IT Security Workers Are Most Gullible of All: Study
Study shows that even security professionals aren't terribly good at deflecting social engineering attacks, a problem that their organizations' IT departments must solve.
Enterprise IT security professionals should be among the most diligent defenders of their corporate and personal information, you might think.
You'd be wrong.
A new study by security software vendor BitDefender should serve as a wake-up call to IT security professionals: it suggests that the very people responsible for safeguarding enterprise networks are the most likely to divulge sensitive personal and corporate information to a stranger through a social networking site.
To arrive at their conclusions, security researchers selected a popular social networking site (which BitDefender did not identify) with enough registered users to easily accommodate a fairly random selection of 2,000 people (1,000 male and 1,000 female, mean age 27.3 years). Next, BitDefender created a "test profile" of a nonexistent 21-year-old woman described as "fair-haired" and a "very, very naïve interlocutor": in other words, an attractive novice who was just trying to figure out how this whole social networking thing worked by asking a bunch of seemingly innocent, fact-finding questions.
With the avatar created, the fictitious person sent out 2,000 "friendship requests," relying on the bogus description and made-up interests as the lure. Of the 2,000 users pinged with a "friendship" request, a stunning 1,872 (nearly 94 percent) accepted the invitation. The vast majority (81 percent) of them did so without asking any questions at all. Others asked a question or two, presumably along the lines of "Who are you?" or "How do I know you?", before eventually adding the new "friend."
Considering the rampant abuse of social networking sites, such as Facebook, MySpace and Twitter, by hackers, phishers and malware peddlers, this alone should strike fear in any IT administrator's heart.
But it gets worse. An astonishing 86 percent of those who accepted the bogus profile's "friendship" request identified themselves as working in the IT industry. Even worse, 31 percent said they worked in some capacity in IT security.
"This result was an unexpected one, as almost all IT security companies lay stress on the e-threats associated with social networks," wrote Sabina Datcu, a BitDefender security researcher, in a post on the company's MalwareCity blog.
Perhaps, the researchers wondered, this abnormally high naïveté among a group of people who should know better, and who are paid to prevent exactly this type of risk, could be explained away as a "study project" undertaken for professional purposes.
Not a chance. Fifty-three percent said they accepted the invite because the bogus profile "had a lovely face." Another 17 percent said they brought the interloper into the fold because she "had a known face but I don't remember the place we've met." Twenty-four percent clicked "accept" because she "worked in the same industry," and the remaining 6 percent took her in because she had "an interesting profile."
Duped into revealing corporate secrets
Pressing further, BitDefender researchers engaged 20 of the more receptive IT workers in extended online conversations with the "fair-haired, 21-year-old" woman. Within half an hour, 10 percent of them had disclosed sensitive information such as their address, phone number, parents' names and other identifying details of the kind typically used to answer password-recovery questions, and therefore to hijack social networking and bank accounts.
It got just plain ugly once the conversation was extended to two hours. By that point, 73 percent of the IT workers who had just "met" this bogus person were disclosing confidential information about their companies, including future strategies and plans and unreleased details of upcoming technologies and applications.
"The results of this study suggest not only that social network users accept unknown persons in their group just based on a nice profile photo, but also that they are willing to reveal personal, sensitive information after a short online conversation," Datcu wrote.
"This means that social networks serve both as a meeting ground where people can present themselves and communicate, and as a starting point for a virtual friendship, which brings people to divulge too much information because of the illusion of anonymity," she added.
Follow eSecurityPlanet on Twitter @eSecurityP.