Rich Ronston of Deltek uses social media-sourced intelligence to understand new options and apply them to the business’s risk appetite. Photo courtesy of Lauran Cacciatori/Deltek
Picture this – in 20 minutes, one enterprising hacker at the 2012 Defcon conference in Las Vegas learned one Wal-Mart store’s physical logistics – from the janitorial contractor to where employees go to lunch – key details about the make and version numbers of the Wal-Mart manager’s PC, browser and anti-virus software, and got the manager to upload the address of an external website into his browser – no questions asked. The hacker, Shane MacDougall, had captured every data point in the convention’s annual “Capture the Flag” social engineering contest, and Wal-Mart was the victim. That’s social engineering.
After the event, MacDougall told reporters that “Social Engineering is the biggest threat to the enterprise, without a doubt… I can see all these (Chief Security Officers) that spend all this money on firewalls and stuff, but they spend zero dollars on awareness.”
But security leaders are paying attention now – especially Mark Arnold, Security Engineering Manager at TJX, the parent company of retailers HomeGoods, TJ Maxx and Marshalls. He joined TJX two years ago and had wanted social engineering (or “Human Hacking”) training ever since, but it was only after the Defcon debacle that he got the resources he needed.
“It’s becoming a reality that these spaces provide more targets,” Arnold says. “Malicious actors are looking to take advantage of people now, not just networks. They see humans as ‘nodes’ in the system. They look for low-entry employees – easier entry points. They want to compromise as many of these ‘smaller prizes’ as possible.”
Arnold is using social media to obtain a better picture of who would be targeted – looking for predictable data that TJX can use in future security and marketing campaigns.
Rich Ronston, Lead IT Security Architect at Deltek, is using the open-source data found on social media to determine where resources are most needed. Deltek supplies project-based solutions on-premise, as well as in the Cloud, so Ronston has to stay up to date on the changing landscape.
“Twitter has cutting-edge information that could impact our SaaS applications and Deltek’s IT department,” Ronston says. “We like the immediacy of information and ability to find deeper intelligence. You can get what you need to know quickly and take it directly to the CIO. Then, we apply the scenario – such as a new patch or possible vulnerability – to our risk appetite and decide what to do.”
Messages, conversations, links and detailed vendor information form the basis of security research on social media, Ronston says: “It puts you into the center of the conversation.”
Merely searching for basic hashtags or metadata tags on Twitter, such as #Security, can produce a depth of information to help security professionals better perform their functions. For example, a quick search under that term could produce security metrics, risk management data, security news stories, chatter about business continuity trends or even hints at possible security risks.
In Arlington, Texas, the Arlington Police Department is monitoring social media to pick up on specific risks and threats pertaining to the city’s Entertainment District – a close-knit area that contains Cowboy Stadium, Rangers Ballpark and Six Flags Over Texas. These venues are also the site of events – not just sports games, but controversial speakers or meetings – that could be targets of attacks. By searching social media venues, such as Twitter or Reddit, for specific keywords or tags that could be related to a specific event or a certain issue of concern, the intelligence unit can investigate threats further.
“It’s all open source information, but we have to have a criminal nexus to pursue a specific statement,” says Sgt. J.P. Rogers of the Arlington PD Intelligence Unit. “We have to determine that it’s a legitimate public safety issue before looking into an incident or a person, and we have civil rights and civil liberties training to ensure we follow that rule.”
For example, Rogers says, general or conditional statements (“If this team loses, I’m going to drop a bomb on the stadium”) would not be investigation-worthy – the speaker does not demonstrate the intent or the capability to follow through. However, a statement of “There is a bomb in the stadium now” demonstrates an imminent threat that requires action and investigation.
“You have to manage the difference between free speech and a threat,” Rogers says.
Once a threat is declared serious enough for investigation, law enforcement works across state lines to track user information to the statement’s source. In the two most recent cases, Rogers says, the offending Tweeter was out-of-state and entirely incapable of following through on the threat, but it pays off to be sure.
Arnold reacts to social media threats the same way his team would respond to a cyber attack – he informs the legal team and upper management to spur a coordinated incident response.
Uncovering threats is not the only use for social media monitoring, however. Many private industries are using it to foster an active dialog with customers as a value-added marketing tool.
Customers can spur a lot of online buzz about what they like or dislike about a company, and social platforms such as Yelp or Twitter can supply businesses with the opportunity to reach out to specific, vocal customers who provide real-time reviews of your service.
“You can have risk or IT security groups leverage social media channels to broadcast specific information to product subscribers or customers,” Ronston says. “Outside of the IT department, you can use it for marketing or for getting your company message out. It’s as much a marketing engine as a listening tool.”
Professional networking sites such as LinkedIn offer security professionals another set of tools, Arnold says. He uses LinkedIn for cultivating details and profiling, including vetting new individuals and checking connections to current associates.
“Interconnections add to predictability,” Arnold says. By knowing who knows who on social media, he can better understand what kind of target that person is to outside threats.
“We’re trying to use the whole network security model, the life cycle of security, to manage these threats,” he adds. “The whole entity is being targeted now – not just devices, but specific people.” And, by monitoring the footprint that an enterprise’s human element leaves on social media, security can better predict who will attack where, and be prepared for it.