Researchers are warning of a new security Achilles’ heel for enterprises, and it may not be what they expect. That threat is interns. According to researchers, interns are unwittingly posting confidential and valuable company insights via social media that pose a security risk to the companies that hire them.
While insider threats are nothing new and have often been linked to disgruntled employees, or hires who unintentionally click on malicious phishing emails, interns bring an entirely new threat to companies. Lax security training for company interns – coupled with the attachment of Generation Z to social media – is providing a lucrative opportunity for hackers to collect social engineering information, researchers said.
More disturbingly, the level of information posted online – including details about office layout, company data, and even badge information – was enough to allow researchers with IBM X-Force Red to actually create their own spoofed badge and physically breach an office while purporting to be an employee.
“From posting photos of their security badges to video blogging a ‘day in the life’ at the office, the social media habits of interns and eager young employees make them a rich source of information for hackers,” said Stephanie Carruthers, global social engineering expert with X-Force Red, in a recent post.
A New Threat
When it comes to collecting data for social engineering, “social media is a goldmine,” said Carruthers – and between Snapchat, Instagram, YouTube and Facebook, members of Generation Z are the most avid users of social media to date, according to a Pew Research survey.
“About 75 percent of the time, a social media search turns up the information I’m seeking within just a few hours,” she said. “This is especially true for large companies, where these posts are most often from interns or new employees.”
For instance, interns may post pictures of their office to Snapchat, Instagram or Facebook, as well as videos to YouTube, revealing internal office layouts, badge pictures, Outlook calendars and more in the background – an easy way for hackers to collect social engineering tidbits or even breach company premises physically.
In fact, that’s exactly what Carruthers did – after discovering an Instagram photo of an intern revealing a new corporate badge, IBM researchers were able to produce a fake badge using photo editing: “The fake badge may not work on doors, but it could work for piggybacking when other employees enter a secure location,” she said.
Other platforms, like Glassdoor, offer troves of valuable information for phishing emails – including company organizational charts, salary ranges or typical interview information.
“Using this information, an attacker could develop phishing emails, preparing the subject and content according to what’s trending among employees of a given company,” Carruthers said. “Unfortunately, employees could easily fall for a well-crafted email, and they may forget to check the sender’s legitimacy.”
Added to that equation is a lack of proper security awareness training for onboarding interns and new hires at many firms, she said.
“For companies that don’t include security awareness training as part of onboarding, new employees may not be trained until the next round of companywide instruction, which could be up to a year away,” she said. “Excited new employees often post their #NewJob #FirstDay #CompanyName via a hash-tagged selfie, showing off their new workspace and neglecting to realize that sensitive company information may be in the background.”
Insider threats continue to be a top concern across the industry. In fact, according to the Verizon Data Breach Investigations Report from this year, “privilege misuse and error by insiders” account for 30 percent of breaches. How can organizations protect against this insider threat?
Companies should rethink their social media security policies, as well as train managers and social teams to spot any risky data posted online, Carruthers said. And because photos taken in the office may inevitably end up online, she recommended that companies also establish a safe photo space – an area of the office where any sensitive information is banned.
The top method of protection, however, is implementing security training, Carruthers stressed.
“Make sure your interns and new hires are getting this as part of their onboarding process,” she said. “You can make this fun and effective by helping them to understand the ways a hacker could use the seemingly harmless info they might consider posting.”