Security Issues Abound as Social Networking Goes to Work

Employees use two types of social networking sites. They bring their Facebook, MySpace, YouTube and other identities to the office. At the same time, they use professional social networking – LinkedIn and others – for more “official” duties.

It has the potential to be a major problem. This Newsfactor piece based on Forrester research identifies social networking as a key element of the ongoing corporate Web 2.0 wave. By 2013, the firm says, social networks will constitute a $2 billion chunk of what will be a $4.6 billion sector.

Hopefully, organizations will catch up on the security front. The piece says that only half of Web filters deployed by Barracuda Networks are blocking MySpace or Facebook. Those who are doing so are trying to guard against virus and spyware and to maintain employee productivity. It would be interesting to understand how many of these organizations understand that social networking sites are great avenues for phishing and other social engineer exploits, and for dishonest or ignorant employees to send vital information beyond the firewall.

This is a nice CNN overview of the flow of social networking into the corporate space. What the author doesn’t say is that the evolution of social networking from consumer to business use is precisely what happened with cell phones, Wi-Fi and other tools: People used them in their private lives, liked them, and brought them to work. In this case, the writer says, more secure, corporate-aimed offerings are available. Yammer, for instance, is a business version of Twitter. Other corporate social networking newbies, according to Forrester, include Awareness, Communispace and Jive.

One of the advantages of the fact that new technology has moved from the consumer to business world so many times in the recent past is that experts consider the security issues more quickly. There seems to be a bit less denial. This Legal Technology piece offers a good description of social networks, and references a Black Hat presentation that looked at insecure features of social networks and identified the biggest vulnerabilities. They include cross-site request forgery (CSRF), cross-site scripting (XSS) and the lack of a mechanism to validate the security of customer applications. The writer offers seven tips for safely using and administering social networks.

This is not all theoretic: Business people are using social networks – and the bad guys are going after them. For instance, SPAMfighter cites reports from The Washington Post’s Brian Krebs about spear phishing attacks against about 10,000 LinkedIn members. The story says social networking sites often are the target of spear phishers because users are used to getting e-mail from other members. This e-mail purported to come from support@linkedin.com and carried the subject line “Re: business contacts.” Recipients following the instructions in the e-mail installed a malicious program aimed at stealing sensitive information from the computer.

There is a lot to worry about. Dark Reading offers a scary vignette on how dangerous a social networking site can be. The big problem is that there is no way to simultaneously optimize security and interactivity. To a great extent, emphasizing one comes at the expense of the other. Dark Reading runs through some of the problems, and links to pages that describe in more detail seven of the most dangerous activities: impersonation and targeted hacks; spam and bots; “weaponized” applications; XSS and CSRF; identity theft and corporate espionage.