This article will look at how best to manage the security issues social networking brings to business and if a company decides to stop staff using social networking how can it monitor this and avoid security breaches from threats left behind by computers that have been used to access social networks.
Social networks can simply be described as people having conversations online using a range of communication tools such as Facebook, LinkedIn, Bebo and Twitter. A social network is exactly what it says on the tin, it's a communication network of social contacts and seems to have become the most popular way to stay in touch. Forrester Research stated that the number of people using the web will increase by 45% to 2.2 billion by 2013, the total global internet audience is currently 625M and two thirds of these internet users have now joined a social networking site (417M). This is a huge number of people and consequently the security risks are equally substantial. Businesses must address these risks.
"Social Networking brings with it an extensive variety of risks ranging from identity theft and malware infections to the potential for letting careless employees damage corporate reputation and messaging.”
- Simon Morris
It seems hard to justify the use of social networking in business as the sites are more focused on keeping in touch with friends, sharing photos, video and chatting; however businesses should not prevent employees from catching up with colleagues and talking with friends while in the office, on their tea break or having a cigarette. Staff morale is important and it would be viewed as draconian to block reasonable use of social networking sites at work. Many businesses are now embracing benefits in social networking to bring them closer to their customers and improve brand experience. The uses of social media seem endless, but what are the security issues that businesses need to consider before embarking on a new marketing campaign or allowing staff the luxury of keeping in touch with friends and family at their desks?
Social Networking brings with it an extensive variety of risks ranging from identity theft and malware infections to the potential for letting careless employees damage corporate reputation and messaging. Social networking uses diverse integrated functionality to convey information as well as feature rich functionality including web, chat, audio, video, pictures and integrated applications. As the use of these social networking tools increases in the corporate environment, so too does the inherent information security risks. Many of the applications available for download on these websites can propagate malicious code from third parties, which can include viruses or Trojans and signing up to these could involve consenting to the deployment of spyware. These also pose data leakage and malware risks to any business that allows access to social networking sites.
One of the largest security risks for businesses permitting access to social networking is the fact sites like Facebook offer thousands of integrated applications that its users can install and run. These applications include calendars that allow friends to be reminded when it's your birthday, tools to send friends online greeting cards, quizzes on myriad topics etc. Many have been designed by users and hosted externally which means that there is little regulation or standards to adhere to. In this case one primary security issue is the ability of the application in question to extract profile information which would then be stored at a third party location with obvious security implications.
Another risk for business environments involves the shortening of URLs on sites such as Facebook, LinkedIn and Twitter. While this is not a specific issue of social networking sites it is an effective phishing medium. Users of these sites let down their guard down so easily and this is a huge concern for businesses. Shortening URLs has been born out of a characteristic of social networking type sites because users are limited to the number of characters for messages and posts. To get around this, third-party services such as tinyurl.com can encode the URL into a much shorter version but there is a clear security risk associated with this. The shortened URL does not tell the user the real destination of the link they are clicking on and they only find out once they are there, which may be too late if the site happens to contain drive-by malware.
This article was originally published on Friday Mar 5th 2010
How to tackle the risks:
There is no simple solution to manage these risks. Businesses can implement technical barriers to prevent any use of Twitter, Facebook or similar applications but then the business may have lost a valuable sales and marketing tool in its effort to protect its information security and privacy. Businesses should firstly have an Acceptable Use Policy that details how social networking sites and applications can be used. The policy should also define consequences for failure to comply as this can lead to the termination of employment and legal action. It will always be difficult to restrict what employees do on their personal social networking accounts so it is important for a business to protect its information based on a worst case scenario idea that employees will download malicious code and will divulge information they shouldn't.
It is crucial for organisations to carry out a risk assessment to establish which information is most critical to the business. They also need to evaluate how it might become vulnerable and how to protect it. Assessing current and future risk posed to the business is imperative so action can be taken and high level critical threats can be mitigated. They must also make sure their current infrastructure has the most up to date and application-aware security solutions (including both network and endpoint based solutions) to block any harmful files that may be accidently opened. Employees should receive education on the information security risks involved in their internet access and how they can guard against them - for example, only installing or running applications from trusted sources approved by the corporate IT department.
Many organisations are faced with large volumes of information when looking at their internal vulnerabilities. Pentura believes the most effective method of prioritising these vulnerabilities involves a number of key steps which Pentura has developed as a Vulnerability Risk Assessment (VRA) service. This includes: modeling and mapping the network and importing rules from multiple devices, defining the threat origins and classifying the assets based on importance to the business. This identifies the vulnerabilities presenting the greatest threat to the business, thus allowing remediation and protection of the most important assets. Remediation may involve patching endpoint systems, changing rules on routers or firewalls to prevent the threat from entering the network, or deploying new technology to address the threats. Pentura works with organisations in developing a security strategy to gain visibility of their current security toolsets, identifies their effectiveness, provides consultancy in policy tuning and understands what additional solutions may be needed to address areas not currently covered from a security perspective. These Risk Assessments have a proven track record of success, and in many cases, remediation of the top 30 – 40 threats has dramatically brought down the overall business risk.
Technologies have started to emerge that offer granular control of social networking functionality. Palo Alto Networks offer one such technology that is unique in the firewall marketplace. It allows businesses to gain user application usage visibility and affect a policy to control social networking site access from almost any aspect such as chat, email, apps and file transfer. As well as securing site access, companies that harness web 2.0 functionality for their own use should be mindful of ensuring their applications and website code is fully checked and written in a secure manner which can be validated. Last but not least, use common sense on the internet and in email, by taking an extra moment or two to think about what you've received or are about to do can mean the difference between looking at a seemingly harmless funny photo and risking critical business and personal information such as customer details, business plans, bank account details, all of which you don't want to be in the hands of anyone other than yourself or your business.
Pentura is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th – 29th April in its new venue Earl's Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk