Social networking sites are no longer the preserve of teenagers keeping in touch with friends, but a popular way for people to communicate with their peers and business contacts and to keep up to date with their industry. Businesses are finding it hard or impossible to simply ban their users from accessing such sites, especially when companies such as LinkedIn and Naymz are focusing on the business community.
Sadly, hackers, spammers and phishers see these as a great resource too, and social networking posts can inadvertently send confidential information out of the organisation.
This article takes a look at the various threats that may come from these sites and discusses the options that security managers and employees can take to reduce the organisation’s exposure to the problems that allowing access can bring.
Firstly, let’s look at the positive benefits of social networking sites. Employees can keep in touch with business contacts, share business information, watch for competitive information (eg when a known contact moves from one company to another), and use these sites to communicate to suppliers and customers. The human resources department, in particular, can use social networking sites for recruitment purposes – posting vacancies to targeted groups of people and searching for possible candidates and experience.
Phishing for corporate or personal information
People often get carried away with posting information onto social networking sites. Email addresses, and personal information that lets a reader work out full address details, can lead to phishing attacks. These are a concern for the employer even when the information being phished is personal, as the time lost fixing the problems is usually work time.
Ensure that employees are reminded not to publish anything that they don’t want everyone in the world to be able to see; this includes competitors, mothers and spouses! Employees should also be warned not to accept every invitation to join someone else’s network. Though the new contact may know you, that doesn’t mean that you know them.
There have been cases of social networking sites being used as conduits for malicious code: personal profiles can include links to other sites and uploaded images, and some sites even allow users to embed HTML code in their pages. In addition, the adverts displayed around the site content can carry spyware.
Organisations should ensure that their employees’ browsers are up to date (a quick check that can be performed at the Internet gateway when the user first accesses the Internet each day), and that all social networking content is being inspected for malicious code. My recommendation is that no executables (.EXE, .DLL, .CAB etc.) should be allowed from social networking sites – these can also be blocked at the web gateway.
Employees can (usually inadvertently) post information that is useful to a competitor onto social networking sites. This can be through updating their own pages or via the social networking mail services (similar to email and Instant Messaging but sent through the social networking sites via HTTP or HTTPS).
Employees should be warned about the dangers of sharing too much information and in addition, I recommend that whenever a user tries to post a message, a warning should appear on their screen reminding them of the threat. If the company deploys data leak prevention systems, these should be checking web posts as well as email. As most social networking sites use SSL encryption, the post must be decrypted for inspection.
Social networking sites are common places to post music and videos. These can impact business traffic as users download them, especially during busy periods or in offices with low bandwidth capacity.
IT management can block file types that are likely to be high-bandwidth with logic such as “IF [social networking sites] AND [streaming, music, video] THEN block”. Alternatively, bandwidth management can use similar logic to reduce the download speed of such content.
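The three gateway controls described above (blocking executables from social networking sites, inspecting outbound posts for confidential content, and applying the “IF [social networking sites] AND [streaming, music, video] THEN block” rule) can all be expressed as one policy decision per request. The following is an added illustration written for this article, not code from Blue Coat or any gateway product. The host category list, the data-leak patterns (a CONFIDENTIAL marker and a hypothetical PRJ-nnnn project code) and the request fields are all constructed for the example, and it assumes the gateway has already decrypted SSL so the POST body is visible for inspection.

```python
"""Illustrative web-gateway policy evaluator (added example, not vendor code).

Models the article's three rules for social networking traffic:
  * executables (.exe/.dll/.cab) are blocked,
  * streaming, music and video are blocked (or throttled if configured),
  * outbound posts are checked for data-leak markers before they leave.
Assumes SSL has already been decrypted at the gateway so POST bodies are visible.
"""
import re
from dataclasses import dataclass

# Constructed category list; a real gateway would use a vendor URL database.
SOCIAL_NETWORKING_HOSTS = {"linkedin.com", "naymz.com", "facebook.com", "myspace.com"}
BLOCKED_EXTENSIONS = {".exe", ".dll", ".cab"}
# Response Content-Type prefixes treated as "streaming, music, video".
STREAMING_TYPES = ("video/", "audio/", "application/x-shockwave-flash")
# Constructed DLP patterns: a classification marker and a hypothetical project code.
DLP_PATTERNS = [
    re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
    re.compile(r"\bPRJ-\d{4}\b"),  # hypothetical internal project identifier
]


@dataclass
class Request:
    user: str
    method: str
    host: str
    path: str
    content_type: str = ""  # Content-Type of the response being fetched
    body: str = ""          # decrypted request body for POST/PUT


@dataclass
class Decision:
    action: str  # "allow", "block" or "throttle"
    reason: str


def is_social_networking(host: str) -> bool:
    """Exact or subdomain match only, so 'evil-linkedin.com' does not match."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in SOCIAL_NETWORKING_HOSTS)


def evaluate(req: Request, media_action: str = "block") -> Decision:
    """Return the gateway decision for one request under the article's rules."""
    if not is_social_networking(req.host):
        return Decision("allow", "not a social networking site")

    # Outbound posts: data leak inspection before the message leaves the organisation.
    if req.method.upper() in ("POST", "PUT"):
        for pattern in DLP_PATTERNS:
            match = pattern.search(req.body)
            if match:
                return Decision("block", f"data leak marker matched: {match.group(0)}")
        return Decision("allow", "post passed DLP inspection")

    # Downloads: strip the query string so 'setup.exe?x=1' is still caught.
    path_lower = req.path.lower().split("?", 1)[0]
    if any(path_lower.endswith(ext) for ext in BLOCKED_EXTENSIONS):
        return Decision("block", "executable from social networking site")

    # IF [social networking sites] AND [streaming, music, video] THEN block/throttle.
    if req.content_type.lower().startswith(STREAMING_TYPES):
        return Decision(media_action, "streaming media from social networking site")

    return Decision("allow", "ordinary social networking content")


if __name__ == "__main__":
    for r in (
        Request("alice", "GET", "www.linkedin.com", "/files/update.exe?v=2"),
        Request("bob", "GET", "www.facebook.com", "/video/123", "video/mp4"),
        Request("carol", "POST", "www.myspace.com", "/post", body="Our CONFIDENTIAL roadmap"),
    ):
        d = evaluate(r)
        print(f"{r.user:6} {r.method:4} {r.host}{r.path}: {d.action} ({d.reason})")
```

The extension check alone is a weak control, since a download can be renamed or served without an extension; a production gateway pairs it with content inspection of the response, which is why the article also calls for all social networking content to be scanned for malicious code.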
Social networking sites are designed to be very engaging, encouraging users to keep searching for new contacts, keep chatting to online friends, keep adding in a wealth of personal information so that people can find them, and running competitions and online games.
This is where education comes to the fore: intercept requests to social networking sites and issue a “splash screen” warning users that all access is logged and is not anonymous, and remind them about the acceptable use policies of the organisation. Log access and look for the highest users. I have even seen an IT department that published a table outside the office with a list of “This week’s top ten Facebook/MySpace Users”, and that caused a stir!
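The two measures in this section, a once-a-day splash screen on the first social networking request and a ranked list of the heaviest users built from the access log, are shown below as an added example written for this article (not an IT department’s or vendor’s own tooling). The log format (timestamp, user, host, bytes, status) and the sample log lines are constructed for the example; a real gateway log would need its own parser.

```python
"""Added example: splash-screen scheduling and top-user reporting from gateway logs.

Constructed log format, one request per line:
    <ISO timestamp> <user> <host> <bytes> <http status>
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed category list; a real gateway would use a vendor URL database.
SOCIAL_NETWORKING_HOSTS = {"linkedin.com", "naymz.com", "facebook.com", "myspace.com"}

# Constructed sample log covering two days and four users.
SAMPLE_LOG = """\
2008-06-02T09:01:12 alice www.facebook.com 18234 200
2008-06-02T09:02:40 bob www.linkedin.com 5120 200
2008-06-02T09:05:03 alice www.facebook.com 204800 200
2008-06-02T09:07:55 carol news.example.com 40960 200
2008-06-02T10:15:00 bob www.myspace.com 102400 200
2008-06-02T10:16:21 dave www.linkedin.com 2048 200
2008-06-02T11:00:00 alice www.facebook.com 512 302
2008-06-03T08:30:00 alice www.facebook.com 1024 200
"""


def is_social_networking(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in SOCIAL_NETWORKING_HOSTS)


def parse_line(line: str):
    """Split one constructed log line into typed fields."""
    ts, user, host, nbytes, status = line.split()
    return datetime.fromisoformat(ts), user, host, int(nbytes), int(status)


class SplashTracker:
    """Decides when a user must see the 'access is logged' splash screen.

    The screen is shown on the first social networking request of each day;
    later requests that day pass straight through.
    """

    def __init__(self):
        self._last_shown: dict[str, date] = {}

    def check(self, user: str, ts: datetime) -> bool:
        """Return True if the splash screen should be shown for this request."""
        today = ts.date()
        if self._last_shown.get(user) == today:
            return False
        self._last_shown[user] = today
        return True


def top_users(log_text: str, n: int = 10):
    """Rank users by bytes (then requests) to social networking sites.

    Returns a list of (user, request_count, total_bytes) tuples, largest first.
    """
    totals = defaultdict(lambda: [0, 0])  # user -> [requests, bytes]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, host, nbytes, _status = parse_line(line)
        if is_social_networking(host):
            totals[user][0] += 1
            totals[user][1] += nbytes
    ranked = sorted(totals.items(), key=lambda kv: (kv[1][1], kv[1][0]), reverse=True)
    return [(user, count, total) for user, (count, total) in ranked[:n]]


if __name__ == "__main__":
    tracker = SplashTracker()
    for line in SAMPLE_LOG.splitlines():
        ts, user, host, _b, _s = parse_line(line)
        if is_social_networking(host) and tracker.check(user, ts):
            print(f"{ts} splash screen shown to {user}")
    print("This week's top users:")
    for user, count, total in top_users(SAMPLE_LOG, 3):
        print(f"  {user:6} {count:3} requests {total:9} bytes")
```

Ranking by bytes rather than request count keeps a user who streams a few large videos ahead of one who refreshes a profile page many times, which is what a bandwidth-focused report wants; swap the sort key if request volume matters more.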
Dangers when travelling
When travelling, users are at a greater risk from the threats from social networking sites as they are outside the corporate web gateway. In addition, they are likely to be less vigilant if they are using the laptop at home, or in a hotel.
It is therefore important to continue to give them all the protection you can, ensuring antivirus systems are up to date – one further option would be to disallow all access to social networking sites when outside the corporate network. There are a number of companies that offer free laptop web filtering together with web security gateway appliances.
Social networking sites are just like many other types of website and web access: news, shopping, instant messaging, etc. Some of it can be useful, and yet there are dangers. A mix of user education, on-screen reminders and smart policies can reduce the danger to the organisation and allow social networking sites to be used for appropriate business purposes.
This article was written by Nigel Hawthorn, Vice-President of Marketing at Blue Coat Systems. Blue Coat is a consultancy specialising in securing web communications, offering a mix of appliances and client-based solutions.