of social media, which has introduced a new dimension to the open source intelligence field. According to Hadnagy (2011, p.37) and Jamey Heary (Nov 15, 2009), social media sites have become a main source for getting information about targets due to the numerous corporations taking part in virtual communities. Nonetheless, getting information is not limited to reading profiles and screening people’s activities, as online societies provide the services and support for building new relationships with anonymous users. It has become easy to fake identities to have better chances of holding private conversations with others, misleading many users into trusting those online partners and revealing more private concerns about their real lives. Those services could lead to child abuse and deception by taking advantage of children’s innocence (Harrison, A, October 22, 2007). Mark Sweney (Aug 3, 2012) reported that there are 83 million fake profiles on Facebook, with 14 million of them being used for spam and misleading intentions. Such conversations are a form of what is known as “Elicitation”, in which a social hacker uses previously gathered information to hold a conversation that is within the target’s interest, pulling them into divulging more of whatever data the professional engineer asks them for, without their sensing the real threat of giving away sensitive answers. The FBI website defines elicitation as “The strategic use of conversation to extract information from people without giving them the feeling they are being interrogated” and has warned about the tactics of social engineering on social media by listing elicitation as one of the top techniques used.
The nature of social networks and the way they function have assisted their extensive spread for intelligence purposes. Additionally, it is widely believed that humans are the weakest factor in any security measure. The way people perceive emotions, speech, gestures and communication gave social engineering an opportunity to evolve. Fortunately, there is a set of procedures and techniques that, if followed, would provide higher levels of security for people’s cyber and real daily lives.
It is vital that every online user be aware of the risks associated with the usage of social networks and the internet generally. Children’s awareness must be raised by their families so that they surf more safely and avoid any abuse of their childhood honesty (Harrison, A, October 22, 2007). Additionally, individuals must reconsider their social activities and ask themselves about the importance and the value of information prior to sharing it on their profiles.
Apart from technical security, which may not be affordable for all organisations, human training and education must be provided to workers. The FBI and Zorz (2011) stressed that raising user awareness is the most important step in the prevention process. Furthermore, Hadnagy (2011, Ch. 9) pointed out a group of practices to follow when aiming to promote non-technical security. First, learning how to identify tactical attacks is critical, and a security awareness program has to be created for individuals. In addition, the kind of information that social hackers usually seek must be clarified for employees so they become more conscious about sharing anything. What is more, there should be a process of regular updates for any software in the networked systems. Furthermore, scenarios and scripts are the best methods to build up a vivid image of potential attacks. Lastly, learning comprehensively from previous security case studies is vitally important.
Conversely, there are a number of challenges, which mainly reside in the resistance of users in the company to following the policies and the impossibility of controlling them once they are out of work. Martin Manjak (2006) stated that employees have an ignorant disposition if they see no reason for a change, and that security professionals usually underestimate the non-technical issues within the company. Hence, more security audits, surveys, and examinations must be held at all levels, including top management and the cleaning team, to achieve a secure work atmosphere.
To conclude, social networks have been considered a form of modern “Open Source Intelligence” due to the vast volumes of publicly shared information available on them. Therefore, they have been used to compromise people’s private lives as well as for industrial spying. Nonetheless, national security agencies around the world use social media to promote their defensive measures and maintain a strong database of security concerns. The security implications of using cyber communities originate from the lack of understanding and awareness of users and organisations, which has resulted in the human being becoming the weakest point to exploit in security attacks. Co-operation between individuals, governments, and companies must be established to prevent those social engineering attacks.
- Brenner, J. (2012). Pew Internet: Social Networking (full detail). Retrieved from Pew Internet & American Life Project: http://pewinternet.org/Commentary/2012/March/Pew-Internet-Social-Networking-full-detail.aspx
- FBI - Internet Social Networking Risks. Retrieved from FBI - Homepage: http://www.fbi.gov/about-us/investigate/counterintelligence/internet-social-networking-risks
- Hampton, K., Goulet, S. L., Rainie, L., & Purcell, K. (2011). Social networking sites and our lives. Retrieved from Pew Internet & American Life Project: http://www.pewinternet.org/Reports/2011/Technology-and-social-networks/Part-2/Facebook-activities.aspx
- Hadnagy, C. (2011). Social Engineering: The art of human hacking. Indianapolis, Indiana: Wiley Publishing.
- Harrison, A. (2007). When online friends spell danger. Retrieved from BBC News – Home: http://news.bbc.co.uk/1/hi/education/7046986.stm
- Heary, J. (Nov, 2009). Top 5 Social Engineering Exploit Techniques. Retrieved from PC World Reviews and News: http://www.pcworld.com/article/182180/top_5_social_engineering_exploit_techniques.html
- Manjak, M. (2006). Social Engineering Your Employees to Information Security. Retrieved from SANS Institute: http://www.sans.org/reading_room/whitepapers/awareness/social-engineering-employees-information-security_1686
- Martínez Alemán, A. M., & Wartman, K. L. (2009). Online social networking on campus: Understanding what matters in student culture. New York and London: Routledge.
- Morozov, E. (2011). The net delusion: The dark side of internet freedom. New York: Public Affairs.
- Schaurer, F., & Storger, J. (2010). OSINT Report. Retrieved from ISN: http://www.isn.ethz.ch/isn/Digital-Library/Publications/Detail/?id=122008
- Sweney, M. (Aug 03, 2012). Facebook quarterly report reveals 83m profiles are fake. Retrieved from The Guardian: http://www.guardian.co.uk/technology/2012/aug/02/facebook-83m-profiles-bogus-fake
- Villarreal, R. (June 19, 2012). India's New Booming Sector: Corporate Espionage. Retrieved from International Business Times: http://www.ibtimes.com/articles/354033/20120619/india-spy-corporate-espionage-assocham-social-media.htm
- Wardrop, M. (Mar 25, 2009). Facebook could be monitored by the government. Retrieved from Telegraph: http://www.telegraph.co.uk/technology/facebook/5046447/Facebook-could-be-monitored-by-the-government.html
- Winkler, I. S. (Unknown). Case Study of Industrial Espionage Through Social Engineering. Retrieved from National Computer Security Association: http://csrc.nist.gov/nissc/1996/papers/NISSC96/paper040/WINKLER.PDF
- Zorz, Z. (2011). Corporate espionage via social networks. Retrieved from Help Net Security:
- Gill, P. & Phythian, M. (2006). Intelligence in an insecure world. Cambridge: Polity Press. Chapter 4, 5
- Dinerman, B. (2010). Social networking and security risks. Retrieved from Viper The Antivirus: http://www.viperantivirus.com/business/whitepapers/social_networking_security_risks_letter_web.pdf