This type of approach to Twitter and other Web 2.0 tools allows companies to safely harness the speed and flexibility these services provide. There's no doubt many people find them to be a productive form of communication. I think an essential step when embracing Twitter and other new technologies is to make everyone aware of their potential risks and the purpose of an acceptable usage policy. Not everyone in an organization will need access to Twitter, and firewall rules should control who has access and at what times. People are far less likely to try to circumvent such restrictions if they understand the logic behind them. Due to the increasing use of social engineering-based attacks against Twitter users, it's important to regularly remind staff of the social networking dangers. Those in charge of communicating policy should highlight the types of content or requests that must be treated as suspicious. Twitter's relaxed style shouldn't mean relaxed security.
Enterprises that don't work to control Twitter in the workplace and give employees unfettered access are certainly putting their systems and data at risk. Because Twitter's creators have focused on making the service easy to use, they have gone a bit too easy on security, in my opinion. As I'm sure you're aware, there have been numerous successful hacks on Twitter and its users, not to mention the recent denial-of-service attacks on Twitter. Although Twitter Inc. reacts quickly to any breaches it discovers, there is the additional risk from the many services built on the Twitter API that uses Twitter passwords for authentication. Even if Twitter was to improve its authentication, phishing scams would still be possible.
I think phishing will always be a big problem for micro-blogging sites like Twitter, as there has to be a certain level of trust involved when people are sharing links, particularly shortened links that lead users to unknown destinations. TinyURL is the most common link-shortener URL you'll see on Twitter, as well as one of the easiest ways for a malicious user to expose users to attacks, ranging from phishing scams to malware installs. (At least the Bit.ly URL-shortening service provides a Firefox plug-in that allows a user to see where short URLs link to, including site page titles.)
Unless an organization has the infrastructure and resources to enforce safe and sensible usage of Twitter, I think the site opens too many attack vectors against your employees to warrant its use. At the end of the day, do your employees really need Twitter to be able to perform their jobs?
Dig Deeper on Web application and API security best practices
Related Q&A from Michael Cobb
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
Shellcode is a set of instructions that executes a command in software to take control of or exploit a compromised machine. Read up on the malware ... Continue Reading
The popular port scan is a hacking tool that enables attackers to gather information about how corporate networks operate. Learn how to detect and ... Continue Reading