Monday, March 22, 2010

Is your company social networking?

At the RSA Security conference during the week of March 1st, one of the topics of discussion was securing networks in a web 2.0 world (http://www.itworld.com/security/98911/tweet-social-network-security-risky-business?page=0%2C0&source=ITWNLE_nlt_today_2010-03-04).

Facebook, Twitter, LinkedIn and other social networking sites were until recently considered to be productivity killers. Most companies blocked access to these websites for their employees to make sure their staff members were not using company resources on frivolous time-wasters.

It is a good idea to block access to these sites for another reason. Social networking sites are just another point of exposure to malware, phishing attempts, and viruses. Everyone agreed that it was just best to keep your employees away from social networking.

However, last year marked a turning point in social networking. Employees in sales, HR, customer service and marketing need to use social networking sites to do their jobs. Corporations are now looking to open their doors to social networking, but how do you protect your company from malicious attacks?

Our take on the situation? It's not time to open the floodgates. Social networking is still potentially dangerous.

Your company should continue to block access to Facebook, Twitter and LinkedIn for most employees. Access should be granted on an individual or departmental basis, and only sparingly, using monitored firewall, IPS or Application Security Gateway rules. Check Point and TippingPoint offer good solutions in these areas.

Cybercriminals love social networks because there is a false sense of being in a trusted, safe zone. Employees who do have access to social networking need to be educated that:

  • There is no privacy anywhere on the web. They should assume that anything posted on a social network may somehow become public. Trade secrets are at risk as well as your corporate brand.
  • All links should be treated suspiciously. Social networks use link-shortening services like bit.ly and TinyURL. It's impossible to know where such a link will take you. It could be a phishing site that will enable someone to take over your account, steal your information or install a virus or malicious code on your computer.
  • All third party applications should be treated suspiciously. Twitter and Facebook offer thousands of applications that they do not take responsibility for. Be wary when installing one, or giving access to your account.
  • Finally, consider carefully what information you add to your public or semi-public social networking profiles. Remember that things like "High School attended," "Birth Date," "Pet Names," "Sibling Names," etc. are all things used by banks and credit institutions to validate your identity. You wouldn't hand out this information to strangers on the street, would you? Why, then, do people gleefully post this online? I'm actually surprised Facebook doesn't have a "Mother's Maiden Name" field.