While social networking sites such as Twitter and Facebook are great tools for businesses to engage with their audience and build their profile, they pose significant security risks. Hackers and scammers are becoming increasingly sophisticated in the ways in which they use social media to illicitly gain personal and financial information. As a business owner it is important to know what these threats are, and how you can safeguard your staff and your business.
Twitter and Facebook: opportunities for SMEs – and for hackers
The latest avalanche of Twitter-related breaches and attacks – ranging from cross-site scripting vulnerabilities to worm attacks – focuses on stealing log-in details and information such as email and online payment accounts. Illicit access to this information translates into a wide range of online crime opportunities, from further spam and phishing attempts (employing a business’s list of followers) to online blackmail and extortion.
Spammers are also using shortened URLs to trick Twitter users into clicking on websites that turn out to be malicious. Since it’s difficult to gauge what a shortened URL actually is or its legitimacy, more and more spammers are using them as part of their attacks.
For SMEs whose staff have access to and who use Facebook at the office, a bit of vigilance is recommended. In a Facebook phishing scam detected recently, hackers stole many usernames and passwords by directing users to a convincingly-spoofed Facebook login page.
Once the link is opened, the user is immediately prompted to re-enter their login details. These details are then used by the hacker to spread spam messages. The bad news for SMEs who have a Facebook identity or profile is that certain types of threats can even append code to a profile page. When you log in, a “bot” is automatically downloaded to your PC, transforming it into a “zombie” – a compromised machine that is part of a larger network of infected machines, called a botnet, which a hacker remotely controls.
Here are my top 10 tips to protect your staff and your business from online and offline security threats:
- Educate your staff on safe usage practices for Twitter and Facebook. Set an agreed guideline for the usage of these communication tools within the workplace: e.g. never opening a link or downloading a file that may seem innocuous but have suspicious origins or context.
- Check the legitimacy of a shortened URL by first entering it into a Google search page.
- Acquire and use a reliable security solution that has passed stringent testing (such as Checkmark, AV-Test.org and TÜV, among others).
- Make sure your security solution includes a firewall and that it is configured to notify you of inbound and outbound connection attempts.
- Keep all your software and your operating system up to date. Most have automatic update options; make use of these as much as you can. This ensures no known vulnerabilities can be exploited remotely (most online attacks make use of such vulnerabilities).
- Make sure your security solution supports the email client you use. It will filter most spam, making your life easier.
- Don’t execute files from USB sticks before scanning them with your security solution. Ideally, your security solution’s resident shield automatically detects and scans the removable device when inserted.
- Disable the auto-run feature on all optical or removable drives – including CD, DVD and USB drives.
- Don’t rely on end-point security only. Make sure your network has emails served by a local mail server that is protected by a security product designed specifically for mail servers.
- Make use of a security product that is based not only on reactive detection methods (by way of downloaded signatures), but one that also possesses proactive methods of detecting malware (by way of heuristics and “in-the-cloud” scanning).
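A complement to the shortened-URL tip above: rather than guessing where a short link leads, a defender can resolve the redirect chain hop by hop with HEAD requests and inspect the real destination before anyone in the office clicks it. This is an added example, not code from the article or from BitDefender; the shortener hostnames and the redirect table it runs on are constructed for the demonstration.

```python
"""Expand a shortened URL hop by hop so the real destination can be
inspected without loading it in a browser. Assumes the shortener answers
a HEAD request with a 3xx status and a Location header (typical of public
shorteners); the SAMPLE_REDIRECTS table below is constructed, not real."""
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

MAX_HOPS = 10  # refuse to chase endless redirect chains or loops


class _NoRedirect(HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urlopen raise HTTPError on a 3xx


def http_head_location(url):
    """One live hop: return the Location header, or None if the page is final."""
    req = Request(url, method="HEAD", headers={"User-Agent": "url-check/1.0"})
    try:
        build_opener(_NoRedirect()).open(req, timeout=5).close()
        return None  # 2xx: no further redirect, this is the destination
    except HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        raise


def expand_url(short_url, get_location=http_head_location, max_hops=MAX_HOPS):
    """Return every URL in the chain, ending at the real destination.
    Raises ValueError on a redirect loop or a chain longer than max_hops."""
    chain, seen = [short_url], {short_url}
    for _ in range(max_hops):
        nxt = get_location(chain[-1])
        if nxt is None:
            return chain
        nxt = urljoin(chain[-1], nxt)  # Location may be a relative path
        if nxt in seen:
            raise ValueError(f"redirect loop at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError(f"more than {max_hops} redirects, refusing to continue")


def destination_report(short_url, get_location=http_head_location):
    """Summarise what a short link really points at, for a human to review."""
    chain = expand_url(short_url, get_location)
    final = urlparse(chain[-1])
    return {"chain": chain, "hops": len(chain) - 1,
            "final_host": final.hostname or "", "https": final.scheme == "https"}


# Constructed offline sample standing in for live HEAD requests: a short link
# that bounces through a tracking host before landing on a login page.
SAMPLE_REDIRECTS = {"http://short.example/abc": "http://tracker.example/r?to=1",
                    "http://tracker.example/r?to=1": "/login",
                    "http://tracker.example/login": None}

if __name__ == "__main__":
    print(destination_report("http://short.example/abc", SAMPLE_REDIRECTS.get))
```

For a live check, call `destination_report("https://<short link>")` with the default fetcher; the report shows the full chain, the final host and whether it is served over HTTPS, which is what a user should compare against the site the message claims to link to.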
– Bogdan Dumitru is Chief Technology Officer of BitDefender (www.bitdefender.com.au)