Watch what you post
Posted by: Andrew Jefferies
on Jun 15, 2009
Social media is all the buzz these days. Along with the increased popularity of these services comes the increased cries from security professionals to "watch what you post". Most people focus on the issues of privacy and reputation when they think about social media. Those are certainly important considerations but just as important are the security risks. That's what this post is going to focus on.
This is not a new problem. As long as I have been doing penetration testing, social engineering and blind vulnerability assessments (around 9 years), I have used similar technologies to my advantage. Newsgroups have long been a great resource for gaining knowledge of a customer's systems.
For example, searching for "[customer name] problem" in a newsgroup search will often pull in all kinds of interesting and insightful results. I have found full configuration files, usernames, application paths and all sorts of other useful technical tidbits about my client's networks.
Enter the new social media: Twitter, Facebook, MySpace, blogs, etc. My experience is that these new venues aren't nearly as good when it comes to technical information about a company. However, they are an endless supply of information about staff. This is gold for social engineering, or in any situation where a list of employees and their interests is useful. For example, user account brute-force attacks are much easier if you have a list of names to start from. Add to that a list of subjects that interest them, their dog's and kids' names and their birthday, and you have 99% of their passwords.
So what can you do about this? Well, you will never be able to stop people from posting personal information. However, you can and should educate them about the dangers of posting it. You should also have strict policies around posting any information about your enterprise. Beyond that, you should protect yourself from the consequences of this information (inevitably) being out there. For example, have a strict password policy that doesn't permit the use of personal information in passwords and forces them to be complex. You should also make sure you are training your staff on social engineering and how to identify it. Just because someone knows your dog's name doesn't mean they know you, right?
Social media isn't going away, and the only thing we can do as administrators is make sure that the information on these sites isn't easily used against us.