The Five Things You Need to Know About Social Networking Security by Rich Mogull, Securosis L.L.C.
Now that the genesis of Facebook is fodder for a major Hollywood film, I suppose we can no longer apply the term "over-hyped" to anything involving social networking. We've moved well beyond such trite terms as Web 2.0, as these tools have embedded themselves into our lives to become the world as we know it.
It seems like only a few years ago that IT security could simply block access to a few social networking services and call it a day. But now even the United States Department of Defense struggles to balance the seemingly contradictory needs of security and access to an important personal communications tool. While some might still consider social networking little more than a distraction or fad, it's clear that these services are as important to younger workers (and members of Congress) as letter writing, newspapers, and oxygen.
With very few exceptions, organizations are finding that at least some level of access to social networking is essential to obtain and retain employees. And, like any communications tool, social networking comes with certain security risks. I like to break social networking security into five buckets: the two major categories of risk, and the three components to your social networking security program.
Two Categories of Risks
From a security perspective, these are the top two major categories of risk:
1. Exploits, Malware, and other Attacks — Fundamentally, social networking is about the construction of trust relationships in the digital world. Sometimes these mirror or extend physical relationships, but they are now just as likely to exist entirely online. Bad guys take advantage of both kinds of relationship (and of trust in the social networking platforms themselves) to execute a variety of malicious attacks. They take over trusted accounts to trick users into running malware, spam, and phish across the network, and sometimes leverage browser or server vulnerabilities to exploit the platform itself. These attack techniques aren't necessarily new, but when an attacker leverages an established trust relationship or personal information shared online, they increase their chances of success.
2. Information Leaks — Whether the disclosure is deliberate or not, social networking platforms are a major channel for leaking sensitive information. On messaging-oriented services like Twitter and Facebook, users will sometimes reveal a little too much about corporate plans or internal workings. When we add blogging to the mix, the potential for long-form exposures increases.
Of these two categories, exploits/attacks are the more concerning. Information leaks are definitely an issue, but you are realistically more likely to suffer a major leak when someone mis-types an email address with a sensitive document attached than through a mistaken tweet.
Three Pillars of Social Networking Security
There are three major components of a social networking security program:
1. Policies — Some organizations allow social networking, some don't, and most fall somewhere in between. Your policies define allowed behavior, educate employees on safety and security, and provide a framework for managing violations. Policies need to cover:
- which social networking services are allowed
- what content employees are allowed to share (e.g., restricting any discussions of the workplace)
- use of extended features like games or file downloads, and
- what monitoring or blocking will be in place.
Policies should also cover the enforcement process, such as when human resources, legal, or an employee's manager will become involved. Don't forget to educate your employees on these policies—making them more aware of potential issues and letting them know someone is keeping an eye on what they might be doing.
2. Inbound Defense — Policies guide human behaviors, but we turn back to tools for our technical defenses. Content security tools filter inbound traffic over the Web, email, and (some) other services. You can use them to block file downloads, which is a major malicious software vector. Anti-malware tools extend protection to the endpoint, and patch management tools help keep your systems up to date and reduce the risk of known exploits. While these layers aren't invulnerable, the combination can significantly reduce the amount of malicious software running in your environment.
3. Outbound Filtering — Data Loss Prevention is an effective tool for monitoring any outbound communications, especially social networking. DLP isn't limited to protecting credit card numbers; you can also build policies to detect and protect usage of sensitive corporate information such as financials, customer lists, or intellectual property.
Social networking is neither good nor evil — it's simply another vector for humans to connect with each other that comes with risks and benefits.
Rich has twenty years of experience in information security, physical security, and risk management. He specializes in data security, application security, emerging security technologies, and security management. Prior to founding Securosis, Rich was a Research Vice President at Gartner on the security team.
The content featured in the Industry Analyst Corner is the sole representation of the author, independent of Websense, Inc.