Computerworld

Feature: Social networking security

Social media in the enterprise is here to stay whether IT departments like it or not, so now is the time to regain control over its security and risks, Tim Lohman writes
  • Tim Lohman (Computerworld)
  • 28 December, 2011 13:54

Like its close relative BYO IT, social media was once seen as a consumerisation fad that IT departments could afford to ignore. But if 2011 has shown us anything, it is that Twitter, Facebook and LinkedIn are now viewed as essential business tools and not the productivity-sapping employee distractions they once were.

That fact has some important implications for IT security. First and foremost it means that simply applying a URL filter so that staff can’t access these sites is no longer possible. In fact, applying that approach is likely to get you fired for hindering the organisation’s ability to capture the marketing, PR, relationship-building and collaboration benefits social media can bring.

Again, as with BYO IT, the fact that management is now buying into the benefits of social media means that — at least until a major security breach or PR disaster occurs on Twitter or Facebook — social media is here to stay. So if social media can’t be blocked and is instead being used on the corporate network, just what are the risks and how can they be managed?

Understanding the risks — malware

One of the first things organisations need to understand about the security risks of social media, IBRS analyst James Turner says, is that social media sites can act as conduits for data. The greatest threat here is malware; however, Turner says this risk is chiefly to the employee rather than their employer, as most of the malware activity on Facebook, for example, is for the self-propagation of apps, pages and sites which then access the user’s information — and potentially all of their contacts — to send data such as email addresses, mobile phone numbers, date of birth and profile photos to a third-party managed server.

What may appear to be innocuous data uploaded to social networking sites can also be a risk, Turner says.

"It could be as subtle as an executive linking to new contacts who happen to work for an organisation that is about to do business with the executive’s organisation," he says. "This seemingly innocent information can be a ‘tell’ to the market that something is about to happen, such as restructuring or mergers and acquisitions."

Given that almost half the Australian population — 9.8 million people — visit Facebook every month (compared to some 1.1 million Australian visitors to Twitter and about 800,000 on LinkedIn), it’s fair to say that this site above all others is the major source of malware security threats to employees and the organisations that employ them.

“Facebook is the poster boy for social networking,” Blue Coat’s Jonathan Andresen explains. “Facebook, where you have hundreds of friends and they have hundreds of friends — that’s a very powerful tool for security threats.”

In fact, Andresen argues that where email used to be the dominant security threat vector, social networking sites have now surpassed Web mail sites such as Yahoo or Hotmail as users increasingly rely on social media for their communication. Realising this, hackers have crafted an increasing number of security attacks designed for the millions of potential victims on Facebook.

The first notable example of this phenomenon, Andresen says, was ‘Koobface’: a message was sent to Facebook users telling them they were in a picture or video which had been posted on Facebook. To view the image or video, a codec — in actuality a piece of malware — first had to be downloaded.

Since then, fake video codecs, along with fake anti-virus software and phishing attacks, have proliferated on Facebook, as well as in the wider Web.

“It’s no surprise,” Andresen says. “Facebook has 750 million users now; it is basically the world’s third-largest country.”

More recently, ‘click-jacking’ attacks have grown to be the number one Facebook threat. These often take the form of a link posted to a user’s page that offers to provide access to popular games.

“You click on a link to play Angry Birds, but instead of playing it, it posts a link to your wall. It also goes to everyone else’s wall and those links lead to a page that has malware on it,” Andresen explains.

The next most common threat is that of fake ‘friend requests’, which instead of adding a new person to a user’s social network steal their data. Next, fake questionnaires and polls, fake application requests, and fake Facebook features all seek to steal user data by getting the victim to click on phishing links and download malware.

Understanding the risks — social engineering

Like malware, social engineering attacks are also on the rise, with government agencies and organisations serving this industry, as well as those in the banking, health and law enforcement sectors, being most commonly targeted.

“The social engineering challenge for organisations is that it’s largely irrelevant if the social networking site is accessible via an organisation’s IT infrastructure — the employee can equally be targeted while using their own equipment, completely independently of any controls that the organisation may have in place,” IBRS’s Turner says.

“An unintended consequence of the consumerisation of IT is that consumers are racing ahead in their use of information technology, and they are effectively operating out on the Internet on their own — without the support of an IT security department.”

A big part of the issue is that consumers are not trained in how to manage their Facebook profile’s privacy settings, or in using discretion about how much personal information they broadcast and how much this can reveal about them. Employees using online dating sites can even be socially engineered by their dates or potential dates.

Arbor Networks’ APAC solutions architect, Roland Dobbins, also emphasises the social engineering risks associated with social media and argues that many of the techniques associated with email over the years have now transitioned to social media.

"The same types of threats that users face with email — getting email intended to compromise their machines — are now on social media," he warns. "The bad guys are using the same techniques, so the same diligence exercised with email should be exercised with social media."

Dobbins says the typical attack involves a user's credentials for a given social media account — usually Twitter or Facebook — being stolen so that the attacker can then pretend to be that user and exploit the trust that user has among their social network for financial gain.

“[The attacker] will say, ‘Hey, I'm on holiday somewhere and my wallet has been stolen and I need you to wire me some money so I can get home'," he says. "That is a very common type of scam. People want to help, so they will fall for this.

"If the bad guy wants to complete a more thorough form of identity theft, then the more information he can mine about a social media user, and that user’s cloud of social contacts, makes it a lot easier to commit identity theft and then apply for credit cards in the victim’s name."

Dobbins adds that as our personal and work lives have become so intertwined, getting a toehold into an organisation in order to compromise intellectual property or commit corporate espionage often starts with social media.

"The bad guys will target someone who works at an organisation and attempt to get into his various social media accounts, as there is a lot of information and messaging that people pass back and forth between their networks, through the IM [instant messaging] built into social media, to get a more complete picture of the organisation," he says.

"As people often have friends who are colleagues this is a great source of information. The bad guy may be able to get enough information to social engineer his way into the organisation and access critical data."

Blue Coat’s Andresen says it’s important to understand that at the heart of these risks is the issue of trust. “The trust model is so powerful,” he says. “An email from someone you don’t know you are just likely to delete. But when a friend says look at a Web page or this content you are much more likely to look at it.

“Lady Gaga has 40 million friends. If someone can post a link on there then 40 million people will be suggested to look at it. [It is] much more powerful for cyber crime to have users help propagate the malware.”

How to regain control

For Gartner security analyst, Rob McMillan, 2012 will see a maturing of attitudes towards social media, with an acceptance from management that sites such as Twitter and LinkedIn have a real communications role to play. Far from being carte blanche for all employees to spend their days on Facebook, the trick will be for IT departments to engage management in a conversation about which staff can access social media and how it is relevant to individual job functions.

“If you are a general user who just wants some basic access to keep an eye on Facebook, then there will be some minimum level of access there,” McMillan says. “If you are a marketer who could use Twitter, Facebook, LinkedIn and YouTube as tools for getting your message across, then you will have more access.

“Understand that people will have an expectation to use social media in the same way that they use the telephone. Define what acceptable usage is, and the different roles with different usage cases, and then model your policies accordingly.”

One organisation to have recently come to grips with social media through a formal organisation-wide policy is the Australian Federal Police (AFP). The agency’s online services director, Rob Crispe, says that its freshly minted social media policy is being used to help educate staff and executives about the opportunities of Twitter and Facebook.

“In broad terms the policy links our use of social media to, effectively, the AFP code of conduct in terms of the way we should be using it,” Crispe says. “It covers everything from the way we use it for official business to the way staff engage with it in the workplace. The good thing is that it's not too prescriptive; however, it puts the onus on individuals to use it appropriately, whilst enabling the AFP's Corporate Communications team to use it for the betterment of the agency's external communications.”

Crispe says the online services team is also using the policy to help find ways to use social media for citizen engagement and crime prevention activities.

“Our use of social media and Gov 2.0 tools is also about reputation management for the AFP — using it as a media tool and extension of our traditional media, which we've started to do via our external websites for the AFP and ACT Policing, respectively.

“We have developed online media centres on each site, which host multimedia content, RSS feeds, a media extranet facility, and, in the case of ACT Policing, links to Twitter and YouTube pages.”

Technical controls are also important in regaining control, IBRS’s Turner says, primarily to pass a reasonable use test. But the primary means of defence is having the co-operation of trained staff who won’t engage in risky online behaviour. As such, the best solution to each of these broad risks is security awareness training for staff.

Support and training can include informing staff when Facebook changes its privacy settings, providing optimal privacy recommendations, and conducting education sessions where staff members are told why adhering to the corporate policy will also protect them at home.

In industries where social engineering is a particular risk, running a session where a forensic psychologist or white hat social engineer demonstrates how easy it is to deconstruct seemingly trivial information to create a profile of an employee, for example, can also be of benefit.

"The consumerisation of IT also means that your organisation’s staff are consumers of IT at both home and work, so deliver value that has practical application for them at home and at work," Turner advises.

Next, IT departments should consider some form of next-generation filtering that will allow them to examine the sub-content in a Web page and be able to identify it separately from everything else, Blue Coat’s Andresen says.

“Traditional filtering isn’t granular enough as it just looks at the domain, but you can use six or 10 different applications or operations on Facebook and the URL won’t change,” he says. “You need a better way to get visibility into what users are doing and the types of content they are accessing. You need the policy to be able to govern your internet at work and shape it to the way you want it to look.

“Some filters may look at Facebook/Farmville and say that is social networking but it is also gaming, so you need a policy which can detect multiple different types of content on a page.”
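To make concrete the gap Andresen describes between domain-level filtering and application-aware filtering, and to show how McMillan’s role-based access policy could sit on top of it, here is an added example in Python. It is not code from the article, from Blue Coat or from Gartner: the URL patterns, category names, roles and sample requests are all constructed for illustration and do not describe how any real social network structures its URLs. The point it demonstrates is that a domain-only filter sees every Facebook request as the single label “social”, whereas inspecting path, query string and request body lets one request carry several categories (social and gaming, social and upload) that a per-role policy can then act on.

```python
"""Application-aware web filtering versus domain-only filtering, with a
role-based policy on top.  Added example; URL patterns, categories, roles
and sample requests are constructed, not taken from any real product or site."""
from dataclasses import dataclass
from urllib.parse import urlsplit
import re


@dataclass
class Request:
    """A request as a web proxy would see it (constructed, hypothetical)."""
    method: str
    url: str
    content_type: str = ""   # request body type for POSTs
    body_bytes: int = 0


# Constructed classification rules: (host suffix, regex over path+query,
# categories).  Most specific rules first; the ".*" rule is the catch-all.
# One request may carry several categories, which is what a domain-only
# filter cannot express.
RULES = [
    ("facebook.com", r"^/apps/|[?&]app=",  {"social", "gaming"}),
    ("facebook.com", r"^/messages",        {"social", "messaging"}),
    ("facebook.com", r".*",                {"social"}),
    ("twitter.com",  r".*",                {"social"}),
    ("linkedin.com", r".*",                {"social", "professional"}),
]


def _host_matches(host, suffix):
    return host == suffix or host.endswith("." + suffix)


def domain_only_category(req):
    """What a traditional URL filter sees: a single label per host."""
    host = urlsplit(req.url).hostname or ""
    for suffix, _pattern, cats in RULES:
        if _host_matches(host, suffix):
            return "social" if "social" in cats else "other"
    return "other"


def classify(req):
    """Content-aware classification: categories derived from host, path and
    query, plus a body check so a multipart file upload is tagged as an
    outbound data channel (the 'conduit for data' risk)."""
    parts = urlsplit(req.url)
    host = parts.hostname or ""
    target = parts.path + ("?" + parts.query if parts.query else "")
    cats = set()
    for suffix, pattern, rule_cats in RULES:
        if _host_matches(host, suffix) and re.search(pattern, target):
            cats |= rule_cats
            break
    if req.method == "POST" and req.content_type.startswith("multipart/form-data"):
        cats.add("upload")
    return cats


# Constructed role policy: the set of categories each role may use.
ROLE_POLICY = {
    "general":   {"social", "professional"},                 # browse only
    "marketing": {"social", "professional", "messaging", "upload"},
}
BLOCK_ALWAYS = {"gaming"}   # blocked for every role regardless of domain


def decide(req, role):
    """Return ('allow'|'block', categories).  A request is allowed only if
    every category it carries is permitted for the role."""
    cats = classify(req)
    if cats & BLOCK_ALWAYS:
        return "block", cats
    if cats and not cats <= ROLE_POLICY.get(role, set()):
        return "block", cats
    return "allow", cats


def demo():
    """Run a few constructed requests through both filters."""
    samples = [
        Request("GET", "https://www.facebook.com/apps/application.php?id=12345"),
        Request("GET", "https://www.facebook.com/messages/t/somebody"),
        Request("POST", "https://www.facebook.com/upload/photo",
                "multipart/form-data; boundary=xyz", 1048576),
        Request("GET", "https://www.linkedin.com/in/someone"),
    ]
    rows = []
    for req in samples:
        rows.append((req.url, domain_only_category(req),
                     decide(req, "general")[0], decide(req, "marketing")[0]))
    return rows


if __name__ == "__main__":
    for url, coarse, general, marketing in demo():
        print(f"{url}\n  domain-only: {coarse}  general: {general}  marketing: {marketing}")
```

Every facebook.com request comes back from `domain_only_category` as plain “social”, so a policy built on that label can only allow or deny the whole site. `classify` separates the gaming application, the messaging path and the photo upload, and `decide` applies the per-role sets McMillan describes: a general user can read the site, a marketer can message and upload, and nobody gets the game.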

Arbor Networks’ Dobbins says that to begin addressing the threats, IT departments need to encourage staff to exercise good security discipline — using strong passwords, and not using public information kiosks, or other computers which are not under their administrative control, to access their social media accounts.

Culture also forms a big part of the equation. Dobbins argues that the last 10-15 years of IT security culture have focused on preventing users from doing what they want to. The result: users actively circumvent the IT department and its security policies.

“There needs to be a new mindset that the goal of information security need not be forbidding people to do things,” he says. “Instead, the goal should be to empower them to make use of these tools securely. It is a positive emphasis: ‘We approve of social media and here are the guidelines for safely using social media in a corporate context’.

"Instead of standing at the gate and saying no, embrace it and educate your staff to use social media securely — that is the mindset change that needs to take place."