Easy to access, widely used, and outside of enterprise control, social media sites are gold mines for malicious actors. People share a lot of seemingly innocuous information, which is exactly the kind of data that hackers love to collect and use in phishing or spear phishing campaigns.
A recent NopSec 2016 State of Vulnerability Risk Management Report found that organizations use inadequate risk evaluation scoring systems. The report claimed that social media -- which often isn't included in any risk evaluation system -- is now a top platform for cybersecurity.
So, what's the correlation between social media and the rise in malware?
Steve Durbin, managing director at Information Security Forum, said that correlation is a bit of a strong word. "Social media use has increased. Once someone is onto a site like LinkedIn, Twitter, or Facebook, there is almost an assumption that the way you are interacting with others is without risk. Psychologically, your guard is down."
As a result, social media sites have become a useful channel for those who want to spread malware through social engineering.
"From a hacker standpoint, social media is rich picking. We have an environment where by nature the people have very low guard. They will quite readily engage with a third party. It's a great opportunity to gather information that you can make use of from spear phishing to social engineering to push out malware," Durbin said.
According to the NopSec report, "Twitter is becoming one of the top platforms for security researchers and attackers looking to disseminate proof-of-concept exploits. Vulnerabilities associated with active malware are tweeted nine times more than vulnerabilities with just a public exploit and 18 times more than all other vulnerabilities."
Social media is both a lure and a gateway for malware. The sites are attack vectors that sit outside endpoint security, which suggests that relying solely on the CVSS score makes it difficult to prioritize risks. "But its subscores combined with other factors such as context, social media trend analysis, and data feeds deliver a better risk evaluation and prioritization," the NopSec report said.
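The report's point, that CVSS subscores blended with external signals such as social media trend data and threat feeds prioritize better than the base score alone, can be made concrete with a small ranking routine. The following is an added illustration, not code from NopSec or from the article; the weights, the saturation point of the social signal, and the inventory of placeholder vulnerability identifiers are all constructed for the example.

```python
import math
from dataclasses import dataclass


@dataclass
class Vuln:
    """One vulnerability with the signals the report says should be combined.

    Every value here is constructed for the example; the identifiers are
    placeholders, not real CVE numbers.
    """
    cve_id: str
    cvss_base: float        # CVSS v3 base score, 0.0-10.0
    exploitability: float   # CVSS v3 exploitability subscore, 0.0-3.9
    mentions_7d: int        # posts referencing the vuln in the last 7 days (constructed)
    active_malware: bool    # a threat feed reports malware exploiting it (constructed)


# Hypothetical weights; a real program would tune these against its own history.
WEIGHTS = {"cvss": 0.5, "exploit": 0.2, "social": 0.2, "malware": 0.1}


def social_signal(mentions: int) -> float:
    """Map a raw mention count onto 0..1 with log scaling so a single viral
    post thread cannot swamp every other factor. Saturates at 999 mentions."""
    return min(1.0, math.log10(1 + max(0, mentions)) / 3.0)


def priority_score(v: Vuln, weights=WEIGHTS) -> float:
    """Weighted blend of normalised factors; the result lies in [0, 1]."""
    factors = {
        "cvss": v.cvss_base / 10.0,
        "exploit": v.exploitability / 3.9,
        "social": social_signal(v.mentions_7d),
        "malware": 1.0 if v.active_malware else 0.0,
    }
    total_w = sum(weights.values())
    return sum(weights[k] * factors[k] for k in factors) / total_w


def rank(vulns, weights=WEIGHTS):
    """Return the vulnerabilities ordered most urgent first."""
    return sorted(vulns, key=lambda v: priority_score(v, weights), reverse=True)


def rank_cvss_only(vulns):
    """The baseline the report argues against: base score alone."""
    return sorted(vulns, key=lambda v: v.cvss_base, reverse=True)


# Constructed sample inventory: a critical-but-quiet bug, a high-severity bug
# that is being discussed heavily and is carried by active malware, and a
# medium bug nobody is talking about.
SAMPLE = [
    Vuln("CVE-PLACEHOLDER-A", 9.8, 3.9, mentions_7d=0, active_malware=False),
    Vuln("CVE-PLACEHOLDER-B", 7.5, 2.8, mentions_7d=500, active_malware=True),
    Vuln("CVE-PLACEHOLDER-C", 5.3, 1.6, mentions_7d=0, active_malware=False),
]

if __name__ == "__main__":
    print("CVSS only :", [v.cve_id for v in rank_cvss_only(SAMPLE)])
    print("blended   :", [v.cve_id for v in rank(SAMPLE)])
    for v in rank(SAMPLE):
        print(f"  {v.cve_id}: {priority_score(v):.3f}")
```

Run as-is, the CVSS-only ordering puts the 9.8 at the top, while the blended score moves the 7.5 that is trending and tied to active malware ahead of it; the social factor is logarithmic so that the reordering comes from the combination of signals rather than from mention volume alone.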
In the sixth annual Smarsh 2016 Electronic Communications Compliance Survey, 48 percent of the respondents cited social media as the number one channel of perceived compliance risk.
"Even when a firm has banned social media channels, risks remain if employees do not adhere to the ban. In fact, the percentage of respondents who claim to have minimal or no confidence that they could prove the policy of prohibition is working ranges from 30 percent for LinkedIn to 41 percent for Facebook and 45 percent for Twitter," according to the Smarsh report.
The problem for cybersecurity teams is that there is little to no visibility into social media sites because these sites exist outside the network perimeter. Mike Raggo, chief research officer, and Evan Blair, co-founder and chief business officer, of ZeroFOX said, "Social media represents one of the largest, most dynamic risks to organizational security."