Managing Access to Facebook: A Good Idea?
The increased use of social-networking sites by businesses has given IT managers greater cause for concern as a growing number of these sites lure users to share sensitive information. Indeed, many sites like Facebook have warned their users to be on the lookout for spam and other vulnerabilities. Nevertheless, the reality is that these sites are getting more and more users, which increases the likelihood of spam, phishing and other security threats infiltrating organizations’ networks.
The Social-Networking Threat
Statistics recently published by security-software vendor Websense Inc. show that, of the top 100 most visited Web sites on the Internet, 90 percent were social networking, search and file-upload sites. During the three months in which the study was conducted, 60 percent of those sites hosted malicious code. Additionally, 45 percent of the sites rely 100 percent on user-supplied content.
“A hacker's approach towards 'abusing' LinkedIn would be for the purpose of gathering information, since [with] LinkedIn and any other Social Networking solution, you can be whoever you want to be, or you can take the identity of whoever you want to be,” stated the report. “If you create an interesting profile, and through your profile appear to be a previous employee, then you can get a list of employees that you can send an invite to without having to know their email address.”
In the meantime, the report warned against several practices including:
- Posting detailed or confidential information on a profile
- Allowing everyone to see all social connections, which makes it easier for confidential information to leave a company
- Trusting connections and clicking everything received from them
Balancing Business Security with Online Needs
Whereas social-networking sites used to be the domain of gregarious high-school and college students, businesses are now relying upon them to find candidates and generate an online presence. “The interesting shift here is there are more and more business-related reasons why companies need to connect to these social networks,” said Dan Hubbard, Websense’s vice president of security research.
Attackers are taking advantage of the new trend. Security adviser Paul Asadoorian, who runs a weekly podcast on computer hacking and security issues, observed that in the advanced Internet-technology world of Web 2.0, where blogs, private videos, wikis, RSS and social bookmarking are all on display, social-networking sites are a prime target for attackers.
To demonstrate the point, Asadoorian said he and his colleagues collected information about a fellow podcaster with the nickname Twitchy who did not have a Facebook account. Using Google to gather information about him, Asadoorian and his team created a false Facebook account. Several people started adding Twitchy as a friend, sharing information without knowing the account was fake. “If you put that in the context of an organization and create an account on a social-networking site, you can gain the trust of people and get information about a company,” Asadoorian said.
Still, Asadoorian agreed that many companies need social Web sites to advertise, post job vacancies or seek potential workers for hire. In this climate, IT managers must be aware of what company information is posted on social Web sites. “If you are in charge of IT security for an organization, you need to explore social-networking sites and see how they work,” Asadoorian added.
Reproduced from an article published by IT Security
© IT Security
The original article can be viewed here:
http://www.itsecurity.com/features/managing-access-facebook-080708/