Threats Evolve, So Must Security

Each year, McAfee Labs produces a threat predictions report listing the top threats it currently sees in play or expects to become widespread. For 2010, McAfee's top two items were social networking threats:

1. Social networking sites will face more sophisticated threats as the number of users grows.

2. The explosion of applications on Facebook and other services will be an ideal vector for cybercriminals, who will take advantage of friends trusting friends to click links they might otherwise treat cautiously.

The popularity of social networking sites such as Facebook, MySpace, Twitter, and LinkedIn has carried them well beyond purely personal use. These services, and the risks that come with them, now affect customers, members, and employees. Some of the social networking-related threats financial institutions face are detailed by Russ Horn, chief operations officer for CoNetrix ( conetrix.com ), a network consulting and security services firm, writing in Texas Banking magazine. They include:

Reputation risk

Because social networking sites are being integrated into business applications, Horn sees a new threat emerging from them: reputation risk. For example, Outlook 2010 will ship with a feature that integrates e-mail with social networking sites. An e-mail message will then pull the sender's picture and status updates from these sites and display them at the bottom of the message.

Horn's fear is an employee who links his work e-mail address at the financial institution to his MySpace or Facebook account. A questionable picture or an offensive status update is then displayed, beneath an otherwise routine message, to one of your best members who has just upgraded to Outlook 2010, and the resulting problems are obvious.

Additional risk accrues if the financial institution creates its own social networking presence with customers or members as "friends" or "fans." The list of friends or fans tells attackers which people do business with the institution and makes it easier to gather information about them, and therefore to send them targeted phishing messages.

If employees include work information on their personal profiles, attackers can use this information to successfully implement social engineering and spear-phishing attacks.

Strategic risk

There is also a risk in not addressing social networking sites at all. Horn compares it to the failure of many institutions in the 1990s to reserve an Internet domain name before someone else did.

Right now, it's debatable whether Facebook, LinkedIn, or other social networking sites will have significant business value. There is a risk, however, in leaving them out of strategic planning. At a minimum, institutions should consider reserving their name (the username or handle) on key social networking sites such as Twitter and taking ownership of institutional business accounts on sites such as LinkedIn, so that nobody else can register the institution's name first.

Compliance and privacy risk

Right now there is little regulatory guidance on social networking sites. Until there is, Horn recommends applying the general compliance and privacy rules and guidelines the institution already follows to social networking sites when determining risks and controls.

To find out how financial institutions are managing and controlling social networking sites, CoNetrix surveyed more than 80 financial institutions earlier this year. Only 7% had conducted a formal risk assessment. Only 21% had addressed social networking in their policies, and only 14% required employees to sign off on those policies.

Controls that Horn recommends institutions consider include:

Technical controls: Certain controls, such as Web filtering, keep employees from reaching social networking sites while they are on the institution's network. This at least protects the institution's systems from attacks delivered through those sites while employees are connected to the network. Most technical controls, however, do not cover laptops and mobile devices once they leave the network, so a device can pick up a threat off-site and bring it back.

Policies and procedures: Social networking sites need to be clearly addressed in policies and procedures. Identify whether you plan to have an institutional social networking presence and, if so, who will maintain it and how. State whether employees are allowed to access social networking sites on your systems or during work hours and, if so, under what restrictions or guidelines.

Also, decide whether employees may use their work e-mail address on social networking sites, and whether they may mention the institution on these sites at all. Finally, make sure these decisions are rolled into an "acceptable use policy" signed by all employees.

This article originally appeared in CUNA's E-Scan Newsletter. Reprinted with permission.
