Social Engineering Audit

Social engineering attacks are the most prevalent types of attacks against IT systems. This is primarily due to the fact that they directly attack the weakest link in any IT system...the users. While there are many ways to lock down, or secure data residing on a computer or other device, securing data held in the brains of users is difficult to secure for a number of reasons. People have the ability to reason and even redefine rules, while computers do not. If you tell a computer to not allow access to a particular file by a particular user, the computer will do just that. However, a human can be tricked into giving up all sorts of information, often without even knowing that they have done so.

For this lab, you will conduct a social engineering audit on various social media websites. Almost every social engineering attack begins with the collection of data. The aim of collecting this data is to discover ways in which the target of the attack can be tricked into giving up potentially valuable information. This initial data can take many forms: birth dates, addresses, user names, pictures, phone numbers, names of co-workers or relatives, and much more. Often times this seemingly innocent data can be used to either directly impersonate someone the target trusts, or to build a collection of data which can be used to know more about the movements, personality, or general life of the target.

This lab has two parts, as described below:

Part 1: Gathering data

To accomplish this part of the lab, you will access some social media sites of your choice. Obviously Facebook is a veritable treasure trove of personal data. However, there are many others like Flickr, Twitter, YouTube, LinkedIn, and Instagram, which you might also consider. Locate data posted by or about users (they could be friends and family, or people you don't know) which you feel could be exploited in a social engineering attack. This data can consist of many different things, but should pose a potential security risk for the user, or others. For example, my sister-in-law recently posted a baby shower invitation on Facebook to all her friends. Since my sister-in-law is a heavy Facebook user, the invitation was undoubtedly viewed by many people my sister-in-law does not even know. A baby shower invitation might not seem like a big deal, but think about what it contained. My sister-in-law's home address for sending gifts for non-attenders. A time frame when she will not be home (because she will be away at the shower), and the address of where she will be during that time. Do you see the potential security problem here? This is only one of many examples I see on social media sites all the time.

Part 2: The analysis

After you have gathered data from various social media sites which you feel could be used in an attack, you will conduct an analysis of your OWN social media accounts. Look at the types of data you felt were potentially dangerous for other users, and compare it to data you have exposed to the world from your own social media accounts. After conducting the analysis of your own social media account(s), complete a 1 - 2 page written response regarding your data gathering and analysis. Describe the types of data you found others posted, and how the data could be used in a social engineering attack (please do not include any names or actual specific data you found). Include the analysis of your own social media accounts. Was there data that you decided to either delete from your social media accounts, or types of data you will refrain from posting in the future?