Risk
7/24/2009
02:30 PM
Connect Directly
RSS
E-Mail
50%
50%

Tech Insight: Social Networking In The Enterprise -- What Should Security Pros Do About It?

As Facebook and LinkedIn become more popular at work, security solutions become trickier for IT

A Special Analysis For Dark Reading

Social networking is hot. Whether it's personal communications on Facebook or business networking on LinkedIn, your end users are probably spending a good chunk of their days on social networks -- even while they're at work.

As social networks become more a part of users' lives -- and more a part of business communications -- it's becoming less and less possible for the security team to simply disallow the use of these networks in the enterprise. Yet these networks may also pose serious security risks to your business. How can you strike a balance between providing the access users need while preventing your sensitive data from leaking out -- or malware from creeping in?

The security threat from social networks shouldn't be overlooked. In recent months, we've seen an increasing number of attacks against the more popular social networking sites, such as MySpace, Facebook, and LinkedIn, which are commonly accessed at work. From the Samy worm that hit MySpace in late 2005 to recent variants of Koobface plaguing Facebook users, attackers have consistently found that social networks are an excellent back way into the soft, chewy center of the corporate net.

Malware isn't the only threat -- real or perceived -- posed by unrestricted access to social networks. A survey conducted in February by Sophos revealed 62.8 percent of enterprises were concerned that employees were sharing too much information on these networks, and 66 percent believed employees using social networking sites endanger corporate security.

Yet even with those concerns, only about half of enterprises said they actually restricted the times when users can access social networks, possibly relying on user education and policies to promote responsible user behavior.

But social networking policy and education don't always prevent users from unknowingly -- and sometimes knowingly -- doing the wrong thing. For example, just last month, a Hawaiian woman was sentenced to a year in prison for illegally accessing a patient's medical records and posting on MySpace that the patient had HIV and was dying of AIDS. In that case, even HIPAA regulations carrying legal implications didn't stop the user from violating policy.

As their popularity grows, blocking access to social networks may not be an option for your organization. If it is, great. Go for it -- but be aware that users will find a way around your prevention mechanisms.

They might opt for the easy route -- doing it via a cell phone app -- or they might get creative and use a Web-based proxy service, possibly something like the browser-based darknet to be unveiled next week at Black Hat. Either way, it's a lose-lose situation for your company because users are wasting time trying to circumvent your controls -- and possibly introducing a new vulnerability into your network.

If you don't have the option of blocking social networks, you'll have to take a more reactive and involved approach. Limiting access to social networks to certain time periods -- such as lunch hour, as recommended in the July Sophos Security Threat Report (PDF), is one option. Other alternatives include scanning all Web traffic for malware, and monitoring all content with a data leakage protection (DLP) solution.

The first option -- limiting access -- may prove partially effective at limiting the impact of social networks on productivity, but it could still lead to employees trying to circumvent the controls.

Because the threats from social networks can take many forms -- links to other sites, direct messages, phishing e-mails, etc. -- all Web traffic should be scanned for malicious content, not just content sourced from social networking sites. For the one-two punch, DLP should be used to help prevent employees from posting sensitive information where it shouldn't be. DLP can't stop the determined insider threat, but it can be quite effective at preventing and detecting accidental infections and leaks.

Social networking sites do have a place in many businesses, so making the decision to block or allow the sites -- and what controls to put in place -- isn't always easy. Although the decision will often ride on the conundrum of security vs. productivity/functionality, it will often be made for you. As a security pro, all you can do is to try your best to keep the data protected, even with social network access in place.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.