How to help ensure the secure use of social media in your organization

1:41pm EDT September 1, 2011

As social media moves to the forefront of the information security industry, many bloggers and information systems analysts have been working around the clock to promote an understanding of the problems social media may pose.

Smart Business spoke to Chris Crane, a project manager with Hurricane Labs, about the threats involved in using social media.

What are the inherent risks in using social media?

Social media in itself encompasses all major forms of communication and ways to provide information, and in an incredibly easy way. It is available for use by anyone, with extreme portability, and welcomed by all. This may not appear to be a problem to the random users who find its ability to make and keep connections a very handy tool, but what is missed underneath the surface are the doorways to intrusion that it carries along with it.

Attacks such as the Zeus Trojan or the evolving Koobface can easily be manipulated and provided to others via social networking sites. Information provided ‘at will’ can be gathered and used for social engineering purposes. I do not promote myself to be someone who can socially engineer information, but even I have learned about aspects of people’s lives and their jobs (remote user accounts that just happen to form ironical humor) that should have never reached the pages of regularly used social networking sites.

How can users protect themselves?

Social media exploitation will continue to pose threats to the IT community, but when an evolutionary threat presents itself, knowing a good stance or having the right mindset from an individual user’s perspective is a good starting point. This should be a good base to implement a solid policy that can be watched and reacted to. From there, gather what information is needed to re-evaluate the policies that you want to enforce.

Here are some ideals that every user should be acquainted with to better secure themselves:

Self-censorship. Know what it is that is being posted when it is posted. Be aware of any potential threats this information may cause to the user or to the user’s place of employment. This is in no way a means to destroy individuality. The user must be aware of the ease of access to anything that is posted via the Web. The information being spread, no matter the depth, can be used by anyone willing to spend the time gathering a personal database against the user or the company the user works for. For example, think of the security questions answered while setting up a personal e-mail account. Answering with the name of a favorite pet and then flooding a Facebook page with pictures and posts of ‘Socrates’ does not leave too much of a challenge to those interested, especially if the personal e-mail address you answered that question for is listed as a means of contact on a blog/Facebook/etc.

This may be thought of as a long shot towards affecting a company, but how many times does one recycle personal passwords? How often is personal e-mail used in the workplace as a work-around when accomplishing a task involving sensitive material?

Trust. Create a personal social networking cloud and understand the threats they may offer. These are the people that will be reading all of the data that is provided by the user. Outside of the information that will be shared out, these are the people that will be providing the information coming in. Not everyone has malicious intent, but everyone is vulnerable to malicious attacks. Common attacks on social media are intended to spread easily and quickly, so that by the time one is noticed as a threat, a significant amount of damage has been done. This means understanding what is being offered as a link, what the intent of a message is, and what may be offered as something beneficial, but in turn is potentially harmful. Just because it comes from a picture of your mother doesn’t mean that it is necessarily her behind the wheel.

Become a super-user. Know what the application or site can offer. Know what can be done with the application or site to tailor it to provide what is intended. What social media offers is not something to be afraid of. Like all things, there needs to be a level of control, and these sites and applications provide the tools and configurations necessary to maintain a level of privacy. It is always a best practice to fully understand the capabilities of any application, website, or communications tool.

Training and understanding of the social media landscape should not be overlooked. It is something that will have to be dealt with as this landscape moves and reshapes itself. To quote a former instructor of mine, ‘They asked me what would be the No. 1 thing I would do to help secure their network. I told them: remove the users.’ As comical as that sounds, it holds truth. Hopefully educating everyone on social media security will allow for some ‘give’ to that statement.

Chris Crane is a project manager with Hurricane Labs. Reach him at (216) 923-1330, ext. 3.