Social networking sites are no longer the preserve of teenagers keeping in touch with friends, but a popular way for people to communicate with their peers and business contacts and to keep up to date with their industry. Businesses are finding it hard or impossible to simply ban their users from accessing such sites, especially when companies such as LinkedIn and Naymz are focusing on the business community.
Sadly, hackers, spammers and phishers see these as a great resource too, and social networking posts can inadvertently send confidential information out of the organisation.
This article takes a look at the various threats that may come from these sites and discusses the options that security managers and employees can take to reduce the organisation’s exposure to the problems that allowing access can bring.
Firstly, let’s look at the benefits of social networking sites. Employees can keep in touch with business contacts, share business information, watch for competitive information (eg when a known contact moves from one company to another), and use these sites to communicate with suppliers and customers. The human resources department, in particular, can use social networking sites for recruitment purposes – posting vacancies to targeted groups of people and searching for possible candidates with the required experience.
Phishing for corporate or personal information
People often get carried away with posting information onto social networking sites. Email addresses and personal details that allow a reader to work out a full postal address can lead to phishing attacks. These are a concern for the employer even when it is personal rather than corporate information being phished, because the time lost fixing the resulting problems is usually work time.
Ensure that employees are reminded not to publish anything that they don’t want everyone in the world to be able to see; this includes competitors, mothers and spouses! Employees should also be warned not to accept every invitation to join someone else’s network. Though the new contact may know you, that doesn’t mean that you know them.
There have been cases of social networking sites being used as conduits for malicious code, since profile pages can include links to other sites and uploaded images, and some sites even allow users to embed HTML code in their pages. In addition, adverts carrying spyware can be served alongside the site’s own content.
Organisations should ensure that their employees’ browsers are up to date (a quick check that can be performed at the Internet gateway when the user first accesses the Internet each day), and that all social networking content is being inspected for malicious code. My recommendation is that no executables (.EXE .DLL .CAB etc.) should be allowed from social networking sites – these can also be blocked at the web gateway.
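The gateway rule recommended above can be illustrated with a small content filter. The following is an added example written for this article, not code from the original text or from any gateway product; the domain list, header names and sample responses are constructed for the demonstration. It goes slightly beyond the recommendation by checking the declared Content-Type and the first bytes of the body as well as the file extension, because an executable renamed to .jpg would otherwise pass an extension-only check.

```python
"""Gateway-style filter that refuses executable content fetched from social
networking sites.  Added illustration; the domains, MIME types and sample
responses below are constructed, not taken from any real deployment."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed list of sites the policy applies to.  A real gateway would take
# this from its URL-categorisation feed rather than a hard-coded set.
SOCIAL_NETWORKING_DOMAINS = {"linkedin.com", "naymz.com", "example-social.test"}

# Extensions named in the article, plus other common Windows executable carriers.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".cab", ".scr", ".msi"}

# MIME types a server may declare for executable downloads.
BLOCKED_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/vnd.microsoft.portable-executable",
    "application/vnd.ms-cab-compressed",
    "application/x-msi",
}

# Magic bytes: "MZ" starts every PE/DOS executable (EXE, DLL, SCR), "MSCF"
# starts a Microsoft cabinet file.  Matching these catches a renamed file that
# the extension and Content-Type checks would let through.
EXECUTABLE_MAGIC = (b"MZ", b"MSCF")


@dataclass
class Response:
    """The parts of an HTTP response the filter needs (constructed shape)."""
    url: str
    content_type: str
    body_prefix: bytes  # first few bytes of the body, enough for the magic check


def is_social_networking(host: str) -> bool:
    """True if host is one of the policy domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SOCIAL_NETWORKING_DOMAINS)


def block_reason(resp: Response) -> Optional[str]:
    """Return why the response should be blocked, or None to allow it."""
    parts = urlsplit(resp.url)
    if not is_social_networking(parts.hostname or ""):
        return None  # this policy only covers social networking sites
    path = parts.path.lower()
    for ext in sorted(BLOCKED_EXTENSIONS):
        if path.endswith(ext):
            return f"blocked extension {ext}"
    mime = resp.content_type.split(";")[0].strip().lower()
    if mime in BLOCKED_CONTENT_TYPES:
        return f"blocked content type {mime}"
    if resp.body_prefix.startswith(EXECUTABLE_MAGIC):
        return "executable magic bytes in body"
    return None


# Constructed sample traffic: one obvious executable, one executable with a
# declared MIME type but no extension, one executable renamed to .jpg, one
# genuine JPEG, and one executable from a site outside the policy.
SAMPLE_RESPONSES = [
    Response("https://www.example-social.test/files/update.exe",
             "application/octet-stream", b"MZ\x90\x00\x03\x00"),
    Response("https://cdn.example-social.test/d/1234",
             "application/x-msdownload; charset=binary", b"MZ\x90\x00\x03\x00"),
    Response("https://www.example-social.test/images/photo.jpg",
             "image/jpeg", b"MZ\x90\x00\x03\x00"),
    Response("https://www.example-social.test/images/real.jpg",
             "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10"),
    Response("https://downloads.example.test/tool.exe",
             "application/x-msdownload", b"MZ\x90\x00\x03\x00"),
]


def filter_samples() -> list:
    """Apply the policy to the constructed samples; None means allowed."""
    return [block_reason(r) for r in SAMPLE_RESPONSES]


if __name__ == "__main__":
    for resp, reason in zip(SAMPLE_RESPONSES, filter_samples()):
        print(f"{resp.url}: {'ALLOW' if reason is None else 'BLOCK (' + reason + ')'}")
```

The last sample is allowed only because this rule is scoped to social networking sites, as the article recommends; a gateway would normally apply its general malware inspection to that download instead.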
Employees can (usually inadvertently) post information that is useful to a competitor onto social networking sites. This can be through updating their own pages or via the social networking mail services (similar to email and Instant Messaging but sent through the social networking sites via HTTP or HTTPS).