Starting a new job is news that many people can’t resist blasting to their friends and colleagues on social media sites. To underscore their excitement, many people are using their new employee ID badges to serve as the iconic image of their freshly-minted success—a trend we call “badge bragging.” While innocent in nature, posting employee credentials online can pose an unintended security risk for companies.
While technology has evolved from the PC era to an explosion of connected devices, so too have attackers’ methods. Social media has become a fountain of knowledge for attackers, giving them unlimited access to victims’ personal information, photos and whereabouts. People often post what they believe is benign information, but in the hands of a cybercriminal, the details found on a badge can lead to unauthorized access to sensitive business and personal information, or to physical access to buildings.
Today’s sophisticated hackers use special digital tools to aid in reconnaissance operations before attempting to infiltrate physical and virtual spaces. These tools can quickly comb through large amounts of information casually posted by people on sites like Twitter, Facebook, or LinkedIn to help them construct attack plans. Despite security researchers’ advances in stopping new techniques and platforms, these attackers are able to exploit the weakest link in any system—human behavior. The same technology that companies trust to restrict access can ultimately be undone with a single posting to a social media site.
From Digital to Physical Risk
The Symantec Cyber Security Services team has observed a trend across a variety of social media platforms where employees have posted high-resolution badge photos, which unwittingly opened the doors to targeted attacks by cybercriminals.
One such example involved a new employee—we’ll call him “Richard”—who had just started a job at a prestigious hospital. Richard was thrilled about his new job and posted a picture of his new employee badge on his favorite social media channel. A skilled attacker who had been trying to gain access to the hospital where Richard works would be equally thrilled, because the photo of Richard’s hospital badge could be the key piece of Open Source Intelligence (OSINT) the attacker needs to get in.
An employee badge photo can be a treasure trove of information to an attacker. This hospital badge showed Richard’s full name, his level of education (including his degree), the name of the hospital, the branch name, and the department Richard worked in. In the caption of his post, Richard proudly named his first day, and the badge itself included its expiration date. From those two dates, an attacker could work out that the hospital rotates badges every four years, meaning a copied badge could remain usable for years. Because Richard took the photo with a smartphone, the high-resolution camera left the barcode clearly visible. The attacker could also notice from the photo that the badge was clipped to fabric, suggesting that Richard presents his badge to hand-held scanners when he needs access within the hospital. And because the image is a high-quality photo, the attacker could easily produce a usable copy of the badge.
Using Stolen Information for Cybercrime
Aside from the unauthorized physical access the attacker could gain, an adversary would now have all the information required to conduct a targeted cyber attack against Richard, his department and the hospital. The attacker could craft a convincing spear-phishing email, since it could include Richard’s name, department and employee ID number. A simple subject line like “Mandatory New Hire Training” could become the perfect bait for the trap. Given a high-resolution badge photo, an average hacker would need only about 15 minutes to dissect the badge and decode the barcode.
Taking Proactive Security Steps
While social media continues to provide attackers with a wealth of information, the positive side is that the “human element” is also one of the easiest weaknesses to correct. Symantec’s Cyber Security Simulation team constantly researches threats of all types that might impact its customers. Often, it is a lack of training on the part of a company’s security staff and employees that creates the risk. For example, if the hospital security staff had noticed how much information was printed on an ID badge, they could have taken appropriate action to prevent it from getting into the wrong hands. This kind of proactive stance mitigates the risk of a badge being replicated. Furthermore, if the hospital security staff had known how easily a badge can be replicated from a single photo, they could have suggested that the hospital adopt a more secure badging system or institute a policy on posting sensitive information to social media.
There are a few best practices enterprises can follow to ensure their employees stay “security smart”:
- Create a “living” policy: Develop a policy for employees that addresses posting images or details about work activities online. Provide clear examples of acceptable and unacceptable behavior, such as “don’t allow your badge to be photographed.” Ensure all employees demonstrate an understanding of the policy and agree to follow it. Update the policy as needed to account for new social media tools and other technology changes.
- Make security part of new employee onboarding: Any training for new employees should include education on the policy to avoid any confusion from the outset. Provide some simple tips to employees:
  - Do not allow yourself to be photographed with your company badge visible.
  - Do not display your badge while not on corporate property.
  - Maintain positive control over your badge and report it lost or stolen immediately.
- Regularly reinforce good hygiene: Use consistent communication with employees to reinforce good behavior, making sure to highlight any recent attacker trends.
How Symantec Cyber Security Services Helps Organizations Improve Cyber Readiness
Increasing the level of cyber readiness within your organization is instrumental when it comes to strengthening employees’ ability to prevent and detect attacks. Incorporating engaging security training and simulation exercises for both IT professionals and non-technical employees will help them understand the latest cyber attack methods in a way that resonates with their specific role and access level.
Symantec Security Awareness Service educates all employees on best practices for concepts like creating and remembering a strong password, as well as how to stay safe when working remotely. This is a cornerstone in pulling all users of your network into the security conversation and bridging the gap between the security teams and the rest of the organization.
Symantec Phishing Readiness and Security Simulation both give participants hands-on experience and allow them to step into their adversaries’ shoes to learn their methods, motives, and tactics. Through Symantec’s approach to cyber readiness, Richard’s employer could have learned of the potential risk, corrected the issue, and greatly reduced the likelihood of their systems being accessed by adversaries.
Findings like this social media post are fed into all of Symantec’s cyber readiness offerings to keep the messaging and scenarios current. This gamification of skills development helps level the playing field, providing a more engaging, immersive, real-world experience than traditional security skills training.
Learn more about Symantec Cyber Readiness and how it can help your team stay abreast of the latest tactics being used to exploit the human component of security.