Social Networking...or Social Engineering?
By Thomas Owen, CISSP, CISA, CISM, Security+, Network+
CoNetrix Security and Compliance Consultant
This article was published in the May/June 2010 issue of the Colorado Banker
With the explosion in new communication platforms, hackers are moving swiftly to
capitalize in every way they can. While Facebook, MySpace, Twitter and other social
networking/blogging sites used to be the domain of Generation Y, the trend is now
for people of all ages to use these sites to keep in touch and spread information.
However, the problem is you never know exactly what information is being spread
and to whom.
For instance, consider the case of two employees of a large US financial firm who
made news a few months ago. For simplicity's sake, we will call them Jack and Jill.
Both had Facebook accounts, were Facebook friends, and sometimes communicated outside
of work. Sounds like an innocent friendship, right? It was, until hackers were able
to take control of Jack's Facebook account. The hackers then sent Jill a simple
message, "Look at the pictures I took of us at the company picnic." Jill clicked
on the link, expecting to see pictures from the picnic. Instead, she downloaded
malicious software, allowing the hackers to take control of her company laptop.
I'm sure you can see where this is headed: The attackers were then able to use her
credentials to access the company’s network. The breach went undetected for approximately
two weeks.
This example illustrates how the growth of social media, coupled with a lack of
awareness among employees and employers regarding personal and potential business
use, can increase a financial institution's reputational, liability, and operational
risk exposures. The exposure comes from three directions: the institution maintaining
a social networking presence to reach customers, employees accessing social networking
sites at work, and employees accessing social networking sites on financial institution-owned
computers at home.
How can organizations manage this risk?
Treat social media as any other type of risk: Include social media in a formal risk
assessment process. This risk assessment should help you gauge the level of risk,
identify existing controls, evaluate the need for additional controls and ultimately,
help the bank determine its approach to the use of social media by employees. All
decisions should be based on this risk-based process.
What types of controls are available?
Controls will vary by organization, but some examples include technical restrictions,
addressing social media in the Acceptable Use Policy (AUP) or as a specific policy,
and security awareness training for employees.
- Technical controls usually provide the greatest (but sometimes a false) peace
of mind. Hardware appliances or software can be used to filter websites by web address,
content, or category. The peace of mind is false when the filter is treated as complete:
a filter can only block what it already recognizes, and a freshly registered link like
the one Jill received may not yet fall into any category. Filtering also helps only when
the traffic actually passes through it, so organizations can set up a proxy server and
configure company laptops to route web traffic through that filtering process even when
users are physically offsite.
- Identifying social media use in the AUP or a specific policy will help organizations
provide guidelines for employees and mitigate risks, especially reputational risk.
The policy framework should address whether social media can be used on organization-controlled
systems (both at work and at home) and what information an employee is allowed to
disclose regarding the organization and organizational activities.
- Security awareness training for employees regarding social media is an ongoing
process. It is not adequate to expect users to sit in a room for 8 hours once a
year and retain that knowledge until the next annual training. Posters, memos, and
e-mails regarding the evolving social media landscape can serve as reminders to
be vigilant both at the workplace and at home. If there is a virus outbreak on frequently-visited
sites (such as the Koobface worm on Facebook), use the occasion to inform employees
about the hazards.
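The web address and category filtering described under technical controls, as an added Python example that is not part of the original article. The category feed, hostnames and policy are constructed for illustration (a real appliance would use a vendor category feed), and the matching logic shows the checks a practitioner would want: subdomains inherit their parent's category, look-alike hosts such as facebook.com.evil.example do not, and raw IP literals and never-seen hosts fall to an explicit default rather than slipping through.

```python
"""Category-based URL filter (added example, not the article's own code).

Models the "filter by web address, content, or category" control.  The
category feed, the policy and the sample URLs are all constructed for
illustration.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample category feed (hypothetical).  Keys are registrable
# domains; any host under them inherits the category.
CATEGORIES = {
    "facebook.com": "social",
    "twitter.com": "social",
    "myspace.com": "social",
    "fdic.gov": "government",
    "bank-internal.example": "internal",
}

# Constructed policy: an action per category plus a default for hosts the
# feed has never seen.  Uncategorized hosts are where a filter gives
# "false peace of mind": a freshly registered malware host has no category,
# so the default has to be chosen deliberately.
POLICY = {
    "social": "block",
    "government": "allow",
    "internal": "allow",
    "uncategorized": "block",
}


def domain_category(host):
    """Return the category for host by walking its label suffixes.

    Matching is label by label, not substring, so 'm.facebook.com'
    inherits 'social' while 'facebook.com.evil.example' and
    'notfacebook.com' do not.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return "uncategorized"


def filter_url(url):
    """Return (action, category, reason) for a URL under POLICY."""
    host = urlsplit(url).hostname
    if not host:
        return ("block", "invalid", "no hostname in URL")
    # A raw IP literal has no domain labels to categorize; a filter that
    # only knows domains would otherwise wave it through.
    try:
        ip_address(host)
        category = "uncategorized"
    except ValueError:
        category = domain_category(host)
    action = POLICY.get(category, POLICY["uncategorized"])
    return (action, category, f"{host} categorized as {category}")


def check_urls(urls):
    """Run filter_url over a batch and return the decisions in order."""
    return [filter_url(u) for u in urls]


if __name__ == "__main__":
    # Constructed sample traffic, including a look-alike host of the kind
    # a compromised-account message might carry.
    for decision in check_urls([
        "https://m.facebook.com/photos",
        "http://facebook.com.evil.example/picnic-pictures",
        "http://notfacebook.com/",
        "https://www.fdic.gov/",
        "http://192.0.2.10/pics",
    ]):
        print(decision)
```

The policy's `uncategorized` entry is the decision that matters most: blocking unknown hosts is the safer default for a bank workstation but generates help-desk tickets, while allowing them restores convenience at the cost of exactly the fresh, uncategorized link the article's example turned on.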
Remember, a chain is only as strong as the weakest link. With "always on" social
media, the weakest link may well be your employees.