I’ve been interested in mantras most of my adult life. The idea that a word or phrase can have both transformative power and be rendered utterly nonsensical by repetition tickles me.
Our mantra in cyber security - and we say it over and over again - is this: users are the weakest link. But I wonder whether it is beginning to lose its meaning through repetition.
Forensic analysis of the major breaches of the last few years is clear: the bad guys are going after users and zero days. Even a cursory glance at the dark web shows that the gap between the zero-day bug bounties offered by reputable sources and those offered by people seeking to compromise systems is huge. Credentials, however, are more powerful and far cheaper to come by, and interestingly, organisations are still not educating their users about their private social media habits.
The social engineering departments of any of the well-organised threat groups can usually find what they need by surveilling the information that people share regularly on Facebook, LinkedIn, Instagram and other social platforms. This helps them to craft attacks that are so targeted and precise that users have little choice but to surrender credentials or remote access to their machines. There seems to be a squeamishness among businesses to address this with users.
Look at how quickly it can be done. Just find an organisation on LinkedIn with a named contact. Then cross-reference that person to a profile on Facebook or Instagram, where lax privacy settings make it easy to gather birth dates, names of relatives, pets, pastimes and even locations. Then send a weaponized email to firstname.lastname@example.org to launch the attack. Assuming the payload is already built, this entire process takes about ten minutes per contact.
Staggeringly efficient, and with a surprisingly high hit rate.
With users literally falling over themselves to share details of their personal lives on increasingly ‘unhygienic’ social networks, organisations need to recognize that this introduces real business risk. So few users are aware of even the most basic privacy settings in applications like Facebook, or of the fact that a public-facing profile picture can yield valuable information about a person.
You can gain an understanding of their tolerance for typos, their political position, the manner in which they choose to express themselves and their choice of language – and that’s before you get to their second- and third-level contacts, who may have similarly slack settings on their profiles. Even users who are cognizant of the security settings on their profile pictures may not realise that the comments and likes on a cover photo are also visible.
If any of this sounds like stalking, make no mistake – the criminal syndicates don’t care. They will use whatever information is available to get access to your resources, and social media are the richest of sources.
An Ounce of Prevention
Countering this, though, takes only an hour’s training for your users. Include some hard-hitting case materials about the costs of inattention to privacy and you will reduce your risk profile by a huge amount. Even seemingly small behavioral changes pay off. If users stop sharing the same profile photograph between LinkedIn and Facebook, that will significantly slow down a social engineer. Setting the audience for all new Facebook profile pictures to ‘Friends Only’, limiting the visibility of posts and avoiding ‘Friends of Friends’ as an audience all contribute to reducing risk.
The same goes for removing cover photos, limiting the visibility of past posts, or ensuring that recommendations on LinkedIn are visible only to professional contacts. So few people get this right, and they make it easy for cybercriminals to steal their valuable data.
Weak security settings on social media accounts are gold to the hackers. A well-resourced social engineer can unearth enough information to launch a coordinated, targeted attack on your user base. This would give them not only a foothold into your network from which to begin a campaign, but also significant clues as to the credentials that will allow them to maneuver once they break in.
I always use a statistic compiled by the Mandiant Red Team: it is possible to escalate privileges within three days of compromising a network. Now imagine you’re one of the thousand or so truly elite hackers on the payroll of the criminal gangs - or even a solo gun for hire - who can work even more quickly. Users are literally gifting access to your environment. The likelihood is that your median user recycles passwords and shares unbelievable levels of personal detail online, leaving them vulnerable to phishing attacks that reference specific personal details.
If you don’t specifically address social media habits and hygiene with these users, your attack surface grows exponentially, and your risk profile with it. Training to address this doesn’t have to be an onerous task, and it can shore up user education in other areas.
It bears repeating: Users are the weakest link. Let’s not let that phrase be diluted by repetition.
We encourage you to share your thoughts on your favorite social platform.