Over the last two weeks security news reports identify social networking sites as distribution points for malware of all sorts and flavours and as botnets for distributing more of the same. In addition, site users seem enthusiastic to reveal personal information to those who would gladly accept the information for purposes of identity theft. The benefits of social networking are being strongly challenged by the disadvantages of predatory, definitely anti-social behavior.

We have posted several such articles on the ERE web site: www.ere-security.ca; the most recent one being

August 17, 2009

Hackers put social networks such as Twitter in crosshairs

http://www.infoworld.com/d/security-central/hackers-put-social-networks-such-twitter-in-crosshairs-832?source=IFWNLE_nlt_sec_2009-08-17

My advice to all concerned, especially CIOs CSOs and security managers is to create and enforce end-user policy for social networking sites. The fundimentals are of course:

1. Do not reveal any personal / financial information that you would not otherwise gladly hand to your neighbours.
2. Do not answer any personal questions.
3. Be very leary of links to other web sites, particularly those involving any aspect of personal finance.

Policy should also enforce:

1. Timely patch updates on all end-user devices.
2. Timely updated anti-malware signatures and updates.
3. Defence in depth with at least two layers of malware protection: at least on the end-user devices and on an internet gateway device, through which all related traffic must pass.
4. Enforce all related traffic through the gateway; shut down all unnecessary ports and services on the corporate firewall and then test to see if undesired traffic can be tunneled or otherwise circumvent the gateway.

The difficulties of enforcing policy regarding end-user activity is of course convincing them to want to act in accordance with policy and then punishing those who contravene policy. These of course are age old problems. However there are tried-and-true solutions.

Security awareness training has proven most beneficial in this arena, particularly where training is coupled with rewards for adhering to policy. Handing out rewards to those who pass an on-line test demonstrating their awareness and possibly compliance with policy is a positive reinforcement that further encourages support of the policy.

Rewards may include inexpensive items such as tee-shirts with an appropriate message or sporting and entertainment vouchers. Of course accolades in corporate news services are a must.

Enforcement must be consistent and ubiquitous, including all senior management. Detection of non-compliance can be accomplished with the use of many automated tools plus by an audit team, perhaps composed of H/R staff, simply visiting the employee accounts on social networking sites. This of course requires that as part of policy, that employees must disclose all their social networking accounts, which is a major issue of contention with regard to privacy.

Privacy policy is another topic entirely, as the usual measures of privacy really are outdated by the invention of social networking sites. For instance, it would have been impossible for privacy policy authors to contemplate social networking sites 20 years ago. But this is a topic for another time.