In recent years, social networking has exploded in popularity and use within the business environment. One of the initial efforts of the current presidential administration was to bring social networking to the federal sector. Based on this article, those efforts have increased the adoption of social media within the workplace.
Survey results referenced in the document indicated 92% of federal respondents utilize social media from home and 74% utilize social media at work. Keep in mind these are federal employees and the use of social media at work means these items are being accessed during work hours.
The expansion is further confirmed by the social media initiatives available through GSA and USA.gov. These initiatives appear to be intended to improve information distribution and sharing with citizens. For example, a quick peek at the GSA Facebook page provides information on equipment donations to schools, an Energy Saving Light Fair and federal property sales, among many other topics. These are items which are not readily available for viewing through the nightly news, daily newspaper or informational flyers. It is information being shared with citizens on the fly.
As a United States citizen, I find this an interesting capability which never existed for past generations. It reminds me a little of the GEICO commercial where Paul Revere gets a cellphone. Imagine the difference it could have made. However, let's also imagine what would have happened if the shoe had been on the other foot. What if the “Red Coats” had been able to pull up GPS data on those cellphones? Knowing the moves and actions of the patriots as they occurred could have seriously changed the country we find ourselves in today. Unfortunately, the open and uncontrolled use of social media enables exactly this kind of capability.
Some U.S. agencies still provide publicly accessible employee directories. A brief search of any of these directories can provide a comprehensive listing of every employee currently working at a respective organization. This information generally extends to tell you their work email address and work phone number. This information alone is highly beneficial to further information collection via social engineering. However it also allows for more targeted collection of more detailed information on specific agency employees. In a brief exercise at SecureState, we took this information and performed a quick social networking search to see how easy it would be to find more information on these employees.
As a quick sample, the following are some of the items found on the second employee searched:
I believe one could craft a very good spear phishing campaign on this person just based on these screen shots. In fact, I would be willing to go so far as to say they are a scientist given the listed interest. So if I were searching for scientific research, this would be a great avenue to pursue using favorite sports teams, music interests, etc. A quicker return on this investment may be to package a Java exploit into the phishing probe and see what the quick remote code execution provides. Once the attacker has gained access to the user’s workstation, they could use a number of network based attacks, such as the vulnerability fixed in MS08-067, to gain entry to other internal systems. So what? How does this relate to “Hacking FISMA”?
Well, if you take a look at FISMA law and the corresponding guidance which exists from the National Institute of Standards and Technology (NIST), DoD8500, DIACAP, or even FedRAMP, social media is not yet addressed. This means there is a high likelihood that federal organizations, though they provide the capability, are not ready from a security and forensic analysis stance to manage the security implications of social media. Many commercial organizations who have been working in this arena for a longer duration still struggle with the management and boundaries of social media. Without additional guidance for federal organizations, it is reasonable to expect those struggles will continue in the federal sector.
How does the federal government achieve a secure state when it comes to social media? Generally, a Risk Management Framework in the form of NIST or DIARMF is utilized. A gap in one or both of these frameworks leaves open vulnerabilities to the threat of data collection on people, processes and activities. Unless the federal government can provide secure solutions, with better control over what employees post about their employment relationship with the government and how they post it, the issue will persist. Failure to do so will allow the continued rise in phishing and social engineering attacks currently being experienced, as shown in the “Fiscal Year 2012 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002”.