CHIPS Articles: Securing LinkedIn — Protecting Your Professional Online Presence

It is a critical defensive measure for everyone to properly configure their social media and professional networking accounts. You must understand that regardless of how effectively and completely you control your LinkedIn settings, there is no way to completely hide your profile. While you can take steps to reduce your risk exposure, you cannot be invisible online. You should be aware that unless you change the default settings on your public profile, it will still be visible even to those who are not LinkedIn members. Further, this information can be indexed by search engines. As a recommendation: Do not put anything in your public profile you would not want the world to see, such as email addresses, telephone numbers or geographical addresses, anywhere but in the appropriate fields.

You can build and maintain an online presence across a variety of platforms; but like all social networking sites, it comes with risk. Be wary of every piece of information you share, or that may be shared about you. The résumé details you post online today could make you the target of a hostile intrusion or security investigation tomorrow.

LinkedIn actually offers many security features to protect the identities of users. It offers varying levels of user identity authentication, none of which guarantee the LinkedIn member is the person their profile purports them to be. With the basic free membership, all that is required to join LinkedIn is a valid email address. LinkedIn verifies the email address by sending a verification email. When the recipient clicks the link included, the email address is verified. However, valid email addresses can be obtained from any number of free and completely anonymous email providers.

LinkedIn does offer paid memberships tailored to preferences and these require a credit or debit card to pay for LinkedIn membership fees. Since untraceable gift cards are readily available and look and operate like credit cards, in reality, anyone with an intention to deceive can, with minimal effort, obtain a LinkedIn membership. This is not to suggest that LinkedIn is riddled with impostors. Quite the contrary, LinkedIn has hundreds of millions of members, like you, using the site for legitimate purposes.

Since LinkedIn attracts many professionals, people in positions of responsibility and trust, like you, its members may be more attractive targets for criminals. Therefore, you should consider the following to ensure your security and refer to the recommendations in Figure 1:

• Do not include you have a security clearance in your profile.
• Exercise appropriate skepticism when contacted by someone not known to you regardless of how credible their LinkedIn presence appears. Not everyone on the internet is who they claim to be.
• Be cautious when considering a connection request because the requestor’s network includes people you know only vaguely.
• Seek and accept connections that add quality to your professional network and consider the ramifications of accepting connections that do not.
• Do not accept connection requests based entirely on the strength of the requestor’s network. People sometimes build phony networks and try to use this fake information to more easily facilitate social engineering attacks.
• Don’t post your résumé. LinkedIn is like the front page of the New York Times. Don’t publish anything there you wouldn’t want repeated back to you by your security officer, or reported in the nightly news. Organizational names like the DON CIO, and specific military departments, like the Navy, shouldn’t be included in your résumé.
• List employment history broadly. LinkedIn asks you to include every employment site so it can tailor advertisements and connections for you. Be mindful that the more detailed information you share, the greater the intelligence target you become.
• Don’t connect with anyone you wouldn’t recommend for a job interview.
• Only access LinkedIn via the platform URL not through an email invitation which can be used in spear phishing attacks.
• Sell your soft skills. Recruiters who are searching for job candidates with a security clearance aren’t using LinkedIn as their primary source. Recruiters use sites such as LinkedIn to verify soft skills after reviewing your résumé on a secure, password-protected site such as ClearanceJobs.com.
• Monitor your online accounts. If an online account has been compromised, immediately change your password.
• Be vigilant and mindful of various cyberattack trends. Cybersecurity is everyone’s responsibility. To keep current with all cyber-related alerts from the Department of Homeland Security (DHS), check the National Cyber Awareness System homepage at https://www.us-cert.gov/ncas.

For guidance on the secure use of Department of the Navy issued devices, the following resources are available on the DON CIO website:

• Amplifying Guidance to the DON Acceptable Use Policy Regarding Collaboration Tools (DON CIO Memo / April 1, 2020): This memo provides amplifying guidance on the acceptable use of Department of the Navy government-furnished IT equipment. Note: Use of collaboration tools greatly enhances our warfighting and business process capabilities during the COVID-19 crisis; however, the use of unauthorized collaboration tools on DON IT networks and devices could expose critical security information or introduce vulnerabilities.
• Acceptable Use of DON Information Technology (DON CIO Memo / Feb. 25, 2020): DON IT resources greatly enhance our warfighting capabilities and user productivity. However, when used inappropriately and without regard to good practices, these same resources increase the DON's exposure to malicious intrusions, expose our most critical information to threats, and increase costs through spillage and higher bandwidth requirements.

Mr. Doug James is a cybersecurity expert in the DON CIO Chief Information Security Officer (CISO) Directorate.