Comment: Don’t Ban Social Media (And What To Do Instead)

Corporate IT policies that ban social media usage in the workplace are worthless, says Paul Henry

For several years now, I’ve presented at a number of industry events, hosted webcasts, written blogs and done everything I can to spread awareness that social media is one of the top malware delivery vehicles. And while this fact remains unchanged, I still believe corporate IT policies that ban social media usage in the workplace are downright worthless.

While banning social media use altogether would be the easy way out, research shows that such a move wouldn’t necessarily be a successful strategy. In fact, the opposite is true, as a recent Cisco study suggests that 64% of college students plan to ask about social media policies in interviews, and 24% say the answer to that question might make them pass on a job offer. In my experience, many employees have openly stated that a total ban on social media technology would make them look for a work-around that you can bet would be in violation of IT policies.

Create Policy

So, regardless of how management chooses to embrace or reject (hopefully embrace) social media, it is here to stay. And because every company is different, it follows that social media policies will vary wildly from organization to organization. But there is one universal must of a social media policy: you need one. Write it, disseminate it and enforce it. Even better, don’t make it ‘shelfware’, and don’t write it in legalese – make it something anyone from the mailroom to the boardroom can understand and follow.

Educate Your Users

While developing policy is key, so too is educating all employees, contractors, and anyone else with access to your network about the risks. Policies mean nothing if no one knows anything about them. User education should be engaging and comprise information they need to know. Flooding them with tons of technical data will only get users to tune out during training and waste everybody’s time.

For all the ink dedicated to the subject, social media is not the enemy. It’s not evil in and of itself. Simply put, it’s not going anywhere anytime soon. Security professionals are often guilty of targeting a new trend and setting it up as the scapegoat. The fact of the matter is that the bad guys care about social media in one way only: as a way to run a malicious executable on a machine in your environment.

Implement Layered Security

What we have to remember here is that social media is nothing more than a delivery mechanism, and I believe that one of our biggest faults in network security for years now has been to focus on the delivery mechanism du jour. We're not focusing on the endgame.

Again, if we would change our sights to preventing malicious software from executing within the environment, we wouldn't have to care so much about the delivery mechanism. The delivery mechanism has put us in an arms race with the bad guys that we simply cannot win.

We're outmanned, we're outgunned, and clearly it looks like our adversaries have a better imagination than we do when it comes to learning the ins and outs of the latest malware delivery mechanisms.

Fortunately, it doesn’t take much imagination to practice good security hygiene. Instead, it takes discipline. That discipline is practiced every day by ensuring endpoints are well-patched, users are trained about the risks, policies are enforced through monitoring and blocking technologies, and sensitive information is well-fortified within the network. Here are four security fundamentals:

  • Strong Endpoint Management: When systems are well-patched and free of vulnerabilities, social media attackers won’t find an easy attack surface. Similarly, a system protected by whitelisting simply won’t allow a user to download a piece of malware masquerading as a video codec or browser update.
  • Rule of Least Privilege: Attackers love it when organizations give their employees more access to systems than they really need. The more permissions users have to access network and database resources, the easier it is for a hacker to turn an attack on an isolated machine into a full-blown raid of the organization’s most precious information.
  • Network Segmentation: When stores of personally identifiable information are intermingled with copies of flyers for the annual picnic, attackers find it easier than a summertime scavenger hunt to find company treasures. It is critical that IT segment the most sensitive data stores from the rest of the network to make it harder for attackers to pivot from the endpoint to get to them.
  • User Monitoring and DLP: It’s not just the attackers that are endangering information. Without oversight, insiders can either purposely or inadvertently post sensitive information onto online sharing sites and send them virally via social media sites. Monitoring and technological enforcement of policies ensures that your organization is alerted to and acts on bad user behavior that puts the whole network at risk.

There’s clearly no putting social media back into Pandora’s Box. As IT professionals move forward in this new era, the only way to keep up with the threats is to face the reality of social media use head-on. And by focusing on the aforementioned security fundamentals, you and your organization will have a fighting chance.


Paul Henry is one of the world's foremost global information security and computer forensic experts, with more than 20 years of experience managing security initiatives for Global 2000 enterprises and government organizations worldwide. Henry is a principal at vNet Security, LLC and is keeping a finger on the pulse of network security as the security and forensic analyst at Lumension. Throughout his career, he has played a key strategic role in launching new network security initiatives to meet the ever-changing threat landscape. Henry also advises and consults on some of the world's most challenging and high-risk information security projects, including the National Banking System in Saudi Arabia, the Reserve Bank of Australia, the Department of Defense's Satellite Data Project (USA), and both government and telecommunications projects throughout Southeast Asia. He serves as a featured and keynote speaker at seminars and conferences worldwide, delivering presentations on diverse topics, including anti-forensics, network access control, cyber crime, DDoS attack risk mitigation, firewall architectures, security architectures, and managed security services.