SAN FRANCISCO -- Are the risks of social networking ultimately brought on by users who make bad decisions about when and how to share their information, or by social networks that fail to properly protect their users' data?
People are not taking fundamental responsibility over their information.
CEOInternet Security Advisors Group
That was the key topic of debate during a 2010 RSA Conference panel discussion on social networking risks and why the use social networking sites often leads to the unintended exposure of personal and business information.
Jason Hong, assistant professor in the School of Computer Science at Carnegie Mellon University in Pittsburgh, said social networking offers many benefits, including simple communication on a quick and massive scale and the ease with which individuals can project, experiment with or redefine their personas, but too many users take social networking risks by sacrificing their privacy for the short-term gratification that comes from making a new "friend" or granting privileges to a new Facebook plug-in.
"A user installing an application wants it now and accepts the risk because there's a low probability that something bad may happen in the future," Hong said. "This is why we have so many problems with health care: There's this great food in front of us right now so we eat it, even though we know we should be eating healthy."
Mischel Kwon, vice president of public sector security solutions for RSA, the security division of Hopkinton, Mass.-based EMC Corp., said many teenagers today are falling into those traps and revealing information that later on may harm their careers.
"If you're 17 years old, if you put some risqué stuff out there, and you later want to get hired by an intelligence agency, then that could be a problem," Kwon said. "You have to decide if you want to take that risk."
Marcus H. Sachs, executive director for national security and cyber policy for Verizon in Washington D.C., said corporations face a similar quandary when deciding whether to grant employees leeway on how much online privacy they want to have while not putting their companies at risk.
"We have to adapt to it," Sachs said, "and it's not something we can do overnight."
But should social networking infrastructure providers like Facebook and Twitter bear more responsibility to reduce social networking risks by educating users and helping them protect their personal information and, in turn, that of their employers?
Ira Winkler, author and president and CEO of the Internet Security Advisors Group in Severna Park, Md., said the providers profit from enticing users into sharing their personal data, yet typically fail to warn of the risks of providing that information. He said they also have an obligation to provide more thorough security measures, such as making sure the ads served through their services aren't laden with malware.
"I expect an infrastructure provider to provide a basic level of security. They don't have to prescreen a link that somebody sends me, but they should filter the ads in malware if they're making money off of them," Winkler said. "They're making money off of facilitating the compromise of information."
However, Kwon argued, the responsibility should be shared by infrastructure providers and ISPs, which she noted commonly offer free antimalware and other optional protections for consumers, yet do little to filter malware from traversing their networks.
"At some point, this can be handled at the infrastructure layer," Kwon said. "Let's help it get to the point where we can clean a big chunk of the malware before it ever gets to Facebook and our computers."
Sachs noted that the decision as to what is and isn't malware on a network isn't always black and white, and it's questionable whether ISPs should be asked to make those decisions.
"ISPs are the critical component enabling these attacks," Winkler countered. "You get websites being exploited because the ISPs are letting 5,000 packets a second go out of grandma's computer system" to support botnets.
"They shouldn't have to look at every layer of every application," Winkler added. "People are not taking fundamental responsibility over their information."
Ultimately, Sachs said, enterprises that want to hire "the best and the brightest" young workers must figure out how to allow those employees to use social networking tools because employees won't stay at companies where the restrictions are too tight.
Sachs noted some companies have a "foosball" policy for social networking, in which employees can't conduct social networking at their day-to-day workstations, but can access the services using separate, shared workstations that pose less risk to the corporate network.
"This new world of social networking, we're going to have to embrace it," Sachs said. "Yes, there are social problems and leakage problems, but we can't go backwards. I don't think anyone has the right answer… We're going to see a lot of change, but we have to get that [security] awareness up."