Social networking sites are a popular means for people to communicate with their peers and business contacts, and remain up-to-date with their industry. Certainly, they’re no longer the preserve of teenagers wanting to keep in touch with their mates.
Businesses are finding it either difficult or impossible to simply ban users from accessing such sites (particularly when those like LinkedIn and Naymz are deliberately targeting professionals within the business community).
Sadly, hackers, spammers and phishers also view networking sites as a great resource, and no wonder: whether caught off guard or not, employees can post confidential information outside of their host organisation.
Accentuate the positives
First, let’s look at the positive benefits of social networking sites. Employees can keep in touch with business contacts, share information, watch for competitive information (for example when a known contact moves from one company to another) and use these sites for communicating with suppliers and customers.
The Human Resources Department, in particular, can use social networking sites for recruitment purposes, posting vacancies to targeted groups of people, searching for possible candidates and mining experience.
However, people are often ‘carried away’ when posting information on these sites. The inclusion of e-mail addresses and personal information that allows a reader to work out full address details can result in phishing attacks. These are a concern for the employer even if it’s personal information being phished, as time lost fixing the problems is usually work time.
Ensure that employees are reminded not to publish anything that they don’t want the world and his wife to see. This includes details on competitors, mothers and spouses! Employees should also be warned not to accept every invitation to join someone else’s network – though the new contact may know you, that doesn’t mean you know them.
Conduits for malicious code
There have been cases of social networking sites being used as conduits for malicious code. Personal profiles can include links to other sites and allow the upload of images. Some sites even let users embed HTML code within their pages. Adverts carrying spyware can sit alongside the site’s own content.
Organisations should ensure that their employees’ browsers are up-to-date (a quick check that can be performed at the Internet gateway when the user first accesses the World Wide Web each day) and that all social networking content is being inspected for malicious code.
It’s highly recommended that no executables (.EXE, .DLL, .CAB, etc.) be allowed from social networking sites. These can also be blocked at the web gateway.
Employees can – usually inadvertently – post information that’s useful to a competitor. This may happen through updating their own pages or via the social networking mail services (similar to e-mail and Instant Messaging but sent via the social networking sites).
Employees should be warned about the dangers of sharing too much information. In addition, whenever a user tries to post a message the company network should be set up to make sure that a warning appears on their screen reminding them of the threat.
If the company deploys data leakage prevention systems, these should be checking web posts as well as e-mail. As most social networking sites use SSL encryption, the inspection system must be able to decrypt that traffic before it can examine it.
Problems with bandwidth
Social networking sites are common places for posting music and videos. These can impact business traffic, particularly during busy periods or when they are downloaded to offices with low bandwidth capacity.
IT management can block file types likely to be high bandwidth with logic such as “IF [social networking sites] AND [streaming, music, video] THEN block”. Alternatively, bandwidth management can use similar logic to reduce the download speed of such content.
Social networking sites are designed to be very engaging, encouraging users to keep searching for new contacts, chatting to online friends and adding a wealth of personal information so that people can find them. The running of competitions and online games, plus distribution of repeated e-mails, only encourages repeat visits.
This is where education comes to the fore. Intercept requests to social networking sites and issue a ‘splash screen’ warning to users within the company that all access is both logged and not anonymous. Constantly remind employees about the organisation’s policies governing acceptable use. Log access at all times, and look for the highest users.
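The gateway rules described above (block executables from social networking sites, block streaming, music and video on those sites, log access and look for the heaviest users) can be expressed as a small policy check over gateway logs. The code below is an added example, not from the original article or any vendor product; the log line format, the domain list and the user names are constructed placeholders.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed sample of web-gateway log lines: "user URL MIME-type" (assumed format).
SAMPLE_LOG = """\
alice https://www.example-social.test/profile/alice text/html
alice https://cdn.example-social.test/videos/clip.mp4 video/mp4
bob https://www.example-social.test/files/update.exe application/octet-stream
bob https://www.example-social.test/messages text/html
carol https://intranet.example.test/reports/q3.pdf application/pdf
alice https://www.example-social.test/music/track.mp3 audio/mpeg
dave https://www.example-social.test/home text/html
"""

# Placeholder category list; a real gateway would use its URL-category database.
SOCIAL_NETWORKING_DOMAINS = {"example-social.test"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".cab"}   # the file types named in the article
STREAMING_TYPES = ("video/", "audio/")              # "streaming, music, video"


def is_social_networking(host):
    """True if the host is, or is a subdomain of, a categorised social networking domain."""
    return any(host == d or host.endswith("." + d) for d in SOCIAL_NETWORKING_DOMAINS)


def decide(url, mime):
    """Apply the article's rules to one request; other categories are left alone."""
    parsed = urlparse(url)
    if not is_social_networking(parsed.hostname or ""):
        return "allow"
    if any(parsed.path.lower().endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        return "block-executable"
    # IF [social networking sites] AND [streaming, music, video] THEN block
    if mime.startswith(STREAMING_TYPES):
        return "block-streaming"
    return "allow"


def process_log(log_text):
    """Return (user, url, verdict) per line and a per-user count of social networking requests."""
    decisions, per_user = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, url, mime = line.split()
        decisions.append((user, url, decide(url, mime)))
        if is_social_networking(urlparse(url).hostname or ""):
            per_user[user] += 1
    return decisions, per_user


def top_users(per_user, n=3):
    """The heaviest social networking users, for the 'look for the highest users' step."""
    return per_user.most_common(n)
```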
Dangers when ‘on the move’
When travelling, users are at a greater risk from the threats posed by social networking sites as they’re outside the corporate web gateway. In addition, they’re likely to be less vigilant if they are using the laptop at home or in a hotel.
Therefore, it’s important to continue to give them the protection you can, ensuring anti-virus systems are up-to-date. One further option would be to disallow all access to social networking sites when outwith the corporate network. There are a number of companies that offer free laptop web filtering together with web security gateway appliances.
Social networking sites are just like many other types of web site, containing news, shopping information, instant messaging and the like. Some of the content can be useful, and yet there are many hidden dangers.
For security professionals trying to monitor usage by company employees, a mixture of user education, messages with reminders and smart policies can reduce the danger to the enterprise and engender the use of such sites for appropriate business purposes.