Regulatory Reality

Jun 25 2010   4:08PM GMT

Security pros need to practice vigilance not avoidance

By David Schneier

A week or so ago, I received an invitation from a professional friend of mine to connect via Facebook. He's someone whose brain I've picked time and again as he's one of the brightest information security people I've worked with but more importantly, he's also someone who I enjoy talking to, and so I accepted. A day or so later, I received a Facebook instant message from him suggesting I check out a website for which a link was provided. I have a few fundamental rules that I never deviate from, one of which is that I never click on an unqualified or unsolicited link or attachment. Plus the person allegedly sending the link would never send anything via that protocol unless he prequalified it. And so I ignored it.

The next day I received another message from him with a different link, thus confirming my earlier suspicions that something was amiss. After letting him know about the wayward messages, I started thinking about what had just happened. This is someone who lives security every minute of every day. He knows about every threat old and new, the tools and techniques to combat them and is one of those people I go to for advice when I don't know where else to turn. And his Facebook session was sending out phantom messages without his prior knowledge. A little scary when you get right down to it.

But wait, it gets just a bit scarier for me.

Fresh on the heels of the Facebook incident, I came across an interview on a security website I visit now and again in which the interviewee offered his opinion that security threats from social media sites are greatly exaggerated. Really? Based on what? Here I am having just been presented with evidence that the threats are real, swift and plentiful and I'm being told just days later that it's really not that bad. The reason I'm writing about it here is that although the person being interviewed is not offered as a security expert, the website itself conveys a certain degree of legitimacy. The opinion was followed up by a recommendation that if you're concerned about the threats imbued in the use of these sites, you should simply not use them. Hmmm. My takeaway from the interview boils down to "security threats from social networking sites are not so bad" and "if you're concerned about threats, don't use them." So your choices are either ignorance or avoidance; nice.

I remember way back when Palm Pilots first became popular. Corporate IT reacted by banning them, claiming it would be a support nightmare. Not long afterward, the use of personal email became pervasive and people wanted to be able to access it from their workplace. Corporate IT reacted by blocking access to most common external email sites. A short while later, USB storage devices started showing up and almost a minute later corporate IT reacted by, you guessed it, banning them. Fast forward to 2010 and smartphones (the modern day equivalent of the Palm Pilot) are commonplace within corporate infrastructures, USB devices are allowed, and the demand for access to external email has subsided quite a bit (thanks to the aforementioned smartphones).

Now the greatest threat presented by the most recent wrinkle in the ongoing evolution of technology is access to social media sites.  I keep reading articles and coming across polls exploring whether or not companies should allow access to Facebook and LinkedIn.  I’m wondering why anyone seems to think it’s optional.  Exactly which technological advance has corporate America successfully derailed since technology first landed on our desks 40 years ago?

Here’s my take on all of this:

  • First, the threats presented by social networking sites like Facebook, MySpace, and LinkedIn are real. Hackers were among the first to see the potential of these social networks and have quickly moved to take advantage. I'm hammered on Twitter with suspicious links and receive odd communications via Facebook all the time. And I consider it remarkably irresponsible for anyone remotely having to do with information security to claim anything else.
  • Second, you'd better figure out how to safely manage use of social networks. While I can make an intelligent argument why all but the professional social networks should be blocked by your Web filters, I've personally witnessed over the not quite two years I've been using Facebook that it's fast becoming the most common way for people to keep in touch. Accordingly, your users will continue to seek out ways to access their network of choice and bypass your controls. So you have a choice: Try to stop the next advance in the digital evolution or figure out a way to manage it better. But remember, historically telling users not to use something and trying to prevent them from doing so has proved to be a flawed and largely ineffective strategy.
  • Third, and this is a biggie: Educate your users on the types of threats they're likely to encounter, how to identify them, and how to handle them when they appear. Rather than spending all of your time trying to prevent this already entrenched advance in technology from being used, split off some of that time to prepare your user community on best practices. And have rules in place so that if someone fails to follow them you retain the option to take action.

Remember that there's historical precedent proving that it's pointless to try to stop the advances these networks are making into our professional lives. So what it comes down to is either adapt or suffer the sting of its blade. But whatever you do, don't ignore the risks presented by technological advances and don't ever assume you can safely eliminate them.

Check back next week when I'll share with you why FDIC Chairman Sheila Bair remains my favorite person in Washington.

1 Comment on this Post

  • Yetanotherdamnscreenname
    I see that there is all manner of approach and opinion when it comes to new technology and its implementation in the corporate world. My first reaction as a security professional whenever a new technology becomes publicly available is to block its use. Personally, I can't see any other responsible alternative, given the level of vetting anything new receives when marketed to the general public. The attitude seems to be "security be damned! Let's sell this new widget, get users hooked on it and then worry about its vulnerabilities." So, until a new technology has matured, shown its vulnerabilities and susceptibility for abuse, it should continue to be blocked until a secure method of deployment and use is determined. That's not to say that new technology shouldn't be embraced, but on the flipside, there needs to be a legitimate business justification before it should be allowed on the corporate network. For me, Facebook and the like simply don't provide that justification. I can't see any additional value that a simple email account or corporate website doesn't already offer. Especially given the potential for security vulnerabilities. If my users can't access their Twitter accounts, oh well, they will get over it. If, however, data or intellectual property is compromised, it's my neck, not the user who clicked on the bad link. Perhaps it's because of the blending of personal and professional use. If I have a corporate email account, I'm going to behave in a professional manner and with the proper mindset. Whereas with a personal social networking account, I may be less on guard, play with the little apps and toys that are made available (which is where the security nightmare begins). You, yourself even state that a highly experienced and skilled security professional can't even guarantee that his Facebook account is secure. What chance then do normal, corporate users have of being secure?
    Does that sound like a technology that is so necessary as to jeopardize an entire business?
