Over the past couple of weeks, a number of situations have emerged that have highlighted for me how the nature and veracity of online security threats are changing. For example, one of my neighbors sent a Facebook message to her social network indicating that she had encountered some problems while traveling in England, and was looking for one of her friends to help her out. The biggest problem turned out to be that she was not in London or having any problems -- her Facebook account had been hacked.
Social engineering has been a common form of hacking for as long as we've had computers. At the root of social engineering hacks is trust -- a hacker's ability to establish a rapport with someone who unwittingly helps the hacker achieve his/her goal. In today's world, social engineering takes on a slightly different but potentially more effective slant. Social networks like Facebook are trust networks -- the trust has already been established. A malicious user need only compromise an account, and immediately gains access to an electronic trust network ready for social engineering.
The situation gets worse when you consider that a compromised social technology account probably has more than enough information contained in it to enable identity theft: name, birthday, home town, email address, other online identities (which may use the same password as the compromised account), etc. Consider for a moment how much information you have stored about yourself in your top 3 online accounts.
Crime and abuse powered by social technologies also have a much greater capacity and speed than traditional social engineering. Whereas previously I might be limited in my social engineering efforts to talking to one person at a time on the phone, with one social account I can simultaneously approach 100 people or more. If only a small fraction of them respond, I probably have what I was looking for. And the responses are likely to arrive very quickly. This week saw a user poll delivered through Facebook about assassinating President Obama. To their credit, Facebook and the US Secret Service responded rapidly, but not before more than 750 people had voted. As evidenced by this as well as the litany of viruses that have been plaguing Facebook, Twitter, and Reddit, our technology pace is exceeding our adaptability, and the situation is likely to continue.
In the long term, the only way companies are going to be able to mitigate many of these risks is through better software -- software that not only is more secure by design and operation, but also software that is able to help analyze, detect, predict, and prevent malicious behaviors in real time. I am being quite deliberate in selecting the term "behaviors", as I believe our history has shown repeatedly that no amount of system planning or design rigor can fully account for creative minds looking to find and exploit weaknesses (remember the dinosaurs in Jurassic Park?).
One easy example of using software this way is text mining; for example, flagging messages or applications where "kill" and "President" exist close together. Similarly, analytical rules can also be used to solve some problems: if a Facebook user who always logs in through an NC ISP's IP address suddenly starts logging in from western Europe, and is still logging in to the same account from NC within 2 hours, flag the account. Credit card companies do this routinely.
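The login rule above can be written as a small detection routine. This is an added example, not code from SAS or Facebook, and it generalizes the rule to any two regions seen on one account within the window. The event layout, the region labels (assumed to be resolved from IP addresses upstream), and the function name are assumptions; the sample logins are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)  # the 2-hour window from the rule above

# Constructed sample events: (account, ISO timestamp, region).
# Region labels are assumed to come from an IP-to-location lookup done upstream.
SAMPLE_LOGINS = [
    ("alice", "2024-01-01T08:00:00", "NC"),
    ("alice", "2024-01-01T12:30:00", "NC"),
    ("alice", "2024-01-01T13:10:00", "Western Europe"),
    ("alice", "2024-01-01T14:05:00", "NC"),
    ("bob",   "2024-01-01T09:00:00", "NC"),
    ("bob",   "2024-01-02T18:00:00", "Western Europe"),  # a day later: plausible travel
    ("carol", "2024-01-01T10:00:00", "NC"),
    ("carol", "2024-01-01T10:20:00", "NC"),
]

def find_conflicting_logins(logins, window=WINDOW):
    """Return {account: [(earlier, later), ...]} for logins from
    different regions that occur within `window` of each other."""
    by_account = defaultdict(list)
    for account, ts, region in logins:
        by_account[account].append((datetime.fromisoformat(ts), region))

    flagged = {}
    for account, events in by_account.items():
        events.sort()  # chronological order per account
        # Once sorted, two regions seen inside the window always
        # surface as at least one adjacent pair with differing regions.
        pairs = [
            (prev, cur)
            for prev, cur in zip(events, events[1:])
            if prev[1] != cur[1] and cur[0] - prev[0] <= window
        ]
        if pairs:
            flagged[account] = pairs
    return flagged

if __name__ == "__main__":
    for account, pairs in find_conflicting_logins(SAMPLE_LOGINS).items():
        for (t1, r1), (t2, r2) in pairs:
            print(f"FLAG {account}: {r1} at {t1} then {r2} at {t2}")
```

Only the account that switches between NC and Western Europe inside two hours is flagged; the account that shows up in Europe a day later is not.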

The real power, though, comes in looking for behavior patterns. In March, SAS launched a fraud detection and prevention analytical product called SAS® Social Network Analysis. It applies link analysis to fraud detection and prevention, marketing, customer segmentation and pretty much anything else you want to feed it where you want to pinpoint suspicious individuals, activities and transactions. The basic idea is powerful in its simplicity: if I see a pattern of behaviors that does not resemble "usual" patterns of behavior (usual being defined by comparable groups of behaviors), I should probably check it out. The interesting thing to me about this technology is that it is capable of detecting very complex relationships -- such as collusion among a group of 5 people -- that would be difficult for a person to easily detect.
If you are interested in seeing an application of this type of technology within healthcare, check out SAS' Healthcare Fraud Framework.