Social networking, a term relatively new to the computing vernacular, has already become part of the cultural norm for a great proportion of Internet users.
Even more recently, the use of online communities to establish and build connections among those with shared interests has become part of the corporate world as well. As professional social networks such as LinkedIn and Blue Chip Expert continue to grow, and professional groups gain in popularity on once-personal sites like Facebook and MySpace, enterprise security and risk management professionals must face the reality that these sites are emerging conduits for the unauthorized disclosure of confidential corperate information. Add the use of public social networking tools to the list of concerns, and the effectiveness of the traditional corporate security perimeter is further diminished. However, a robust set of policy, process and architecture aids in mitigating the risks of being social.
Broadly, social networking is described as software that lets people interact, rendezvous, connect, play or collaborate by use of a computer network. This definition covers the popular social networking sites, including those mentioned above, as well as blogs, wikis, RSS, podcasts, tags, and more recently, search engines. While there are numerous benefits to social network solutions, including reducing costs and increasing collaboration, we'll focus on addressing the risks of social networks.
Social networking security: Start with policy
All enterprises have a form of an acceptable use policy, which should govern the use of all resources in the enterprise computing environment. While it may be implicitly implied in your current policies that public social networking sites are covered, because of the nebulous nature of this technology, a more explicit rendering of the expectations and policies is necessary.
Critically read your current policy in a context of social networking and identify gaps that need to be addressed. For instance, because of the risks and inherent difficulty in managing the use of social networking applications, many enterprises have made the decision to not allow access to social networking services from inside the corporate perimeter (often with the exception of human resources departments for recruiting purposes). Of greatest importance is a clear and unambiguous warning in the policy about sharing confidential corporate information. Many organizations have added social networking sections to their training on protecting corporate information. Ensure that the policy indicates the prohibitions against revealing sensitive information via social networking, and clearly spells out the ramifications, including the levels of discipline that could occur. As always, when the acceptable use policy has been modified, ensure that all employees are made aware! Policy should then be enforced either through analysis of Web logs, which will detail use during business time (if not allowed), or through automated searches of websites for corporate information.
Defenses for social networking
Security success is all about the right combination of people, process, policy and technology. When it comes to addressing social networking concerns, the same holds true. Intrusion detection and intrusion prevention systems (IDS and IPS) need to be kept current to address the risks of social networking traffic, and bandwidth-shaping technology should be deployed in order to maintain proper network speed, and also identify abuse or compromised machines.
In addition, many popular Web-based social network services have an increasing number of applications available to download locally. While many are benign, a significant number of these small apps carry malicious payloads, hacking tools or marketing software. This can be combated by having a standard desktop image that does not allow local installation of applications, or changes to the registry keys or operating systems.
Lastly, firewall rule sets can be granularly defined to monitor, catch or block social network traffic, and of course, always ensure that antivirus products are up to date as a last line of defense.
Social networking and security awareness
Social networking risks are also a great way to enhance security awareness throughout an organization and build convergence with key decision makers and leaders. Social networking is a familiar term, but one that may not conjure up risks to the enterprise. Many other areas of the corporation, while focusing on risk and some aspects of security, may need to be educated and consulted when creating a policy or modifying your appropriate use policy. Include senior representatives from human resources, risk management, privacy, physical security, audit and legal in your preparations and response to social networking risks. A stronger partnership, and ultimately a stronger policy and process, will surely result from reaching out to them.
Establish a working group to meet periodically to discuss how this technology is emerging, and how the enterprise as a whole can address it. In addition, use formal training, newsletters, "lunch and learns," or any avenue possible to make employees aware of the proper and improper use of social networks, both at work and at home. As with many security issues and risks, a higher level of awareness points to a higher level of compliance.
Monitor for your good name
Finally, even with all of these controls in place, data and information will inevitably find its way to the Internet. Enterprises should remain vigilant in scouring the Internet regularly for any information that may be sensitive in nature.
Using third-party services, internal monitoring programs, or simply performing Web searches for keywords and key phrases can be essential in identifying and addressing instances when company information is made available via social networks, either inadvertently or intentionally.
Social networking: With progress comes risk
As with all emerging technologies, social networking is advancing rapidly and security professionals need to remain aware of the risks associated with it. There is a generation entering the workforce that assumes this technology will not only be available for their use, but is also essential to the way they communicate with colleagues and business partners.
While there are many benefits that come with using social networks both internally and externally, the policy and architecture to defend against the risks must be addressed proactively and not taken lightly. Remember, it's not being anti-social to think this way, it's being secure.
About the author:
As chief information security officer of Brown University, David Sherry is charged with the development and maintenance of Brown's information technology security strategy, IT policies and best practices, security training and awareness programs, as well as ongoing risk assessment and compliance tasks. A CISSP and CISM, Sherry has 20 years of experience in information technology. He most recently worked at Citizens Bank where he was vice president for enterprise identity and access management, providing leadership for compliance and security governance.
This was first published in November 2008