Does Sociability Compromise Security?
May 11, 2010
Do you allow your employees to use Facebook, Twitter, LinkedIn and others from your corporate network? Or do you have a “no social media on the corporate network” policy? If you’re part of the first group, read on: you have some serious security issues to consider.
In the old days, when Web 1.0 was all the rage, a website developer or administrator published all the content and end users simply read it. Things were relatively safe as long as the usual perimeter and endpoint protections were in place. Life has become more complicated in recent years with the launch and subsequent popularity of Web 2.0. This new age of collaboration introduced a fun and innovative way for end users to communicate via social media sites such as Facebook, Twitter, MySpace and many, many others. However, because a single social media page pulls content and scripts from many different sites and servers, most of them outside your control, Web 2.0 has made it significantly harder to truly secure your users’ browsers.
Trust is really at the root of the problem. Social networking sites give users a sense of trust they shouldn’t have: content appears to come from friends and colleagues, but anyone can post it. Unfortunately, that misplaced trust opens the door to a variety of new attack vectors. If you don’t have the right policies and solutions in place, there’s a pretty good chance that sooner or later the bad guys are going to use social media to get at your corporate data.
How will they do it? There are a few different strategies we’re seeing.
- In some instances, criminals create malicious websites (or compromise legitimate sites through those sites’ own vulnerabilities) that host malware, and redirect users to them in various ways. Once a user lands on the malicious site, their system becomes infected. At that point the attacker is limited only by their imagination. Most commonly, the malware starts harvesting information from the user’s system, such as passwords or corporate data, and then either streams it back to a predetermined host controlled by the attacker or collects it in batches to be emailed or otherwise funneled out of the network.
- More recently, spear phishing has become the attack strategy of choice. With this method, criminals first gather information about your employees from social networking sites.
This brings up another common oversight or gap in many organizations’ current information security policies. For example, should your employees be allowed to disclose that they work for you? How about which division of the company they work in? How about which project or program they are working on? All of this information can be used to make a spear phishing email convincing.
Once the attacker has gathered enough information about the intended target, they send personal-looking emails to your end users to gain their trust, then direct them to websites to visit or applications to install, which delivers the malware infection. Cross-domain attacks are also common: the point is to get users to click links they normally wouldn’t, because of the trust they now place in the attacker’s bogus company or request. Once a user is infected, it is again up to the attacker’s imagination what they do with their new victim.
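Whichever way the malware got in, the behaviour described in the first strategy above (periodic call-backs to a predetermined host, or a large volume pushed out in one go) is visible in your web proxy logs if you look for it. The following is an added example, not code from the original post: a small Python script that parses a constructed, simplified proxy log (timestamp, client IP, destination host, bytes sent) and flags client/host pairs whose requests arrive at near-constant intervals or whose outbound volume is unusually large. The log format, the host names and the thresholds are assumptions for illustration; real proxies use their own layouts, so the parser would need adapting.

```python
"""Flag likely beaconing or bulk exfiltration in web-proxy logs.

Added example, not part of the original post. The log layout below is a
constructed, simplified one; the thresholds are assumptions, not tuned values.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample (not a real capture): workstation 10.1.4.23 calls back to
# one external host every ~5 minutes and pushes ~50 KB each time; 10.1.4.77
# just browses normally. "update.example.org" stands in for an attacker host.
SAMPLE_LOG = """\
2010-05-11T09:00:02 10.1.4.23 www.facebook.com 512
2010-05-11T09:00:03 10.1.4.23 static.ak.fbcdn.net 210
2010-05-11T09:00:04 10.1.4.23 update.example.org 48210
2010-05-11T09:05:05 10.1.4.23 update.example.org 51977
2010-05-11T09:10:04 10.1.4.23 update.example.org 50118
2010-05-11T09:12:40 10.1.4.23 twitter.com 640
2010-05-11T09:15:06 10.1.4.23 update.example.org 49880
2010-05-11T09:20:04 10.1.4.23 update.example.org 52304
2010-05-11T09:01:10 10.1.4.77 www.linkedin.com 730
2010-05-11T09:03:55 10.1.4.77 www.linkedin.com 1320
2010-05-11T09:17:02 10.1.4.77 mail.google.com 2048
2010-05-11T09:31:45 10.1.4.77 www.linkedin.com 890
"""


def parse_log(text):
    """Return a list of (timestamp, client, host, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, sent = line.split()
        records.append((datetime.fromisoformat(ts), client, host, int(sent)))
    return records


def find_beacons(records, min_hits=4, max_jitter=0.2, min_bytes=100_000):
    """Group requests by (client, host) and flag pairs that either

    * beacon: at least `min_hits` requests whose inter-request gaps have a
      coefficient of variation (stdev / mean) no larger than `max_jitter`, or
    * bulk-upload: total bytes sent to the host reach `min_bytes`.

    Returns a list of (client, host, [reasons]).
    """
    by_pair = defaultdict(list)
    for ts, client, host, sent in records:
        by_pair[(client, host)].append((ts, sent))

    findings = []
    for (client, host), hits in by_pair.items():
        hits.sort()
        reasons = []
        if len(hits) >= min_hits:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
            avg = mean(gaps)
            # Near-constant spacing is the hallmark of an automated call-back;
            # human browsing is bursty and irregular.
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                reasons.append(f"beaconing: {len(hits)} hits every ~{avg:.0f}s")
        total = sum(sent for _, sent in hits)
        if total >= min_bytes:
            reasons.append(f"bulk outbound: {total} bytes")
        if reasons:
            findings.append((client, host, reasons))
    return findings


if __name__ == "__main__":
    for client, host, reasons in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {host}: {'; '.join(reasons)}")
```

Run stand-alone it reports only the 10.1.4.23 to update.example.org pair, for both reasons. On real logs the thresholds need tuning to your environment (software updaters and webmail auto-refresh also beacon), so treat hits as leads for an analyst rather than verdicts, and note that none of this works unless outbound web traffic is actually forced through a logging proxy.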
There are a number of things you can do to protect your company and mitigate the threats:
- Implement an IT security program with sound policies – Adopt or update your existing Acceptable Internet Usage policy so employees know what information they are allowed to post online about the company. The less raw material an attacker can collect, the harder a convincing spear phishing email is to write.
- Implement the right technologies – At this point, you should already have anti-malware/anti-virus software installed on every corporate computer; keep in mind that signature-based tools alone will not catch every piece of targeted malware, so they are a baseline, not a complete answer. In addition, consider investing in data leak prevention (DLP) solutions to help enforce your corporate policies on what content may be posted online or allowed to leave your network at all.
- Continually educate your employees – A lot of cybercrime relies on an end user’s lack of knowledge. Regularly update and run user awareness training sessions or “brown bag” events to teach your users the common threats they will face, and to keep them current on the latest attacks being carried out.