The security perils of social networking
06 December, 2012 11:18
The last few years have really seen the explosion of social networks; examples include Facebook, LinkedIn and Twitter, to name a few. A lot of us are using them, and employees are demanding access to them at work.
There are definitely advantages to the use of social networking. The key ones are listed below:
- Increased employee productivity and operational efficiencies through employee synergies fostered by easier communication lines
- Foster creativity and innovation through greater collaboration
- Enhance partner and customer relationships through better communications
But with the advantages come the pitfalls of social networking. The main ones are discussed below:
- New attack vectors – The advent of social networking has seen new security concerns and attack vectors emerge. There has been a shift in technology through web services that are empowering server-side core technology components, as well as Asynchronous JavaScript and XML (AJAX) and Rich Internet Application (RIA) clients that are enhancing client-end interfaces in the browser itself. These technology components, both on the server side and in the browser, present attack vectors for intruders to exploit and increase the attack surface that could be utilised to launch web-based or browser-based attacks
- Worms and phishing attacks – There has been an increase in the spread of worms and phishing attacks through popular social networking sites. These trick unsuspecting users into clicking on malicious URLs or visiting malicious websites that download malicious content onto their machines. Examples that come to mind include Koobface, which targeted Facebook, MySpace, hi5, Bebo, Twitter and other sites, and Fbaction, which targeted Facebook. The common element in all of these is that they take advantage of the implied trust that social networking users have in each other
- Trust – Or lack thereof. Social networking users tend to rely on the data that they receive on social network sites. Some of the data may be accurate, but a lot of the data is unverified and cannot be relied upon. Unfortunately when this data is used in a work context, the results can be disastrous if the data is inaccurate
- URL shortening – Shortened URLs are increasingly used in social networking forums, particularly on Twitter, to save on character length. The risk is that these URLs may point to malicious sites, and the real destination cannot easily be seen because it is hidden behind the shortened URL
- Reputation – Damage to company brand / reputation through inappropriate comments or remarks from employees on social networking sites
- Copyright violation – Third-party material such as essays, articles and photographs is used without written consent from the proprietor
- Failures in the use of social networking – For a variety of reasons, most companies that use social networking don’t approach it the way they would any other mission-critical technology. They simply dabble in it; without a strategy and proper metrics based on a business case, social networking projects are likely to remain small and mismanaged, and likely to fail, resulting in wasted corporate time and money
- Productivity – Users employ social networking tools for non-productive purposes, such as socialising (Social Notworking!)
- Technical integration – Most organisations note that integration between individual Web 2.0 applications (which social networking sites are) and their overall infrastructure is a major concern. This limits the usability and applicability of social networking sites in the work environment
- Litigation issues – Discrimination, defamation, violation of privacy and harassment are some of the potential concerns that might result in litigation issues
- Loss of privacy – Whatever is posted on social networking sites remains permanently public. The data is not hidden, it is not encrypted, and removing the data can be very challenging.
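The URL-shortening point above is easier to act on with a small tool that reveals where a shortened link actually leads before anyone clicks it. The following Python script is an added example, not code from the original post. It follows the redirect chain one HEAD request at a time (never auto-following, so every hop is visible), stops on loops or excessive hops, and reports the final host so it can be compared against the organisation's own allow- or block-lists. The shortener host list and the `SAMPLE_REDIRECTS` map are constructed for the offline demonstration; `head_location` is the live lookup you would plug in instead.

```python
"""Reveal the destination of a shortened URL without opening it in a browser.

Added example for this post, not the author's code. The shortener host list
and the sample redirect map below are constructed for illustration.
"""
import http.client
from urllib.parse import urlparse, urljoin

# Constructed, non-exhaustive set of well-known URL shortener hosts (assumption).
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}
MAX_HOPS = 10


def is_shortened(url):
    """True when the URL's host is a known shortener."""
    host = (urlparse(url).hostname or "").lower()
    return host in SHORTENER_HOSTS


def head_location(url, timeout=5):
    """One HEAD request; return the next Location (absolute) or None.

    Redirects are deliberately NOT followed automatically so that the
    caller sees each hop of the chain.
    """
    parts = urlparse(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "link-checker/1.0"})
        resp = conn.getresponse()
        if 300 <= resp.status < 400:
            loc = resp.getheader("Location")
            return urljoin(url, loc) if loc else None
        return None
    finally:
        conn.close()


def unshorten(url, lookup=head_location, max_hops=MAX_HOPS):
    """Walk the redirect chain manually.

    Returns (final_url, chain, complete). `complete` is False when the hop
    limit was reached or a redirect loop was detected; both are worth
    flagging rather than silently trusting the last URL seen.
    """
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        nxt = lookup(current)
        if nxt is None:                 # no further redirect: final destination
            return current, chain, True
        chain.append(nxt)
        if nxt in seen:                 # redirect loop
            return nxt, chain, False
        seen.add(nxt)
        current = nxt
    return current, chain, False        # hop limit reached


def review(url, lookup=head_location):
    """Summarise a link for a reviewer: was it shortened, where does it end up."""
    final, chain, complete = unshorten(url, lookup)
    return {
        "shortened": is_shortened(url),
        "final_host": (urlparse(final).hostname or "").lower(),
        "hops": len(chain) - 1,
        "complete": complete,
        "chain": chain,
    }


# Constructed redirect map standing in for live HEAD responses (offline demo).
SAMPLE_REDIRECTS = {
    "https://bit.ly/abc123": "https://t.co/xyz",
    "https://t.co/xyz": "https://www.example.com/page",
    "https://bit.ly/loop1": "https://bit.ly/loop2",
    "https://bit.ly/loop2": "https://bit.ly/loop1",
}


def sample_lookup(url):
    """Offline stand-in for head_location using the constructed map."""
    return SAMPLE_REDIRECTS.get(url)


if __name__ == "__main__":
    for u in ("https://bit.ly/abc123", "https://bit.ly/loop1",
              "https://www.example.com/"):
        print(u, "->", review(u, sample_lookup))
```

Using a HEAD request per hop rather than a GET with automatic redirects keeps the checker from fetching page bodies from a possibly hostile host, and the `complete` flag turns loops and long chains into something a triage process can flag instead of ignore.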
Having discussed some of the issues related to social networking, let’s now turn our attention to the controls that we could apply:
- Policies and procedures – develop an Acceptable Use policy that details how social networking sites and applications can be used and define consequences for failure to comply
- Risk assessment – Establish what information is most critical to the business and understand how this information might become vulnerable and how to protect it. If it is classified as ‘Internal Only’ or ‘Secret’ then it should not be posted on Twitter!
- Education and Awareness – Inform users of the information security risks involved and how to guard against them. For example, only install or run applications from trusted sources approved by Corporate IT
- Vulnerability assessments – Identify, quantify and prioritise the potential vulnerabilities that social networking may present to the organisation, then address these as part of the overall Risk and Vulnerability Management process
- Firewall – Utilise next-generation firewall technology (e.g. Palo Alto Networks) that offers granular control of social networking functionality. Identify applications regardless of port, protocol, evasive tactic or SSL. Identify users regardless of IP address. Scan application content in real time. Gain visibility and policy control over application access.
Summarised below are some of the upsides and downsides of social networking:
As discussed above, social networking can have multiple advantages to the organisation. However, as with any technology, the risks must be managed well in order to exploit the benefits without exposing the organisation to obstacles along the way.