Most security professionals are aware of the security-related social networking issues posed by popular sites such as Facebook, Twitter and Myspace. They may also know that criminals are increasingly focusing their efforts on social networking sites, where they hope to snare unsuspecting users, steal their personal details and infect their computers. But even security professionals may not realise the sheer scale of the social networking challenges.
Facebook Inc. now has more than 400 million active users globally, a massive 229% increase from a year ago. The uptake of Twitter has been even sharper. Twitter Inc.'s co-founder Biz Stone recently trumpeted that the number of Twitter accounts had grown by 1,500% in a year; although he gave no absolute figures, it is clear the number of users is already in the tens, if not hundreds, of millions.
Whatever the precise numbers, the rise in social media usage during the last year has been dramatic, and users and social networking challenges are growing at a faster pace than most companies can manage.
A couple of recent reports from security vendors highlight the extent of social networking security issues, and many believe it is one that companies need to tackle sooner rather than later.
Security vendor Webroot Software Inc. recently released a report indicating that while users are increasingly aware of the danger of sharing too much information on social networking sites, most users are still wide open to attack.
The Boulder, Colo.-based vendor surveyed more than 1,100 users of Facebook, LinkedIn, MySpace, Twitter and some other social networks, and compared the findings with a similar study conducted a year ago.
On the plus side, 27% of users now block anyone finding their profile through a public search engine, up from 20% a year ago; 67% use different passwords for each of their social network accounts, up from 64 % last year; and 47% know who can see their profile, up from 41%.
On the other hand, more than a quarter of survey respondents had never changed their default privacy settings, and more than three-quarters placed no restrictions on who could see their recent activity. Users between the ages of 18 and 29 were the most lax about protecting information, with 43% using the same password and 77% happy to click on any link sent by a friend.
Likewise, users are still willing to share personal information that could be of use to a criminal:
- 61% of users displayed their birthdays;
- 52% of users showed their places of birth;
- 17% of users showed their mobile phone numbers.
At the same time, the amount of spam hitting social networking sites rose by 27% in the last year, according to Webroot, and much of it was used to try and lure recipients into clicking on infected websites or downloading malware.
"Our team has noted over 100 different variations of Koobface, a worm known to trick people into clicking links they shouldn't in order to infect their PCs and often convince them to provide credit card numbers to buy phony antivirus products, among other fraudulent activities," said Jeff Horne, Webroot's director of threat research, in a statement.
New research from Blue Coat Systems Inc. also noted a rapid rise in the use of social networking, which has triggered a change of tactics by criminals.
"Social networking was already gaining traction in 2008, but its popularity exploded in 2009," the report said. "Blue Coat Labs saw an increase of over 500% in the frequency with which people accessed social networking sites during 2009."
The company said this trend has prompted criminals to exploit the poor security on these sites, with the top two Web-based threats being fake antivirus software and fake video codecs (where users are invited to view a video, but need to download a codec, which turns out to be malware). As it points out, these attacks are unlike the drive-by attacks of recent years which exploited software vulnerabilities, and are designed just to exploit human trust.
Security-related social networking issues present corporate problems
But while lack of security is clearly a problem for individuals using social networking sites, it also can also have severe implications for employers. Individuals may share sensitive corporate information via Twitter or Facebook, and they make also pick up malware infections along the way.
Ever since the advent of social networking sites, companies have been divided over whether to allow their staff to indulge in social networking while at work. Opponents focused on the time-wasting aspects, and also on the network bandwidth consumed by users downloading and sharing YouTube videos. For examplea study last year by security service supplier Network Box Corp. revealed that 7.8% of corporate network bandwidth was consumed by, YouTube, and 4.4% by Facebook.
But attitudes are changing. Some companies are beginning to see social networking as a powerful new channel for marketing and communications with customers, and are embracing with it enthusiasm -- despite any prevalent social networking challenges.
"There has to be a compromise -- employees would not accept a ban," said David Cowan, head of security for London-based consultants Plan-Net plc. "But you have to realise that if you are opening up to social networking and other mobile devices, you are opening yourself up to greater concern and risk."
According to Cowan, social networking is much harder to manage than other forms of communication, such as email. "Unlike email, you can't put a disclaimer on the end of a social networking message," he said. "Someone could say something on a social networking site and attribute it to your company, and misrepresent you. With email, you have an email policy and you can enforce disclaimers, but here you have no control."
Cowan said social networking security issues therefore must now be incorporated into enterprise information security policies and employees' acceptable usage guidelines. He commonly advises companies to provide as much help and advice as possible to ensure employees use social networking sites cautiously and abide by their organizations' social networking security policies.
"Social networking definitely needs to be integrated into the information security policy and user education," Cowan said. "You need to make it clear what you should do, and what you shouldn't do. And give examples to make the message clear."
Nigel Hawthorn, head of European marketing for Blue Coat, agreed and mentioned that training needs to explain how easy it is to leak information. "There is, for instance, a difference between Facebook and Twitter," he said. "With Facebook, you can limit your comments to just a few friends, whereas with Twitter, everyone can see it. Some people display astonishing naiveté on these sites."
Hawthorn added that Web URL filtering technology has a role to play in enforcing granular security policies. By categorising different webpages, companies can allow certain pages on Facebook, for example, while blocking others.
"It would also be a good idea to block executables from being downloaded from any social networking site, which I don't think many companies are doing," Hawthorn added. "That would stop malware such as Koobface from infecting machines."
David Bennett, a business development manager with Webroot, said few companies include social networking security issues in their acceptable usage policies.
"This needs to happen so that people are educated when they join an organisation, and I'd also recommend a regular refresher, possibly on a quarterly basis, to ensure they remain aware of the policies," Wood said. "They also need to be educated, for example, about the need to change their account passwords on a regular basis."
He also made the point that training and education need to be underpinned with technology that can protect remote and mobile users as well as those users on the corporate network: "It's all about education, and backing that up with the right IT infrastructure."