Security professionals are worried the social network could cause security problems for their companies.
CISOs attending Forrester Research Inc.’s security forum held Sept. 10-11 in San Diego must have gotten an earful from the forum’s keynote speaker: Marcus Ranum. According to Forrester analyst Rob Whiteley, attendees responded to Ranum’s opposition to Twitter with “loud, thunderous applause.”
Writing about some of the highlights from the two-day forum, Whiteley said he was shocked by the audience reaction:
It’s very clear to me that we’re at an inflection point in information security. What we called a “shift in ownership” will be the challenge of all CISOs heading into 2010. It’s no longer sufficient — and definitely not necessary — to denounce the use of social media.
In an interview I had with Whiteley, he referred to this “shift in ownership” as perhaps the most important area IT security is grappling with right now. Security can no longer “control” data. The bottom line: Guard the intellectual property that is the lifeblood of the business as tightly as you can. Focus on reducing the risks of data leakage elsewhere.
It’s hard to gauge audience reaction. Perhaps those in attendance have never used Twitter and don’t understand its significance or usefulness as a communication tool. But others are finding it useful to share research and items of interest and its popularity can’t be ignored. The service has attracted 14 million US visitors according to Nielsen Online. It’s now valued at $1 billion. It’s clear that Twitter has found its niche.
As Whiteley points out, there are security concerns. Users can click on malicious links hiding behind URL shorteners (though browser-based tools are available that reveal where a shortened link really goes before you visit it). Employees can post negative comments about their company or leak trade secrets (employees can leak company data on blogs, wikis and forums as well; shall we ban those too?). Here’s another one to add to that list of concerns: according to security consultant Lenny Zeltser, employees could be leaking data in small drops that, collected together, would let an attacker guess passwords, conduct social engineering attacks and ultimately gain access to corporate networks. Zeltser, who leads the security consulting practice for Savvis and is a faculty member at the SANS Institute, said it’s easy for an attacker to collect information that appears harmless on Twitter, Facebook and other social networking platforms. And if it’s easy, it’s being done. You can count on it. (Listen to my interview with Zeltser in our June 10 edition of Security Wire Weekly on social networking threats.)
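The shortener problem above comes down to one check: find out where a short link lands before anyone clicks it. The script below is an added example, not code from the article or from any shortener service. It issues HEAD requests and follows redirects one hop at a time (so the final page is never fetched), then flags the things that make a landing page worth a second look: a long or looping chain, a bare IP address, or a plain-http destination. The `short.example` and `other-short.example` hosts and the `FAKE_REDIRECTS` table are constructed so the demo runs offline; `head_once` is the live fetcher you would use for real.

```python
"""Expand a shortened URL hop by hop without visiting the final page.

Added example (not part of the original article). The FAKE_REDIRECTS table
and the short.example / other-short.example hosts are constructed test data;
head_once() is the live fetcher you would plug in for a real link.
"""
import http.client
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5  # legitimate shorteners rarely chain more than two or three


def head_once(url, timeout=5):
    """One HEAD request. http.client never follows redirects, so we get the
    raw status and Location header back and decide ourselves what to do."""
    parts = urlparse(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, fetch=head_once, max_hops=MAX_HOPS):
    """Follow redirects manually. Returns (chain, final_status); final_status
    is None when the hop limit was hit (a loop or layered shorteners)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status in REDIRECT_CODES and location:
            # Location may be relative; resolve it against the current hop.
            chain.append(urljoin(chain[-1], location))
            continue
        return chain, status
    return chain, None


def assess(chain, final_status):
    """Reasons the expanded link deserves a second look (empty list = nothing
    obviously wrong; it says nothing about the content of the page itself)."""
    reasons = []
    if final_status is None:
        reasons.append("hit the hop limit after %d redirects" % (len(chain) - 1))
    if len(chain) > 2:
        reasons.append("chained through %d intermediate hosts" % (len(chain) - 2))
    final = urlparse(chain[-1])
    if final.scheme == "http":
        reasons.append("final destination is plain http")
    host = final.hostname or ""
    if host.replace(".", "").isdigit():
        reasons.append("final destination is a bare IP address")
    return reasons


# Constructed offline stand-in for a shortener and its targets.
# 203.0.113.7 is from the TEST-NET-3 documentation range, not a real host.
FAKE_REDIRECTS = {
    "https://short.example/abc": (301, "https://other-short.example/xyz"),
    "https://other-short.example/xyz": (302, "http://203.0.113.7/login.php"),
    "http://203.0.113.7/login.php": (200, None),
    "https://short.example/ok": (301, "https://www.example.com/research/paper.pdf"),
    "https://www.example.com/research/paper.pdf": (200, None),
    "https://short.example/loop": (302, "/loop2"),
    "https://short.example/loop2": (302, "https://short.example/loop"),
}


def fake_head(url):
    """Offline replacement for head_once() driven by FAKE_REDIRECTS."""
    return FAKE_REDIRECTS.get(url, (404, None))


def check_link(url, fetch=fake_head):
    """Expand and assess in one call; returns (chain, final_status, reasons)."""
    chain, status = expand(url, fetch)
    return chain, status, assess(chain, status)


if __name__ == "__main__":
    for short in ("https://short.example/ok", "https://short.example/abc",
                  "https://short.example/loop"):
        chain, status, reasons = check_link(short)
        print(short, "->", chain[-1], "status", status)
        for r in reasons:
            print("   !", r)
```

Swap `fake_head` for `head_once` to run it against a real link; the rest of the logic is unchanged. The point of refusing to fetch the final page is that the check itself must not become the click it is meant to prevent.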
Perhaps the more appropriate response from senior-level security professionals is to get educated on these newer forms of communication and respond with the right mixture of education and policy for employees. (Sign up for a Twitter account and follow some of your employees.) It’s highly unlikely that employees can be blocked from using tools they find helpful to their productivity. After all, standing in the way of innovation is not the goal of security. Finding the appropriate level of policy and technology to reduce risks should be the end goal.