Anthropologist Robin Dunbar famously observed that most people can only maintain relationships at one time with 150 people. The average on Facebook is 120-230. And of that, only a fraction really matter to us. Penetrating a small circle is usually very difficult, especially if they are members of a network based around a tie that cannot easily be faked or replicated. Social media, however, is changing the security dynamics of "small" groups. By geographically disaggregating friend network locations and mixing professional and personal worlds together, it becomes easier to use deception to achieve targeted entries into professional ecosystems.
The Robin Sage case is famous because it illustrates the perennial problem of deception in small ecosystems:
In just a month, Sage made connections with hundreds of people from the U.S. military, intelligence agencies, information security companies and government contractors. The 25-year-old navy cyberthreat analyst was invited to speak at security conferences and offered jobs at companies including Google and Lockheed Martin. ... But there was a slight hitch: Robin Sage did not exist. The pretty cybergeek, supposedly educated at the Massachusetts Institute of Technology (MIT) and a prep school in New Hampshire, was in reality an avatar created by a security researcher to find out how social networking sites could be used to covertly gather intelligence.
Granted, Sage was easy on the eyes. But she also used a basic social engineering technique -- manipulating social proofs -- to gain her access. By accumulating lots of shared friends and contacts, she gained credibility by proxy with others. If you saw a friend request from Ms. Sage, you might also see a list of shared friends. While most focus on the "honey pot" aspect of men in the national security world chasing a young, pretty woman or the problem of sharing information on social network sites, the issue of social proof is really the most significant aspect.
Assuming Ms. Sage was a balding man and the pages she accessed were scrubbed of important details, the problem is still that she was able to use social proof to get the access in the first place. Small social ecosystems -- especially those based around a common interest that is geographically dispersed -- are uniquely vulnerable to this. Someone at the fringes of a small ecosystem can rather easily move in. Besides the embarrassment of being hoaxed and the potential exposure of valuable information, the revelation of deception in small groups tends to have a deleterious effect on group trust. While this is merely unfortunate in a group of close friends, it can be deadly to a professional network in today's age of cross-disciplinary and cross-agency collaboration. Having a solid understanding of one's own network is essential. Hub users that have a lot of friends tend to be the first targets of Robin Sages, since they are easy to add in order to build up a database of mutual friends that may entice a prospective target to believe that the Robin Sage is legitimate.
The move towards more and more compartmentalization of human "data" on social networks will follow small ecosystem deception -- putting a premium on the ability to juggle multiple networks simultaneously while keeping touch with a very small, carefully selected group. Google+'s Circles and Facebook's growing set of lists is one example. Others may try more extreme remedies. The social network Path heavily limits on the size of your network in order to keep it targeted towards your immediate friends and family.
Whatever path technology takes, social engineering is likely to remain a crucial security problem.
Crossposted at CTOVision.