
Social networking and other Web 2.0 sites have created a mini
dotcom boom driven by media companies eager for a captive
mass-market and users hungry for what they offer, writes Gary
Wood, research consultant at the Information
Security Forum.
For those working in a locked-down, no-personal-e-mail corporate
world these sites give backdoor access to instant messaging and
e-mail and provide an easy way to carry their personal lives into
the workplace.
But the
widespread use of social networking sites is exposing users and
employers to risks. For example, many collect personal information
that makes users vulnerable to
phishing or identity theft. And while users may not post
confidential information, many plant clues that are useful for
sophisticated social engineering attacks. They may give details of
where they work, who their colleagues are and the projects they are
working on.
But it is the personal information disclosed that may prove the
biggest risk. Users are encouraged to add details of families,
close friends, place of birth, pets and schools - just the sort of
details that many banks and organisations use for authentication
and password recovery.
Information leakage is focusing the minds of security managers
and many have already implemented e-mail filtering, USB controls
and encrypted hard drives. Social networking sites simply compound
the problem, with users trusting sites recommended by friends or
colleagues without question.
However, an even bigger problem may lie around the corner. Last
year, Facebook purchased
Parakey, a start-up from two
of the creators of Firefox that promises a web-based operating
system designed to bridge the gap between desktop and web and make
it easier to move content between the two. How long will it be
before one of these sites gives simple remote access from PC to
PC?
What can be done?
First, consider technical controls that enable rather than
disable access to websites. Choose whitelists of sites that
employees are allowed to access rather than blacklists of sites
they are not: anything not explicitly permitted is blocked.
Second, apply similar principles to employee contracts and
behaviour. Define what is expected of employees in performing
their role, then challenge them to demonstrate the implications
of their actions should they misuse resources.
Finally, improve employee education and awareness to make them
familiar with these types of sites, and the potential consequences
to themselves and the organisation if they misuse them.
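To show why the first recommendation above matters, here is an added Python example (not code from the article or the Information Security Forum) that applies a deny-list policy and an allow-list policy to a few constructed URLs; the domain names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed policy lists for the example (hypothetical domains).
ALLOW_LIST = {"intranet.example", "supplier.example"}
DENY_LIST = {"facebook.com", "myspace.com"}


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, ignoring port, path and query."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.lower().rstrip(".")


def matches(host: str, domains: set[str]) -> bool:
    """True if host equals a listed domain or is a subdomain of one.

    Matching is done on label boundaries, so 'notfacebook.com' does not
    match 'facebook.com' but 'm.facebook.com' does.
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def deny_list_decision(url: str) -> bool:
    """Blacklist policy: allowed unless listed (default allow)."""
    return not matches(host_of(url), DENY_LIST)


def allow_list_decision(url: str) -> bool:
    """Whitelist policy: blocked unless listed (default deny)."""
    return matches(host_of(url), ALLOW_LIST)


def compare(urls):
    """Map each URL to (deny_list_allows, allow_list_allows)."""
    return {u: (deny_list_decision(u), allow_list_decision(u)) for u in urls}


SAMPLE_URLS = [  # constructed sample traffic
    "https://intranet.example/wiki",
    "http://www.facebook.com/login",
    "https://m.facebook.com:443/",
    "https://notfacebook.com/",
    "https://newsocialsite.example/signup",  # a site nobody has listed yet
]

if __name__ == "__main__":
    for url, (deny_ok, allow_ok) in compare(SAMPLE_URLS).items():
        verdict = lambda ok: "allow" if ok else "block"
        print(f"{url:42} deny-list: {verdict(deny_ok):5} allow-list: {verdict(allow_ok)}")
```

The last two sample URLs are the point: a site the deny list has not caught up with passes under the blacklist policy but is blocked under the whitelist policy.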
Read more expert advice from the Computer Weekly Security Think Tank.