Friday, March 25, 2011

Social Networks and Organizations: Associated Security risks

Note: This article was originally published in Spanish on December 2nd 2009 at Iprofesional.com

Social networks such as Facebook, Plaxo, LinkedIn and MySpace, among others, have become interaction tools with more than a million users worldwide. According to recent statistics, social networking applications have overtaken ordinary e-mail in usage, and two thirds of Internet users have at least one profile on one of them (1).

These new technologies and their impressive growth have attracted the attention of cyber criminals, who, according to statistics, are responsible for 19% of the attacks against social networks detected between January and July of this year (2).

A study revealed that two thirds of the surveyed organizations felt that social networks represent a risk to their security (3). For this reason, many companies and institutions have requested advice on the possible risks of allowing employees to access these networks through the IT infrastructure available at their workplace (i.e. Internet access, workstations, notebooks, etc.).

From an information security perspective, an organization faces several risks if preventive measures are not taken:

The first, and most common, is disclosure of confidential information. Imagine that an employee is working on a confidential project and accidentally publishes on a social network, such as LinkedIn, what he is working on (most of these networks let users post what they are doing under a prompt such as “What’s on your mind?” or “Share your comments”). What would the impact of this action be? For starters, every user with access to this employee’s profile will know what he is working on, so information otherwise classified as confidential has been disclosed.

The second risk is the increased likelihood of becoming the victim of a social engineering attack. Most of these networks ask the user to store personal information such as full name, date of birth, marital status, employer, hobbies, work experience, etc. Without correctly configured privacy options, an attacker could build a profile of the victim simply by using Google, and that profile becomes the basis for an identity theft attack.
Once attackers have your personal information, what stops them from calling your company’s helpdesk and asking for a password reset? Or from opening a bank account? There have been public cases of people falling victim to identity theft on social networks such as Facebook, where attackers impersonate the victim by creating fake profiles (this is very common with celebrities).
Could an attacker steal the identity of a company’s CEO, create a fake profile on a social network, add company employees to it and then try to obtain confidential information? The answer is yes, and it has already happened at both the personal and the corporate level.

Other risks are malware attacks, mainly through worms. The amount of malware that uses social networks as a distribution channel has grown significantly, and allowing access to these sites from the organization’s workstations increases the chances of infection.

How should these risks be addressed? As preventive measures, it is critical to configure each social network’s privacy options as restrictively as possible, validate the users we add to our networks, run personnel training and awareness programs, monitor social network activity, apply technical controls (e.g. antivirus software) and enforce a sound security and acceptable use policy governing access to these networks.

Author: Agustin Chernitsky

Sources:
(1) Nielsen - Global Faces and Networked Places.
(2) Breach - The Web Hacking Incidents Database 2009.
(3) Sophos - Security threat report: Update July 2009.
