My daughter wants her own Facebook page. Desperately. All her friends are on there, and they’re tweeting, too, so I am told.
She might well be right. In a February 2010 study, Pew Research found 73 percent of wired American teens now use social networking sites, up from 55 percent in 2006.
But I’m not convinced. Despite the requisite security software I keep on her computer and the white lie that “I know everything you do on the Internet,” throughout the social networking world there are many risks, from clicking on attractive-looking but misdirecting hyperlinks to divulging personal information that could put her in danger. I’m not sure how to balance those risks against the personal reward she would gain from using social networking. 
Insurers find themselves in a similar quandary. The business wants to use social networking. Desperately. All their colleagues are doing it, or so they are told.
And they might just be right, particularly among the newest generation of workers. The aforementioned Pew study found while 40 percent of Internet users over age 30 used social networking, nearly three quarters of adults ages 18 to 29 did.
With the risks associated with social networking, more than half of U.S. companies report they have “banned” workers from using social networking sites such as Twitter, Facebook, LinkedIn, and MySpace, according to a late 2009 survey by IT staffing company Robert Half Technology. However, just how effective those bans are is another matter.
“Companies are trying to figure out their policies for use [of social networking], but it’s already in use in many areas of the company,” maintains Joshua Corman, research director at The 451 Group. “In fact, it’s less about a binary decision of ‘allowed’ and ‘disallowed’; it’s more about awareness, recognizing the benefits and managing the risks.”
“One of our challenges is understanding the value the business gets out of something such as social networking, because when we become aware of a threat that can take advantage of that vector, and we need to shut it down, we need to consider fully the business impact,” says Bruce Bonsall, chief information security officer, MassMutual. “Our approach is about balancing the business opportunity with the potential risks.”
RISKS VS. REWARDS
The fundamental risk of technology-based social networking is the same as with face-to-face networking.
“The danger is you will reveal information about the business that can be exploited,” says Rick Caccia, who has 20 years of experience in enterprise security and currently is vice president of product marketing at ArcSight. “That can happen over e-mail. It can happen over the phone. It can happen in a meeting. So, the consequences are the same, but the venue of social networking has a much broader and more immediate reach.”
Additionally, social networking features that allow users to upload photos, audio, or video make it easier for employees to post sensitive company information, either at work or on their own personal time. Features that encourage user participation also make it easier to corrupt users’ systems with malware that can infiltrate networks and provide access to company data.
“The risks are massive,” says Adriel Desautels, chief technology officer, Netragard LLC, specialists in anti-hacking. “We’ve been able to penetrate the network of almost every single insurance company that has used social networking. So, when insurers use these sites, they always, always are increasing their overall risk profile. They need to assess carefully the business benefits against the risk of a potential single compromise.”
But those benefits can be compelling, as Corman illustrates from his own use. “Twitter can be used to be vain and socially distracted from work, but it’s also a spider web of intelligence when used correctly,” he says. “I’m connected to so many people that the benefits related to my primary job in terms of both knowledge and productivity are exponentially increased.”
“It comes down to appropriate use,” he adds. “A hammer is neutral. It can build a house or crack a skull. It’s how the tool is used that makes the difference.”
Bonsall reports MassMutual’s IT security staff members use various forms of social networking themselves to keep abreast of early warning information. “We’re part of online forums where we can share information about threats. My staff and I text and IM about events in our off-hours. It’s part of the fabric of our lives right now—it’s second nature to a lot of people,” he says.
Those people include customers, as well. “What the business brings up all the time is this [social networking] is what young people are using, this is how they interact, and this is something we need to be part of. It’s how the world is evolving, and you can’t just stay out of it and not evolve with it,” says Bonsall.
“Given customers want to consume and share information, social networking can become a competitive differentiator, at least in the short term, for companies that artfully adopt the technology,” asserts Corman.
“Use of social networking also is important to be able to recruit young people by showing we are a forward-thinking company,” Bonsall adds.
As the business has made its case regarding benefits, MassMutual has opened up more access to social networking. “Initially, we were using content filtering to control outbound content, and we had most of the known social networking sites blocked. We then made some exceptions for some areas of the company and some pilot teams in marketing and HR,” explains Bonsall.
“We’ve now modified the policy to allow everyone access to sites such as LinkedIn, which has more of a direct business benefit and is not just on the social side. But our policies will continue to flux and evolve as we learn things in order to take advantage of business benefits,” he says.
CAUSES OF LOSS
Perhaps the most vexing problem for insurers is, while they have worked diligently to prevent loss to corporate data and preserve the privacy of personal information, loss can happen because of simple carelessness.
“We are a highly regulated financial industry, and we have an obligation to monitor our distribution network to make sure it’s not making inappropriate claims,” Bonsall says. “You can’t do that monitoring easily with every type of social media,” which is another reason behind MassMutual’s decision to limit permitted access primarily to LinkedIn at this point in time.
Hackers also can use bits and pieces of information to put together coordinated attacks. “The best way to hack isn’t to write a worm or OS hack, it’s to use the information people volunteer,” Corman says.
“The amount of information people freely give up is disturbing,” he continues. “I don’t have to do a ton of research and go through your garbage anymore to get this information—people put it out there all on their own. Volunteering information about your customers is a big no, going back before this technology, but it’s more important in the immediacy of this technology. The easiest way to hack is through manipulation.”
That manipulation—social engineering—works precisely because of the social nature of sites. “Social networking has a built-in mechanism of trust,” Caccia says. “With e-mail and the Web, there was no implicit mechanism of trust—anybody can send you anything. But with social networking, you create trusted relationships, and you mentally ‘clear’ them, so your defenses automatically are lowered the way they’re not for other communication venues.”
“Social networking develops communities where people congregate, and where people congregate is where criminals are going to be,” says Bonsall. “It’s predators hunting at the watering hole.”
Technical attacks are facilitated by social networking in two ways. First, profile information on users’ public pages makes it easy to create personal, believable messages to those users. Second, when users get a message from a trusted source, they’re more likely to act on it. “It’s much easier to get around technical constraints that were an issue before,” Caccia says.
A recent Netragard penetration test illustrates how readily employees can be socially engineered. First, Netragard did social reconnaissance to search for Facebook users who listed their place of employment in their profile. It combined that with technical reconnaissance of the client company’s Web site to identify any vulnerabilities and found a cross-site scripting vulnerability, which lets an attacker inject script into pages served by that site so that it runs in the browsers of other users who view them.
Netragard built a profile claiming to be that of an employee of that company. “We found most of the company’s employees who used Facebook were men between the ages of 20 and 40, so we created a profile of a 28-year-old woman,” Desautels says. Netragard added a profile picture of an attractive model, gave the profile credibility by including workplace details gleaned from other employees’ Facebook pages, and had the bogus employee join the company’s Facebook group.
After a few days of making “friends,” communicating, and sharing benign links, Netragard posted a link that took users to an HTTPS-secured page it had designed that mimicked the customer’s Web site and contained an official-looking warning that company security may have been compromised. Users were asked to verify their credentials.
“We used those credentials to gain access to the majority of systems on the customer’s network, including the Active Directory server, the mainframe, firewall control, and critical business control systems,” says Desautels. “Ironically, one of the credentials we obtained was provided by our contact at the company who knew we would be conducting a test.”
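The lure in that test was a link shared by a trusted “colleague” to a lookalike site, and the padlock did nothing to warn anyone. The following is an added example, not code from the article or from Netragard, of the kind of URL-screening check a Web proxy or URL filter could apply to links before users reach them. It assumes a hypothetical trusted domain, `example-insurer.com`, and runs over a constructed list of links of the sorts used in such lures: a trusted name embedded in a longer untrusted host, a username that impersonates the host, a one-character lookalike, a typo top-level domain, and a punycode host. The point it makes beyond the text is that the scheme is irrelevant to the verdict; only the host matters.

```python
"""Screen links shared in a social feed for credential-phishing lookalikes.

Added example; the trusted domain and the sample links are assumed and
constructed for illustration. A real filter would also consult a public
suffix list and threat intelligence; this shows the host-based checks only.
"""
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"example-insurer.com"}  # assumed company domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels. Adequate for .com/.net;
    a production filter would use the public suffix list for .co.uk etc."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def screen_link(url: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason) where verdict is 'allow', 'block' or 'review'.

    The scheme (http vs https) is deliberately never consulted: a lure can be
    served over TLS just as easily as the real site.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit lowercases the host for us
    if not host:
        return "block", "no host in URL"
    # 1. userinfo trick: https://example-insurer.com@203.0.113.10/ shows the
    #    brand first, but the real host is whatever follows the '@'.
    if parts.username is not None or parts.password is not None:
        return "block", f"userinfo before '@' hides the real host {host}"
    reg = registrable_domain(host)
    if reg in trusted:
        return "allow", f"registrable domain {reg} is trusted"
    for t in trusted:
        brand = t.split(".")[0]
        # 2. brand used as a subdomain or prefix of someone else's domain
        if brand in host:
            return "block", f"trusted name '{brand}' embedded in untrusted host {host}"
        # 3. near-miss spelling or typo TLD (exampIe-insurer.com, example-insurer.co)
        if levenshtein(reg, t) <= 2:
            return "block", f"{reg} is within edit distance 2 of trusted {t}"
    # 4. internationalized (punycode) hosts get no benefit of the doubt here
    if host.startswith("xn--") or ".xn--" in host:
        return "block", f"punycode host {host}"
    return "review", f"unknown host {host}; scheme gives no assurance"


def screen_feed(links):
    """Screen a list of shared links; returns {url: verdict}."""
    return {url: screen_link(url)[0] for url in links}


# Constructed sample links, in the style of lures posted to a company group.
SAMPLE_LINKS = [
    "https://www.example-insurer.com/benefits",
    "http://example-insurer.com/security-notice",
    "https://example-insurer.com.login-verify.net/verify",
    "https://example-insurer.com@203.0.113.10/verify",
    "https://exampIe-insurer.com/verify",
    "https://example-insurer.co/verify",
    "https://xn--exmple-insurer-2pb.com/verify",
    "https://secure-account-check.net/verify",
]

if __name__ == "__main__":
    for url in SAMPLE_LINKS:
        verdict, reason = screen_link(url)
        print(f"{verdict:6} {url}  ({reason})")
```

Note that the plain-HTTP link to the genuine domain is allowed and every HTTPS lookalike is blocked; that is the lesson of the test above, and it is the opposite of the intuition users bring to the padlock. The trusted-domain check and the edit-distance threshold are both tunable; the `review` verdict exists so that unknown hosts can be held for inspection rather than silently allowed.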
It’s not just employees who volunteer information useful to hackers. “When we do an attack simulation, we look through employment sites for the type of skills employers are seeking, which gives us an indication of the technology in place or planned,” Desautels says. “That gives us additional knowledge to exploit potential weaknesses in their systems we wouldn’t have had before.”
TECH FIXES
Technology controls do have a place in social networking security best practices. “You can use existing technology controls. You should block obvious ports. You should use a firewall. You can use URL and content-filtering technology, neither of which will stop someone who wants to get around them but can help keep honest people honest or stop people from doing stupid things,” Corman says.
Desautels recommends that if only some employees, such as those in HR or marketing, are given access to certain social networking venues, a wall of separation be built around them in case a breach occurs. “Companies should use a secure architecture that isolates those users so that if those users’ machines are compromised, they can’t perform distributed metastasis,” he advises. “In the worst case, a hacker gains access, realizes he’s locked out of the network, and defaces your Facebook page in retaliation. It’s a marketing risk, but it’s controllable.”
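The isolation Desautels describes is, in practice, a segmentation rule set. The following is an added example, not a configuration from the article or from any vendor it names, written as an nftables ruleset for the router that fronts such a segment. The subnet, interface name and the addresses of the internal DNS server and Web proxy are assumed for illustration. The weak form, a single rule that lets the segment reach everything, is shown commented out beside the corrected form, in which the segment can reach only name resolution and the proxy, and every other attempt to cross into internal address space is logged and dropped.

```nft
# Added example: isolating a social-media-enabled user segment with nftables.
# Assumed: the HR/marketing users allowed on social sites sit in 10.20.30.0/24
# behind interface vlan30; the internal DNS server is 10.0.0.53 and the
# outbound Web proxy is 10.0.0.5 on port 3128. All of these are assumptions.
table inet segment_social {
    set internal_nets {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Weak form (left commented out): the segment may reach anything.
        # iifname "vlan30" accept

        # Corrected form: the only internal services the segment may reach.
        iifname "vlan30" ip saddr 10.20.30.0/24 ip daddr 10.0.0.53 udp dport 53 accept
        iifname "vlan30" ip saddr 10.20.30.0/24 ip daddr 10.0.0.53 tcp dport 53 accept
        iifname "vlan30" ip saddr 10.20.30.0/24 ip daddr 10.0.0.5 tcp dport 3128 accept

        # A compromised machine trying to move into internal space is logged and dropped.
        iifname "vlan30" ip daddr @internal_nets log prefix "social-seg-lateral: " drop

        # No direct Internet access either; traffic must go through the proxy.
        iifname "vlan30" log prefix "social-seg-direct: " drop

        # Rules for other segments, including any administrative access
        # into vlan30, would be added explicitly below.
    }
}
```

With the policy set to drop, nothing reaches the segment from elsewhere in the company unless a rule is added for it, so remote administration of those machines has to be written in deliberately. The two log prefixes are what make the arrangement useful to the security operations team: a burst of `social-seg-lateral` entries from one workstation is exactly the signal one would expect from the credential-harvesting scenario described earlier.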
Still, there are limits to technology fixes to social networking problems. Companies that try to put in place ultra-restrictive policies may find savvy employees find their way around them or simply may find networking sites to use that aren’t on the blocked list.
“Some vendors say they can prevent this [access], but they’re either deluding themselves or being slightly dishonest. You can use firewalls and different tech services to lock out traffic, but many of these [networking] services can tunnel through acceptable ports and protocols you can’t really block without shutting down the business,” Corman says. “It’s naive to think technology controls can sufficiently stop people.”
Another problem for insurers, one that is more difficult to fix with a technology patch, is that employment-related social networking crosses the boundaries of home and office. “It’s not clear how much difference there is between social networking for work and home,” Caccia says.
“With e-mail, you can get away with saying you can use your corporate account for e-mail, and Yahoo e-mail for personal mail, but that type of approach essentially is impossible with social networking because, in practice, that divide doesn’t exist,” he explains. “I’ve never seen employees have different accounts on the same site for different purposes, and the point of some social networking sites is to be used for multiple purposes.”
Bonsall asserts his biggest security challenge is the mobile worker. “It’s easier to control the data than it is to control people who are mobile, on the road, and have home offices. They’re an extension of our network. As a result, we have thousands of end points that potentially are vulnerable due to their association with social networking groups,” he indicates. “However, getting 80 percent control still is better than having no control.”
Companies also face the challenge of the resource cost of added network security. “There’s overhead with being able to monitor communications through different channels,” points out Bonsall. “If it’s just e-mail, you can do one level of monitoring, but IM requires another. Mobile, you have to worry about SMS. Social networking, another. And there’s not one product that typically takes care of all these needs, so there are complexity, cost, and support issues. It’s easy for the business to see the upside and the value of being able to communicate in new and various ways, but there is overhead burden.”
BEST PRACTICES
Therefore, best practices for social networking security need to incorporate fundamentally sound business practices for using the tools. That begins with asking the “what if” question, Desautels maintains. “People think a particular technology is really cool and really easy to use, but they don’t ask the ‘what if.’ If a system is easy to use and understand, it’s going to be easier to attack because it has a larger attack surface, and what if that happens? The chances of determined hackers getting in are as near as 100 percent as they can be once [hackers] have an attack surface.”
Insurers need to have policies that include what employees can say about their company regardless of where they use social networking. “You can’t restrict what an employee does at home on his own time, but you can control what information about your business is made public,” instructs Desautels. While the release of some information, such as company product strategy, is an obvious no-no, employees need to understand even benign work comments can have serious consequences.
“People don’t realize what they post on Twitter instantly is available to the entire world,” Corman says. “I’ve seen executives leave a tremendous amount of actionable intelligence via their Twitter accounts—comments such as, ‘I’m going out of town for two weeks,’ which means, ‘Rob my house.’ Or ‘I’m meeting so-and-so,’ which alerts people to who your customers are. It’s especially important for people who have access to intellectual property, as they embrace this media, to understand the need to maintain their confidentiality and avoid anything that can expose the business.”
“Part of the problem is social networking is expanding to people who have less of an ability to judge these types of attacks,” Caccia says.
MassMutual has an active approach to social networking behavioral best practices. The company also is developing educational content using Web 2.0 media, such as podcasts and YouTube videos on security issues.
“We do varied levels of education. We do lunch and learns. On rare occasions we send out e-mail blasts where there is a clear and present danger. We have an intranet site for our risk management group and a companywide intranet where we can post messages,” Bonsall says.
Engaging the business in education not only can improve security around social networking but also make it easier for IT security to put necessary controls in place.
“You can’t just run in and say, ‘Danger, run away!’ You have to understand what the business is doing in order to convince it of the risk vs. the reward,” contends Bonsall.
“It’s more about steering the use vs. choosing the use,” Corman says. “Social networking is here to stay. It’s disruptive. It’s one of the ways people want to collaborate, both work related and non-work related.”
“We are an insurance company, and our very nature is to assume some risk. It’s about managing it so that you gain value and opportunity without taking undue risk,” Bonsall says. “It’s always a balancing act.”
Ultimately the company has to err on the side of caution. “Sometimes we have to be the bearer of bad news that we’re going to rain on its parade because we find some sites to be risky,” he says. “It’s a catch-up game at times, because as soon as someone figures out a good business use for something, someone else figures out an abuse.”
So, will my daughter get that Facebook page she so desperately wants? For now, I’m erring on the side of an overabundance of parental caution, but I’m also working on my own version of a user-education plan to manage the risk of her unstoppable technological evolution.