A new campaign from the Office of the Director of National Intelligence urges clearance holders, “Don’t Be This Guy” – the one who overshares on social media and opens himself up as a victim of social engineering.
It’s a problem intelligence leaders know about firsthand. The CIA director recently discovered social engineering can be very useful in identifying email passwords or password reset “challenge questions.” A teen hacker was able to take control of Director John Brennan’s email account by tricking an employee into providing some of Brennan’s personal information, and then using that information to reset his password. It goes to show almost anyone can be a victim, and points to why it’s probably not best to share your SF-86 paperwork via email.
One of ODNI’s videos specifically highlights the danger of unsolicited contact by a recruiter. In the video, a clearance holder is lured into providing his clearance level and the specific names of projects or contracts he’s working on – all without vetting the individual asking the questions.
In another video, ODNI urges clearance holders to “Raise Your Shield,” directly cautioning against posting information to sites without establishing strict privacy controls. ODNI offers several cautionary statistics:
- 15 percent of social media users publicly share their birthday
- 17 percent post what high school they attended
- 29 percent don’t use strong passwords (the CIA director may share this characteristic)
Given those statistics, and the risks, does that mean clearance holders shouldn’t participate in social media at all? Not necessarily. Security clearance attorney Sean Bigley offered this advice for clearance holders looking to network, but avoid the security risks:
- Set your social media accounts to private and/or consider using an alias on social media.
- Use difficult passwords – and challenge questions – that cannot be guessed by someone who knows you, and employ a combination of letters, numbers and symbols.
- “Friend,” “add,” or “follow” only people who you know.
- Keep any job or clearance-related information off your profiles.
- Only respond to job recruiter inquiries from vetted sources – like ClearanceJobs.com.
Christopher Burgess, CEO and co-founder of Prevendra, a security strategies consultancy, notes the volume of recent breaches further emphasizes the need for vigilance, rather than negating it.
“Your responsibilities include understanding how individuals may use the various pieces of data public and private (compromised data sets) to approach you. Fictional LinkedIn profiles can be used to appeal to your professional interests. Facebook and Google+ groups and communities can be stepping stones to personal virtual relationships,” he says.
In the past, government clearance holders may have doubted they were targets – a relative few are spies, after all. They’re more likely to be analysts or accountants. The Office of Personnel Management’s 20-million-person breach is a reminder, however, that in the quest for government secrets, every employee is a target. As the ODNI campaign aptly states, we should all strive to avoid being “That Guy.”
Lindy Kyzer is the editor of ClearanceJobs.com and a former Defense Department employee.