Tweet this: Social network security is risky business

Panel discussions at RSA focus on a more social attack vector

SAN FRANCISCO -- Businesses are still trying to figure out what to make of social networking. The knee-jerk impulse at some companies is to ban its use because it's insecure and seen as unproductive, while at others it's viewed as, in fact, the way a lot of people now get work done.

The debate gets into familiar territory -- balancing business benefits versus risks -- and some that's not so familiar: Is a new generation in the workforce wired differently because of Facebook and Twitter?

"It starts way before college," said Gillian Hayes, a University of California at Irvine professor who took part in a panel at this week's RSA Security conference. "The emphasis is on 21st century skills, solving problems creatively; kids solve problems by mashing up bits and pieces."

Hayes' panel addressed "Lifestyle Hacking: Social Networks and Gen Y Meet Security and Privacy."

There's a growing generation gap between those who have grown up immersed in the Internet and those who think using social network sites is no more productive than spending work time surfing eBay, Amazon, ESPN.com, or, for that matter, porn and gambling sites. Companies often cite productivity, even more than security, as the prime reason for banning social networking.

"There are baby boomers like me who think the road to productivity is through single focus, one thing at a time," said Jim Routh, a consultant for Archer Technologies. "In reality, those brought up on the Internet are accustomed to using multiple media-rich environments productively. The older generation separates the work and the social, but the technology is so pervasive, there is no separation anymore."

Some companies are responding by allowing social networks for specific business initiatives, such as marketing and sales. Even then, however, people who were raised with technology often find ways to break through work-imposed barriers, tunneling through Web proxies or getting to Facebook using Google.

Not surprisingly, this puts security people in a tough place. They're under pressure from employees, business managers and, sometimes, upper management to find a way to bring social networking in securely. Even for security managers who understand risk assessment in a world in which business is often powered by access to a global network, social networking is still risky business.

"We spent so many years locking things down," said Frank Waszmer, information security architect at Florida-based Health First. Waszmer was part of a panel discussing "How CIOs Protect Their Data in A Web 2.0 World."

"It took a long time to convince management to tighten things up," he said. "You have to make sure management is on board to the risk of opening up."

Part of the problem is that people's comfort level with Facebook, Twitter and MySpace makes them easy marks for cybercriminals, who are jumping on social networking sites with gusto, dumping spam, launching phishing attacks, stealing identities and installing malware. The same people who have learned to be very wary of phishing attacks, enticing links and sales pitches for cheap Viagra in their inboxes allow themselves to be seduced on Facebook and Twitter.

"Hackers recognize there are more and more and more people spending more and more time on social networks," said Graham Cluley, senior technology consultant at Sophos, in his presentation, "Web 2 Woe: Cybercrime on Social Networks." That makes social networking sites attractive to cybercriminals.

"If you've got hundreds of millions of people on Facebook, then why go to all the effort to infect their computers, which have antivirus software?" he said.

Cluley's description of the many ways social networking users are tricked into giving up their identities, buying things they don't want, spawning attacks on their friends and downloading malware offered a sense of déjà vu. Social networks have renewed a sense of trust that has long since been torn from e-mail use.

"Most users are willing to click if they think, 'It's my friend,'" he said. "I'm OK, because I'm inside my network and that's Fred. Only it's not Fred, it's Fred's hijacked account."

There's more. Criminals build profiles of individuals from their Facebook pages and use them to launch highly targeted attacks at individuals or at their company through them. People who are accustomed to publishing information on Facebook in the assumption that they have some measure of privacy can give up sensitive corporate information -- or damage a company's brand -- simply by grousing about their unhappiness.

"Brand is the number one concern among big enterprises," said Archer Technologies' Routh. "It's the same as when I used to get off work and go to the pub, but that was totally separate from the work environment, and the company didn't care."

What's the solution? Security technology, especially Web security gateways, can help when a user who thinks he's still within the social networking site is diverted to a malicious or compromised page. Education, especially demonstrating the consequences of promiscuous social networking behavior, is important, too.

"People are pretty good about doing what you want -- if they understand," said Hayes. "Help them intelligently understand the risks."

That's also good advice for security managers. "It's important for management to understand, who's going to take the risk?" said Waszmer. "When I [as a security manager] can assign risk to them, I can say, 'This is what we are going to do based on your requirements.'"

Neil Roiter is a freelance writer who has covered technology and security issues, most recently for TechTarget.
