Posted by: David Schneier
controls, firewall, firewalls, hackers, hacking, information security, regulatory, Regulatory Compliance, Security, social network, web filters
A week or so ago, I received an invitation from a professional friend of mine to connect via Facebook. He’s someone whose brain I’ve picked time and again as he’s one of the brightest information security people I’ve worked with but more importantly, he’s also someone who I enjoy talking to, and so I accepted. A day or so later, I received a Facebook instant message from him suggesting I check out a website for which a link was provided. I have a few fundamental rules that I never deviate from, one of which is that I never click on an unqualified or unsolicited link or attachment. Plus the person allegedly sending the link would never send anything via that protocol unless he prequalified it. And so I ignored it.
The next day I received another message from him with a different link, thus confirming my earlier suspicions that something was amiss. After letting him know about the wayward messages, I started thinking about what had just happened. This is someone who lives security every minute of every day. He knows about every threat old and new, the tools and techniques to combat them and is one of those people I go to for advice when I don’t know where else to turn. And his Facebook session was sending out phantom messages without his prior knowledge. A little scary when you get right down to it.
But wait, it gets just a bit scarier for me.
Fresh on the heels of the Facebook incident, I came across an interview on a security website I visit now and again in which the interviewee offered his opinion that security threats from social media sites are greatly exaggerated. Really? Based on what? Here I am having just been presented with evidence that the threats are real, swift and plentiful, and I’m being told just days later that it’s really not that bad. The reason I’m writing about it here is that although the person being interviewed is not offered as a security expert, the website itself conveys a certain degree of legitimacy. The opinion was followed up by a recommendation that if you’re concerned about the threats inherent in the use of these sites, you should simply not use them. Hmmm. My takeaway from the interview boils down to “security threats from social networking sites are not so bad” and “if you’re concerned about threats, don’t use them.” So your choices are either ignorance or avoidance; nice.
I remember way back when Palm Pilots first became popular. Corporate IT reacted by banning them, claiming it would be a support nightmare. Not long afterward, the use of personal email became pervasive and people wanted to be able to access it from their workplace. Corporate IT reacted by blocking access to the most common external email sites. A short while later, USB storage devices started showing up and almost a minute later corporate IT reacted by, you guessed it, banning them. Fast forward to 2010 and smartphones (the modern-day equivalent of the Palm Pilot) are commonplace within corporate infrastructures, USB devices are allowed, and the demand for access to external email has subsided quite a bit (thanks to the aforementioned smartphones).
Now the greatest threat presented by the most recent wrinkle in the ongoing evolution of technology is access to social media sites. I keep reading articles and coming across polls exploring whether or not companies should allow access to Facebook and LinkedIn. I’m wondering why anyone seems to think it’s optional. Exactly which technological advance has corporate America successfully derailed since technology first landed on our desks 40 years ago?
Here’s my take on all of this:
- First, the threats presented by social networking sites like Facebook, MySpace, and LinkedIn are real. Hackers were among the first to see the potential of these social networks and have quickly moved to take advantage. I’m hammered on Twitter with suspicious links and receive odd communications via Facebook all the time. And I consider it remarkably irresponsible for anyone remotely having to do with information security to claim anything else.
- Second, you’d better figure out how to safely manage use of social networks. While I can make an intelligent argument why all but the professional social networks should be blocked by your Web filters, I’ve personally witnessed over the not quite two years I’ve been using Facebook that it’s fast becoming the most common way for people to keep in touch. Accordingly, your users will continue to seek out ways to access their network of choice and bypass your controls. So you have a choice: Try to stop the next advance in the digital evolution or figure out a way to manage it better. But remember, historically telling users to not use something and trying to prevent them from doing so has proved to be a flawed and largely ineffective strategy.
- Third, and this is a biggie: Educate your users on the types of threats they’re likely to encounter, how to identify them, and how to handle them when they appear. Rather than spending all of your time trying to prevent this already entrenched advance in technology from being used, split off some of that time to prepare your user community with best practices. And have rules in place so that if someone fails to follow them you retain the option to take action.