Like its close relative BYO IT, social media was once seen as a consumerisation fad that IT departments could afford to ignore. But if 2011 has shown us anything, it is that Twitter, Facebook and LinkedIn are now viewed as essential business tools and not the productivity-sapping employee distractions they once were.
That fact has some important implications for IT security. First and foremost, it means that simply applying a URL filter so that staff cannot access these sites is no longer a viable option. In fact, applying that approach is likely to get you fired for hindering the organisation’s ability to capture the marketing, PR, relationship-building and collaboration benefits social media can bring.
Again, like with BYO IT, the fact management is now buying into the benefits of social media means that — at least until a major security breach or PR disaster occurs on Twitter or Facebook — social media is here to stay. So if social media can’t be blocked and is instead being used on the corporate network, just what are the risks and how can they be managed?
Understanding the risks — malware
One of the first things organisations need to understand about the security risks of social media, IBRS analyst James Turner says, is that social media sites can act as conduits for data. The greatest threat here is malware; however, Turner says this risk falls chiefly on the employee rather than the employer, as most malware activity on Facebook, for example, is the self-propagation of apps, pages and sites which access the user’s information, and potentially that of all their contacts, and then send data such as email addresses, mobile phone numbers, dates of birth and profile photos to a third-party managed server.
What may appear to be innocuous data uploaded to social networking sites can also be a risk, Turner says.
"It could be as subtle as an executive linking to new contacts who happen to work for an organisation that is about to do business with the executive’s organisation," he says. "This seemingly innocent information can be a ‘tell’ to the market that something is about to happen, such as restructuring or mergers and acquisitions."
Given that almost half the Australian population (9.8 million people) visits Facebook every month, compared with some 1.1 million Australian visitors to Twitter and about 800,000 on LinkedIn, it is fair to say that this site above all others is the major source of social media malware threats to employees and the organisations that employ them.
“Facebook is the poster boy for social networking,” Blue Coat’s Jonathan Andresen explains. “Facebook, where you have hundreds of friends and they have hundreds of friends — that’s a very powerful tool for security threats.”
In fact, Andresen argues that where email used to be the dominant threat vector, social networking sites have now surpassed Web mail sites such as Yahoo or Hotmail as users increasingly rely on social media for their communication. Realising this, hackers have crafted a growing number of attacks designed for the millions of potential victims on Facebook.
The first notable example of this phenomenon, Andresen says was ‘Koobface’: A message was sent to Facebook users telling them they were in a picture or video which had been posted on Facebook. To view the image or video a codec — in actuality a piece of malware — first had to be downloaded.
Since then, fake video codecs, along with fake anti-virus software and phishing attacks, have proliferated on Facebook, as well as in the wider Web.
“It’s no surprise,” Andresen says. “Facebook has 750 million users now; it is basically the world’s third-largest country.”
More recently, ‘click-jacking’ attacks have grown to be the number one Facebook threat. These often take the form of a link posted to a user’s page that offers to provide access to popular games.
“You click on a link to play Angry Birds, but instead of playing it, it posts a link to your wall. It also goes to everyone else’s wall and those links lead to a page that has malware on it,” Andresen explains.
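To make the click-jacking mechanism concrete, the following is an added example and is not code from the article or from any of the vendors quoted in it. It shows two things: how the lure Andresen describes is built (a visible "Play" button layered over a transparent frame of the target page, so the click lands on a share or like control the victim cannot see), and the check a defender runs against a site's response headers to decide whether the site can be framed that way at all. Sites that send X-Frame-Options: DENY, or a Content-Security-Policy with a frame-ancestors directive that excludes the attacker's origin, cannot be overlaid like this. All hostnames (social.example, evil.example, partner.example), the header values and the CSS offsets are constructed for the example.

```javascript
// Added example (not from the article): how a click-jacking overlay is constructed,
// and how to tell from a site's response headers whether it can be framed at all.

// The lure: a visible "Play" button sits under a transparent, full-size iframe of the
// target page. The user believes they are clicking the button, but the click lands on
// whatever control (e.g. a "share" or "like" button) the attacker positioned over it.
// victimUrl and the CSS offsets are hypothetical; a real lure tunes them to the
// target's layout.
function buildLurePage(victimUrl, offsetX = -120, offsetY = -380) {
  return `<!doctype html>
<html><head><style>
  #lure  { position:absolute; left:200px; top:150px; z-index:1; font-size:24px; }
  #frame { position:absolute; left:${offsetX}px; top:${offsetY}px; z-index:2;
           width:1200px; height:900px; opacity:0; border:0; }
</style></head>
<body>
  <button id="lure">Play Angry Birds</button>
  <iframe id="frame" src="${victimUrl}"></iframe>
</body></html>`;
}

// Lower-case the header names so lookups are case-insensitive.
function normaliseHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Does one CSP frame-ancestors source expression match a framing origin?
// Origins are "scheme://host" strings (ports are ignored to keep the example short).
function matchSource(src, origin) {
  // Scheme-only source such as "https:" matches any host on that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return origin.startsWith(src + '//');
  const o = /^([a-z]+):\/\/([^/]+)$/.exec(origin);
  if (!o) return false;
  const scheme = o[1], host = o[2];
  let srcScheme = null, srcHost = src;
  const s = /^([a-z]+):\/\/(.+)$/.exec(src);
  if (s) { srcScheme = s[1]; srcHost = s[2]; }
  if (srcScheme && srcScheme !== scheme) return false;
  if (srcHost.startsWith('*.')) {
    const suffix = srcHost.slice(1);            // "*.partner.example" -> ".partner.example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === srcHost;
}

// Returns true if a page served from pageOrigin with these response headers may be
// embedded in a frame by framerOrigin. Browsers give CSP frame-ancestors precedence
// over X-Frame-Options; an absent or unrecognised policy means anyone can frame the page.
function framingAllowed(headers, framerOrigin, pageOrigin) {
  const h = normaliseHeaders(headers);
  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map(d => d.trim())
      .find(d => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1)
        .map(s => s.replace(/^'|'$/g, '').toLowerCase());
      if (sources.includes('none')) return false;
      if (sources.includes('*')) return true;
      if (sources.includes('self') && framerOrigin === pageOrigin) return true;
      return sources.some(src => matchSource(src, framerOrigin));
    }
  }
  const xfo = h['x-frame-options'];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return false;
    if (value === 'SAMEORIGIN') return framerOrigin === pageOrigin;
    // Any other value (including the obsolete ALLOW-FROM) is ignored by current browsers.
  }
  return true;
}

// Constructed responses for a hypothetical social site, as a defender would capture them.
const SAMPLE_RESPONSES = {
  unprotected: {},
  legacy:      { 'X-Frame-Options': 'DENY' },
  modern:      { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
};

// Map each captured response to whether attackerOrigin could overlay it.
function audit(responses, attackerOrigin, pageOrigin) {
  const result = {};
  for (const [name, headers] of Object.entries(responses)) {
    result[name] = framingAllowed(headers, attackerOrigin, pageOrigin);
  }
  return result;
}
```

Run against the three constructed responses, audit reports only the unprotected one as framable by evil.example; the partner subdomain is allowed through the CSP policy while the attacker is not. A practitioner checking a real site would substitute the headers from an actual response and, because the lure's frame is invisible, remember that a page being framable is the whole precondition for this class of attack: the fix is on the target site's headers, not in the user's click.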
The next most common threat is that of fake ‘friend requests’, which instead of adding a new person to a user’s social network steal their data. Next, fake questionnaires and polls, fake application requests, and fake Facebook features all seek to steal user data by getting the victim to click on phishing links and download malware.