LinkedIn Breach Part II: What You Need to Prepare for Next

Saturday, June 09, 2012

Jason Clark


The recent LinkedIn breach made headlines, but I want to go deeper and provide practical advice for organizations on how they can anticipate any DLP consequences and tighten their network security.

As the world’s largest professional social network, LinkedIn is unique because it has legitimate uses for almost every employee.

LinkedIn’s password breach could result in three serious ramifications for businesses everywhere:

  1. Cybercriminals can take advantage of trust and social engineering attacks. If you are ‘linked’ to a trusted colleague you are more likely to click on a malicious link sent from them, which may open the door to targeted attacks and confidential data theft.
  2. Many LinkedIn accounts are tied to other social media services, such as Facebook or Twitter, so posts with malicious links can also be spread to a larger audience.
  3. Most of us are creatures of habit and have the same password for multiple accounts. The consequences of a breached password could reach across email, social media, banking accounts, and mobile phone data.

In my last post, I provided an email template for you to share with employees about changing their individual passwords, but it doesn’t stop there. The truth is many of your employees are going to ignore changing their passwords. 

So what next? Well, to be honest, you are just getting started.  First, we need to look at the three likely attack scenarios that might develop from this breach:

  1. Employees are tricked into clicking a malicious link from a trusted colleague through their compromised friend’s status feed (this could be a broad or targeted attack).
  2. A generic spam email is sent from compromised accounts to one of your employees, leading them to a malicious site.
  3. Sophisticated attackers collect data on their target (your CEO, CFO, etc.), find a suitable LinkedIn contact to compromise and send a tailored lure, which will likely lead to data-stealing code. 

You need a strategy to protect against these and other attack scenarios. Here’s a seven-step check list for mitigating your risk.

  1. Educate, educate, educate your employees. An ounce of prevention can do wonders for your organization’s security. After you have educated, use tools like to test whether employees are “getting it.”
  2. Double-check your core best practice procedures. Are all your security solutions up to date?  
  3. Verify your social media controls and ensure all related policies are current. 
  4. Review what solutions and settings you have in place to protect against targeted attacks. People post true and explicit details about their background on social media sites, which makes them ripe for socially engineered attacks. Can you prevent targeted attacks from email, the web, and mobile devices?
  5. Prepare to spend more time following up on suspicious events or activity. This means digging into logs with more urgency to ensure you have not been targeted or compromised.
  6. You need to be able to monitor data in motion. Your data loss prevention solution should block sensitive information from leaving the network via both email and web channels, not just discover that it’s lying around on the wrong server. Make sure you have this capability.
  7. In addition to DLP, investigate what other outbound security measures you have to identify and contain botnet or other malicious activity.
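Steps 5 and 6 above call for monitoring data in motion and for follow-up on the events that monitoring produces. The following is an added example (not code from the original post or from any product the author describes) of the core decision a data-in-motion DLP control makes: inspect an outbound email or web body for sensitive identifiers before it leaves the network, block when something is found, and emit a log line an analyst can follow up on. The identifier patterns, the Luhn filter, the channel names and the sample messages are all assumptions constructed for illustration.

```python
"""Minimal outbound (data-in-motion) DLP check.

Added example, not part of the original post. The detection patterns and the
block/allow policy below are illustrative assumptions, not a vendor's rules.
"""
import re
from dataclasses import dataclass, field

# Assumed policy: payment card numbers (13-19 digits, optional spaces/dashes),
# US Social Security numbers, and an explicit classification marker.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MARKER_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from random digit runs
    (order numbers, tracking IDs) that the regex alone would flag."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    action: str                       # "block" or "allow"
    findings: list = field(default_factory=list)  # (type, last-4 / marker)


def inspect_outbound(channel: str, body: str) -> Verdict:
    """Decide whether an outbound message body may leave the network.
    Findings keep only the last four digits so the log itself does not
    become a second copy of the sensitive data."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("card_number", digits[-4:]))
    for m in SSN_RE.finditer(body):
        findings.append(("ssn", m.group()[-4:]))
    if MARKER_RE.search(body):
        findings.append(("classification_marker", "CONFIDENTIAL"))
    action = "block" if findings else "allow"
    return Verdict(action, findings)


def log_line(channel: str, sender: str, verdict: Verdict) -> str:
    """One line for the SOC queue (step 5: follow up on suspicious events)."""
    kinds = ",".join(f"{t}:{v}" for t, v in verdict.findings) or "-"
    return f"dlp channel={channel} sender={sender} action={verdict.action} findings={kinds}"


# Constructed sample traffic: (channel, sender, body).
SAMPLE_MESSAGES = [
    ("email", "alice@example.test",
     "Hi, attaching the Q2 deck. Card on file: 4111 1111 1111 1111 thanks"),
    ("web", "bob@example.test",
     "Order ref 1234 5678 9012 3456 shipped"),          # fails Luhn: allowed
    ("email", "carol@example.test",
     "Applicant SSN is 123-45-6789, please process"),
    ("web", "dave@example.test", "Lunch at noon?"),
]


def run_samples() -> list:
    """Inspect every sample message and return its log line."""
    return [log_line(ch, who, inspect_outbound(ch, body))
            for ch, who, body in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for line in run_samples():
        print(line)
```

The Luhn filter is the part worth noting: a bare digit-run regex blocks order numbers and tracking IDs as readily as card numbers, and the resulting false positives are what make teams turn a blocking control into a discover-only one. Keeping only the last four digits in the finding stops the DLP log from becoming another place the sensitive value is stored.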

The potential implications for your business are serious. Talk with peers and find out what other steps they are taking. If you have any questions or thoughts, post comments here. 

Tom Coats "3. Most of us are creatures of habit and have the same password for multiple accounts. The consequences of a breached password could reach across email, social media, banking accounts, and mobile phone data."

I take offense at that; that would put me and most of us into the same category as Aaron Barr, HBGary Federal and “kibafo33.” Arrogant fools deserve what they get. I hope that this "lesson" will be well remembered. It is not as if it were unexpected, and perhaps it will make it easier to sell due diligence, but there will always be fools, and they should not be suffered.
Andrew Baker Well stated advice.

We need a good mix of education and technology (DLP in particular) to continue to attack this problem. At the end of the day, everyone needs to be security conscious all the time.

Don Jackson Speaking first as someone who does not use any of these social networking portals (LinkedIn, Facebook, eHarmony, etc.): whatever reason a user wants to justify is their business; my reasons are defined because I am a security professional who grew up as an administrator, and I know that these businesses are not as concerned as one may want them to be, or as they would have you believe they are, with the information that is entrusted to them.

Let's be real about this, OK: the ONLY reason that we even know about any of these data/system breaches is because of laws passed, mostly at the state level, which require these companies to fess up when they’ve been pwned, and I do think it is as simple as engaging the federal government to act with even stiffer penalties when this does happen.

These companies are encouraging us to “use the cloud for this… pay by phone for everything… set up your profile here to meet people like you or look for employment…” but when you read (and I do) the privacy policies and EULAs, they never say or PROMISE to protect your information or that they will notify you if a breach happens; no, they’re more interested in telling you how they will use it, which third parties have access, and so on. Here is a question for anyone here… what type of mandatory audits do these companies have to face… SOX because they are public, but does SOX address services that LinkedIn provides, or does it just focus on the business and how it protects its internal systems?

As far as users are concerned… they are a whole different problem. As Andrew pointed out, you do need to educate them, but what do you do when education fails... I think you need to punish them so that the others will understand that protecting the data and the “network” of systems and data is not just lip service; it's serious business. If we’re going to hold these companies responsible, then users should be held to a higher standard also, as well as the senior people who make the decisions that allow a user to create and use a weak password.
Andrew Baker Punishing users is easier contemplated than executed, because many of the most common offenders are politically untouchable (i.e., the C-suite).

Also, education is an ongoing thing. I know we'd all like to tell people something security related 2 or 3 times and have that be the end of it, but that's not how life works. (And I'm doubly aware of this as a parent.)

We keep educating them, and working with vendors to develop new tools and processes until things DO improve. It might seem like we've made little progress in security, but that's only because functionality and new technology keep creating new opportunities for breaches. There has been a great deal of improvement in the security landscape over the past decade, and there will continue to be some.

In the meantime, I expect more people to be individually impacted, and more businesses to feel the pain of poor security over the next 2 years or so, which will go a long way to having people change their behavior.

As IT and InfoSec professionals, we cannot necessarily bring consequences, but if organizations do not heed the warnings we generate, they will feel.

As my parents used to say, "If you can't hear, you will feel..."
