You don't want to become the Pete Hoekstra of your company.
Not that Pete's a bad guy. In fact, Rep. Hoekstra of Michigan has a distinguished legacy of service in politics and business, including a 2004 appointment as chairman of the House Permanent Select Committee on Intelligence, where he is the ranking Republican and still leads oversight on intelligence issues. He's a connected guy.
And that's his problem.
Early in February, Hoekstra flew into Iraq as part of a Congressional delegation's trip to Iraq and Afghanistan. Upon his arrival, he posted to his Twitter page that he'd just landed in the Iraqi capital of Baghdad and was stunned he had BlackBerry service for the first time in his 11 trips to Iraq. He later made posts about moving through the "Green Zone" via helicopter to the U.S. Embassy.
So much for what was supposed to be a secret trip, and so much for keeping the sanctity of the delegation's itinerary. Hoekstra has close to 3,500 Twitter followers, and theoretically, each one knew of, and could share, his whereabouts in an instant.
Such is the viral nature of social networking, and a prime example of the risk to sensitive corporate and private information posed by what is, for many, today's primary means of small talk.
Tweeting, for instance, is becoming part of the professional lexicon, whether you work in the public or private sector. People are ever more connected socially via networks such as Twitter, LinkedIn, Facebook and countless others. People who Twitter in their personal lives, for example, also tend to bring those 140-character Tweets into their professional lives, and the line can become blurred as to how much information becomes too much information.
Paranoia? Not really.
Take LinkedIn, for example. LinkedIn, for the uninitiated, is a professional networking service, a place where people are able to make business contacts, join others in similar industries in informal information-sharing groups, and ferret out new job prospects. It's also a haven for mining competitive intelligence. Threats expert Lenny Zeltser wrote recently for the SANS Internet Storm Center that attackers are checking out company profiles for title changes that would indicate strategy or organizational shifts. New hires show up on company profiles too; they're fresh meat for attackers because newbies aren't up to speed on company policy or security culture. Sophisticated attackers can also map organizations via these profiles in order to target attacks.
Web 2.0 has radically messed with the way information and even marketing material is disseminated and consumed. Twits (the affectionate nickname for folks on Twitter) scooped CNN.com on the January crash of USAir flight 1549 into the Hudson River. Blogs, RSS feeds and Craigslist have pushed newspapers and their day-old analysis of news to the brink of extinction. Many companies are building their brands via social networking, going as far as disseminating press releases and product announcements via Web 2.0.
It's an immediacy not even email can offer. But like any business implement, there must be controls and finding a happy security balance between policy and technology is tricky. Banning social networking -- and by extension, Web 2.0 -- in the enterprise is akin, as expert Marcus Ranum likes to say, to complaining after a horse has left an unlocked barn. The next-generation workforce has Web 2.0 neatly packed away in their backpacks and intends to use it at their desks; it's up to the security industry to work with business management to contain the threat of its side effects: information leakage, malware infestations and productivity drain.
SERIOUS RISKS: MALWARE, DATA LEAKAGE
User generated content is what separates today's Web 2.0 from yesterday's online experience. People love to share the most innocuous things with their online friends, download silly applications and manage what they believe to be their private space on the Internet. The companion truth is that attackers have followed their prey to social networking platforms, and are laying down phishing snares, infecting machines with ad-generating software and logging keystrokes.
In the business world, the dangers to corporate secrets are growing. As business embraces these new mediums, the odds grow that someone could inadvertently spill secrets on a blog or collaboration portal, or follow links in a Facebook app to a phishing or malware site and either lose personal information or afford an attacker unfettered access to a corporate network.
"In the old days, you put up content on a website and people can browse it. Hopefully, the website is under the control of one party and it's easier to inspect content and make sure it's legitimate," says Chenxi Wang, principal analyst at Forrester Research. "Now with social networking, you're involving a large number of parties who are all uploading content; it's very difficult to attain the same level of assurance."
Wang says companies are getting less Draconian about social networking use inside the firewall. If there is a business purpose, it is allowed, even if it is restricted somewhat; it's also useful in attracting younger workers. She points out that in some heavily regulated industries, such as financial services and health care, where communication must be logged, policies are stricter on content that leaves over the Web. Webmail, i.e., Gmail and Yahoo, is a concern there, as are peer-to-peer file sharing and online storage services such as Megaupload; knowledge workers could use these to circumvent policies on what types of documents are allowed to leave the network, and how (see "You're the Last to Know," below).
Workarounds: You're the Last To Know
Users are ahead of IT when it comes to side-stepping Web 2.0 restrictions.
Do you really know the extent of what Web 2.0 sites are visited, or what tools are being installed on machines in your network? Your perception is probably counter to reality.
While more organizations are making a business case for the capabilities found in Web 2.0 applications, users for the most part aren't waiting for you to iron out your acceptable usage policies or lay out a list of permitted apps. They're forging ahead, using and installing a glut of Web 2.0 tools and applications such as peer-to-peer file sharing, Web conferencing and anonymizers such as Tor, in addition to downloading user-generated applications from Facebook, MySpace and LinkedIn. These end-arounds are increasingly exposing companies to data loss and malware infections.
Face Time Communications recently asked IT and security managers at more than 80 enterprises how many and which Web 2.0 apps they believed were running in their networks. Their estimates are far lower than reality. For example: 60 percent believed users were actively doing social networking; 54 percent thought P2P apps were installed and 15 percent were confident of the presence of anonymizers; when in fact there was 100 percent, or close to it, penetration of all of these tools and more, including Internet Protocol TV (IPTV), which streams mainstream television programming.
"Hackers are following people, and moving to Web 2.0," says Face Time VP of product marketing Frank Cabri. "Threats are moving in parallel."
And even when IT puts barriers in place -- sites are blocked or restricted, or size limits are put on email attachments -- users find other ways around them, using anonymizers or proxy services such as Ultrasurf that bypass corporate network controls and the policies banning visits to certain sites. Users wanting to move restricted data off a network can upload the contents of their hard drives to a Web-based storage service such as Dropbox or Megaupload. These services also support encryption, which defeats content inspection on the way out.
"The problem is, IT is always the last one to know," says Palo Alto Networks VP of marketing Steve Mullaney. "The lack of visibility is the problem. You think you're stopping things by blocking MySpace, but younger people especially are going to be stopped for about two seconds. They're going to fire up Ultrasurf or use some encrypted proxy avoidance app that lets you do what you want."
--Michael S. Mimoso
"I think companies need to be judicious about Web 2.0 adoption and usage; don't use anything the business doesn't call for," Wang says. "Really take a close look at the security treatment of new technology and whether it opens you to risk and whether you're prepared to handle or accept it."
Jamie Gesswein wasn't willing to accept the risks that accompany social networking -- not entirely, anyway. Gesswein, network security engineer for Children's Hospital of The King's Daughters in Norfolk, Va., says only a handful of public relations and marketing employees have access to social networking sites; the business case is that they need such access to monitor blogs and the like for mentions of the hospital.
"The biggest concerns were downloading malware and data leakage too," Gesswein says. Hospital staff aren't the only people with Internet access at the hospital; its young patients are allowed to bring in their laptops and access the Net via a guest wireless network. But even then, MySpace, Facebook and the like are blocked.
"We get a lot of calls from nurses and administrators asking us to allow access to kids to Facebook and MySpace, but we've stuck to our guns and not allowed it," Gesswein says. "I don't need a 7-year-old in the hospital accessing MySpace."
Organizations need to train users about which of their actions online pose the biggest risks.
"Don't click on links in Facebook, or on wikis or blogs," says Tim Roddy, senior director of product marketing at McAfee. "There's a real danger: you don't know who posted the content there. Most organizations have data security policies, but those need to be updated to include whether you can use web-based email to send information, or you can post to a blog. It's an awareness issue for employees because most data leakage isn't deliberate. Look at what's being posted; people shouldn't be blogging about their company -- period."
A bigger driver is federal and industry regulation; for Children's Hospital of the King's Daughters, it's HIPAA compliance. With patient privacy under stringent watch in the health care industry, compliance helps drive home to upper management the importance of data protection and win their backing to shut down as many egress points as possible.
Still, deny-by-default isn't going to work forever. Information Security magazine's annual Priorities 2009 survey bears this out: more than 660 respondents answered a question about social networking, and 42 percent said they ban it entirely. Of the 58 percent that don't, only 9 percent allow unrestricted access.
"In general, things are loosening up," Forrester's Wang says. "More people are saying it's useful for business purposes. And more people are allowing them to attract younger workers. It really depends on the company culture."
Clearly, a mix of technology and policy is the most sensible road to travel for many companies. Web security gateways that address not only antimalware, but URL and content filtering are being turned on social networking sites in order to catch private data such as credit card or Social Security numbers, or certain keywords that would indicate a corporate secret could be heading through the pipes onto the Web.
"The better weapon is to have the technology in place, but without policy, it would be moot," says Gesswein, who has a Sophos WS 1000 Web appliance installed on the hospital's network. The appliance, and others like it, inspects inbound and outbound traffic against policy, gives granular control over Web content, and includes anonymizing-proxy detection that sniffs out the proxy servers savvier users could route through to sneak confidential data out via, for example, personal webmail accounts. "We have the ability to show the management what is going on in the network, what is being protected and how."
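The anonymizing-proxy detection mentioned here, and the Ultrasurf and Tor end-arounds described in the sidebar, come down to spotting tunnels that do not look like ordinary browsing. The following is an added example, not the article's code and not how the Sophos or Palo Alto Networks products actually work: it runs three editor-chosen heuristics over Squid-format proxy log lines. The heuristics (a CONNECT to a bare IP literal, a CONNECT to a port other than 443 or 80, and one client fanning out to several distinct IP-literal endpoints) are assumptions about how such tools commonly behave, not vendor signatures, and the log lines and addresses are constructed for the demonstration.

```python
"""Proxy-avoidance heuristics over Squid native-format access log lines.

Added example; the three heuristics below are the editor's assumptions
about typical anonymizer behaviour, not signatures from any product.
The log lines are constructed; the addresses are documentation ranges.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed Squid lines: time elapsed client action/code bytes method url
# ident hierarchy/peer content-type. 10.0.0.7 browses normally; 10.0.0.5
# tunnels to several bare IPs, one on 8443; 10.0.0.9 hits a single bare IP.
SAMPLE_LOG = """\
1234567890.101    512 10.0.0.7 TCP_TUNNEL/200 9120 CONNECT mail.google.com:443 - HIER_DIRECT/74.125.0.1 -
1234567890.202    300 10.0.0.7 TCP_MISS/200 4100 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1234567891.303  61000 10.0.0.5 TCP_TUNNEL/200 88120 CONNECT 203.0.113.5:443 - HIER_DIRECT/203.0.113.5 -
1234567892.404  59000 10.0.0.5 TCP_TUNNEL/200 70011 CONNECT 203.0.113.9:443 - HIER_DIRECT/203.0.113.9 -
1234567893.505  58000 10.0.0.5 TCP_TUNNEL/200 65000 CONNECT 198.51.100.20:8443 - HIER_DIRECT/198.51.100.20 -
1234567894.606    200 10.0.0.9 TCP_TUNNEL/200 3000 CONNECT 192.0.2.40:443 - HIER_DIRECT/192.0.2.40 -
"""


class Hit(NamedTuple):
    client: str
    target: str
    reason: str


def parse_squid(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (client, method, url) from a Squid line, or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return fields[2], fields[5], fields[6]


def connect_target(url: str) -> Tuple[str, int]:
    """Split the host:port of a CONNECT request; port -1 if unparseable."""
    if ":" in url:
        host, port = url.rsplit(":", 1)
        return host, (int(port) if port.isdigit() else -1)
    return url, 443


def find_hits(log: str, fanout_threshold: int = 3) -> List[Hit]:
    """Apply the three heuristics to every CONNECT in the log."""
    hits: List[Hit] = []
    ip_dests: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        rec = parse_squid(line)
        if rec is None:
            continue
        client, method, url = rec
        if method != "CONNECT":  # tunnels are where proxy-avoidance tools live
            continue
        host, port = connect_target(url)
        if IPV4_RE.match(host):  # client skipped DNS entirely
            hits.append(Hit(client, url, "CONNECT to IP literal"))
            ip_dests[client].add(host)
        if port not in (443, 80):
            hits.append(Hit(client, url, "CONNECT to non-standard port"))
    for client, dests in ip_dests.items():
        if len(dests) >= fanout_threshold:  # hopping between relay endpoints
            hits.append(Hit(client, ",".join(sorted(dests)),
                            "fan-out to %d IP-literal endpoints" % len(dests)))
    return hits


def score_clients(log: str) -> Dict[str, int]:
    """One point per heuristic hit; the highest score is the desk to visit first."""
    scores: Dict[str, int] = defaultdict(int)
    for hit in find_hits(log):
        scores[hit.client] += 1
    return dict(scores)


if __name__ == "__main__":
    for client, score in sorted(score_clients(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(client, score)
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

A single CONNECT to a bare IP is weak evidence on its own (plenty of legitimate services are reached that way), which is why the scoring stacks the heuristics rather than blocking on any one of them; in practice the fan-out rule should be windowed by time, and the thresholds tuned against a baseline of the site's own traffic.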
Gesswein struggles with that balance of providing access and enforcing policy. Doctors, like others in many industries, can collaborate online with peers via social networking sites. Medical collaboration sites and message boards, blogs and wikis are invaluable tools in speeding up patient care. Gesswein acknowledges that more staff members are also accessing information via personal devices such as BlackBerries and iPhones.
"The hardest thing is to have to keep telling myself that there has to be a balance. In a perfect world as a security person, everything is blocked, nothing is allowed. But in reality, we have to make money to stay alive. In order for them to make that money more efficiently, they need this technology in place, have access to information and be able to send and receive and talk to people more effectively. That balance between security and giving them this ability is tough. If you have to have this type of access and technology, let me work with you to figure out how I can protect the information and also at the same time, get you what you want."
MONITOR OUTBOUND CONTENT
Web 2.0 security isn't just about social networking and leaking secrets inadvertently in a blog post. Online productivity suites such as Google Apps are attractive no-cost options for organizations seeking free email, word processing, spreadsheets and document-sharing capabilities. Problems arise on these platforms from the lack of oversight, especially when they're adopted departmentally, or even by select individuals on a project.
Greenhill & Co., a small investment banking firm in New York, needed to get a handle on users accessing and moving documents on webmail services such as Gmail, Hotmail and others. John Shaffer, vice president of IT, says Sarbanes-Oxley auditors were looking at this risk and how it was being mitigated. Worse, he didn't want to see documents such as compensation spreadsheets leaking outside his organization via Gmail or Google docs.
"We had two choices: capture HTTP mail, or block it. We blocked it as opposed to archiving external email," Shaffer says, adding that users were getting past port-blocking firewalls by tunneling over SSL. The organization brought in Palo Alto Networks' PA series firewalls, which consolidate threat protection and content filtering in one box. Shaffer had the visibility he needed to satisfy auditors and learn exactly what users were up to, especially over Gmail. He could then set blocking policies per user via Active Directory.
"Data leakage was a big concern. We wanted to make sure people were not attaching spreadsheets," Shaffer says. "There are a number of ways to get data out of a network. We're at least making a best effort to get out to some. When we get audited and go through the whole Sarbanes-Oxley process, that's one of the things they're looking at."
While Gmail and Google Docs are free applications, enterprise versions provide some management and security capabilities that enterprises could use to rein in users via policy controls.
"If we are talking about a vendor that is providing collaboration services for corporations, you have to expect a very stringent policy control interface for me to say this type of document can be shared to this group, but not outside. Or, this document lives on a server for this long, but then is deleted," says Wang. "I haven't seen a lot of collaboration sites that offer this type of elaborate policy control interface to users. People like Google have to work on it. If they are trying to break into the enterprise, policy control is important."
Wang acknowledges that monitoring outbound content is difficult, but sees that trend spiking in a positive direction as more content security vendors acquire data leak prevention tools.
"There's a lot more going on around outbound data filtering," Wang says. "In the old days, it was all about filtering inbound email. Today, content filtering and webmail filtering is taking on more of a business context. We want to look at outbound content; what kind of mail you're sending out, attachments too, as well as Facebook and MySpace and what you're posting there. A lot of secure Web gateways have primitive abilities to recognize structured data. They're not sophisticated enough to block corporate secrets, for example. That's in a fairly early stage. But that's the direction vendors are working hard toward."
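What the gateways described earlier actually do when they catch a credit card or Social Security number heading out, and why Wang calls recognizing structured data the easy part and corporate secrets the hard part, is simple to show in code. The following is an added example, not the article's code and not any vendor's product: it inspects an outbound body (what a webmail compose form or a blog comment would POST) for card numbers, SSNs and a keyword list. A card number is a regex plus a Luhn check, so a 16-digit order number does not trip it; an SSN is a format check; the keyword list, the block-or-log policy and the sample bodies are constructed for the demonstration and are what each company would have to write for itself.

```python
"""Outbound content inspection: structured PII plus a keyword list.

Added example, not the article's or any vendor's code. KEYWORDS, the
decision policy in decide() and the SAMPLES bodies are constructed.
"""
import re
from typing import List, NamedTuple

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
# SSN format: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
# Hypothetical terms that would mark a corporate secret at some company.
KEYWORDS = ("project falcon", "compensation", "internal only")


class Finding(NamedTuple):
    kind: str    # "card", "ssn" or "keyword"
    detail: str  # masked value, or the keyword that matched


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the log itself is not a leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect(body: str) -> List[Finding]:
    """Return every policy hit in an outbound body, values masked for logging."""
    findings: List[Finding] = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("card", mask(digits)))
    for m in SSN_RE.finditer(body):
        findings.append(Finding("ssn", "***-**-" + m.group()[-4:]))
    lowered = body.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.append(Finding("keyword", kw))
    return findings


def decide(findings: List[Finding]) -> str:
    """Constructed policy: structured PII is blocked, keyword hits are logged for review."""
    if any(f.kind in ("card", "ssn") for f in findings):
        return "block"
    if findings:
        return "log"
    return "allow"


# Constructed outbound bodies, e.g. what a webmail compose form would POST.
SAMPLES = {
    "card": "Hi, my card is 4111 1111 1111 1111 exp 12/11, please charge it.",
    "not_a_card": "Order 4111 1111 1111 1112 shipped today.",  # fails Luhn
    "ssn": "Patient SSN 123-45-6789 attached.",
    "keyword": "Project Falcon deck attached, internal only.",
    "benign": "Lunch at noon?",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        found = inspect(body)
        print("%-10s %-5s %s" % (name, decide(found), found))
```

The card and SSN rules are exactly the "primitive" structured-data recognition Wang describes: cheap, reliable, and low on false positives once the Luhn check is in. The keyword rule is where the trouble starts, since a term like "compensation" shows up in innocent mail too, which is why the constructed policy logs keyword hits for a human rather than blocking on them, and why a gateway sitting in front of SSL-tunneled webmail sees none of this unless it also terminates the TLS session.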
The good news is that, yes, vendors and CISOs are looking at Web 2.0 security and the consequences of user behaviors online. Social networking presents security and productivity issues that run counter to growing business uses for these tools. Enterprises see a marketing value in Web 2.0 outlets such as Facebook, Twitter and LinkedIn. Younger people entering the workforce are used to having these sites and this kind of connectivity at their disposal, and expect it as part of their professional existence.
CISOs, as with any new online phenomenon, have to find that precious balance between security and productivity. Risk must be offset with a mix of policy and technology, and users must be educated so that important information isn't inadvertently leaked online and the next Pete Hoekstra doesn't work within your company's four walls.
Michael S. Mimoso is Editor of Information Security. Send comments on this article to firstname.lastname@example.org.