How a corporate Twitter policy can combat social network threats


Michael Cobb, Contributor

In a little more than three years, Twitter has become "the SMS of the Internet" for millions of people. Many find it a useful and productive form of communication, but recent attacks against the service and its users have highlighted the potential dangers of Twitter and other social networking sites. Enterprises have had to tackle not only the productivity and privacy issues associated with Twitter, but also a number of direct security threats.

Unfortunately, the success of microblogging sites like Twitter relies on the same elements of human nature as social engineering attacks, particularly a natural desire and willingness to share and engage with those we trust.

Most people have learned not to open attachments or links in emails from people they don't know. Yet because Twitter is seen as a friendly, group-based service, many will not hesitate to click on a shortened Twitter link, having no clue as to where it will take them.

This natural trust makes Twitter an attractive approach for a malicious user, who can use the service to initiate attacks ranging from phishing scams to malware installs. A variant of the Koobface malware, for example, sends bogus messages, or tweets, when the infected user logs into Twitter. The tweets direct recipients to a malicious website where they're prompted to download an update of the Adobe Flash player, which is, in fact, malware. URL-shortening services used in tweets also add other attack vectors, with additional DNS lookups and servers sitting between the link and its destination.

Creating a corporate Twitter policy
Part of Twitter's appeal and convenience is its ease of accessibility, but the trade-off is security. Organizations need to appreciate that free online services aren't necessarily going to provide a standard of security that matches that of their own systems. Remember there's no Twitter service-level agreement should things go wrong. A blanket ban on using Twitter, however, is probably impractical even in industries such as banking or medicine. Sure, not every employee needs access, but those in marketing or human resources just may -- even U.K. government departments have been urged to make more use of the microblogging tool.

The key to reducing the risks of Twittering is a sensible usage policy implemented through technology and training. The best way of ensuring the success of such an approach is to agree on an acceptable usage policy with your employees and then strictly enforce it. Employees are far less likely to try to circumvent any restrictions if they understand the logic behind them and have been involved in developing the overall corporate Twitter policy. Also, they will have no excuse for not knowing what they can and can't say and do when using Twitter. Web monitoring tools such as Websense Inc.'s Web Security Gateway or McAfee Inc.'s Secure Web Gateway should be deployed to enforce the policy and ensure breaches are detectable so that disciplinary steps can be taken.

Due to the often ingenious and ever-changing approaches of social engineering-based attacks, it's important to regularly remind staff of the security risks of using social networking sites. Highlight what types of content or requests should be treated as suspicious and reinforce directives such as "No clicking on banner ads on social networks," as banner ads have been used to spread malware. Be vigilant for other emerging attack vectors, such as bogus update notices, so that new restrictions can be implemented to guard against them. Certainly strong and regularly changed passwords are a must, and Twitter passwords should be different from those used to access internal networks and services.

The defensive technologies that can be used to defend against Twitter-based attacks obviously include traditional antimalware scanning to detect and hopefully prevent infections. Firewall rules should also control who has access and at what times, as dictated by the corporate Twitter policy. Consider the use of network access control (NAC) to vet systems before they are allowed onto the corporate network. Link checking or site filtering that weeds out known malware pages should also be considered. I recommend looking at OpenDNS, the free content-filtering service, as a way to block undesirable content and prevent network users from visiting phishing websites. If your organization uses Firefox, the Bit.ly URL-shortening service provides a Firefox plug-in that allows users to see where short URLs link to, including site page titles.
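Shortened links hide their destination behind one or more redirects, which is why the link checking described above matters. The following Python script is an added example (not from the article, OpenDNS or Bit.ly) of how a gateway or help-desk tool can expand a short URL by reading only the redirect headers, never downloading the final page, and then compare the destination host with a block list; the hostnames, block list and redirect table are constructed placeholders.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit
MAX_HOPS = 5  # legitimate shortener chains are short; longer ones deserve suspicion
# Constructed block list of destination hosts the policy never allows (placeholders).
BLOCKED_HOSTS = {"update-flash.example", "malware.example"}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Turn every 3xx into an HTTPError so the Location header is read, not followed.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def head_location(url, timeout=5):
    """One HEAD request; return the Location header, or None if not a redirect."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.headers.get("Location")  # 3xx lands here; 4xx/5xx carry no Location

def expand(url, fetch=head_location, max_hops=MAX_HOPS):
    """Follow redirects from a short URL; return the chain of URLs visited (loop/too long -> ValueError)."""
    chain = [url]
    for _ in range(max_hops):
        loc = fetch(chain[-1])
        if loc is None:
            return chain
        nxt = urljoin(chain[-1], loc)  # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop at %s" % nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects from %s" % (max_hops, url))

def check_link(url, fetch=head_location):
    """Return (allowed, destination_host, chain); the page body is never downloaded."""
    chain = expand(url, fetch)
    host = (urlsplit(chain[-1]).hostname or "").lower()
    blocked = any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)
    return (not blocked, host, chain)

# Constructed redirect table standing in for live HEAD responses (offline demo).
SAMPLE_REDIRECTS = {
    "http://short.example/abc": "http://tracker.example/r?x=1",
    "http://tracker.example/r?x=1": "http://update-flash.example/player.exe",
    "http://short.example/ok": "https://docs.example.org/guide",
}

def sample_fetch(url):
    return SAMPLE_REDIRECTS.get(url)
```

Calling `check_link("http://short.example/abc", sample_fetch)` walks the two constructed hops and reports the destination as blocked; pass no `fetch` argument to query live shorteners with real HEAD requests.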

The challenge for the enterprise is to protect against attacks that come through social networks without losing the potential benefits derived from using them.

Any organization that fails to outline and implement the infrastructure and resources needed to enforce safe and sensible usage of Twitter among employees is opening itself up to too many attack vectors to warrant Twitter's use. Enterprises that don't work to control the use of Twitter and give employees unfettered access are certainly putting their systems and data at risk.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

All Rights Reserved, Copyright 2003 - 2010, TechTarget | Read our Privacy Policy