<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ERE-Security Blog &#187; Social Media</title>
	<atom:link href="http://ere-security.com/blog/category/social-media/feed" rel="self" type="application/rss+xml" />
	<link>http://ere-security.com/blog</link>
	<description>NERC CIP, NERC CIP compliance, SCADA, SOX, digital certificates, harmonized TRA, privacy compliance audit, CSOX compliance audit,  it security audit, information security auditors, IT security auditors, web security auditors, information security audit, information security auditor, security policy document</description>
	<lastBuildDate>Sat, 21 May 2011 00:10:47 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Anti-Social Networking Sites:  Part 2</title>
		<link>http://ere-security.com/blog/anti-social-networking-sites-part-2</link>
		<comments>http://ere-security.com/blog/anti-social-networking-sites-part-2#comments</comments>
		<pubDate>Tue, 29 Sep 2009 17:27:40 +0000</pubDate>
		<dc:creator>Ron Lepofsky</dc:creator>
				<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Social Media]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Social Networking]]></category>

		<guid isPermaLink="false">http://ere-security.com/blog/?p=59</guid>
		<description><![CDATA[My previous blog article focused on the two points that
1) Social networking sites present security threats.
2) There are many steps corporate security professionals can take to mitigate these threats, including policy, enforcing policy with procedures, security training, administrative procedures, and technology.
What&#8217;s in the News 
Since the last blog there has been a steady stream of [...]]]></description>
			<content:encoded><![CDATA[<p>My previous blog article focused on the two points that</p>
<p>1) Social networking sites present security threats.</p>
<p>2) There are many steps corporate security professionals can take to mitigate these threats, including policy, enforcing policy with procedures, security training, administrative procedures, and technology.</p>
<p><strong>What&#8217;s in the News </strong></p>
<p>Since the last blog there has been a steady stream of news about more security threats originating at web sites, particularly from social networking sites.  Profit appears to be the primary motive behind the threats, and the method is identity theft for profit.  Below is a sample of four web-based news articles to which I refer:</p>
<p><strong>Mitigating Web-Based Malware Attacks. August 17, 2009</strong></p>
<p><a href="http://www.threatpost.com/blogs/mitigating-web-based-malware-attacks-117">http://www.threatpost.com/blogs/mitigating-web-based-malware-attacks-117</a></p>
<p><strong>The Dirtiest Websites To Avoid, 2009-08-20</strong></p>
<p><a href="http://www.securitypronews.com/insiderreports/insider/spn-49-20090820TheDirtiestWebsitesToAvoid.html">http://www.securitypronews.com/insiderreports/insider/spn-49-20090820TheDirtiestWebsitesToAvoid.html</a></p>
<p><strong>Researcher details Facebook CSRF Flaw, August 21, 2009</strong></p>
<p><a href="http://www.scmagazineus.com/Researcher-details-Facebook-CSRF-flaw/article/146986/">http://www.scmagazineus.com/Researcher-details-Facebook-CSRF-flaw/article/146986/</a></p>
<p><strong>Malware designed to steal IDs increased 600 percent, August 20, 2009</strong></p>
<p><a href="http://www.scmagazineus.com/Malware-designed-to-steal-IDs-increased-600-percent/article/146909/">http://www.scmagazineus.com/Malware-designed-to-steal-IDs-increased-600-percent/article/146909/</a></p>
<p>For additional statistical data, the reader can consult the lists of infected sites published by various vendors, including Google, which show growth of over 100% in malware sites over the last year.</p>
<p><strong>More Financial Motivation </strong></p>
<p>There appears to be a current trend towards targeting small and medium-sized sites with identity theft attacks, probably because the larger sites were attacked first.  Also, organizations that deploy small and medium-sized sites may not have the security precautions and resources available to their larger counterparts.</p>
<p>Of course, the bad guys lose no sleep over whether their attack is running on a small site rather than on a large one.</p>
<p><strong>The Popular Drive-By Attack</strong></p>
<p>There is an increase in &#8220;drive by download&#8221; of malware, where a visitor to a web site unwittingly loads malware from the site.  The malware is placed by the perpetrators by exploiting vulnerabilities in web sites.  They find the vulnerabilities with a simple search engine query, because vulnerabilities are readily published by software vendors in patch notifications and weakness warnings.</p>
<p><strong>My Next Blog Article</strong></p>
<p>My next article will provide preventative measures that both end users and web site managers can implement to protect all concerned from the dangers of drive-by malware.</p>
<p>Have a secure week.</p>
<p>Regards,</p>
<p>Ron Lepofsky</p>
<p>ERE Information Security Auditors</p>
