Of course, hackers can collect that information even if you don't provide it all in one place. To guard against that, Gudaitis suggests varying your screen name.
Imagine, she says, if a hacker were able to track a specific systems administrator's or help desk technician's every move online, gathering information from message boards and forums, because the victim used the same screen name everywhere. "If I were an adversary, I could start to link all that information and even chat them up to better understand their network and system architecture," she says. "If we looked up every post someone had . . . we could put the puzzle pieces together."
Companies can also look inward at some of their own practices to close social engineering security gaps. In addition to advising employees to choose password-reset challenge questions that can't be answered through research, you could also follow Google Inc.'s leadand send password information to employees' cell phones instead of their e-mail addresses.
Hiring practices are another area in which security can be tightened. Winkler suggests screening the social networking habits of job candidates not just for stereotypical areas of concern, such as amoral behavior, but also for how active they are in social media and how likely they are to do things like expose personal information and voice extreme political views.
Perhaps most key, says Desautels, is designing your infrastructure and managing your sensitive data with an eye toward minimizing damage in the event of an intrusion. He stresses the importance of using encryption, recording and logging network activity, classifying data and putting your most sensitive data in a zone that can't be reached through the network. With a properly designed infrastructure, "you can keep a successful penetration from being successful in stealing your data," he says. "Just because they break in, they don't have to put you out of business."
In the end, it's really about finding a balanced way to leverage social media while minimizing risk, Weider says. For him, social engineering threats are certainly among his top 10 concerns, but they're nowhere near No. 1. "It's something I take seriously," he says, "but I do think there's a balance between reasonable risk and the likelihood of these various things taking place."
Brandel is a Computerworld contributing writer. Contact her at marybrandel@verizon.net.
