The following is an excerpt from the book Securing the Clicks: Network Security in the Age of Social Media by Gary Bahadur, Jason Inasi, and Alex de Carvalho. In this section, author Gary Bahadur offers insights on effective social media policy and illustrates different strategies for managing in-house and external applications.
What Is an Effective Social Media Security Policy?
Defining the content of a policy is the first great challenge. Currently, there are no international standards bodies (such as Institute of Electrical and Electronics Engineers or IEEE) to help with this problem. The government is trying to adapt NIST SP 800-53 Rev 3, which is a government standard on information security procedures, to take into account some form of accreditation for services such as Twitter or YouTube as a network system. As these are hosted services, however, you have no control over them; you have to rely on the administrator of Twitter and YouTube to maintain security protocols.
- Any regulatory requirements and legal requirements that social media use could impact
- Managing internal and external hosted applications, including monitoring and reporting tools and techniques and testing and auditing
- Enterprise-wide coordination
- Codes of conduct and acceptable use
- Roles and responsibilities for the Community Manager
- Education and training
- Policy management, reporting, and monitoring
Securing the Clicks: Network Security in the Age of Social Media
Authors: Gary Bahadur, Jason Inasi, and Alex de Carvalho
Learn more about Securing the Clicks Network Security in the Age of Social Media from publisher McGraw-Hill.
Managing In-house (Self-hosted) Applications
Your social media security policy should detail security requirements for using social media sites that you do have control over. Companies that build their own policies and apply their own requirements without the benefit of adopting a secure process for developing applications are developing policies based on how technology and privacy of data has been historically treated in typical security infrastructures. Many approaches to securing a social media application or website are similar to securing your company’s ecommerce site or proprietary applications. Differences occur when you are compromised by an employee saying something inappropriate, a customer attacking your company brand, or your sales team losing customer data over social media channels. These problems make it into the public sphere much quicker; customer feedback is almost immediate; and your brand can suffer damage within the span of a few hours.
More on social media security
- Web application risks exacerbated by social media ties, says ISACA
- Checklist: Managing applications in the cloud
Managing Externally Hosted Applications
Third-party cloud applications cannot be handled in the same manner as your own infrastructure applications. You have minimal impact on these third-party companies and their security requirements, and influencing them to modify their security posture will probably not be effective. Alternatively, reliance on your own controls is essential. Examples of internal controls to consider include:
- How your employees use these third-party social media sites
- What data is allowed
- How you will monitor your corporate activity
- How you will respond to an external incident
Another key change in how you manage data is that you have to rely on third-party platforms to conduct their own security testing of their applications, and then they may or may not show you the results. You inherently trust these platforms and related applications to keep all the private messages you receive from your Facebook Fans secure from hackers and you rely on third parties not to sell customer lists of your Twitter followers. But has your company asked Twitter or Facebook for a SAS 70 II audit report (which is a third-party analysis of a company’s security posture)? As of last year, Twitter agreed to share all public tweets since its inception (2006) and archive them in the Library of Congress—with the exception of deleted tweets. Google already indexes tweets in real time. Yahoo! and Microsoft get copies, too. This could be part of your audit processes. Have you any idea what their security policies are over the data you share with these third-party companies?
The policy framework has to take into account the following major security concepts when dealing with a third-party application:
- Social media is generally based on third-party “cloud” applications and, therefore, your company can’t control their security.
- Social media web applications and downloadable applications have the same security challenges as all other web-based applications and other installed software applications.
- The general public is as involved with your company’s use of social media as you are, and your policy has to give guidance to your employees on how to handle public interactions.
- Your company should have a public version of your social media policy that explains your positions on social media.
Sharing of data is a must in social media, but data sharing is also a key aspect of attacks from both a technological hacking perspective as well as a content perspective.
- Malicious code is easier to share via social media portals and downloadable applications that can then connect back to the corporate environment to introduce viruses, Trojans, and other malware.
- Reputation management is often more important than secure technology-based controls when addressing the risks due to social media.
- Enable encrypted communications to the social media site when possible. This is not easy with most sites, but applications are available that can help with this task. One example is HTTPS Everywhere from the Electronic Frontier Foundation (https://www.eff.org/https-everywhere). As the site says:
HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites. Many sites on the Web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.
When you install the HTTPS Everywhere add-on in Firefox, it forces encryption on the sites it covers. In Figure 6-1, you see that going to Facebook without HTTPS Everywhere leaves the website unencrypted. Once you install HTTPS Everywhere, you will see, as shown in Figures 6-2 and 6-3, how the “https” is now forced without any user interaction for social media sites you visit.
Figure 6-1 Visiting a site without HTTPS Everywhere turned on and no encryption
Figure 6-2 “HTTPS” is forced when visiting Facebook with HTTPS Everywhere.
Figure 6-3 “HTTPS” is forced when visiting Twitter with HTTPS Everywhere.
Read the whole chapter
HTTPS Everywhere actually offers protection against Firesheep and the software currently supports other sites such as Google Search, Wikipedia, bit.ly, GMX, and Wordpress.com blogs, and, of course, Facebook and Twitter. (As we mentioned in Chapter 5, BlackSheep can also help identify the Firesheep threat.) As Facebook and Google and other sites make HTTPS connections more readily accessible and a default option, the threat of unencrypted communications will decrease.
Excerpted from Securing the Clicks: Network Security in the Age of Social Media by (McGraw-Hill; 2012) with permission from McGraw-Hill.