How Social Media Can Compromise Your Company’s Security Posture

Jenn Miller
August 31, 2010 | COMMENTS

The unbridled use of social media in the workplace represents a growing area of risk to an organization's information security posture. Social media networks present two distinct attack vectors: information leakage and false trust.

Hackers, red teams and experienced penetration testers have used OSINT (open source intelligence style information gathering) for years. But now that social media use has reached critical mass, it is relatively simple to garner information about your company's employees, your organization and even your IT infrastructure. Using social profiles, information parsed from tweets, business directories, job postings, etc., cybercriminals can put together a complete dossier on employees of a target company without any ‘real' hacking.

Employees most often use social media both at home and at the workplace without differentiating between the two. On social media networks, users create profiles, manage privacy settings, and grant permission to who can and can't view their profiles. This creates a false sense of trust, where an individual feels comfortable disclosing detailed personal information about their life whether it be regarding relationships, issues at work, contact info, travels plans, likes and dislikes.

In addition, because they believe they are within a “walled garden,” they are more apt to click on unknown links (because they are recommended by a “friend.”) Link shorteners can heighten the risk as a full executable string can hide behind what appears to be an innocuous link. Clicking on an unverified link is a risk that could lead to a full system compromise if a malicious website is behind it and there is potential for the introduction of viruses and malware to the organization's network.

The complete list of threats and vulnerabilities from social media in the workplace is long. Other examples include: phishing attacks, disclosure of private company info, brand/reputational damage, harassment and privacy violations.

Social media is not going away. More likely, the number of users and time spent on social networks will continue to rise exponentially, and your security risk will rise with it. Here's what you can do about it.

Five Tips to Improve Security against Social Media Threats

1. Determine if social media use is necessary for your business. The security risk that social media presents for a company is significant. Whether or not to allow its use in the workplace is really a question of risk vs. benefit. If banning it outright seems too Draconian, consider limiting use to only the people that need it to perform their job function.
2. Provide training and security awareness to employees. This should include policies and procedures such as personal use in/out of the workplace, business use, nondisclosure of business content, and disallowed activities (installing apps, playing games, etc).
3. Use content monitoring technologies.
4. Encourage URL lengthening tools like TinyURL to decode and verify shortened links.
5. Keep your hardware, software, anti-virus, and critical security patches up to date.

Redspin offers penetration testing, security assessment and IT audit services to banks and credit unions. Miller's blogpost may be viewed at www.redspin.com/blog. Reprinted with permission.