Social networking services like Facebook and Twitter foster a false sense of security and lead users to share information which can be used by cybercriminals and social engineers. The very concept of social networking is based on connecting and sharing, but with who?
A recent study found that many users simply accept requests to connect even if they do not know the person they are connecting with. The actual numbers found that 13% of Facebook users and a whopping 92% of Twitter users simply connect with anyone who asks.
Users share too much information and often vent on social networking services. Little tidbits of information about being out on vacation, or complaints about the new desktop operating system, or announcing an upcoming business trip to meet with a foreign competitor all offer tiny sparks of information which can be combined with other sparks to form a light that exposes more than should be shared.
There is a similar debate in the security community regarding out-of-office auto replies from email programs. Automatically sending an email to anyone that emails you including why you’re not available, how long you will be gone, and the names, email addresses, and phone numbers of other users to contact in your absence is more information than should be shared outside of the company. Newer versions of products like Exchange and Outlook actually allow users to create separate out-of-office replies for internal and external emails to address the problem of sharing too much information with outsiders.
Its virtually impossible to prevent all such disclosures of information. The reason is that these tidbits are generally useless and innocuous alone. By themselves they appear to be harmless, verging on nonsensical, and most of them are. But, each tidbit reveals some small piece of a larger puzzle and an industrious criminal can dedicate the time and resources to gluing the innocuous, nonsensical pieces together to reveal a larger secret.
Organizations should be aware of the pros and cons of social networking and should have established policies regarding the acceptable use of company resources in connection with social networking. It is also a good idea to provide some awareness training about the security issues of social networking and educate users to be more careful of whom they connect with and the information they share.