Seven deadly sins of social networking security

To users of LinkedIn, Facebook, Myspace, Twitter or all of the above: Are you guilty of one of these security oversights?

Admit it: You are currently addicted to social networking. Your drug of choice might be Facebook or Twitter, or maybe Myspace or LinkedIn. Some of you are using all of the above, and using them hard, even IT security practitioners who know better.

While it's impossible to escape every social networking threat out there, there are steps one can take to significantly reduce the risks. CSOonline recently checked in with dozens of IT security professionals (ironically, using more than one social networking platform to do so) to pinpoint seven typical security mistakes people make, and how to avoid them.

Over-sharing company activities

This is a sin of pride, when someone gets excited about something their company is working on and simply must tell everyone about it. Maybe you work for a drug company that is on the verge of developing the cure for cancer. Maybe the company is developing a new car that runs on curbside trash -- in other words, something everyone will want.

By sharing too much about your employer's intellectual property, you threaten to put it out of business by tipping off a competitor, who could then find a way to duplicate the effort, or spoil what they can't have by hiring a hacker to penetrate the network or by sneaking a spy into the building.

Then there are hackers controlling legions of botnets that could be programmed to scour a company's defenses and, upon finding a weakness, exploit it to access data on the intellectual property. With the data in hand, the hacker can then sell what they have to the highest bidder, which just might be your biggest competitor.

"Sharing this kind of information could lead to targeted attacks on specific technology-producing enterprises," says Souheil Mouhammad, a senior security expert at Altran Technologies.

This sin has sparked a debate in the security industry about whether companies need to revise their employee computer use policies with more specific language on what is/isn't allowed in the social networking arena.

To rein in the urge to share too much, it might be useful to repeat this saying, which has started to appear in the public domain: "Loose Tweets Sink Fleets."

Mixing personal with professional

This sin is closely related to the first, but extends beyond the mere disclosure of company data. This is the case where someone uses a social network for both business and pleasure, most commonly on Facebook, where one's friends include business associates, family members and friends.

The problem is that the language and images one shares with friends and family may be entirely inappropriate on the professional side. A prospective employer may choose to skip to the next candidate after seeing pictures of you drunk or showing off a little too much leg at someone's birthday party. In sharing such things, you also stand a good chance of making the company you represent look bad.

"In my view one of the major rules when engaging in social networking is to be aware that your words belong in the public domain," says Paul V. de Souza, chief security engineer at AT&T. "You may be quoted all over the Internet, so make sure to choose your words carefully. Be diplomatic and extremely professional."

In some cases, it's nearly impossible to separate business from the personal on a social networking site. Those who work for media companies, for example, are sometimes required to use all their social networking portals to proliferate content in an effort to boost page views which, in turn, attract potential advertisers. But wherever and whenever possible, security practitioners work to keep each locked in their respective boxes.

"You have to understand very clearly what the objective of your presence on any given social network is. If it is for work, keep it for work only. If it is for personal/fun use, keep it for personal use only," says Benjamin Fellows, a senior IT security and risk consultant at Ernst & Young. "I can't tell you how many times I have been invited to Facebook by a work colleague only to find things on their wall or profile that are definitely not politically correct or are downright offensive. I keep all my work friends in LinkedIn and my personal friends in Facebook. Even then, I am very careful what I say on either site. I guess you could also put this under the heading of know your audience."

Engaging in Tweet (or Facebook/LinkedIn/Myspace) rage

For the person who has just been laid off or had their professional integrity called into question online, the urge to fire back with a stream of vitriol can be irresistible. Call this a sin of wrath.

"You don't want to get into a flame war," says John Bruggeman, a Cincinnati-based IT director. "Be mindful of what you say and imagine you are at a party where everyone is listening, including your boss, spouse or future employer."

Scott Hayes, president and CEO of Database-Brothers Inc., agrees, saying, "Posting any content when angry is about as dangerous as sending flaming emails, if not more so. Think twice about clicking 'submit' because the world may be looking at your angry, immature rant for years."

Believing he/she who dies with the most connections wins

For some social networkers, it's all about accumulating as many connections as possible. Folks on LinkedIn are notorious for doing this, especially those in such LinkedIn groups as TopLinked and LION. This may seem harmless enough or, at the worst, just annoying. But when the name of the game is quantity over quality, it's easy to link or "friend" a scam artist, terrorist or identity thief.

"Always verify the person who wants to get in contact with you," says Ruud van den Bercken, a security specialist at XS4ALL Internet in the Netherlands. "Do you know him or her? If not, why is the person trying to connect with you? Check if the profile of the other person is secured. If you can't retrieve a list of that person's connections, you have to ask yourself" if you really want to go down that road.

As San Francisco-based network and security architect/engineer Jatinder Thukral puts it: "I'd rather have 50 relevant contacts than 500 unknowns."

Password sloth

Another common sin is one of laziness, in this case picking passwords for your social networks that you're least likely to forget. In many cases, that means using the same password for LinkedIn and Facebook that you're using for your online bank account or work machine. If someone with malicious intent figures out the password for one social network, that person can now go and access everything else.

"Using the same password on several sites is like trusting the weakest link in a chain to carry the same weight. Every site has vulnerabilities, plan for them to be exploited," says Daniel Philpott, information security engineer at OnPoint Consulting Inc.

Trigger finger (clicking everything, especially on Facebook)

Facebook in particular is notorious as a place where inboxes are stuffed with everything from drink requests to cause requests. For some social networkers, clicking on such requests is as natural as breathing. Unfortunately, the bad guys know this and will send you links that appear to be from legitimate friends. Open the link and you're inviting a piece of malware to infect your machine. Christophe Veltsos, president of Prudent Security, describes this as being "click-happy" and warns, "Don't click unless you're ready to deal with drive-by downloads and zero-day attacks."

Endangering yourself and others

All of the above tie into the seventh and perhaps most serious sin, which is that reckless social networking can literally put someone's life in danger. It could be a relative or co-worker. Or it could be yourself.

Security experts advise extreme caution when posting birthday information, too much detail on your spouse and children, etc. Otherwise, they could become the target of an identity thief or even a kidnapper.

At the CSO Executive Seminar on Data Loss Prevention in Chicago, last month, Motorola CSO Bill Boni expressed his reservations about using Twitter, calling it a great way to get one's self kidnapped. "Don't be a twit," Boni said to those who might feel the need to divulge every detail about their location and what they're doing.


Stories by Bill Brenner
