Why Professional Networks such as LinkedIn or Xing Endanger Corporate Security

An experience report by the SySS Red Team

Professional networks such as LinkedIn or Xing are very popular with many employees. Companies themselves often like to see their employees' activity there as well, since every post potentially increases the employer's reputation. But anyone who proudly presents themselves as a member of a particular company on social networks can inadvertently cause great damage to their employer.

This is reported by Christoph Ritter, Head of the Red Teaming department at SySS. In an experience report, he describes how employee IDs in particular can become a gateway for attackers.

"DO YOU HAVE ANY CERTIFICATIONS?" "OF COURSE": WHEN EXCLUSIVE KNOWLEDGE BECOMES PUBLIC KNOW-HOW

"A red team assessment always starts with a so-called open source intelligence analysis. This means that we query public sources in order to find as much information as possible about the set goal and possible ways to achieve it. Two of the first sources we search are LinkedIn and Xing. Here, employees of the respective companies are happy to share information that is more likely to be viewed critically from an IT security perspective. Through the profiles in professional networks, we often find out which software the company works with or what the employee IDs look like. Both are more helpful for attackers than most people might be aware of.

So how do we find out which software a company is using? We search for the company name and receive an extensive list of profiles. Here you can see at first glance what role an employee has in the company. We then filter the results for IT employees and application managers. From these profiles, it is usually very easy to deduce which software is being used. Employees generally advertise their knowledge and certifications in the software or hardware used. In this way, we can already get a first idea. This knowledge can be used very well for phishing campaigns, for example. A phishing e-mail to employees could then contain the request: "The XY software will be abolished and replaced by the new XYZ software. Please test the account with the following URL ...". The message would have great plausibility due to the software known from everyday working life, and clicking on the link is therefore very likely.

"MY FIRST DAY AS MARCEL SOMMER": THE EMPLOYEE ID AS AN ADMISSION TICKET FOR ATTACKERS

The permissive use of employee IDs in professional networks is another advantage for attackers. "My first day with XY" or "After 10 years with XY, today is my last day" are often reasons to proudly post one's employee ID in the form of a photo. It is often underestimated what an attacker can do with the mere knowledge of the design of an ID card.

What is done with this knowledge as part of a red team or physical assessment? We simply create an ID card that looks identical and use a picture of one of the SySS consultants. When we enter the building, we wear the ID clearly visible. Some companies have no separation systems, so everything else is a piece of cake there. Once physical protective measures have been taken, one has to be a bit more creative. For example, one could simulate the ID falling to the ground and then "dive" under the turnstile when picking it up. However, once in the building, strangers with the appropriate clothing and a visually correct-looking ID are usually no longer addressed. This allows us to move around the building freely and even introduce ourselves as a new colleague from the IT department who needs to use the computer for a moment.

In summary, we can therefore say: The information that we find on professional networks such as LinkedIn or Xing does not usually allow us – and therefore real attackers – to carry out a successful attack directly. But they are important puzzle pieces that facilitate an attack and increase the chances of success. Therefore, they should never be underestimated.

INCREASING CORPORATE SECURITY MEANS: INCREASING AWARENESS

Solving the problem is very difficult. Posting employee ID cards may be prohibited by company policy. The disclosure of skills in programs, etc. cannot be regulated by employers. Only awareness training can help here, which vividly shows the possible consequences of such behavior and thus raises awareness of corporate security issues.

DO NOT HESITATE TO GET IN TOUCH +49 (0)7071 - 40 78 56-0 or anfrage@syss.de | OUTSIDE REGULAR OFFICE HOURS CALL +49 (0)7071 - 40 78 56-99

As a framework contract customer please dial the provided on-call service number
