Threat Protection In The Age Of Social Networking

Kurt Marko, Processor.com

3/1/2010

Social networks and other collaborative Web 2.0 sites illustrate an interesting case of cognitive dissonance within today’s business community. Many IT executives view them as just another time-wasting Internet pariah like shopping, sports, or video streaming sites. In fact, a survey last fall by Robert Half Technology of more than 1,400 CIOs found that 54% don’t allow employees to visit social networking sites at work for any reason. Bolstering this response, Cisco’s (www.cisco.com) ScanSafe Web content filtering unit found a 20% increase, to 76% of their customers, in the number of companies blocking social networking sites, which was the highest level for any filtering category.

While management frets over the effect of social networks on employee productivity and company reputation, their workers have a different view. An April 2009 study by Deloitte LLP found that 22% of employees use social networking sites at work five times a week, and 53% feel these activities are none of the company’s business.

CIO objections aside, many business units are now reliant on social networks, blogs, and tweets as important tools for connecting with potential customers and employees. As Burton Group Senior Vice President and Principal Analyst Dan Blum points out, IT can’t very well block these sites when their marketing and PR people are expected to use them.

Social sites pose more than just productivity risks; they are powerful, effective vectors for spam, malware, and targeted phishing attacks (so-called spear phishing). The latest Sophos Security report found a 70% increase in the number of firms reporting spam or malware from social nets (now one-third of all companies), with 72% feeling these sites endanger business security.

Web 2.0 Threats

“Most organizations have a Web 1.0 security strategy,” says Tim Roddy, senior director of product marketing for Web, mail, and network DLP security at McAfee (www.mcafee.com). Such a strategy relies on databases that categorize sites by content or metadata, an approach that is ineffective against dynamic, unmoderated Web 2.0 sites filled with user-contributed content.

This all-or-nothing strategy is unrealistic for sites such as Facebook, says Blum: “It’s like throwing the baby out with the bathwater.” Roddy says the bidirectionality of social sites makes them not only ideal vehicles for spreading links to malicious, malware-infested hosts, but also avenues for data leakage—unauthorized, often inadvertent, releases of sensitive company information.

Social networks are a favorite target for spreading malware largely because companies and users have become much better at blocking direct network attacks and mass email using firewalls, spam filters, and common sense. Aaron Higbee, CTO of the security consulting firm Intrepidus (www.intrepidusgroup.com), says hackers are looking for soft targets behind corporate firewalls using client-side attacks that seek to entice unsuspecting users to click a booby-trapped link or embedded, obfuscated Web object (such as an image, Flash object, or PDF link). He says messages from social networks serve as an effective delivery mechanism because the sender name is easily spoofed to look like a friend the recipient trusts.

Social networks are also emblematic of a changing online sociology, according to Blum, in which the density of personal information easily accessible has never been higher—a virtual gold mine for social engineering attacks. Higbee agrees that information harvested from social networks is invaluable in creating effective, convincing spear phishing email messages.

Countermeasures

Resisting threats from social networks entails a three-front defense, according to Blum: increased user awareness of the risks and threats, more sophisticated Web filtering (keeping the bad stuff out), and data leakage prevention technology (keeping the good stuff in).

Higbee believes the first and best line of defense is a savvy, watchful user population. “You can’t solve this entirely with technology,” he says. Filtering often fails to detect spear phishing attacks because, unlike spam, they typically appear to be legitimate messages from colleagues or friends. He suggests IT adopt an active training approach with simulated social networking attacks using tools specifically designed to emulate spear phishing exploits and track employees’ responses. Should someone mistakenly fall for the simulated pitch, “the tool takes advantage of a teachable moment to help people understand what they did wrong,” he adds.

What Roddy terms Web 2.0 filtering goes beyond simple URL filters at the network gateway by inspecting the actual Web content for code (JavaScript, Visual Basic macros) or embedded objects (Java applets, ActiveX helpers, Flash, or PDF objects) with suspicious intent. He says Web 2.0 anti-malware engines handle not only downloadable files, but also active content and scripts for which no malware signature exists. Content filters are often coupled with reputation-based filtering that verifies the identity of the linked sites, ranking each with a reputation or trustworthiness score aggregated from millions of user responses.
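The contrast between a category-only URL filter and content inspection coupled with reputation scoring can be sketched as follows. This is an added example, not code from the article or from any vendor product; the host names, category database, reputation scores, threshold, and blocking policy are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample data: categories and reputation scores (0-100) are made up.
CATEGORY_DB = {"social.example": "social-networking"}
BLOCKED_CATEGORIES = {"gambling"}
REPUTATION = {"social.example": 90, "cdn.example": 15}
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}

class ActiveContentScanner(HTMLParser):
    """Collects active content, PDF links and referenced hosts from a page body."""
    def __init__(self):
        super().__init__()
        self.findings = []       # (kind, source URL or "inline")
        self.link_hosts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") or a.get("data") or a.get("href") or ""
        if tag in ACTIVE_TAGS:
            self.findings.append((tag, url or "inline"))
        elif tag == "a" and url.lower().endswith(".pdf"):
            self.findings.append(("pdf-link", url))
        host = urlparse(url).hostname
        if host:
            self.link_hosts.add(host)

def category_verdict(page_url):
    """Web 1.0 style: decide from the site's category alone."""
    cat = CATEGORY_DB.get(urlparse(page_url).hostname, "uncategorized")
    return "block" if cat in BLOCKED_CATEGORIES else "allow"

def content_verdict(body, min_reputation=40):
    """Inspect the body itself and score every host it references."""
    scanner = ActiveContentScanner()
    scanner.feed(body)
    # Assumption: a host with no reputation record is scored 0 (untrusted).
    low_rep = {h for h in scanner.link_hosts
               if REPUTATION.get(h, 0) < min_reputation}
    # Assumed policy: block when active content or a PDF comes from a low-reputation host.
    risky = [f for f in scanner.findings if urlparse(f[1]).hostname in low_rep]
    return ("block" if risky else "allow"), risky

# Constructed user posts, both served from the same allowed social site.
PAGE_URL = "http://social.example/wall"
BENIGN_POST = '<p>Lunch photos <a href="http://social.example/album/1">here</a></p>'
SUSPECT_POST = '<p>Is this you? <embed src="http://cdn.example/player.swf"></p>'

if __name__ == "__main__":
    print("category filter:", category_verdict(PAGE_URL))
    for post in (BENIGN_POST, SUSPECT_POST):
        print("content filter:", content_verdict(post))
```

Both posts sit under the same URL category, so the category filter returns one verdict for the whole site, while the content filter separates them by what each post embeds and where it loads from.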

New Problems, New Policies

Traditional client-side anti-virus and antispyware programs are still important. However, they only work with downloaded content, says Roddy. In addition to increasing user awareness through training, experts agree that companies need Web 2.0-updated acceptable Internet use policies that include specific enforcement mechanisms and infraction sanctions for violations.

Web filtering has traditionally taken place on the network perimeter, but there are two problems with this walled-garden approach: The appliance adds capital and administrative expenses many SMEs can’t afford, and it does nothing to protect mobile users outside the firewall. Blum says endpoint products help somewhat, but an emerging alternative is cloud-based proxies, in which all Web traffic, whether originating in the office or from an employee’s laptop at a hotel, is routed through an external filtering infrastructure. These offer the traditional SaaS advantage of low startup costs and usage-based billing, plus the benefit of automatic updating and no administrative overhead.

Although it’s easy to get fixated on specific vulnerabilities presented by social networks, Blum says they need to be put in the larger context of an enterprise threat assessment. Only when a company understands its specific information assets and risks, likely attackers, and potential for loss can it prioritize the effort and expense required to address vulnerabilities from social networks. At a minimum, experts stress the need for basic endpoint security software and Internet usage policies and training, but the emergence of SaaS filtering solutions can provide a valuable and cost-effective augmentation to an SME’s security arsenal.

View the chart that accompanies this article.

Article by Kurt Marko for Processor.com.


