Monday, March 22, 2010

Is your company social networking?

At the RSA Security conference during the week of March 1st, one of the topics of discussion was securing networks in a web 2.0 world (http://www.itworld.com/security/98911/tweet-social-network-security-risky-business?page=0%2C0&source=ITWNLE_nlt_today_2010-03-04).

Facebook, Twitter, LinkedIn and other social networking sites were until recently considered to be productivity killers. Most companies blocked access to these websites for their employees to make sure their staff members were not using company resources on frivolous time-wasters.

It is a good idea to block access to these sites for another reason. Social networking sites are just another point of exposure to malware, phishing attempts, and viruses. Everyone agreed that it was just best to keep your employees away from social networking.

However, last year marked a turning point in social networking. Employees in sales, HR, customer service and marketing need to use social networking sites to do their jobs. Corporations are now looking to open their doors to social networking, but how do you protect your company from malicious attacks?

Our take on the situation? It's not time to open the floodgates. Social networking is still potentially dangerous.

Your company should continue to block access to Facebook, Twitter and LinkedIn for most employees. Access should be granted on an individual or departmental basis, and only sparingly, using monitored firewall, IPS or Application Security Gateway rules. Check Point and TippingPoint offer good solutions in these areas.

Cybercriminals love social networks because there is a false sense of being in a trusted, safe zone. Employees who do have access to social networking need to be educated that:

  • There is no privacy anywhere on the web. They should assume that anything posted on a social network may somehow become public. Trade secrets are at risk as well as your corporate brand.
  • All links should be treated suspiciously. Social networks use link shortening services like bit.ly and TinyURL. It's impossible to know where such a link will take you. It could be a phishing site that will enable someone to take over your account, steal your information or install a virus or malicious code on your computer.
  • All third party applications should be treated suspiciously. Twitter and Facebook offer thousands of applications that they do not take responsibility for. Be wary when installing one, or giving access to your account.
  • Finally, consider heavily what information you add to your public or semi-public social networking profiles. Remember that things like "High School attended," "Birth Date," "Pet Names," "Sibling Names," etc. are all things used by banks and credit institutions to validate your identity. You wouldn't hand out this information to strangers on the street, would you? Why, then, do people gleefully post this online? I'm actually surprised Facebook doesn't have a "Mother's Maiden Name" field.

Thursday, March 18, 2010

There is No Security Patch for Stupidity

At Razorpoint, we spend a lot of time trying to stay ahead of malicious attackers and cybercriminals. We track the newest, most advanced techniques so that we can work with our customers to repel attacks. That's why we were floored by this article:

http://www.businessweek.com/news/2010-02-18/global-hackers-breached-2-400-companies-security-firm-says.html


According to Bloomberg News, "hackers infiltrated the computer networks of more than 2,400 companies in almost 200 countries over an 18-month period." When we took a closer look at these attacks, we noticed something very interesting:

"The attack uses a piece of software called ZeuS, designed in Eastern Europe, that takes control of large numbers of computers. These so-called botnets of computers are deployed to extract login and personal information related to e-mail, financial and social-networking Web sites."



ZeuS (aka Kneber) is a bot that steals information by keystroke logging. This method of infiltration is over 10 years old and it should not work anymore. Yet it does - because users continue to fall for the same dumb tricks. They open attachments to email that they shouldn't. They respond to phishing emails.

ZeuS and other bots now control more than 100 million computers worldwide. ZeuS targets login credentials for online social networks, e-mail accounts, and banking. Anti-virus software may not offer protection. The primary way to prevent infection is to offer training and security awareness to prevent your employees from clicking on hostile or suspicious links in email and in social networks.

Razorpoint knows that the Internet is still a target-rich environment. While there isn't a security patch for stupidity, you can help protect your company by employing our endpoint client protection service (Rz.Endpoint). Additionally, companies should have regular comprehensive security assessments conducted in an effort to stay ahead of attacks like this.

Monday, March 8, 2010

PleaseRobMe.com

Foursquare is an increasingly popular location-based social network that is based on a game-like premise. Players use smart phones or laptops to "check in" to a location, recording their position on a map for friends using the service to see. The more often you check in, the better your chances of being declared the mayor of a particular location, be it a restaurant, bar, office or even your own home. Foursquare updates can be connected to Twitter and Facebook, keeping the world up to date about your progress.


Is this a good idea? No, and the new site http://www.pleaserobme.com/ shows exactly why. The site is a simple stream of Foursquare updates posted on Twitter.


Please Rob Me consists exclusively of an aggregation of public Twitter messages that have been pushed through fast-growing location-based networking site Foursquare, one of a handful of services that encourages people to share their whereabouts with their friends. You can filter by geographic location, too.


You wouldn’t post a sign for all the world to see advertising the fact that you are not home. But people who connect Foursquare to publicly viewable sites like Twitter not only let the world know that they are not home, but how far away they are.


Security is not just about installing alarms, locks or guard dogs. It's about exercising common sense. Be secure online and in the real world and keep your whereabouts private.

Thursday, March 4, 2010

Razorpoint Security Begins 10th Year

Razorpoint Security Technologies specializes in comprehensive security assessments that provide business leaders and corporate clients the certainty and stability required for survival in today's business climate.

On March 1, 2010, Razorpoint Security Technologies celebrated the beginning of their 10th year in business – great, and slightly hard to believe, at the same time. Our tremendously talented staff and faithful clients have kept us going the entire way. We've done quite a bit to help secure cyberspace in that time. However, we have also realized there is an astonishing amount still to be done. The good news is, we're not tired. There is much more to come.

Seemingly every day another security breach is reported. Bank accounts, identities, corporate data and intellectual property are just some of the valuable assets targeted by attackers. The danger and risk posed to corporate environments grows daily.

If you think your company's network is at risk then call us today for a full risk assessment!