Ask The Security Expert: Questions & Answers

Should enterprises be concerned with Twitter in the workplace?

EXPERT RESPONSE FROM: Michael Cobb, featured expert

QUESTION POSED ON: 16 May 2009
From a security perspective, how concerned should enterprises be with the use of Twitter in the workplace?



I've come across some organizations that make great use of Twitter, the popular micro-blogging social network. The companies have agreed on an acceptable usage policy with their employees, and that policy is strictly enforced. Employees have no doubt as to what they can and can't say and do when using Twitter. Web-monitoring tools, such as the Web Security Gateway from Websense Inc., ensure policy breaches are detectable so that disciplinary steps can be taken.

This type of approach to Twitter and other Web 2.0 tools allows companies to safely harness the speed and flexibility these services provide. There's no doubt many people find them to be a productive form of communication. I think an essential step when embracing Twitter and other new technologies is to make everyone aware of their potential risks and the purpose of an acceptable usage policy. Not everyone in an organization will need access to Twitter, and firewall rules should control who has access and at what times. People are far less likely to try to circumvent such restrictions if they understand the logic behind them. Due to the increasing use of social engineering-based attacks against Twitter users, it's important to regularly remind staff of the social networking dangers. Those in charge of communicating policy should highlight the types of content or requests that must be treated as suspicious. Twitter's relaxed style shouldn't mean relaxed security.

Enterprises that don't work to control Twitter in the workplace and give employees unfettered access are certainly putting their systems and data at risk. Because Twitter's creators have focused on making the service easy to use, they have gone a bit too easy on security, in my opinion. As I'm sure you're aware, there have been numerous successful hacks on Twitter and its users, not to mention the recent denial-of-service attacks on Twitter. Although Twitter Inc. reacts quickly to any breaches it discovers, there is the additional risk from the many services built on the Twitter API that use Twitter passwords for authentication. Even if Twitter were to improve its authentication, phishing scams would still be possible.

I think phishing will always be a big problem for micro-blogging sites like Twitter, as there has to be a certain level of trust involved when people are sharing links, particularly shortened links that lead users to unknown destinations. TinyURL is the most common link-shortener URL you'll see on Twitter, as well as one of the easiest ways for a malicious user to expose users to attacks, ranging from phishing scams to malware installs. (At least the Bit.ly URL-shortening service provides a Firefox plug-in that allows a user to see where short URLs link to, including site page titles.)

Unless an organization has the infrastructure and resources to enforce safe and sensible usage of Twitter, I think the site opens too many attack vectors against your employees to warrant its use. At the end of the day, do your employees really need Twitter to be able to perform their jobs?




All Rights Reserved, Copyright 2003 - 2009, TechTarget