Network managers have a whole new attack surface to manage: the vast multitude of potential entry points created by social media sites, each one offering new opportunities for malware or information loss.
Managing network security is all about controlling the attack surface.
If your network users need to communicate with services A, B, and C through channels X, Y, and Z, it's not impossible (with a little elbow grease) to manage the potential attack surfaces in the network and control the security risk. When it was all about communication with email and a few Web applications, network security could be better managed, because you knew where the potential holes were and could close them off when new threats were revealed.
But now network managers have a whole new attack surface to manage: the vast multitude of potential entry points to a network created by the use of social media sites. And as social media services get more robust, the potential for a security breach goes up almost exponentially for both your organization and individual users themselves.
It's become a well-known scenario: An employee visits a social media site on a corporate machine during some idle time and ends up picking up a piece of malware from one of the dozens of trojans that proliferate through that site. That malware may just turn the machine into a spam generator, if you're lucky. More sophisticated malware will log keystrokes and provide the malware author with plenty of authentication information from your network.
Users themselves are particularly at risk while using social media sites, because if one of their social media accounts gets compromised, it's a fair bet their password will be repeated on other sites. This leaves them vulnerable to being hacked on banking and commerce sites, which can impact their productivity as they spend days if not weeks trying to get their online and financial identities back in order. Not to mention what happens if they use the same password for your network.
Depending on the brazenness of a criminal targeting your company, your very organization can even be put at risk. A recent story on Inc. related the tale of a manufacturing company undergoing an expansion of their warehouse and announcing it to the world at large on their corporate blog, Facebook, and Twitter.
"As the day for the big move approached, they told customers about potential shipping delays, but said they'd return with better service than ever.
"On the first day, several men wearing the uniforms of a well-known logistics company showed up to help with the move. With dozens of legitimate workers swarming around the site, they blended in easily and no one questioned them as they loaded equipment into their own van. They drove off before anyone realized they were interlopers," the article related.
This kind of incident is rare, but virtual criminal activity doesn't have to remain virtual; reports of armed robberies and assaults around Craigslist-initiated sales meetings are also on the rise.
This article was originally published on Friday Feb 4th 2011
Social networking security policies: Should you ban?
As a networking manager, it's not your responsibility to keep employees safe from harm on their own time. But there are some policies you can consider implementing that will decrease the size of your network's attack surface and--if implemented with a fair dose of training--will also keep your co-workers safe on their own machines.
One policy that bears exploring is the straightforward banning of social media activity on your network. That may indeed be necessary, if your organization's Internet policy already discourages personal use of company assets. It's a little hard to police that kind of policy on email, since you can't really tell what messages are personal or business without treading into privacy waters. But unless the user is with sales or marketing, it's a pretty reasonable assumption that they aren't on Facebook or Foursquare for business reasons.
Of course, this won't make you popular, and it doesn't address the larger problem of social media: it's still very easy to phish for information across social media networks. Phishing attacks are rampant on all forms of communication, but they are especially troublesome on social media because it's not that hard to fool someone. If open source guru Simon Phipps tweets me a link from @webmink, will I notice that it's really from @webmink2 before I click the link to a fake login page? Hopefully yes, but if I'm not paying attention, I could just as easily be fooled.
Education and password management
Most experts agree that a two-pronged solution is needed to control the size of the social media attack surface in your organization.
The first is purely an educational tactic: deliver the message to users that if they are using social media, they must never assume that a link or software download is actually from a friend--even if it's from their friend's account. They need to challenge such receipts and confirm that the package was indeed intended to be delivered.
The second approach is to enforce better password management. This is partly educational, since you will need to convince users that it's in their best interests to have different passwords for each network and service they visit anyway. But you have some control over this, as well: Implement a password policy that will enforce a password change every month. Even if the user has used like passwords across multiple sites, it is very unlikely that will continue to be the case after a month or two of resetting passwords on your network. They may still have a problem with a single password for multiple sites, but your network won't be one of them.
On the broader problem of social media as a corporate attack surface, make sure you impress upon the people in your organization who do use social media to do their jobs that care should be taking in sharing information about the company or its employees. Social media is a great tool to reach customers, but it's not just your customers who are listening to what your company has to say. Think about risk in every corporate statement, even a tweet.
Brian Proffitt is a technology expert who writes for a number of publications. Formerly the Community Manager for Linux.com and the Linux Foundation, he is the author of 20 consumer technology books, including the most recent Take Your iPad to Work. Follow him on Twitter at @TheTechScribe.