A majority of attacks on the Internet depend upon the exploitation of human nature through the abuse of trust. It is human nature, for example, to feel comfortable with Web-based social networks that include our friends and family. We don't expect these people to be hosting anything on their pages that would "attack" us.
Likewise, most wikis are created by well-meaning people, typically subject matter experts, and we tend to trust experts. We don't expect a page full of useful information to contain anything that would be harmful. However, there is plenty of evidence that such Web pages are being used to distribute malware, almost always without the knowledge of the page owner or creator.
In November 2007, the MySpace profiles of Alicia Keys and a number of other recording artists were found to be serving malicious code. McAfee Inc. also recently reported a malicious MySpace friend request which, when clicked, popped up an apparently legitimate "Automatic Update" window that in fact attempted to download what McAfee described as a "malware cocktail": additional downloaders, several Trojans and a remote administration tool.
So, in addition to enterprise concerns over productivity losses to social networks and privacy issues arising from their use, particularly at work, there are now some direct security threats in play, including network compromise via infected pages. (To get a measure of just how much "drive-by" malware is being
Creating a sensible social network policy
The challenge for the enterprise is to protect against attacks that come through social networks without losing the real benefits of accessing them. A blanket ban on employees visiting social network sites or wikis, whether through policy, filtering or both, could put the organization at a competitive disadvantage, particularly in sectors such as entertainment and hi-tech, or in fields like marketing and human resources. Just as the maliciously inclined seek to leverage the popularity of social networks to their own ends, all manner of legitimate entities are looking to do the same: promoting products, recruiting people, and so on.
Enterprises should manage social network dangers with sensible policy implemented through technology and training. The policy will depend upon an organization's risk posture and other specifics. A talent agency or other entertainment-related business, for example, may find a ban on social networks impractical. A bank, however, may allow only certain employees or groups to access such sites. All organizations will want to remind employees that their Web browsing is monitored, and that excessive trips to non-work-related sites will be flagged and may be grounds for disciplinary action.
Getting employees to follow the policy
Training employees means educating them about the policy, how it is enforced and the risks it is intended to mitigate. Employers are likely to get better cooperation if they explain the reasoning to workers rather than simply issue blanket bans from on high.
As for the risks the policy addresses: an infected computer can be used to attack other machines, including the corporate network, potentially causing significant damage, the compromise of personal data and the loss of personal files. Following directives such as "No clicking on banner ads on social networks" can help avoid those consequences, since such ads have often been used to spread malware. Managers may want to add further directives as other attack vectors emerge, such as the bogus update notices described above.
It may also be useful to do some general awareness training about social networks and wikis. Assumptions of anonymity on social networking sites should be challenged. Remind employees that what they post on most social networks is accessible to anyone on the planet with an Internet connection, and that such information is often traceable back to them. And just as employees should be advised never to put anything in email that they wouldn't want their mothers to read, they should ask themselves the same question when posting to social network sites: "Do you really want total strangers, and everyone you know, to know this about you?"
Of course, not all social Web sites are created equal. Some require meaningful identification of members and restrict access to vetted members, sometimes through paid subscription. These sites are arguably less open to abuse. For example, CompuServe forums, which required a paid subscription, never suffered much damage.
Regarding "social" malware, the available defensive technology includes traditional antimalware scanning across the network and on every connecting client, which may detect, and ideally prevent, infections. Link checking or site filtering that blocks known malware pages should also be considered; programs such as LinkScanner and SiteAdvisor may help. OpenDNS, a free DNS resolution service, is another option for steering employees away from a whole range of bad sites. For machines that spend time out of the office, consider specific bot defenses and network access control technology, which vets systems before they are allowed back onto the corporate network.
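The site-filtering approach above turns out to be mostly a matter of deciding what the "host" of a URL really is. The following is an added example, written for this article and not code from any of the products named; the blocklist domains and sample URLs are constructed. It shows the host-matching decisions a filter must get right before a blocklist is of any use: case, trailing dots, explicit ports, credentials placed before an "@" to disguise the true destination, internationalized labels, and subdomains of a listed domain.

```python
"""Minimal URL filter against a list of known-malicious hosts.

Added example for this article. The domains below are constructed
(.example is reserved for documentation) and stand in for a vendor feed.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed blocklist: registrable domains the organization blocks.
BLOCKED_DOMAINS = {
    "malware-cocktail.example",
    "fake-update.example",
}


def normalize_host(url: str) -> Optional[str]:
    """Return the effective host of *url* in canonical form, or None.

    Canonical form: lowercase, no trailing dot, non-ASCII labels
    converted to their IDNA (xn--) encoding. None means the URL carries
    no usable http(s) host; the caller decides whether that is allowed.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    # .hostname drops userinfo and the port and lowercases the host, so
    # "http://www.myspace.com@fake-update.example:8080/" resolves to the
    # real destination after the '@', not the decoy before it.
    host = parts.hostname
    if not host:
        return None
    host = host.rstrip(".")  # "evil.example." names the same host as "evil.example"
    try:
        host = host.encode("idna").decode("ascii")  # e.g. bücher -> xn--bcher-kva
    except UnicodeError:
        return None
    return host


def is_blocked(url: str) -> bool:
    """True if the URL's host is a blocked domain or a subdomain of one."""
    host = normalize_host(url)
    if host is None:
        return False  # policy choice: unparseable/non-http URLs are left to other controls
    labels = host.split(".")
    # Walk from the full host up through its parents so that
    # cdn.fake-update.example is blocked when fake-update.example is.
    # Note that fake-update.example.com is NOT a child of fake-update.example
    # and is correctly allowed: suffix matching must respect label boundaries.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in BLOCKED_DOMAINS:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample URLs exercising each normalization case.
    SAMPLE_URLS = [
        "http://fake-update.example/AutomaticUpdate.exe",
        "http://www.myspace.com@fake-update.example:8080/",
        "https://CDN.Malware-Cocktail.Example./loader",
        "http://bücher.fake-update.example/",
        "http://fake-update.example.com/",
        "http://www.myspace.com/",
    ]
    for u in SAMPLE_URLS:
        print("BLOCK" if is_blocked(u) else "allow", u)
```

The walk up the label chain is deliberately simple; a production filter would stop at the public suffix rather than at the top-level label, and would usually fail closed on URLs it cannot parse rather than returning False as `is_blocked` does here.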
Clearly social networking isn't going away anytime soon; it's arguably one of the most compelling and enjoyable ways to use the Internet. However, it's increasingly clear that malware and other threats will continue to plague social networking sites for the foreseeable future. With good policy and employee awareness, however, social networking threats can be greatly reduced.
About the author
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
This was first published in February 2008