What do professionals inadvertently disclose about the operations security (OPSEC) of their organizations and themselves while giving advice? Becoming a known educator and voice in your area of expertise is effectively done by drawing connections between yourself, your knowledge base, and your audience. Often in Information Security (InfoSec), this involves sharing an anecdote or short story that others can relate to and emphasizing the security benefits or areas of improvement that are seen in the story. However, even the most savvy security professionals should be wary of what information they provide that could be used by an attacker.
Where is Sensitive Information Sneaking Out?
This can be seen in two categories of examples: first, employees as spokespeople for an organization, and, second, employees as marketers for themselves, which can provide insight into their employers and companies. In the first category, there was recently a post on LinkedIn by the Chief Information Security Officer (CISO) of a high-profile company with thousands of connections, followers, and interactions on posts. In one post that stood out, the CISO mentioned the benefits of a specific password manager and how successful it had been for their organization. While password managers can be wonderful, and the advice is both sound and potentially helpful, the CISO has now disclosed the password manager most likely used in their organization by highlighting a single example.
Once this organization’s password manager is disclosed publicly, a variety of potential social engineering attack vectors are presented. The first vector that comes to mind is convincing targets to use a credential harvester that mimics the login page of the password manager. Once the social engineer (SE) obtains a username and password for the password management account, they could be mere seconds away from obtaining all of a user’s passwords, including any shared passwords used by the organization. Though two-factor authentication may provide an extra hurdle to accessing the contents of a password management account, it is by no means impervious to a savvy and determined SE. This CISO has put the company at risk, though was ultimately attempting to be helpful to all.
Second, how professionals interact with the world can provide insight into themselves, their expertise, and their affiliated companies and colleagues. To grow a personal marketing strategy, one is often personable and shares personal and professional anecdotes. A way to endear oneself to others is to make them feel trusted BY you, a la amygdala hijacking. Amygdala hijacking is detailed in Paul Ekman and Chris Hadnagy’s book, Unmasking the Social Engineer and, though it is not specifically referenced to personal marketing, it is absolutely translatable. Once others feel trusted by you, they feel part of your tribe, they follow you, they care about you and your voice, and this can be used to boost a personal brand. So, how do others feel trusted by you? By sharing bits of your authentic self with them. This is where treading the line of being a personable security professional enters.
There are many examples on Twitter of professionals sharing information in anecdotes that is overly sensitive for specific reasons. For example, referencing the airline you fly, the time you fly it, or the ride-share company you use is valuable open source intelligence (OSINT) for malicious social engineers. Furthermore, emphasizing the use of any subscription service, be it Netflix or Spotify, carries a similar risk. The attack vector these actions expose is that they all reference service vendors that are paid regularly. A common security question when banking is to authenticate by verifying recent purchases. Subscription services are one of the few fixed costs and are charged at predictable points in the month. Additionally, quotes for the price of ride-shares between points A and B are available on Google Maps, so if an SE can discover the starting and ending points of a trip they can get close to the price likely paid, which they can use to build rapport and verify themselves with financial institutions.
Once an SE knows recent purchases, or likely recent purchases, they may have a convincing vector into a target’s personal and corporate finances, depending on how the finances are organized. Additionally, if the target holds a credit card from the airline shared in the post, that could be an additional vulnerability. These vectors can be used to access personal financial information, or the financial information of an employer or company. As security professionals, it is critical to lead by example; as educators, this is even more crucial.
How Can Professionals Share Securely?
This is not meant to suggest that sharing on social media should be avoided or that advice should not be publicly given; there are just some important things to think about while writing a post. Ask the following questions:
- Are there specific vendors disclosed in the post?
- Are you endorsing the vendor, or is the vendor a service you use personally?
- Would you want your grandparents or parents to share that they use that vendor?
- Do others in your organization use that vendor?
- Do you pay that vendor?
- Does your organization pay that vendor?
- Did you pay the vendor around the time of your post?
- Is there a way to share the same endearing story without disclosing the specific vendor?
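The checklist above can be turned into a pre-publication check that a draft post is run through before it goes out. The following is an added example, not code from the original post; the vendor names AcmeAir, AcmeRides and AcmeVault, the recency phrases, and the sample posts are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed configuration: vendors the author pays personally and vendors the
# employer pays. Replace with your own lists; the Acme names are placeholders.
PERSONAL_VENDORS = {"AcmeAir", "AcmeRides", "Netflix", "Spotify"}
ORG_VENDORS = {"AcmeVault"}

# Phrases that tie a vendor mention to a point in time (a recent purchase).
RECENCY = re.compile(
    r"\b(just|today|tonight|yesterday|this (?:morning|afternoon|evening|week)|"
    r"last night|landed|on my way)\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    kind: str      # "personal_vendor", "org_vendor" or "timing"
    match: str     # the text that triggered the finding
    question: str  # the checklist question the author should answer


def review_post(text, personal=PERSONAL_VENDORS, org=ORG_VENDORS):
    """Return the checklist items a draft post trips, in a stable order."""
    findings = []
    for vendor in sorted(personal | org):
        if re.search(rf"\b{re.escape(vendor)}\b", text, re.IGNORECASE):
            if vendor in org:
                findings.append(Finding("org_vendor", vendor,
                                        "Does your organization pay that vendor?"))
            else:
                findings.append(Finding("personal_vendor", vendor,
                                        "Do you pay that vendor?"))
    # A timestamp only matters once a paid vendor is named in the same post.
    if findings and (m := RECENCY.search(text)):
        findings.append(Finding("timing", m.group(0),
                                "Did you pay the vendor around the time of your post?"))
    return findings


def is_safe_to_post(text):
    return not review_post(text)


# Constructed sample drafts.
POST_TRAVEL = "Just landed after a smooth AcmeAir flight, grabbing an AcmeRides car now."
POST_ORG = "Our team rolled out AcmeVault as our password manager and adoption is great."
POST_GENERIC = "Password managers make shared credentials far easier to rotate."
```

Running `review_post` on the travel draft flags both vendors and the word "Just"; the generic draft, which makes the same point without naming anyone, passes clean.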
When sharing, ensure the advice given is good advice grounded in generalities, not specifics. In the first story, of the CISO sharing a specific password manager, they could have made the same beneficial point, that password managers can make an organization more secure, by referencing an article suggesting many top password managers, like this one. This strategy can be applied to personal posts as well. Think of ways to tell the story without alluding to any particulars.