Social networking sites like Facebook, MySpace, Twitter, and LinkedIn are a topic on everybody's lips today. Our kids communicate with them; our customers are on them; our employees request them, but how do they fit into my bank's strategic plan, and what are the risks associated with these sites? In this article, we will look at the security and technology concerns related to social networking sites.
Each year, McAfee Labs produces a Threat Predictions report listing the top threats they forecast for the coming year. This year, McAfee listed social networking threats as the top two in their report: "1.) Social networking sites such as Facebook will face more sophisticated threats as the number of users grows. 2.) The explosion of applications on Facebook and other services will be an ideal vector for cybercriminals, who will take advantage of friends trusting friends to click links they might otherwise treat cautiously."
Let's take a look at some of the social networking-related threats banks face:
Currently, the biggest threat to many social networking sites are phishing attacks. These attacks are very successful because we tend to trust Facebook and Twitter more than we do traditional email (where we have seen phishing attacks originate from in the past). When one of our friends posts on our Facebook page or Tweets a link on Twitter, we are more likely to blindly follow the link or open the application and end up on a spoofed website or with malicious software installed on our computer.
Based on Microsoft Security Intelligence Reports, phishing attack trends are moving from financial institutions to social networking sites. Prior to May 2009, the financial institution sector had always seen the largest percentage of attacks (usually over 50% of phishing attacks would be targeted at financial institutions on any given month); however, since May 2009, social networking sites have seen more phishing attacks each month. The last half of 2009 showed three months where social networking sites received more than 70% of all phishing attacks. This is a very dramatic shift in attack trends over a relatively short period of time.
In examining these statistics, I doubt the attackers have decided to stop going after the money (financial institutions). Instead, I think financial institutions have done a good job of stopping many of the traditional attack avenues (e.g. phishing emails directly to the bank), so the attacks are finding new vectors we have not addressed as well (e.g. social networking sites).
Due to the integration (or I like to refer to it as collision) of social networking sites and business applications, we are beginning to see a new threat emerge from social networking sites... reputation risk. For example, Outlook 2010 released with a new "feature" that allows you to integrate your email with social networking sites like LinkedIn, MySpace, and soon-to-be Facebook. So, when you receive an email, it will pull the person's picture and status updates from these sites and display them at the bottom of the email. It integrates the information from the social networking sites based on the email address listed on each account.
What does this mean for your bank? Let's say you have a Loan Officer that is using his bank email address for MySpace or Facebook; we will call him Sam. Sam uses a questionable picture for his MySpace profile and over the weekend posted an offensive statement as his status update. Then, on Monday morning, he sends an email to one of your best customers who has just upgraded to Outlook 2010. When the customer opens the bank email, he sees the profile picture of Sam and his offensive statement.
Footprinting & Information Gathering
If we create a bank social networking site (on Facebook or Twitter), many of our "friends" or "fans" will likely be our customers. This makes it much easier for attackers to gather information about who our customers are and, therefore, makes it easier for them to send targeted phishing attacks (spear phishing) against our customers.
In addition, if our employees include work information on their personal profiles, this information can be used by attackers to successfully implement social engineering and spear phishing attacks.
There is a risk in not addressing social networking sites at all. In the 90's, many banks did not go out and quickly reserve an Internet domain name for their bank (e.g. www.bankname.com). This is because they either did not foresee or consider the business value of the Internet. Ultimately, by not seeing the purchase of an Internet domain name as a strategic objective, many banks ended up with domain names that are less than ideal (e.g. www.banknameonline.net).
Right now, it is debatable whether Facebook, LinkedIn, or other social networking sites will have significant business value; however, there is risk in not considering them in our strategic planning. At a minimum, we should consider reserving the domain name for key social networking sites (like Facebook and Twitter) and taking ownership of bank business accounts on sites like LinkedIn where many business accounts are already present. To register your bank name on Facebook, you must first create a page and have 25 fans. Then, an administrator of the page can go to www.facebook.com/username to select a name (e.g. www.facebook.com/bank.name). For Twitter, the name with which you set up the account becomes your domain address (e.g. www.twitter.com/bankname). Most banks already have accounts on LinkedIn; they just need to be managed. You can do a search for your bank on LinkedIn by going to www.linkedin.com/companies.
Compliance & Privacy Risk
Right now there is not a lot of regulatory guidance regarding social networking sites; however, I am sure applicable FILs and Bulletins are coming in the near future. For now, general compliance and privacy rules and guidelines should be applied to social networking sites in determining risks and controls.
What are other banks doing?
During a training event sponsored by CoNetrix on April 28, 2010, we asked more than 80 bankers questions about social networking controls. Of those surveyed, 23% said they had a bank Facebook account and 15% said they had a bank Twitter account. However, when asked if they had personal accounts, 75% said they had a personal social networking account (with Facebook being the most popular at 68%). When asked how banks were managing and controlling social networking sites, only 7% said they had conducted a formal risk assessment. In addition, only 21% said they addressed social networking in their policies with only 14% requiring employees to sign off on the policy.
What are some controls I should consider?
Many institutions are implementing technical controls to keep employees from accessing social networking sites while on the bank network. For example, during the survey we conducted on April 28th, 71% of banks said they currently restrict social networking sites through some sort of technical controls (e.g. web filtering). This at least helps protect bank systems from many attacks while employees are connected on the bank network; however, most technical controls do not address mobile devices, like laptops, when they leave the bank network.
Policies and Procedures
Social networking sites need to be clearly addressed in bank policies and procedures. Your policy should identify whether you plan to have a bank social networking site and, if so, what sites the bank will maintain and how. It should state whether or not your employees are allowed to access social networking sites on bank systems or during bank hours and, if so, which ones and with what restrictions or guidelines. You also need to make a decision on allowing bank employees to use their bank email address on social networking sites, or even if they are allowed to mention the bank on these sites. Finally, you need to make sure these decisions are rolled into the Acceptable Usage Policy (AUP) signed by all employees.
What Should I Do?
- Get Educated - treat social networks like any other risk and/or opportunity.
- Conduct a formal Risk Assessment.
- Make a Plan - at a minimum, monitor.
- Define Controls – both policy and technical.
- Regularly Review - these sites are changing frequently; we must schedule time to regularly review the risks and our controls to ensure we are staying on top of security concerns.