Entries Tagged 'Security'
June 28th, 2010 — General, Productivity, Security
Tuesday at Gartner’s Security and Risk Management Summit, research director Andrew Walls told attendees that although infosec pros may worry that social networking will lead to uncontrolled malware outbreaks, phishing, breaches of confidentiality and trade secrets, and even damage to the corporate reputation, trying to take control or even block its use is akin to monitoring employees’ home phone calls and rifling through their postal mail.
“All this message traffic is not in your infrastructure,” Walls said. “It all takes place out there in the cloud,” plus it can be accessed from anywhere, and users’ privacy settings can make monitoring nearly impossible. “At the root of it is staff productivity, and security isn’t responsible for monitoring and managing the productivity of the organization.”
Some believe social media represents a growing platform for malware distribution, but Walls countered that argument, noting that antimalware vendors he’s spoken with say social networks are being victimized by the same malware plaguing email and websites. “So if I’m going to block social media on the basis of malware distribution,” Walls asked hypothetically, “why not block email?”
via searchsecurity.techtarget.com
The article goes on at some length to chronicle Walls’ arguments against blocking social media in the workplace, even making a vital point that has been at the heart of my argument: Organizations will, he said, come to realize the value of hiring someone who possesses a vast social network. “The most valuable people,” he told the audience, “are going to be the ones who demand social media the most.”
The entire post is well worth your time particularly if you’re trying to make the case against blocking in your organization.
February 8th, 2010 — Facebook, In the news, Policies, Research/Studies, Security
Cross-posted from my primary blog, a shel of my former self
In a comment left recently to a post I wrote for Stop Blocking back in October 2007 about malware on Facebook, David Jones with CommerceMicro wrote:
Stupid, out dated information.
We have users that repeatedly get infected with viruses and spyware no matter what level or type of antivirus and antispyware software we install. It’s rather odd that ONLY THOSE particular users get re-infected day after day and that they all have MySpace accounts, FaceBook accounts, or whatever. Their employers have to continually pay us to come and clean these infections.
My reply was a bit terse. I asked Jones if he believed all the companies that don’t block access were lying about not encountering the problems he cited. (And no, I wasn’t snarky enough to point out that “outdated” is one word.)
The security issue does, however, appear to be supplanting productivity concerns as the main reason companies block access to Facebook and other social media sites. Among the dominant social networks, Facebook presents the biggest risk to company security, according to 60% of the respondents to a survey of 500 companies conducted by Sophos, an IT security organization. No other network comes close. MySpace ranks second, with 18% of companies identifying it as a concern, followed by Twitter (17%) and LinkedIn (4%).
The concerns are not illegitimate. The number of reported malware and spam attacks through social networks has jumped 70% since April of last year. Social networks have become common launching pads for a couple of particularly nasty worms. The risk of infection, though, is not the only security issue that keeps IT staff up at night. Employees’ individual behavior represents a risk, particularly as web-unsavvy employees fall prey to phishing and other devious ploys. And then there’s the fear that employees will share information they shouldn’t.
Sarah Perez goes into considerable detail on the Sophos report in her post on ReadWriteWeb. Perez also notes that even Sophos isn’t advocating an outright block, despite the study’s findings:
Unfortunately for those in charge of enforcing corporate security, simply blocking Facebook and other social networks via URL is not a realistic solution anymore. The networks are often a large part of a company’s marketing and sales strategies, notes Sophos, meaning they cannot be blocked outright. Instead, companies are encouraged to use a unified approach for mitigating threats that combines data monitoring, malware protection and granular access for their employees.
A Financial Times article (free registration required) has the same advice, noting that organizations have too much to gain from employee interactions on social networks. The article, penned by the head of an information risk management and e-discovery firm, rightly notes that letting employees access social networks from work gives them “the ability to locate the right people, information and expertise quickly, but they also greatly aid external networking, sales and marketing activities.”
The article (which I discovered on the Idea Peepshow blog) notes that 89% of businesses in the UK have no policies governing employee use of social networks and calls for companies to establish and enforce such policies.
As I’ve noted before, protecting the company is a matter of ensuring the proper network safeguards are in place (such as anti-malware/spyware software and the latest virus definitions) and that employees understand their responsibilities.
It works in a lot of companies that don’t block access. It can work in yours.
January 26th, 2010 — Security
I spend a fair amount of time on StopBlocking.org debunking the myth of lost productivity so many people fear will result from employee access to social media. Productivity is just one of the two big fears expressed about employee access, though. The other is security; specifically, the prospects for the introduction of malware and viruses.
Nobody claims visiting Facebook or Twitter, in and of itself, will result in infection. The worry is that employees will load a seemingly innocent but actually malicious third-party app or click a shortened URL that leads them to a page crafted to infect computers or relieve employees of confidential information.
I have no intention of minimizing the risks ever-present on the web. There’s no shortage of scumbags who want nothing more than to exploit you.
But let’s be clear: Simply blocking access is the lazy, easy way out. By taking steps to protect the company’s networks — steps that take a bit of work — your systems can remain pristine while your company can reap the benefits of employees who network with prospective customers and recruits while building higher levels of engagement with existing customers.
There are plenty of resources online that outline how to protect a network. One of the best I’ve seen appeared on ReadWriteWeb, authored just a couple months ago by Sarah Perez. She lists eight ways to keep your networks safe:
- Don’t assume a link is “safe” because it’s from a friend.
- Don’t assume Twitter links are safe because Twitter is now scanning for malware.
- Don’t Assume Bit.ly Links are safe.
- Use an up-to-date web browser.
- Keep Windows up-to-date.
- Keep Adobe Reader and Adobe Flash up-to-date.
- Don’t assume you’re safe because you use a Mac.
- Be wary of email messages from social networks (because email addresses can be “spoofed” by hackers).
Perez provides a lot of detail on each of these points — the post is well worth reading — but it all comes down to two workplace realities for companies that want to do business in the networked world:
- Employees need to be educated and held accountable.
- IT departments need to keep systems updated.
I’m routinely surprised by the number of companies I visit where every employee desktop is running Internet Explorer 6, where employees can’t update Flash or the Adobe Reader, where updates to software aren’t pushed out on a regular basis. I know IT departments are stretched thin and devote an inordinate amount of time to maintaining legacy systems because their budgets have been slashed. But failing to keep employee computers updated is like the manager of a corporate auto fleet failing to change the oil or the air filter and letting employees drive around on bald tires.
As for employees, both IT and internal communications need to undertake an effort to educate employees about their own obligations when using the web — for work or non-work purposes. It’s incumbent upon companies to make their employees security-literate so they don’t follow unsafe shortened URLs (show them how to find out where the URL actually goes first) or respond to questionable emails.
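One way to "find out where the URL actually goes first" is to ask the shortener for its redirect target without ever fetching the destination page. The script below is an added example for this post, not code from the original page or from ReadWriteWeb: it sends HEAD requests one hop at a time, reads only the Location header, stops on loops or after a fixed number of hops, and compares the final host with the site the link claims to be. The shortener host `sho.rt` and the destinations in `FAKE_REDIRECTS` are constructed for the demo; `head_location()` does real HTTP requests and is used only if you pass it in.

```python
"""Expand a shortened URL by reading redirect headers, never the final page.

Added example, not the original post's code.  The redirect table below is
constructed for the demo; head_location() performs live HEAD requests.
"""
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5


def head_location(url, timeout=5):
    """Send one HEAD request; return the absolute Location of a 3xx reply.

    Only the redirect target is read.  The body of the destination page is
    never downloaded, so nothing hosted there runs on the analyst's machine.
    """
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path, headers={"User-Agent": "url-expander/0.1"})
        resp = conn.getresponse()
        if 300 <= resp.status < 400:
            loc = resp.getheader("Location")
            return urljoin(url, loc) if loc else None  # relative Location is allowed
        return None
    finally:
        conn.close()


def expand_short_url(url, fetch_location=head_location, max_hops=MAX_HOPS):
    """Return the list of URLs visited, first to last, following 3xx hops.

    Stops at the first non-redirect, at a loop, or after max_hops so a
    malicious redirector cannot keep us bouncing indefinitely.
    """
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def same_registrable_host(a, b):
    """Crude check: do the two URLs share their last two host labels?

    Good enough to flag 'login-facebook.example' posing as facebook.com;
    a real deployment would use the Public Suffix List instead.
    """
    ha = (urlsplit(a).hostname or "").lower()
    hb = (urlsplit(b).hostname or "").lower()
    return ha.split(".")[-2:] == hb.split(".")[-2:]


# Constructed redirect table standing in for live shortener responses.
FAKE_REDIRECTS = {
    "http://sho.rt/x1": "http://sho.rt/x2",
    "http://sho.rt/x2": "https://login-facebook.example/verify?acct=1",
    "http://sho.rt/loop": "http://sho.rt/loop",
}


def fake_location(url):
    """Offline stand-in for head_location() using the constructed table."""
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    chain = expand_short_url("http://sho.rt/x1", fake_location)
    print(" -> ".join(chain))
    print("final host matches the claimed site:",
          same_registrable_host(chain[-1], "https://www.facebook.com/"))
```

Teach the comparison, not just the expansion: a link advertised as "a Facebook message" that resolves to a lookalike host is exactly the case the Sophos numbers are about, and the mismatch is visible before anyone clicks.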
As this blog has pointed out repeatedly, there are tremendous benefits that can accrue to organizations that encourage their employees to interact on social networks. The solution to the risks involved is not to simply shut off access, but rather to minimize the risk through good, old-fashioned hard work.
January 8th, 2010 — Security
A colleague sent this screen capture to me. It’s what he got on his work computer after he tried to access this site, StopBlocking.org:

That’s right. Websense — maker of site-blocking tools — blocked this site. Now, Websense could have been truthful in its explanation for why it blocks access to StopBlocking.org. It could have said, “We’re not providing access to this site because if you read it and agree with it, you may no longer want to pay us for our products.” Instead, Websense resorts to dishonesty. In case you can’t read the small print, here’s what it says:
“Security risk blocked for your protection. This Websense category is filtered: Proxy Avoidance. Sites in this category may pose a security threat to network resources or private information, and are blocked by your organization.”
Let’s be clear: This is a WordPress blog and a WikiMedia wiki. It’s nothing but text and graphic images. There is no software to download, no forms to complete. You need a password to edit the wiki, but that’s just to keep spammers out. No personal information is collected as part of the password process. And you don’t have to be a wiki editor to read the wiki contents, so there’s no need to even get a password if you don’t want to contribute to the contents.
In other words, in absolutely no way is StopBlocking.org a security risk.
I can’t say I’m surprised. Any company that would make up numbers about lost productivity would make up excuses to mask the real reason they don’t want you to read the contents of a website.
November 4th, 2007 — Productivity, Recruiting, Security, Social Networks
The UK’s Trades Union Congress has published a three-page brief outlining its position on how companies should deal with social networks like Facebook. The PDF document covers four main issues…
- Productivity – “We believe that good employers should consider allowing their staff personal use of the internet in general at the workplace, during break times, provided this is used responsibly and doesn’t interfere with work or could compromise the employer’s reputation.”
- Personal conduct — “Employers may have some valid concerns about the way their employees conduct their personal lives, such as breaches of commercial confidentiality or damaging the company’s reputation by slandering co-workers or clients…(but) we’re concerned that some companies may be over-reacting to this increased level of knowledge about what their employees say about their work.”
- Recruitment — “Any employer who takes equal opportunities in recruitment seriously should not be considering this. As only a minority of potential staff will have public profiles on social networks, using information from this source can give an unfair advantage or disadvantage to certain candidates.”
- Security – “If employers help staff with training on IT security and identity theft, those staff will also have a better idea of how to minimise security risks to themselves and their company on social networking.”
These are just excerpts; read the entire document. I have to disagree with the TUC’s recruiting stance. After all, if I have a Facebook profile that helps me win a job over somebody who doesn’t, all I’ve done is exercise some initiative to make myself more marketable than the competition. It’s not the candidate’s problem that others haven’t figured out that a solid online presence can help you get hired.
October 16th, 2007 — In the news, Security
The irrational urge to block employee access to online content often results from a kind of mass hysteria: Somebody makes a claim and others blindly accept it as fact — especially if it was reported in the mainstream press.
Such is the case with one of the most oft-cited reasons for companies to block access to Facebook. No, not worries about lost productivity (which still ranks as the most frequently cited rationale), but worries about the risk Facebook poses for infecting a company’s servers. It was reported that Facebook’s open API is leading to the development of apps that contain malware.
Well…not exactly. It’s actually “scareware.” And it’s not coming from any of the third-party apps, but from Facebook’s own “Facebook Flyers” application. As noted in a piece from Mashable:
These ads, which show up on your Facebook pages in a similar manner to content-specific Google Ads, have been found to be scamming folks left and right. Some of the discovered ads are posing as a dating service, redirecting you to a site that says “Your machine could be infected” and then onto a site for a product called Malware Alarm.
The people behind such marketing are still scum, but let’s be clear: This is a far cry from downloading a virus, yet that’s exactly the reason cited for blocking employee access to Facebook.
It would be nice if the IT powers that be would check their facts before falling in lockstep behind these ethically-challenged marketers.
October 4th, 2007 — Facebook, In the news, Security
An article in SearchCIO.com asserts that the hoopla over companies banning Facebook access may be overblown. Citing a study by the InfoTech Research Group in Canada, the article by Shamus McGillicuddy contends, “Despite security and bandwidth worries, fewer than half of IT managers recently polled ban employee use of consumer-oriented social networking Web sites such as Facebook and MySpace.”
While it’s great to hear that 54% of companies aren’t blocking, the fact that nearly half are restricting access should cause jaws to drop. Nearly half of employees are kept from these services, resulting in lost business opportunities and reduced employee engagement. It’s also hardly reassuring to learn that the main reason companies aren’t blocking is because they have other priorities and not out of a recognition that the benefits of providing access outweigh the risks.
The article also cites an American Management Association study that finds:
65% of U.S. businesses block connections to inappropriate Web sites, such as pornographic or sports gambling sites, a practice called URL filtering. The chief reason businesses block access to Web sites is to prevent the spread of spyware and other forms of malware, said Lawrence Orans, an analyst at Gartner Inc. in Stamford, Conn. He estimates that about 20% of commercial organizations block social networking sites.
Hmm. Malware and spyware are of greater concern than the Human Resources issues that could arise from such behaviors. But again, such filtering often inadvertently blocks inoffensive and useful content. Keeping employees away from porn and gambling — and malware and spyware — should be a management issue, not a technical one. (I don’t block anything from myself at home and my reasonably priced anti-spyware and anti-virus packages have kept my computer from becoming infected. )
Some may take comfort from these numbers. I find them alarming.