Security - CIOInsight
Black Hat 2010: 10 Security Hotspots for CIOs



By Sean Martin


  Table of Contents:
  1. Black Hat 2010: 10 Security Hotspots for CIOs
  2. Cloud Security Challenges
  3. Virtualization Pitfalls
  4. Risk Management: Depth or Breadth?
  5. Collaboration Carries Exploit Potential
  6. Enterprise Mobility Has Inherent Risks
  7. Open-Source Tools Carry Dangers
  8. System Hardening: Its Time Has Come
  9. SSL and HTTPS: Not So Strong?
  10. Web-Based Attacks Gain Power
  11. Social Networking Hides Hazards

The annual Black Hat Technical Security Conference is known for its colorful audience, many of whom are self-described hackers. Here are the 10 hottest security topics from the event, plus actions every CIO can take to minimize enterprise risks.


Black Hat 2010: 10 Security Hotspots for CIOs - Social Networking Hides Hazards



The most obvious risk in the widespread use of social networks is the amount of publicly available and seemingly unimportant data that can be joined together in order to create extremely valuable information. For example, your company's sales representative might tweet that he is "heading to North Carolina to close a deal with a large bank." Imagine how valuable this seemingly innocuous information could be to your competitor.

Additionally, since social networks are a great way to connect people with like-minded objectives, they have also become a place for hackers to communicate, collaborate and share information. It's become even easier for exploit samples to make their way around the hacker community thanks to the ubiquity of social networks.

Social networks are also a great environment for social engineering. False, yet realistic-looking identities can be created in order to establish connections and friendships with strategically selected individuals, which can then be used to gain access to sensitive information. Who does your CEO have as friends on Facebook?

A lot of the risk here comes from activities outside of the organization and is therefore mostly out of the control of the CSO/CIO. To manage the risk on the inside, organizations can leverage well-defined policies and related application control technologies to prevent the use of social networks within the workplace. There is no technical control over the personal use of these technologies outside the workplace, so written HR policy will need to be the primary control in these situations. The policy will need to guide employees to keep company-related information out of the social space, unless, of course, their job specifically calls for it. As for the act of social engineering, organizations should consider monitoring the top social networks (Facebook, Twitter, LinkedIn, MySpace, and others relevant to your industry) to see who is saying what about your company; you may just find identities, both real and fake, (mis-)representing the company in ways you don't want.

Sean Martin, CISSP, is founder of imsmartin consulting. He can be reached at sean@imsmartinc.com
 


 
 