Information Security Management Handbook, Sixth Edition (2012)
DOMAIN 3: INFORMATION SECURITY AND RISK MANAGEMENT
Chapter 6. Social Networking
Did you get my tweet? Can I join your LinkedIn network? Did you see my updates on Facebook or MySpace? Some people with limited knowledge of computers might think, “What language are you talking?” Social networking continues to creep into every arena in which people use computers, including the corporate environment. Does your enterprise permit access to social networking sites during business hours? Does your enterprise have a policy that states what can and cannot be posted to a social networking site? Many enterprises have no guidelines or education programs for their staff, so the enterprise does not know what information is being disclosed or what staff are posting about themselves or the enterprise. In the age of social networking, what are the enterprise risks of using social networking internally while giving employees no guidance on information disclosure?
What exactly is social networking? A social network is a social structure made up of people linked by one or more specific types of interconnection, such as shared values, ideas, friendship, or a professional connection; this is the idea behind the notion of six degrees of separation. Our network of social relations has expanded, moved onto the Internet, and become organized. Online social networking exploded during 2003 and 2004. All online social networking sites allow a person to provide information about themselves and whatever other information they would like to share. The types of communication within social networking sites include forums, chat rooms, e-mail, and instant messaging. Social networking sites allow a person to browse for others based on certain criteria, and some have communities and subgroups for particular interests. So, what are some of the security implications of online social networks?
Some people do not exercise the caution online that they would exercise in person when disclosing information.
There is a perception of anonymity when online.
Lack of physical interaction provides a false sense of security.
Many users tailor the information they post for those they are connected to, without realizing who else may see it.
A person may offer insights to impress friends and colleagues.
Generally, people using these sites do not pose any threat, yet malicious people may be drawn to these sites because of the freely available personal information. The more information available about a person, the more someone might be able to use it for malicious purposes. Malicious people can attempt to form relationships and eventually carry out a social engineering attack using the information a person provided about the enterprise in which he is or was employed. Social networking sites, depending on the site, store a person’s personal information. What is the largest global enterprise you can think of? Now think of the number of accounts and images that global enterprise stores. It does not matter which one you choose, because you can bet that Facebook or MySpace holds many more accounts and images. And what secures those social networking accounts? A simple user ID and password. Security professionals probably protect their own social networking accounts with strong, unique passwords, but the millions of other accounts belong to people with no security background, and a password reused from another site is only as safe as the weakest site it was used on. Today, many enterprise users prefer to manage their personal information on a social networking site to keep acquaintances abreast of their activities and accomplishments.
Ok, so we share personal information. What types of privacy and security issues and threats are present with social networking sites to the enterprise?
One of the larger enterprise risks is the social engineering attack. Social engineering is a means of attack frequently used by hackers to bypass security mechanisms and access sensitive enterprise data, not by using technology (although technology may be involved) but by using enterprise employees. Data is collected subtly and gathered gradually, piece by piece. Some information is required to create an account or to enter an online community, but the privacy settings are often neglected; therefore, the threshold for gathering information to be used in a social engineering attack is low.
Spam: Social networking sites enable various types of messaging. These messaging services allow others to send unsolicited messages to members even though site policies prohibit it.
Spear phishing: With social networking messaging, members potentially open themselves up to an e-mail spoofing fraud attempt that targets a specific enterprise and seeks unauthorized access to confidential data. A message that appears to come from a known contact and cites details lifted from a public profile is far more convincing than generic phishing.
Information leakage: Some information is available only to “friends” or members of a restricted group within a social networking site, and this is the first line of defense in protecting privacy. Because it is easy to become linked to another user, someone may be linked under false pretences. Some users do not intend to release information about their enterprise, yet it is part of their profile details.
Reputation slander: Fake profiles are created in the name of well-known personalities or brands, or to slander people who are well known within a particular network of linked profiles. Not all profiles are accurate portrayals of the individual posting the profile.
Stalking and bullying: These are repeated and purposeful acts of harm that are carried out using technology against individuals.
Information aggregation: Profiles on social networking sites can be downloaded and stored over time and incrementally by third parties. This information can be used by third parties for purposes and contexts not intended by the original person.
Secondary data collection: Beyond the personal information knowingly disclosed in a profile, the site operator can observe the use of the network itself (data such as time and length of connections, location [IP address] of connection, other users’ profiles visited, messages sent and received, and so forth).
Face recognition: Personal information on social networking sites includes user-provided digital images, which are an integral and popular part of a profile. Face-recognition software can match the same face across sites, linking a profile that was meant to be anonymous to one that carries a real name.
Linkability from image metadata, tagging, and cross-profile images: Many social networking users tag images with metadata, such as a link to their profile or an e-mail address, and the camera itself may have embedded the time and, on GPS-equipped phones, the exact location at which the picture was taken.
Social network aggregators: A relatively new breed of application that attempts to consolidate all of a person’s various social networking profiles into one. Many social network aggregators have not seen much success to date, and each one holds credentials or access tokens for every account it aggregates, so a compromise of the aggregator exposes all of them at once.
Creating an account: Many social networking sites require a birth date as part of registration to ensure that the member is over a certain age. Other information requested includes phone number, address, likes, dislikes, favorite things, and family. Although this information seems innocuous, it is exactly the kind of detail used to answer password-reset questions and to verify identity over the phone, so what happens if it falls into the hands of a malicious person?
Difficulty of complete account deletion: Completely deleting an account from a social networking site is difficult. It is easy to remove the primary pages and information, but secondary information, such as public comments made to others within the site, remains online and linked to the original account.
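The image-metadata and face-recognition items above are the ones an enterprise can actually do something about before a picture leaves the machine. The following is an added example, not code from the handbook: it walks the marker segments of a JPEG, lists the APPn and COM segments that carry metadata, pulls GPS coordinates out of an Exif segment, and strips everything but the JFIF header. The JPEG it runs on is constructed in memory (a dummy scan, not a real photo) and the coordinates and comment are made up; the Exif layout itself follows the TIFF/Exif structure that cameras write.

```python
"""Inspect and strip JPEG metadata before an image is posted. Added example for
this chapter (standard library only); the JPEG below is constructed in memory
with a dummy scan, and its Exif GPS coordinates are made up."""
import struct

SOI, EOI, SOS, COM = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFFE
APP0, APP1, APP15 = 0xFFE0, 0xFFE1, 0xFFEF        # APP0 = JFIF, APP1 = Exif/XMP

def iter_segments(data):
    """Yield (marker, start, end) for each header segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker == EOI:
            return
        yield marker, pos, pos + 2 + length       # length counts itself but not the marker
        pos += 2 + length
        if marker == SOS:
            return                                # entropy-coded data follows, no more headers

def metadata_segments(data):
    """(name, payload size) of every APPn/COM segment, i.e. what would leave the machine."""
    found = []
    for marker, start, end in iter_segments(data):
        if marker == COM or APP0 <= marker <= APP15:
            found.append(("COM" if marker == COM else "APP%d" % (marker - APP0), end - start - 4))
    return found

def exif_gps(app1):
    """Decimal (lat, lon) from an Exif APP1 payload, or None if there is no GPS IFD."""
    if not app1.startswith(b"Exif\x00\x00"):
        return None
    tiff = app1[6:]
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]       # byte order declared by the TIFF header

    def read_ifd(off):                            # -> {tag: (type, count, raw 4-byte value)}
        count = struct.unpack_from(bo + "H", tiff, off)[0]
        return {tag: (typ, cnt, val) for tag, typ, cnt, val in
                (struct.unpack_from(bo + "HHI4s", tiff, off + 2 + 12 * i) for i in range(count))}

    def dms(entry):                               # three RATIONALs (deg, min, sec) at an offset
        n = struct.unpack_from(bo + "6I", tiff, struct.unpack(bo + "I", entry[2])[0])
        return n[0] / n[1] + n[2] / n[3] / 60 + n[4] / n[5] / 3600

    ifd0 = read_ifd(struct.unpack_from(bo + "I", tiff, 4)[0])
    if 0x8825 not in ifd0:                        # 0x8825 = GPSInfo IFD pointer
        return None
    gps = read_ifd(struct.unpack(bo + "I", ifd0[0x8825][2])[0])
    if not all(tag in gps for tag in (1, 2, 3, 4)):
        return None
    lat = dms(gps[2]) * (-1 if gps[1][2][:1] == b"S" else 1)
    lon = dms(gps[4]) * (-1 if gps[3][2][:1] == b"W" else 1)
    return lat, lon

def find_gps(data):
    """GPS position from the first Exif segment of a JPEG, or None."""
    for marker, start, end in iter_segments(data):
        pos = exif_gps(data[start + 4:end]) if marker == APP1 else None
        if pos:
            return pos
    return None

def strip_metadata(data, keep=(APP0,)):
    """Copy of `data` with every APPn (except `keep`) and COM segment removed."""
    out, tail = bytearray(data[:2]), 2
    for marker, start, end in iter_segments(data):
        tail = end
        if not (marker == COM or (APP0 <= marker <= APP15 and marker not in keep)):
            out += data[start:end]
    return bytes(out + data[tail:])               # scan data and EOI copied untouched

def _seg(marker, payload):
    return struct.pack(">HH", marker, len(payload) + 2) + payload

def build_sample_jpeg():
    """Constructed JPEG: JFIF header, Exif with GPS, a comment, a dummy scan."""
    tiff = b"MM" + struct.pack(">HI", 42, 8)                          # big-endian, IFD0 at 8
    tiff += struct.pack(">HHHIII", 1, 0x8825, 4, 1, 26, 0)            # IFD0: GPS IFD at 26
    tiff += struct.pack(">H", 4)                                      # GPS IFD, four entries
    tiff += struct.pack(">HHI4s", 0x0001, 2, 2, b"N\x00\x00\x00")     # GPSLatitudeRef
    tiff += struct.pack(">HHII", 0x0002, 5, 3, 80)                    # GPSLatitude at 80
    tiff += struct.pack(">HHI4s", 0x0003, 2, 2, b"W\x00\x00\x00")     # GPSLongitudeRef
    tiff += struct.pack(">HHII", 0x0004, 5, 3, 104)                   # GPSLongitude at 104
    tiff += struct.pack(">I", 0)                                      # no next IFD
    tiff += struct.pack(">6I", 37, 1, 46, 1, 30, 1)                   # 37 deg 46' 30" N
    tiff += struct.pack(">6I", 122, 1, 25, 1, 12, 1)                  # 122 deg 25' 12" W
    return (b"\xff\xd8"
            + _seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _seg(APP1, b"Exif\x00\x00" + tiff)
            + _seg(COM, b"Taken at home, 14 Main St")
            + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34"   # header + dummy scan
            + b"\xff\xd9")
```

Running `metadata_segments(build_sample_jpeg())` shows three segments (JFIF, Exif, comment), `find_gps` returns the latitude and longitude, and after `strip_metadata` only the JFIF header remains and the GPS lookup returns None. The stripper leaves the scan data untouched, so the picture is unchanged; it does not help with anything written into the pixels themselves, or with whatever the site extracts from the image after upload.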
From a business point of view, the various social networking sites offer benefits that start with recruitment and run through staff termination and finding resources to acquire for a project. Many human resource recruitment processes now include Internet and social networking site searches to find prospective employees and contractors. Social networking sites can reveal how professionally a candidate conducts himself and the activities the recruit is involved in, and can validate information on the resume. Prospective employees can likewise research the enterprises to which they are applying. On the other hand, when an employee exhibits anomalous behavior and is reported for disciplinary action, the Human Resources department can again use a social networking site to see whether the enterprise is being slandered or discussed by the employee in question, and can use that to determine the level of discipline. During a professional career we meet many people, lose touch, and later want to reconnect for an opportunity or a resource. Professional networks allow enterprises to research and connect with potential resources and business partners for technology projects. With caution and validation of the information researched, social networking sites can benefit an enterprise.
Trying to control employee use of public social networking simply by telling them to stop is futile. Employee behavior can be modified somewhat by awareness training, but behavior is what it is: some employees will continue to act carelessly or maliciously, especially if motivated to do so. Recommendations should be implemented based on business need, risk, and the availability of resources. The following is a short list of enterprise recommendations to limit the risk of social networking sites within the enterprise:
Block the use of social networking sites from the enterprise network. This keeps enterprise data, and socially engineered information about the company or network, from finding its way out directly from the employee’s desk or over the enterprise network. It does nothing about what the same employee posts from a personal phone or home computer, so blocking complements awareness training rather than replacing it.
Strengthen or implement a data leakage prevention program. Know where and how your data is moving.
User awareness training. User awareness is one of the better defenses against any type of technological or nontechnological attack. Within the user awareness training, information awareness should be discussed from both a business and a personal point of view for a better understanding of the risk of information disclosure, and should include awareness of social engineering attacks. Promote the idea that the more information given out, the more vulnerable you are, and that the Internet is a public resource.
Establish a security policy architecture that includes a security policy on information and a standard or guideline on the use of social networks. Topics for the security policy architecture include accounts, passwords, information handling, and disclosure.
Set up processes to routinely search social networking sites for enterprise (and employee) information.
Set up processes to detect and report abuse. Possible techniques for detecting abuse include:
– Filtering of malicious or spam comments
– Filtering by Web sites or providers
– Filtering comments by quality to increase content quality
– Filtering of enterprise or staff names
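The routine search for enterprise and employee information and the abuse-detection filters in the two recommendations above amount to running a watchlist over whatever public posts and comments the enterprise can collect. The following is an added example of that scan, not code from the handbook: it tags each post with the rule it tripped (enterprise or staff name, enterprise e-mail domain, internal hostname, private IP address, spam link, identical text pushed from several accounts) and assigns a severity. The enterprise name, staff names, domains and the posts themselves are all constructed for the demonstration; a real deployment would load the watchlist from the directory and the posts from the sites’ search or export interfaces.

```python
"""Scan public posts and comments for enterprise information and abuse. Added
example for this chapter; the watchlist, domains and posts are all constructed."""
import re

# Watchlist the enterprise maintains (constructed values).
ENTERPRISE_NAMES = ["Acme Corp", "Acme"]
STAFF_NAMES = ["Jane Doe", "Bob Smith"]
MAIL_DOMAINS = {"acme.example"}
INTERNAL_DOMAIN = "corp.acme.example"          # hostnames that should never appear in public

def _word(s):
    return re.compile(r"\b" + re.escape(s) + r"\b", re.IGNORECASE)

ENTERPRISE_RE = [_word(n) for n in ENTERPRISE_NAMES]
STAFF_RE = [_word(n) for n in STAFF_NAMES]
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\." + re.escape(INTERNAL_DOMAIN) + r"\b", re.I)
RFC1918_RE = re.compile(                       # private address ranges (RFC 1918)
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")
URL_RE = re.compile(r"https?://\S+", re.I)
SPAM_RE = re.compile(r"\b(?:free|click here|guaranteed|earn \$?\d+)\b", re.I)

def classify(text):
    """Tags for a single post; each tag corresponds to one filtering rule."""
    tags = set()
    if any(r.search(text) for r in ENTERPRISE_RE):
        tags.add("enterprise_mention")
    if any(r.search(text) for r in STAFF_RE):
        tags.add("staff_mention")
    if any(d.lower() in MAIL_DOMAINS for d in EMAIL_RE.findall(text)):
        tags.add("enterprise_email")
    if HOST_RE.search(text):
        tags.add("internal_hostname")
    if RFC1918_RE.search(text):
        tags.add("internal_ip")
    if URL_RE.search(text) and SPAM_RE.search(text):
        tags.add("spam_link")
    return tags

def severity(tags):
    if tags & {"internal_hostname", "internal_ip", "enterprise_email"}:
        return "high"                          # concrete detail a social engineer can use
    if tags & {"spam_link", "duplicate_across_accounts"}:
        return "medium"
    return "low" if tags else "none"

def _normalize(text):
    return " ".join(re.findall(r"\w+", text.lower()))

def scan(posts):
    """{post id: (severity, sorted tags)} for every post that tripped a rule."""
    authors_by_text = {}
    for p in posts:
        authors_by_text.setdefault(_normalize(p["text"]), set()).add(p["author"])
    findings = {}
    for p in posts:
        tags = classify(p["text"])
        if len(authors_by_text[_normalize(p["text"])]) > 1:
            tags.add("duplicate_across_accounts")   # same text pushed from several accounts
        if tags:
            findings[p["id"]] = (severity(tags), sorted(tags))
    return findings

SAMPLE_POSTS = [   # constructed posts, not real ones
    {"id": 1, "author": "dev_karen",
     "text": "Loving my new job at Acme Corp! Our build box build01.corp.acme.example finally stopped timing out."},
    {"id": 2, "author": "conf_bot",
     "text": "Jane Doe from Acme is speaking Thursday; reach her at jane.doe@acme.example"},
    {"id": 3, "author": "promo_x1", "text": "FREE phones!!! Click here http://short.example/a1"},
    {"id": 4, "author": "promo_x2", "text": "FREE phones!!! Click here http://short.example/a1"},
    {"id": 5, "author": "ops_guy",
     "text": "VPN was flaky again so I just RDP'd straight to 10.20.30.40 from the hotel"},
    {"id": 6, "author": "someone", "text": "Great weather for a hike this weekend."},
]

if __name__ == "__main__":
    for post_id, (sev, tags) in scan(SAMPLE_POSTS).items():
        print(post_id, sev, ", ".join(tags))
```

On the sample data the hostname, e-mail and private-address posts come out as high severity, the two identical promotional posts as medium, and the hiking post is not reported at all. The name matches are deliberately loose (a word-boundary match on “Acme” will also fire on an unrelated company with the same name), which is why the output is a queue for a person to review rather than an automatic takedown list.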
If the enterprise decides that the use of social networking sites is permitted, then the enterprise needs to define guidance for employees both while connected to the enterprise network and when not connected to it. A social networking enterprise statement may shield the enterprise from defamation lawsuits and can limit the potential disclosure of company proprietary information. An enterprise could make a policy statement like “Be mature, be ethical, and think before you type and press Enter,” but such a statement leaves much interpretation up to the employee. As the enterprise decides to incorporate a social networking policy, standard, or guideline into the employee handbook, it might want to consider the following questions:
1. How far should the statements reach? Should they apply only to employees while at work or connected to the enterprise network, or also to employees when they are not at work? For liability reasons, the statements should cover both scenarios.
2. Does the enterprise want to permit social networking while connected to the enterprise network? It is not realistic to ban all social networking at work; the enterprise would lose the benefit of business-related networking, such as LinkedIn.
3. If the enterprise prohibits social networking, how will the prohibition be enforced and monitored? Turning off Internet access, installing software to block certain sites, monitoring employees’ use, and disciplining offenders are all possibilities, depending on how many resources the enterprise has and how aggressive it wants its monitoring to be.
4. If the enterprise permits employees to use social networking while connected to the enterprise network, does it limit access to work-related conduct, or permit limited personal use?
5. Does the enterprise want employees to identify with the enterprise when networking online? Employees should be made aware that if they post as an employee of the enterprise, the enterprise can hold them responsible for any negative portrayals. Alternatively, the enterprise can simply require employees not to affiliate themselves with the enterprise and, potentially, lose the networking and marketing potential.
6. How does the enterprise define “appropriate behavior”? Employees need to understand that what is posted online is public and that they have no privacy rights in what they put out for the world to see. Note also that anything in cyberspace might be used as grounds to discipline an employee, whether the employee wrote it from work or outside of work.
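Questions 2 and 3 above (keep business-related networking such as LinkedIn, decide how a block is enforced and monitored) are usually answered at the web proxy. The fragment below is an added illustration written for this chapter, not configuration from the handbook, and it assumes a Squid proxy that all outbound web traffic passes through; the domain list, the 10.0.0.0/8 internal range and the business hours are assumptions to be replaced with the enterprise’s own values.

```squid
# Assumed: every client reaches the Internet through this Squid instance.
acl localnet           src 10.0.0.0/8                 # assumed internal address range
acl business_hours     time MTWHF 09:00-17:00
acl social_networking  dstdomain .facebook.com .myspace.com .twitter.com
acl business_networking dstdomain .linkedin.com

# Squid stops at the first http_access line that matches, so the allow for
# business networking must come before the deny for the rest.
http_access allow localnet business_networking
http_access deny  localnet social_networking business_hours
http_access allow localnet
http_access deny  all

# Denied requests are logged as TCP_DENIED; the periodic review process reads
# this file to see which users keep trying to reach the blocked sites.
access_log /var/log/squid/access.log squid
```

The `dstdomain` match applies to the host name in the request, including the host of a CONNECT request, so HTTPS versions of the listed sites are covered without decrypting traffic. The rule only sees traffic that goes through the proxy: a laptop on the hotel wireless or a personal phone on the mobile network is outside its reach, which is the same gap noted for network blocking in the recommendations above.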
The information that should be included in enterprise guidance for social networking is as follows:
Notice: Make sure that the statements are easily accessible by all employees and that the statements are included in orientation, awareness, and employee manuals. The enterprise may also want to consider whether employee acknowledgements of the statements are required.
Competence: Inform employees that they should not use any social media tool unless they understand how it works, including its privacy settings. Offer social networking awareness training regarding these technologies.
Purpose: Remind employees that enterprise assets are designed and intended for business, not personal use. Make sure that employees know that social networking must not interfere with their work obligations.
Respect: Inform employees that social networking sites are not to be used to harass, threaten, malign, defame, or discriminate against anyone within the enterprise, customers, or anyone else.
Employment decisions: Include counsel to determine what steps the enterprise may legally take to obtain information from social networking sites as part of hiring, promotion, and other employment decisions.
Integrity: Remind employees of the enterprise ethics statements.
Appropriate content: Remind employees that any electronic communications for work-related purposes must maintain and reflect the enterprise’s standards for professionalism.
Confidential information: The enterprise must state that employees must comply with all company policies covering confidential information and trade secrets.
Disclaimers: Remind employees to state in any social media environments that what they write is their own opinion and not that of the enterprise.
No right to privacy: Remind employees that they have no right to privacy with respect to any information sent, received, created, accessed, obtained, viewed, stored, or otherwise found at any time on the enterprise network and assets.
Penalties/discipline: The enterprise needs to state that any violations of the policy will be subject to discipline, up to and including termination.
Modifications: The enterprise should state that they reserve the right to modify, discontinue, or replace the policy or any terms of the policy.
The enterprise statement should include examples of content that should not be permitted for posting, such as:
– Comments not topically related to the resource being commented on
– Content that promotes, fosters, or perpetuates discrimination against the enterprise
– Content that promotes, fosters, or perpetuates discrimination on the basis of race, creed, color, age, religion, gender, marital status, status with regard to public assistance, national origin, physical or mental disability, or sexual orientation
– Profane language or content
– Sexual content or links to sexual content
– Solicitations of commerce
– Conduct or encouragement of illegal activity
– Information that may tend to compromise the safety or security of the public or public systems
– Content that violates a legal ownership interest of any other party
Social networking sites have business benefits and risks. Yes, social networking sites can be blocked through filtering software, but will that help or hurt the enterprise business model? It is up to the enterprise to protect its assets and intellectual property through awareness, technology, and processes. As with any technology, the enterprise needs to document business requirements and perform a risk assessment before implementing or allowing the use of a specific technology within the enterprise network.