Social Networking...or Social Engineering?

By: (CISSP, CISA, CISM, MCSA, MCITP)

Publication: The Colorado Banker, May/June 2010

With the explosion in new communication platforms, hackers are moving swiftly to capitalize in every way they can. While Facebook, MySpace, Twitter and other social networking/blogging sites used to be the domain of Generation Y, the trend is now for people of all ages to use these sites to keep in touch and spread information. However, the problem is that you never know exactly what information is being spread, or to whom.

For instance, consider the case of two employees of a large US financial firm that made news a few months ago. For simplicity's sake, we will call them Jack and Jill. Both had Facebook accounts, were Facebook friends, and sometimes communicated outside of work. Sounds like an innocent friendship, right? It was, until hackers were able to take control of Jack's Facebook account. The hackers then sent Jill a simple message: "Look at the pictures I took of us at the company picnic." Jill clicked on the link, expecting to see pictures from the picnic. Instead, she downloaded malicious software that allowed the hackers to take control of her company laptop. I'm sure you can see where this is headed: the attackers were then able to use her credentials to access the company’s network. The breach went undetected for approximately two weeks.

This example illustrates how the growth of social media, coupled with a lack of awareness among employees and employers regarding personal and potential business use, can increase a financial institution's reputational, liability, and operational risk exposures. This increase can be attributed to the institution having a social networking presence to reach customers, employees accessing social networking sites at work, and employees accessing social networking sites on financial institution-owned computers at home.

How can organizations manage this risk?

Treat social media like any other type of risk: include social media in a formal risk assessment process. This risk assessment should help you gauge the level of risk, identify existing controls, evaluate the need for additional controls and, ultimately, help the bank determine its approach to the use of social media by employees. All decisions should be based on this risk-based process.

What types of controls are available?

Controls will vary by organization, but some examples include technical restrictions, addressing social media in the Acceptable Use Policy (AUP) or as a specific policy, and security awareness training for employees.

  • Technical controls usually provide the greatest (but sometimes a false) peace of mind. Hardware appliances or software can be used to filter websites by web address, content, or category. Organizations can also set up a proxy server to force users through a filtering process even when users are physically offsite.
  • Identifying social media use in the AUP or a specific policy will help organizations provide guidelines for employees and mitigate risks, especially reputational risk. The policy framework should address whether social media can be used on organization-controlled systems (both at work and at home) and what information an employee is allowed to disclose regarding the organization and organizational activities.
  • Security awareness training for employees regarding social media is an ongoing process. It is not adequate to expect users to sit in a room for 8 hours once a year and retain that knowledge until the next annual training. Posters, memos, and emails regarding the evolving social media landscape can serve as reminders to be vigilant both at the workplace and at home. If there is a virus outbreak on frequently visited sites (such as the Koobface worm on Facebook), use the occasion to inform employees about the hazards.
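To make the "technical controls" bullet above concrete, here is an added example (not code from the article, and not any vendor's product) of the decision logic a category-based web filter applies to each request: the requested URL is normalized to a hostname, the hostname is mapped to a category by matching domain suffixes on label boundaries, and the category is checked against a policy. The domain-to-category table and the policy itself are constructed for illustration only; a real appliance ships a far larger, vendor-maintained category list.

```python
"""Category-based URL filter, constructed example (not from the original article).

Demonstrates the allow/block decision behind "filter websites by web address,
content, or category". Content inspection is out of scope here; the decision
is made purely on the destination hostname.
"""
from urllib.parse import urlsplit

# Constructed, illustrative mapping of registrable domains to categories.
CATEGORY_OF_DOMAIN = {
    "facebook.com": "social",
    "twitter.com": "social",
    "myspace.com": "social",
    "fdic.gov": "government",
}

# Constructed policy: which categories are permitted, and what to do with
# sites the category list knows nothing about ("default allow" is common;
# a stricter institution may flip allow_unknown to False).
POLICY = {
    "allowed_categories": {"government"},
    "allow_unknown": True,
}


def normalize_host(url):
    """Return the lowercase hostname of a URL, or None if no host is present.

    Scheme-less input such as "facebook.com" is accepted by assuming http.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def categorize(host):
    """Look up a hostname's category by walking its labels from most to least
    specific, so "m.facebook.com" matches "facebook.com" but "notfacebook.com"
    does not (a naive substring match would wrongly block the latter)."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_OF_DOMAIN:
            return CATEGORY_OF_DOMAIN[candidate]
    return None


def decide(url, policy=POLICY):
    """Return (verdict, category, reason) for a requested URL.

    verdict is "allow" or "block"; category is None for unknown sites.
    """
    host = normalize_host(url)
    if host is None:
        # Fail closed: a request the filter cannot parse is not let through.
        return ("block", None, "unparseable URL")
    category = categorize(host)
    if category is None:
        verdict = "allow" if policy["allow_unknown"] else "block"
        return (verdict, None, "uncategorized")
    if category in policy["allowed_categories"]:
        return ("allow", category, "category allowed")
    return ("block", category, "category blocked")


def log_line(user, url, policy=POLICY):
    """Format one filter-log record; these records are what a reviewer would
    later use to spot unusual access patterns."""
    verdict, category, reason = decide(url, policy)
    return f"user={user} url={url} category={category or '-'} verdict={verdict} reason={reason}"


if __name__ == "__main__":
    # Constructed sample requests.
    for user, url in [("jill", "https://m.facebook.com/photos"),
                      ("jill", "http://notfacebook.com/"),
                      ("jack", "https://www.fdic.gov/"),
                      ("jack", "http:///")]:
        print(log_line(user, url))
```

Two points a practitioner would check before relying on logic like this: the filter can only act on a hostname it actually sees, so for HTTPS the proxy must observe the `CONNECT` target or TLS SNI (or terminate TLS); and the "offsite" coverage the bullet mentions comes from the endpoint's proxy configuration forcing traffic through this decision point, not from the decision code itself.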

Remember, a chain is only as strong as the weakest link. With "always on" social media, the weakest link may well be your employees.