Facebook’s potential to ruin (or make) your business is a common news topic.
The articles often leave me with a vague sense of unease. I worry about my, and my users’, privacy. How do I distil this unease into a clear threat that I can roll my sleeves up and combat?
The risks often focus on individuals, but I’m paid to protect the company I work for. Should I still worry? The answer is – unfortunately – yes! A threat to your users is often also a threat to your business.
To understand these social networking threats I’ve tried to put them into a couple of well-known buckets: system compromise and data/reputation loss.
How can a website compromise your network or servers? Content linked to and posted on social networks is just as likely to be malicious as the rest of the web. Unless your friends are all paranoid computer security experts, you shouldn’t trust their sharing of the content as a vouch for its legitimacy.
With malicious apps, clickjacking, and theft of accounts, there is every chance your friend didn’t intend to post that link. Or maybe the cute puppy video was intentionally shared but had some unknown and unfortunate side effects.
The good news is that web threats have been around for a while and your existing investment in web filters and anti-virus will help.
But there is a problem.
Many sites, including Facebook and Twitter, are starting to offer https throughout and not just at login. Although this is broadly a good thing, it has implications on network-based web filters.
TLS (Transport Layer Security) is designed to prevent eavesdropping and your appliance may be unable to decipher the encrypted stream, potentially turning it into the equivalent of a noisy and expensive network cable.
Some network-layer filters get round this by intercepting and decrypting the TLS connection, but that has other implications and can raise privacy concerns. Endpoint-based web filters avoid the problem by inspecting the traffic on the device itself, outside the encrypted tunnel.
Users’ personal data can also represent a risk to your systems. Birthdays, names of pets, birth places, and favourite colours are all regularly published for friends, friends of friends and, often, the entire world. This info is gold dust to an attacker. Tricking password reset procedures can be as simple as cutting and pasting answers from a user’s profile page.
Even if your password reset procedure keeps the helpdesk in-the-loop, don’t underestimate social engineers. Armed with intelligence to impersonate a user and a helpdesk employee, hackers are better able to weave a very convincing narrative.
Compromise via personal info is particularly interesting as it’s hard to mitigate. Banning social networking from all corporate systems will not help. As long as the data is accessible to an attacker your systems are at risk. Education is the best defence.
Data and reputation loss
These are the direct threats. If your users are conducting company business on a social networking platform, investment in protecting your own infrastructure is of little help.
Gaining a real understanding of how users work is key. If employees are using alternative platforms for collaboration you have to ask why – maybe the provided tools aren’t adequate?
When trying to combat “Shadow IT”, carrots often prove more useful than sticks.
Providing a good, secure solution will always trump a policy that tells users they can’t do something. Although very public platforms like Facebook are probably too risky for most business, other social collaboration tools exist which might satisfy demand.
Encryption can also be a great tool. If you are confident only authorised staff have the correct decryption keys, why not let them store stuff in the cloud?
The carrots are important as the sticks are limited. Data Leakage Protection can help (make sure it can handle the https problem). Web filters are also useful but are a blunt tool, rarely offering much more than a crude “allow or deny” for an entire site.
Policy and, just as importantly, education are still key components. Making sure your users understand why something is not allowed will go a long way towards encouraging good behaviour. An oft-publicised concern is the off-the-cuff employee tweet or wall post. When sharing your thoughts to thousands becomes a 10 second simple operation, it’s no wonder people make mistakes.
Education, complete with examples for users to understand the scenarios, can go a long way here.
I find the most effective form of engagement is probably via the very platforms you’re worried about.
Actively participating in the social web has many advantages. Firstly it’s a great way to spread a message: “Like” or tweet good stories which highlight dangerous behaviour. Secondly, the threats are complicated and dynamic. Only by participating will you really get a feel for how people behave on these platforms.
As they tend to already know about the risks, security-aware people are often the most reluctant participants on social networks. Unfortunately, in behaving this way the very users who are best placed to guide and help others are absent where they are needed.
Lastly, at the risk of sounding like a snooping killjoy, participating with colleagues in a public forum ensures I’m party to the discussion. This allows me to spot and advise (usually offline!) if I think conversations or comments are maybe a little too work-related, before they become a real risk to the business.
Of course I don’t attempt to “friend” or “follow” everyone I work with, nor do I spend all day monitoring my colleagues. Simply, by being involved, I’m in a better place to offer advice. Some friends and colleagues may also take your lead and help spread good, safe behaviour outside your immediate sphere.
There’s a final “special case” which is worth covering separately if you actively use social networking to promote your business. In this case, you will likely have some high profile, high-risk users who you will want to consider specifically. These users and their accounts, by virtue of their role, will likely have direct access to communicate with a large number of your customers.
Accounts should be protected appropriately with long passwords and preferably backed up with a second authentication factor. Facebook and Google now both offer SMS-based 2-factor authentication; make sure it’s used!
Separating users’ real accounts from the ones related to your business introduces a sensible barrier. This helps prevent, for example, a clickjacking attack on a user’s personal account posting an inappropriate link to your entire customer base.
Consider the value of these accounts to your company. With Twitter, particularly, an employee could find themselves in the sole privileged position of controlling the premier communication line to your customers. What if they leave? Maybe on bad terms? Settling tricky issues about account ownership is probably best done beforehand.
If setting up a company persona, there are some specialist services which will take over the master password to your account and handle delegating access to individuals in a controllable and revocable manner.