Anti-Social Networking Sites

Friday, October 09, 2009

Ron Lepofsky

39b6d5c1d3c6db11155b975f1b08059f

Over the last two weeks security news reports identify social networking sites as distribution points for malware of all sorts and flavours and as botnets for distributing more of the same.  In addition, site users seem enthusiastic to reveal personal information to those who would gladly accept the information for purposes of identity theft.  The benefits of social networking are being strongly challenged by the disadvantages of predatory, definitely anti-social behavior.

We have posted several such articles on the ERE web site: www.ere-security.ca; the most recent one being

August 17, 2009

Hackers put social networks such as Twitter in crosshairs

http://www.infoworld.com/d/security-central/hackers-put-social-networks-such-twitter-in-crosshairs-832?source=IFWNLE_nlt_sec_2009-08-17

My advice to all concerned, especially CIO’s CSOs and security managers is to create and enforce end-user policy for social networking sites.  The fundimentals are of course:

Do not reveal any personal / financial information that you would not otherwise gladly hand to your neighbours.Do not answer any personal questions.Be very leary of links to other web sites, particularly those involving any aspect of personal finance.

Policy should also enforce:

Timely patch updates on all end-user devices.Timely updated anti-malware signatures and updates.Defence in depth with at least two layers of malware protection: at least on the end-user devices and on an internet gateway device, through which all related traffic must pass.Enforce all related traffic through the gateway; shut down all unnecessary ports and services on the corporate firewall and then test to see if undesired traffic can be tunneled or otherwise circumvent the gateway.

The difficulties of enforcing policy regarding end-user activity is of course convincing them to want to act in accordance with policy and then punishing those who contravene policy.  These of course are age old problems.  However there are tried-and-true solutions.

Security awareness training has proven most beneficial in this arena, particularly where training is coupled with rewards for adhering to policy.  Handing out rewards to those who pass an on-line test demonstrating their awareness and possibly compliance with policy is a positive reinforcement that further encourages support of the policy. 

Rewards may include inexpensive items such as tee-shirts with an appropriate message or sporting and entertainment vouchers. Of course accolades in corporate news services are a must.

Enforcement must be consistent and ubiquitous, including all senior management.  Detection of non-compliance can be accomplished with the use of many automated tools plus by an audit team, perhaps composed of H/R staff, simply visiting the employee accounts on social networking sites.  This of course requires that as part of policy, that employees must disclose all their social networking accounts, which is a major issue of contention with regard to privacy.

Privacy policy is another topic entirely, as the usual measures of privacy really are outdated by the invention of social networking sites.  For instance, it would have been impossible for privacy policy authors to contemplate social networking sites 20 years ago.  But this is a topic for another time.

Possibly Related Articles:
9921
Cloud Security Viruses & Malware Security Awareness Webappsec->General
Policy virus Social Networking
Post Rating I Like this!
D5e39323dd0a7b8534af8a5043a05da2
Fred Williams I never understood why sites like Facebook default to "all can view". Why don't they default to a more private setting that only your trusted friend network can view and then require you to check a box or something to let it out publically?
1255119085
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.