If you’re planning to take the Security+ SY0-501 exam, you should understand the importance of general security policies. This includes policies, plans, and procedures related to organizational security. From a general perspective, an organization may implement personnel management policies that affect other areas of an employee’s life. Some examples include behavior on social media networks and the use of email.
For example, can you answer this question?
Q. Security personnel recently released an online training module advising employees not to share specific personal information on social media web sites that they visit. Which of the following is this advice MOST likely trying to prevent?
A. Spending time on non-work-related sites
B. Phishing attack
C. Cognitive password attacks
D. Rainbow table attack
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.

Social Media Networks and Applications
Millions of people interact with each other using social media networks and applications, such as Facebook and Twitter. Facebook allows people to share their lives with friends, family, and others. Twitter allows people to tweet about events as they are happening. From a social perspective, these technologies allow people to share information about themselves with others. A user posts a comment and a wide group of people instantly see it.
However, from a security perspective, they present some significant risks, especially related to inadvertent information disclosure. Attackers can use these sites to gain information about individuals and then use that information in an attack. Organizations typically either train users about the risks or block access to the social media sites to avoid the risks.
Users often post personal information, such as birth dates, their favorite colors or books, the high school they graduated from, graduation dates, and much more. Some sites use this personal information to validate users when they forget or need to change their password. Imagine Maggie needs to reset her password for a bank account. The web site may challenge her to enter her birth date, favorite book, and graduation date for validation. This is also known as a cognitive password and, theoretically, only Maggie knows this information. However, if Maggie posts all this information on Facebook, an attacker can use it to change the password on the bank account.
As an example, David Kernell used Yahoo!’s cognitive password account recovery process to change former Alaska Governor Sarah Palin’s password for her email account. At the time, Yahoo! asked questions such as her high school and birth date, and Kernell obtained all the information from online searches. Of course, it didn’t turn out well for him. A jury convicted him of a felony and he served more than a year in prison.
In some cases, attackers have used personal information from social networking sites to launch scams. For example, attackers first identify the name of a friend or relative using the social networking site. The attackers then impersonate the friend or relative in an email, claiming to have been robbed and stuck in a foreign country. Attackers end the email with a plea for help asking the victim to send money via wire transfer.
It’s also worth considering physical security. While vacationing in Paris, Kim Kardashian West was regularly posting her status and location on social media. She also stressed that she didn’t wear fake jewelry. Thieves robbed her at gunpoint in her Paris hotel room. They bound and gagged her and took one of her rings (worth an estimated $4.9 million) and a jewelry box (with jewelry worth an estimated $5.6 million). After being caught and arrested, one of the thieves later admitted that it was relatively easy to track her just by watching her online activity.
Banner Ads and Malvertisements
Attackers have been delivering malware through malicious banner ads for several years now. These look like regular ads, but they contain malicious code. Many of these are Flash applets with malicious code embedded in them, but others just use code to redirect users to another server, such as one with a drive-by download waiting for anyone who clicks.
Although these malvertisements have been on many social media sites, they’ve also appeared on mainstream sites. For example, attackers installed a malvertisement on the New York Times web site where it ran for about 24 hours before webmasters discovered and disabled it.
Similarly, malvertising has appeared on the Yahoo! web site. Users who clicked on some Yahoo! ads were taken to sites hosting fake antivirus software. These sites included pop-ups indicating that users’ systems were infected with malware and encouraging the users to download and install the fake antivirus software. Users who took the bait installed malware onto their systems. Some of these ads sent users to sites in Eastern Europe that were hosting CryptoWall, according to research by Blue Coat Systems, Inc. CryptoWall is a malicious form of ransomware that encrypts user files and demands payment to decrypt them.
Attackers have used two primary methods to get these malvertisements installed on legitimate web sites. One method is to attack a web site and insert ads onto that web site. The second method is to buy ads. They often pose as an ad agency representing legitimate clients. For example, one attacker convinced Gawker Media to run a series of Suzuki advertisements, which were actually malvertisements. Similarly, it’s unlikely that Yahoo! was aware that it was hosting malvertising; instead, these ads likely appeared as a result of an attack or because Yahoo! was tricked into accepting them.
Q. Security personnel recently released an online training module advising employees not to share specific personal information on social media web sites that they visit. Which of the following is this advice MOST likely trying to prevent?
A. Spending time on non-work-related sites
B. Phishing attack
C. Cognitive password attacks
D. Rainbow table attack
Answer is C. A cognitive password attack utilizes information that a person would know, such as the name of a first pet or favorite color. If this information is available on Facebook or another social media site, attackers can use it to change the user’s password.
This advice has nothing to do with employees visiting the sites, only with what they post.
Although attackers may use this information in a phishing attack, they can also launch phishing attacks without this information.
A rainbow table attack is a password attack, but it uses a database of precalculated hashes.
See Chapter 11 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on personnel management policies.