IT@Intel Blog


What are the risks to company employees embracing new social media applications, such as Facebook, Myspace, IM, Twitter, etc. at work?

I recently had a great discussion with Josh Bancroft, an Intel software engineer deeply entrenched in the social media world (truth be known, Josh has been a champion in this area for a while and Intel owes much of our social media maturity to Josh and others like him). Josh recently started a blog on this topic and is getting some great responses. Check it out!


Here is my position:

Corporations institute security mitigations to control and manage risks to the corporate network, systems, data, reputation, customer goodwill, liability protection, etc. Many of these new social applications expose employees to a new set of social engineering threats. Connecting to these services from company machines across corporate networks exposes potentially critical assets as well.

The benefits of these tools are undeniably great, but should corporations embrace such potentially risky communication channels? If so, how?

Anytime an employee makes a connection through the corporate firewall to an external internet location, the risk meter goes up. Email is a perfect example: uncontrolled email would be a huge risk. Without spam and malware filters, a corporate network connected to the Internet would surely be overwhelmed. Organizations have instituted such security controls to manage the risk to an acceptable level. But with the rapid introduction of new social tools, designed to traverse proven security controls, how should companies manage the new risks?

What is worse, these social platforms may be used by savvy attackers, to profile targets and directly go after one of the traditionally weak links in any security program, the human element. Employees can be swayed to download malware and divulge sensitive information which can lead to tremendous compromises of corporate assets.

What to do, what to do. With my security hat firmly bolted on, I say employees must comply for the greater good, which means balancing function with security. Normally, corporate information security policies are in place to control what is allowable. Policies are formal means for management to determine the acceptable level of risks, thereby defining the function/security balance.

So how do we get beneficial social interfaces integrated into the corporate computing landscape? Well, it really is a senior management decision to accept the risks. Such an effort usually begins with a risk assessment to determine where on the risk spectrum the tool would sit and what cost-effective security mitigations could be applied. If senior management is willing to accept the residual risks, then it is time to move forward. With the sheer number of new social interfaces being introduced, it is unlikely all would be embraced. Some, if not many, users may be unhappy, but this is the cost of effective, efficient security assurance in the corporate setting.

But what if the end users collectively ignore these policies? What responsibility does security management have to ensure due care and due diligence are maintained? Security must consistently follow its rules of engagement. It is tough enough to keep the environment secure without employees subverting policies. I recommend detection and enforcement as well as collaborating with the end users to determine if a middle ground can be found to meet the business need while maintaining the integrity of security. We are all in this together. We will succeed or fail together.

Sep 26, 2007 11:30 AM Bob_Duffy

I see both sides here. Facebook is a legitimate business tool. It is a legitimate form of communication. People argued 15 years ago about email, and open Internet access. I remember having to convince my management 10 years ago that we could open http access to each desktop.

Issue with Facebook is it has lots of private information and connects you to people on a server that holds that information outside of the firewall. I suspect we will eventually see Facebook for the enterprise. Something that sits behind the firewall so intellectual property can be secured.

However if the argument is that it wastes time and contributes to an unproductive workforce, as commented on Josh's blog, all I have to say is that I consider my friends on Facebook to be some of the most productive hard working people I know.

Sep 26, 2007 12:32 PM josh.hilliker in response to: Bob_Duffy

Here's an extract of what I posted: "Here’s my view. Security for any corporation is a key element of a company’s success, either from physical or cyber, the threats are real & risks are something that can be measured. Most new capabilities upon entry are deemed as a risk until further analysis can be completed & the true risk can be understood across the IT & Security teams. These are more data points then an opinion. Now for my opinion, for any tool there is a positive & a negative on how you utilize. For social media it is a gray area for how the Enterprise adopts & institutionalizes the already growing toolset of Web 2.0 to Web 3.0 tools. When you start to apply the enterprise vision on a gray area, you start to see the differing views & you start to blend the social aspects outside of work with how the company operates with it’s End users, Fellow Travelers & Employees. The real test is how do you take this very powerful tool set & extrapolate a true business value that can be connected to changing the business for your company. "

Sep 26, 2007 12:50 PM Laurie Buczek

I think a significant challenge for social media based tools is that a large population of executives within the corporate world (CIO, CEO etc.) currently do not see the value of social media to their bottom line. Unfortunately by the time a risk assessment is done and CIOs see the business benefit, we may be too late. Facebook may no longer be the social networking tool du jour. So in reality the problem becomes how do we move fast "enough" in emerging technology adoption- especially social media tools- while mitigating the risks.

Sep 26, 2007 1:52 PM jabancroft

First, a rant. We've GOT to fix it so people can leave anonymous comments, or at least leave some kind of comment without having to go through the long, invasive, spammy "create an account" process here. Srsly. :-) It's a HUGE wall I just had to climb over, just to post a comment. It's keeping people away in droves. Droves, I say! :-)

Matt, this is a great post, and I'm glad we're having this discussion. Thanks for being a good sport. :-)

I'd like some clarification from you on a couple of things you said.

First, can you elaborate on your statement "new social tools, designed to traverse proven security controls"? I know we're talking about Facebook here, but I wonder if there's a misunderstanding here. I don't see how Facebook, Twitter, or any other social networking site is different from any other website out there.

Technically, they're all just HTML over HTTP on port 80, exactly the same as any other web site out there. Am I missing something that makes Facebook different enough from a "regular" website to make it an increased security risk?

Socially, yes, people are opening themselves up for social networking attacks. But we get those from every angle these days - phishing emails, worms that spread via IM, etc. That's why we have all that required security training that we have to sit through every year that teaches us how to recognize and avoid social networking attacks.

I contend that the best line of defense is to educate employees how to "not be stupid", and mitigate the technology risks where it makes sense (spam filters, antivirus, etc.).

I just don't understand what's so different about these sites from, say, Amazon.com that we have to spend time and money on a risk assessment, decide what "to do" about them. We don't have "to do" anything that we're not already doing.

Looking forward to your thoughts! :-)

Sep 26, 2007 1:58 PM jabancroft in response to: jabancroft

Oh, and here's another gripe about the site. How come my name displays as "jabancroft" when I have entered "Josh Bancroft" as my "real" name, and told it to "Show"?

And how come I can only pick from a selection of 20 canned (boring, IMO) images for my avatar? Why can't I upload my own avatar image?

Sep 26, 2007 1:58 PM CommunityAdmin in response to: jabancroft

Rant noted. Opening guest comments has been in process since our discussion yesterday. This change will take place shortly.

Sep 26, 2007 3:59 PM CommunityAdmin in response to: jabancroft

jabancroft is your user name. Hide or show items relate to what shows in your profile. So you are showing your full name in your profile.

Per legal restrictions, Intel web properties cannot allow copyrighted images to be posted, thus a library of avatars is provided. That library will build.

You can add feature enhancements to the Wish List Wiki:
http://communities.intel.com/click.jspa?searchID=1534&objectType=102&objectID=1090

Sep 26, 2007 4:38 PM Anonymous Friend (guest)

Good post guys... keep it up!

Sep 26, 2007 6:10 PM Matthew Rosenquist in response to: Anonymous Friend

Josh,

To answer your first question, I am really talking about any of the new social mediums which rely upon a company backbone of technology for the actual communication. Facebook is just one example, but I am thinking much broader, including IM clients, VOIP technologies, tools which bring in customized feeds and content, remote control/monitoring/backup setups, or unassisted file-transfer type of capabilities. Any such communication between an employee using a company system, over a company network, to establish a two-way link outside of the corporate circle of trust, potentially increases the risk to the computing infrastructure, intellectual property, liability protection, and the stability of operations.

By nature, a social network is about communication and sharing. Nowadays this includes not only text or a warm voice, but video, files, documents, and other types of files, data, and information. Here lies the problem.

Security is half technical and half behavioral. Technology provides attackers with a super-expressway to conduct malicious acts, and provides defenders with the means to cost-efficiently automate protection. This is an ever evolving tug of war where both sides use technology to jockey for position, gain intelligence, and conduct offensive/defensive stratagems. Normally attackers innovate and the defenders follow the attackers.

Controlling the network traffic is one of the foundations for providing corporate information security in our day and age. For those services which require communication to the wild Internet, companies typically choose to invest in programs which protect against the most common types of attacks: firewalls, DMZs, anti-virus, web proxies, spam filters, etc. In order to work properly these tools require an understanding of the traffic and what is allowable or not allowed. The new social mediums may subvert these valuable controls through sometimes ingenious means of communication transport. In doing so, they may allow an attacker or their code access to areas they do not belong.

Social networks can also undermine a defense-in-depth strategy. Being able to predict, prevent, detect, and respond to cyber incidents is critical to maintain security assurance. Given the new features, communication methods, and rapidly evolving capabilities of these social network tools, it becomes terribly difficult to predict where the next vulnerability, exposure, or actual attack will occur. Preventing such attacks, both technical and behavioral in nature becomes exponentially difficult if security is not aware of all the potential ingress vectors. Detecting when weaknesses are exploited in the technological and behavioral posture can be a nightmare when a number of unknown tools are floating about on the network and in use by employees. This becomes especially sticky if employees begin to rely on such non-supported tools to conduct business.

The behavioral aspect is all about the people, both the targets as well as the attackers. I have a couple of different issues in this space. First, employees have come to expect security while at work. They assume the somewhat paranoid security professionals (I’m sure they don’t use those nice words to describe us) will protect them, their systems, and their data at work, regardless of what they do. It is bad enough to keep everyone secure on tools and systems we do manage, much less try to keep everything secure on systems we don’t.

Additionally, not all employees are at the same level of security awareness. As such, they may not conduct themselves in a consistent manner when dealing with these social tools. This becomes more of a problem when a group of fellow coworkers are communicating, thereby giving a false sense of security or privacy. Convenience is another issue. The possibility of two or more employees wanting to chat with each other about project status, workplace events, etc. is a risk when an unsecured communication channel is handy. Longevity also comes to mind. If no security problems crop up after a while, will employees’ security vigilance wane over time?

Aggregation of data. Put yourself in the shoes of a bad guy. Having information about a single employee is a pretty small target surface area. Having information about many employees opens many different doors. You can begin to understand the organization, reporting structures, areas of expertise based upon locations, susceptible targets for influence, persons to impersonate, etc. In the hands of someone proficient, this is valuable information and can be used to compromise the organization. This is the very reason people target the social sites when looking to compromise an organization.

One of my favorite aspects, living in the state with the most lawyers, is the potential for added liability. If a company allows a social network and permits employees to use it, does that constitute an expectation? If your manager uses some community site, would it be in your best career interest to use it too? If you put your personal information in such a social tool and become victimized because of it, can you sue your employer? Can an employer be held responsible if an employee uses these tools to do something harmful to others while on the corporate network, using a company computer, on company time?

Yes, you are very correct, social attacks are pervasive. This is exactly why companies spend money on filters, training, and other controls. Employees sometimes activate these malware and data-mining attacks. Why would a company allow a different type of social attack vector into their network? The benefit would surely need to outweigh the additional risk or costs to mitigate.

I would contend there is a great difference between these services and a website. This is probably the reason they are so popular. In comparison to a website, which is typically a simple pull by the user, a community tool is stronger when designed to initiate communication from both ways. Web protocols are well known. The company can block known bad sites, scan attachments, disallow certain types of transactions, etc. The company does not control a social site and has less control of what potentially will come in or go out.

I see I am rambling on, so I won’t even touch on network performance impacts, user productivity, and additional opportunities for malicious insiders, etc.
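One way to act on the visibility point made above (unknown tools in use on the network, and less control over what goes out), as an added example that is not part of the original discussion: a script that triages constructed web-proxy log lines against an assumed destination policy and reports unknown destinations that several employees use or that carry large uploads. The log format, the policy table, the hostnames and the thresholds are all assumptions made for illustration.

```python
"""Added example (not from the original post): surface unclassified destinations
in proxy logs so they can be put through the risk assessment the post describes.
The policy table, log format and thresholds below are assumptions for illustration."""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed policy: destinations management has already classified. Anything else
# is "unknown" and becomes a candidate for review rather than an outright block.
POLICY = {
    "facebook.com": "social:review",      # allowed pending risk assessment
    "mail.example.com": "business",
    "amazon.com": "web:allowed",
    "evil-updates.example.net": "blocked",
}

# Constructed sample log lines: "<user> <method> <url> <bytes_out> <action>"
SAMPLE_LOG = """\
alice POST https://facebook.com/ajax/messaging 4200 ALLOW
bob GET https://amazon.com/dp/123 300 ALLOW
alice GET https://chat-tool.example.org/stream 120 ALLOW
carol POST https://chat-tool.example.org/upload 8400000 ALLOW
dave POST https://chat-tool.example.org/upload 2100 ALLOW
bob GET https://evil-updates.example.net/x 88 DENY
erin POST https://files.example-share.io/put 52000000 ALLOW
"""


def classify(host):
    """Match a host against the policy by suffix so subdomains inherit the rule."""
    for domain, category in POLICY.items():
        if host == domain or host.endswith("." + domain):
            return category
    return "unknown"


def triage(log_text, min_users=2, upload_threshold=1_000_000):
    """Return unknown destinations that were allowed through, with the distinct
    users and outbound bytes seen, flagged when used by several employees or
    when they carried a large amount of data out of the network."""
    stats = defaultdict(lambda: {"users": set(), "bytes_out": 0, "posts": 0})
    for line in log_text.splitlines():
        user, method, url, bytes_out, action = line.split()
        host = urlsplit(url).hostname
        if action != "ALLOW" or classify(host) != "unknown":
            continue  # already covered by an explicit policy decision
        entry = stats[host]
        entry["users"].add(user)
        entry["bytes_out"] += int(bytes_out)
        entry["posts"] += int(method == "POST")
    findings = {}
    for host, entry in stats.items():
        reasons = []
        if len(entry["users"]) >= min_users:
            reasons.append("multiple-users")
        if entry["bytes_out"] >= upload_threshold:
            reasons.append("large-upload")
        if reasons:
            findings[host] = {"users": sorted(entry["users"]),
                              "bytes_out": entry["bytes_out"],
                              "reasons": reasons}
    return findings


if __name__ == "__main__":
    for host, finding in triage(SAMPLE_LOG).items():
        print(host, finding)
```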

Sep 26, 2007 6:27 PM jabancroft in response to: Matthew Rosenquist

Thanks for that response, Matt, but I'm still confused.

Let's try this, Twitter style: Please explain, in 140 characters or less, how Facebook is different from any other web site - that is, technically, it's just files over HTTP, so why don't the existing measures cover it?

Sep 26, 2007 7:12 PM Matthew Rosenquist in response to: jabancroft

To answer your questions, can you tell me the following information: What information at maximum can you put into Facebook? What is the limit of communication, file sharing, and web-app control from Facebook, both currently and potentially in the future? - As a security professional, I must manage security for not just today but the future as well.

Can you estimate the vulnerability of the provider or the potential risk of compromise by systems accessing the service? Any estimate of the consequence if all actions and communications from employees are made public or are compromised? As this is a site which loosely establishes identity and associates credibility, can you estimate the potential damage if someone spoofs another’s identity? (i.e., if I logged in as your best friend, would you or someone else launch a 'fun' program for me on your work system?) An attacker must find only one hole, or in this case one employee in a gullible moment, to get inside or do damage.

A social site, by definition, opens communication channels. If those are not secured while on the company assets, then the risk goes up.

Most web sites do not ask for personal or work information and store it remotely. Yes some do, but most don’t. Most web sites do not open unsecured, unfiltered, and unmonitored two-way communication channels. Most web sites don’t initiate the communication, as they are passive. Signing up for a community site is giving that service power: the power of knowledge, the power of personal data, the power to communicate to you. That is fine if it is your choice and your assets at risk. It is questionable if it is the corporate assets at risk and management is not the one making the decision.

Sep 26, 2007 7:52 PM jabancroft in response to: Matthew Rosenquist

I'll let Facebook speak for themselves with regard to what information they store, and what they do with it, on their own Privacy and Security page:

http://www.facebook.com/help.php?page=9

It's kind of funny that you say "most web sites do not ask for personal or work information and store it remotely", because until a few hours ago, when anonymous comments were turned on here for communities.intel.com, it did exactly that. I had to wade through a long, arduous, invasive questionnaire, asking all kinds of information, like what my work title is, how many people are at my company, where I'm located, what industry I'm in, etc., all so I could create an account to post a comment. At a bare minimum, all you need to create an account for me here is a username I choose, a password I choose, and (maybe) my email address. All the rest of the stuff smells like you're going to spam me, or put me into some kind of demographic database, or something. People HATE that. I hate that. Don't you? ;-)

Is that what you meant by "web sites asking for personal or work information and storing it remotely?" ;-)

Oct 2, 2007 5:38 PM Matthew Rosenquist in response to: jabancroft

Here is a timely CNet article discussing the risks of social networks in the corporate environment, by CNet Senior Editor Robert Vamosi. It includes an interview from Tod Beardsley, lead counter-fraud engineer for TippingPoint.

http://reviews.cnet.com/4520-3513_7-6780789-1.html?tag=nl.e757

Oct 2, 2007 6:37 PM josh.hilliker in response to: Matthew Rosenquist

Matt - good article from cnet.. especially the NDA piece.. so it goes back to the risk dialogue.

Oct 4, 2007 2:43 PM IT@IntelAdmin

Peter Schooff had an interesting blog http://www.ebizq.net/blogs/news_security/2007/10/should_companies_ban_web_20_to.php about this discussion. "...there’s the idea that people using Web 2.0 tools might actually be doing work, where, in the case of sales, or networking, or keeping an eye on competitors, those tools are absolutely essential. Also, there’s the idea that if an employee is determined to break the rules, or actually harm or steal data from their company, no amount of "corporate policy" is going to stop them, and is exactly why a company needs strict access controls and good database security to stop the rogue employee.

If you haven’t guessed already, I am one for openness, and while companies should definitely do a threat assessment and shut down the most obvious Web 2.0 threats, as well as protect their data assets, but otherwise, just like information wants to be free, so do employees."

Oct 18, 2007 11:36 AM Matthew Rosenquist in response to: IT@IntelAdmin

In the news, a recent legal action has prompted one social media site to institute more controls to protect users.

http://www.infoworld.com/article/07/10/17/Facebook-to-beef-up-safety_1.html

This example brings up an ethical and corporate-responsibility question: If a company allows or indirectly promotes employees to use these services, are they knowingly exposing their workers to obscene material and offensive people? Would this contribute to a hostile workplace and lead to an increased liability footprint for the organization? Is this ethically responsible?

Oct 18, 2007 12:07 PM jabancroft in response to: Matthew Rosenquist

Matt, dude, the WHOLE INTERNET is full of obscene material and offensive people. Short of a strict whitelist (only certain sites allowed - and that doesn't stop it from coming in via email), there's no way around that except to teach correct principles and let the people govern themselves.

I guess that sums up my stance on what companies should do WRT their employees being on the internet - teach them correct principles, and trust them to govern themselves.

Nov 16, 2007 3:28 PM Matthew Rosenquist in response to: jabancroft

Corporations have a responsibility to protect their computing environments, communication channels, business operations, reputation, and employees. As such, they should recognize Web2.0 tools represent a risk sufficient enough to warrant a thorough assessment to aid in making an informed decision to accept those risks, mitigate them in some manner, or deny access to those systems entirely.

“...the WHOLE INTERNET is full of obscene material and offensive people.” is not a worthwhile argument if employees or stockholders sue the company due to issues arising with an organization allowing Web2.0. It is also little consolation for outages which occur directly due to allowance of such social mediums.

I am not advocating disallowance of these tools and services, rather I recommend management take the time and care to diligently understand the risks and decide what will be allowable within their environment. Employees, shareholders, governments, and customers rightfully hold management to making those decisions and ultimately hold them responsible for adverse effects.