Social Media and Security in the Enterprise

Monday, November 14, 2011

Eric Cissorsky

C6b9a422851928980389afe33c48e213

Recently a fellow information security professional and I were discussing a malicious URL [1] making the rounds on Facebook. The conversation went something like this:

Me: Here's a heads up about a Facebook scam. 

Him: Thank you but I'm not sure my customers would be interested.  We deal more with businesses. 

Me: Ok, I can appreciate that.  Let me ask you something.  How many of your customers allow all or some of their employees to access social media sites while at work or from company assets? 

Him: Good point, I may have to rethink this.

As more enterprises allow employees to access social media sites, they should take into consideration the ramifications of this decision. 

The goal of this article is not to disparage social media usage. It is to have organizations review their social media policies with the purpose of aligning their policy with their mission, vision and business culture. 

Your organization does have a social media policy right?  This will help to maximize the organization’s online presence and reduce the risk associated with social media usage in the enterprise. 

One of my former responsibilities was to design web filtering solutions for our customers.  Most customers are implementing these solutions for compliance or legal reasons. 

As part of the interview process, I ask what are their goals are for the web filtering product, beyond compliance or risk management.  The usual answers tend to be: block pxxn, prevent users from wasting bandwidth with streaming media, protect their assets from malicious content, and so on. 

When asking about permitting access to social media, I usually receive the following answer: “We we have a Facebook page so we need to allow our employees access to these sites.” I follow up by asking them if they want their employees to have full access to these sites or, if they would like to restrict access to just their company’s page. 

Do they want all users to have access, or are there a select few that are responsible for maintaining the organization’s Facebook page or Twitter account.  The overwhelming response is to permit all employees access to all social media sites. 

This was usually accompanied by some business justification for permitting access. I would go on to provide the customer with facts regarding social media access.  It’s hard to know for sure if this has ever changed an enterprise’s opinion but it does encourage them to think about it. 

As a trusted business partner there is a responsibility to make the customer aware of the risk this presents.  There will come a time when an incident is traced back to an employee who, intentionally or unintentionally, (mis)used their social media access.  You read that correctly, I said when, not if, not maybe, not possibly but when because it’s only a matter of time until an incident occurs. 

"Cybercriminals want to get into organizations, establish a presence, mine into the system, and steal data they can profit from—and the social web and dynamic DNS sites are prime avenues," said Charles Renert, Websense senior director of Security Research. [2] 

Many organizations have created social media usage policies to communicate what is considered acceptable use by their employees.  This policy may include things such as not using your company email address for personal use or non-company sponsored events or prohibiting an employee from making disparaging remarks about the company online. 

These are sound policies.  Unfortunately, they do not take into consideration the myriad of additional problems that accompany social media access. A recent study by IBM [3] found that 63% of respondents claimed that employee use of social media puts their security posture at risk. 

That same study discovered that only 29% have adequate controls in place to protect their organization from the threats posed by social media.  Further research shows that over half (52%) of organizations have detected an increase in malware attacks that can be directly attributable to employee use of social media. [4] 

Additional findings show that: 

  • 65% of respondents indicated their organization did not enforce their social media policy 
  • 77% indicated social media usage reduced available bandwidth 
  • 60% of employees use social media for at least 30 minutes per day 
  • 89% believe social media diminished productivity

These are some very compelling statistics.  What about your organizations online reputation? [5] Is it good?  Do your employees enhance or detract from it?  How does your social media acceptable use policy address this? 

Or if an employee is posting negative items about your company, or a customer gives a disparaging review of one of your products? What about a worst case scenario: an employee unwittingly posts confidential or proprietary information about your organization on their social media page? 

According to a Symantec poll [6] the average enterprise experienced nine social media incidents in the past year.  Of these, 94% reported negative consequences as a direct result.  What are the direct threats to your organization posed by this? Have you ever entered a URL with a typo in it? 

Everyone has, and cybercriminals are taking advantage.  This is called typosquatting. Cybercriminals are registering domains such as faecbook.com, fcaebok.com and so on in the hope of catching unwitting users. [7] 

These typosquatted domains are malicious in nature and pose a direct threat to your computing assets.  Researchers at Websense, a leading content filtering company, found that over 62% of active domains based on the most common misspellings of Facebook directed the user to malicious websites. [8]

To protect itself from this, Facebook filed a lawsuit against 100+ typosquatters using variations of “facebook” in July of 2011.  This may be completely ineffective.  A ruling by the National Arbitration Forum dismissed a lawsuit filed by Google against goggle.com, goggle.net and goggle.org. The owner of these sites is not based in the USA, so the forum concluded that it did not have jurisdiction in this case. 

Harvard Business School Assistant Professor Benjamin G. Edelman has stated “Typosquatting is rampant.  It’s not unusual for a top website to be targeted by more than a thousand typosquatting domains.”  A 2010 study by FairWinds Partners estimated that the 250 most visited websites lose $285 million US dollars per year from lost sales and other expenses. 

We’ve now looked at how social media impacts employee productivity and how it can introduce malware into your network.  Now let’s take a look at the impact this may have on the employee. 

Let’s say that Jane in marketing comes in early and decides to check her Facebook page before it is time to start work.  She logs on to Facebook and checks various things.  While she is at it she changes her status and posts that she is “At the office.” 

Pretty routine postings for someone, she posts no offending content nor does she post anything about her employer.  So this is well within the boundaries of her employers social media acceptable use policy. 

The problem is people that Jane does not know, are also looking at her Facebook page.  These people are not Jane’s friends.  They are watching Jane and waiting for an opportunity to take advantage of her absence.  Jane has just given them the “go ahead” to rob her home by telling them she is at work. 

Not only is she telling them she is at work but she is telling them that they have several hours in which to loot and pillage.  If you think this scenario is something out of a fiction novel you would be wrong.  A recent survey found that almost 80% of ex-burglars indicated they believe modern robbers are making use of social media to identify potential targets. [9]

The purpose of this article is in no way meant to tell the reader that social media has no place in their organization.  It is to educate them so that better informed policy decisions can be made. 

Approach your policy deliberately and involve all stakeholders.  The best way to protect your organization is through an informed, clearly communicated and enforced social media acceptable use policy.    

[1] Cluely, Graham (2011), Mario Kart on Facebook?  Fast-spreading scam hits many users accounts. Sophos Naked Security Blog

[2] No Author, (2011), Websense Improves Dynamic DNS Protection, Granular Social Web Controls, and Bandwidth Optimization, Websense News Release

[3] Hines, Matt (2011), Social Media Opens Corporate Networks to World of Woes, eWeek,com

[4] McHugh, Kenna (2011), Infographic: Global Survey Finds Malware Attacks Up Because of Social Media, SocialTimes.com 

[5] CBR Staff Writer (2011), Enterprises using social media risk data loss, client trust, reputation: Symantec, CBROnline.com 

[6] Cerha, Matthew (2011), The Importance of Your Online Reputation, Cisco Security Bog 

[7] McNichol, Tom (2011), When You Mean Facebook but Type Faecbook, Bloomberg Business Week 

[8] Ragan, Steve (2011), More than half of the typo-driven URLs for Facebook are malicious, TheTechHerald.com 

[9] Piombino, Kristin (2011), Infographic: 80 percent of ex-burglars believe social media leads to robberies, Ragan.com

Possibly Related Articles:
16404
Enterprise Security
Information Security
Enterprise Security malware Social Media Cyber Crime Employees Typosquatting Policies and Procedures
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.