How a corporate Twitter policy can combat social network threats

Despite the recent security risks, there is no reason to completely shut down Twitter use in the enterprise. There are, however, important policy controls and technologies that need to be put in place before you let the microblogging site into your organization.

In a little more than three years, Twitter has become "the SMS of the Internet" for millions of people. Many find it a useful and productive form of communication, but recent attacks against the service and its users have highlighted the potential dangers of Twitter and other social networking sites. Enterprises have had to tackle not only the productivity and privacy issues associated with Twitter, but also a number of direct security threats.

Unfortunately, the success of microblogging sites like Twitter relies on the same elements of human nature as social engineering attacks, particularly a natural desire and willingness to share and engage with those we trust.

Most people have learned not to open attachments or links in emails from people they don't know. Yet because Twitter is seen as a friendly, group-based service, many will not hesitate to click on a shortened Twitter link, having no clue as to where it will take them.

This natural trust makes Twitter an attractive approach for a malicious user, who can use the service to initiate attacks ranging from phishing scams to malware installs. A variant of the Koobface malware, for example, sends bogus messages, or tweets, when the infected user logs into Twitter. The tweets direct recipients to a malicious website where they're prompted to download an update of the Adobe Flash player, which is, in fact, malware. URL-shortening services used in tweets also add other attack vectors, with additional DNS lookups and servers sitting between the link and its destination.

Creating a corporate Twitter policy
Part of Twitter's appeal and convenience is its ease of accessibility, but the trade-off is security. Organizations need to appreciate that free online services aren't necessarily going to provide a standard of security that matches that of their own systems. Remember there's no Twitter service-level agreement should things go wrong. A blanket ban on using Twitter, however, is probably impractical even in industries such as banking or medicine. Sure, not every employee needs access, but those in marketing or human resources just may -- even U.K. government departments have been urged to make more use of the microblogging tool.

The key to reducing the risks of Twittering is a sensible usage policy implemented through technology and training. The best way of ensuring the success of such an approach is to agree on an acceptable usage policy with your employees and then strictly enforce it. Employees are far less likely to try to circumvent any restrictions if they understand the logic behind them and have been involved in developing the overall corporate Twitter policy. Also, they will have no excuse for not knowing what they can and can't say and do when using Twitter. Web monitoring tools such as Websense Inc.'s Web Security Gateway or McAfee Inc.'s Secure Web Gateway should be deployed to enforce the policy and ensure breaches are detectable so that disciplinary steps can be taken.

Due to the often ingenious and ever-changing approaches of social engineering-based attacks, it's important to regularly remind staff of the security risks of using social networking sites. Highlight what types of content or requests should be treated as suspicious and reinforce directives such as "No clicking on banner ads on social networks," as banner ads have been used to spread malware. Be vigilant for other emerging attack vectors, such as bogus update notices, so that new restrictions can be implemented to guard against them. Certainly strong and regularly changed passwords are a must, and Twitter passwords should be different from those used to access internal networks and services.

The defensive technologies that can be used to counter Twitter-based attacks obviously include traditional antimalware scanning to detect and hopefully prevent infections. Firewall rules should also control who has access and at what times, as dictated by the corporate Twitter policy. Consider the use of network access control (NAC) to vet systems before they are allowed onto the corporate network. Link checking or site filtering that weeds out known malware pages should also be considered. I recommend looking at OpenDNS, the free content-filtering service, as a way to block undesirable content and prevent network users from visiting phishing websites. If your organization uses Firefox, the URL-shortening service provides a Firefox plug-in that allows users to see where short URLs link to, including site page titles.
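The link-checking idea above, and the earlier point that a shortened link hides the chain of servers between the tweet and its destination, can be illustrated with a small resolver that walks the redirect chain one hop at a time and compares the final host against a denylist before the user is sent anywhere. This is an added example, not code from the article or from any of the products it names; the hostnames, the `BLOCKED_HOSTS` set and the `FAKE_REDIRECTS` table are constructed for the demonstration, and `http_head_location` is the only part that touches the network.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5
# Hypothetical denylist of landing hosts, constructed for this example.
BLOCKED_HOSTS = {"flash-update.example", "login-twitter.example"}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_head_location(url, timeout=5):
    """Live fetcher: one HEAD request; returns the Location header or None."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, a 3xx surfaces here and still carries Location.
        return err.headers.get("Location") if 300 <= err.code < 400 else None

def expand(url, fetcher=http_head_location):
    """Follow redirects hop by hop; return (chain_of_urls, verdict)."""
    chain = [url]
    for _ in range(MAX_HOPS):
        location = fetcher(chain[-1])
        if not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            return chain + [nxt], "loop"
        chain.append(nxt)
    else:
        return chain, "too-many-hops"
    final_host = (urlsplit(chain[-1]).hostname or "").lower()
    return chain, "blocked" if final_host in BLOCKED_HOSTS else "allow"

# Constructed redirect table standing in for the live fetcher in tests.
FAKE_REDIRECTS = {
    "http://short.example/abc": "https://second.example/r",
    "https://second.example/r": "http://flash-update.example/player",
    "http://short.example/ok": "https://safe.example/blog",
    "https://safe.example/blog": "/blog/",
    "http://loop.example/a": "http://loop.example/b",
    "http://loop.example/b": "http://loop.example/a",
}

def fake_fetcher(url):
    return FAKE_REDIRECTS.get(url)
```

Running `expand(url)` with the default fetcher resolves a real short link without ever downloading the landing page body; the chain it returns is what a gateway or plug-in would show the user before the click.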

The challenge for the enterprise is to protect against attacks that come through social networks without losing the potential benefits derived from using them.

Any organization that fails to outline and implement the infrastructure and resources needed to enforce safe and sensible usage of Twitter among employees is opening itself up to too many attack vectors to warrant Twitter's use. Enterprises that don't work to control the use of Twitter and give employees unfettered access are certainly putting their systems and data at risk.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several Security Schools and, as a site expert, answers user questions on application security and platform security.

This was last published in September 2009