]]></content:encoded>
			<wfw:commentRss>http://ere-security.com/blog/anti-social-networking-sites-part-2/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Anti-Social Networking Sites</title>
		<link>http://ere-security.com/blog/anti-social-networking-sites</link>
		<comments>http://ere-security.com/blog/anti-social-networking-sites#comments</comments>
		<pubDate>Tue, 22 Sep 2009 03:06:55 +0000</pubDate>
		<dc:creator>Ron Lepofsky</dc:creator>
				<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Social Media]]></category>
		<category><![CDATA[Information Security Consulting]]></category>
		<category><![CDATA[Information Security Monitoring]]></category>
		<category><![CDATA[Social Networking]]></category>

		<guid isPermaLink="false">http://ere-security.com/blog/?p=43</guid>
<description><![CDATA[Over the last two weeks, security news reports have identified social networking sites as distribution points for malware of all sorts and flavours, and as botnets for distributing more of the same.  In addition, site users seem enthusiastic to reveal personal information to those who would gladly accept the information for purposes of identity theft. [...]]]></description>
<content:encoded><![CDATA[<p>Over the last two weeks, security news reports have identified social networking sites as distribution points for malware of all sorts and flavours, and as botnets for distributing more of the same.  In addition, site users seem enthusiastic to reveal personal information to those who would gladly accept the information for purposes of identity theft.  The benefits of social networking are being strongly challenged by the disadvantages of predatory, definitely anti-social behavior.</p>
<p>We have posted several such articles on the ERE web site: <a href="http://www.ere-security.ca/">www.ere-security.ca</a>; the most recent one being:</p>
<p>August 17, 2009</p>
<p>Hackers put social networks such as Twitter in crosshairs</p>
<p><a href="http://www.infoworld.com/d/security-central/hackers-put-social-networks-such-twitter-in-crosshairs-832?source=IFWNLE_nlt_sec_2009-08-17">http://www.infoworld.com/d/security-central/hackers-put-social-networks-such-twitter-in-crosshairs-832?source=IFWNLE_nlt_sec_2009-08-17</a></p>
<p>My advice to all concerned, especially CIOs, CSOs and security managers, is to create and enforce end-user policy for social networking sites.  The fundamentals are of course:</p>
<ol>
<li>Do not reveal any personal / financial information that you would not otherwise gladly hand to your neighbours.</li>
<li>Do not answer any personal questions.</li>
<li>Be very leery of links to other web sites, particularly those involving any aspect of personal finance.</li>
</ol>
<p>Policy should also enforce:</p>
<ol>
<li>Timely patch updates on all end-user devices.</li>
<li>Timely updated anti-malware signatures and updates.</li>
<li>Defence in depth with at least two layers of malware protection: on the end-user devices and on an internet gateway device through which all related traffic must pass.</li>
<li>Force all related traffic through the gateway; shut down all unnecessary ports and services on the corporate firewall, and then test whether undesired traffic can be tunnelled through or otherwise circumvent the gateway.</li>
</ol>
<p>The difficulty of enforcing policy regarding end-user activity is, of course, convincing users to want to act in accordance with policy and then punishing those who contravene it.  These are age-old problems.  However, there are tried-and-true solutions.</p>
<p>Security awareness training has proven most beneficial in this arena, particularly where training is coupled with rewards for adhering to policy. Handing out rewards to those who pass an on-line test demonstrating their awareness and possibly compliance with policy is a positive reinforcement that further encourages support of the policy.</p>
<p>Rewards may include inexpensive items such as tee-shirts with an appropriate message or sporting and entertainment vouchers. Of course accolades in corporate news services are a must.</p>
<p>Enforcement must be consistent and ubiquitous, including all senior management.  Detection of non-compliance can be accomplished with many automated tools, or by an audit team, perhaps composed of H/R staff, simply visiting employee accounts on social networking sites.  This of course requires, as part of policy, that employees disclose all their social networking accounts, which is a major point of contention with regard to privacy.</p>
<p>Privacy policy is another topic entirely, as the usual measures of privacy have really been made outdated by the invention of social networking sites.  For instance, it would have been impossible for privacy policy authors to contemplate social networking sites 20 years ago.  But this is a topic for another time.</p>
]]></content:encoded>
			<wfw:commentRss>http://ere-security.com/blog/anti-social-networking-sites/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

