Social networking security still a gray area for some customers

While there are many companies today that have embraced the use of social networking sites, there are still some that are skeptical. No matter how customers view social networking, there are some inherent security issues that need to be addressed. VARs and solution providers can help educate customers about social networking security.

Social networking security is an emerging business opportunity that VARs are well-positioned to support, both with technology and consulting and management services. Not only is social networking an often-underestimated threat to corporate information security, but it's also an alluring target that creative attackers are increasingly attempting to exploit.

The popularity of social networking has exploded during the past two years, for reasons such as reconnecting with old friends or meeting new ones on Facebook and Myspace, trading short messages on Twitter or sharing links and recommending content on Digg. Facebook, for example, reported 300 million users in September 2009, a membership number that has tripled in about a year.

Amid that growth, social networks have realized the need to improve the security of their infrastructures. They have invested heavily in recent months in network traffic anomaly systems, which monitor out-of-control Web applications, and other security tools that scan user-generated pages for malicious content. Additionally, Facebook recently inked a deal with McAfee Inc. to beef up its account-remediation process with a free malware-scanning tool, as well as provide antimalware software to its users.

While some organizations have realized that social networking technology can represent a unique opportunity for business-centric collaboration among employees, most companies don't know quite what to make of social networking sites. Many organizations either ban them completely, concerned about productivity, acceptable use policy and security, or ignore them, unable or unwilling to directly address the risks that come with enterprise-wide social networking.

Cybercriminals have noticed these social networking trends and the reassuring trust users have when a "friend" sends them a link on YouTube, an exchange that often results in a Trojan being planted on their computer. Social networking-borne spam, phishing attacks and account hijackings are becoming more prevalent. The social networking worm Koobface began spreading through Facebook in 2008, and new versions of Koobface have propagated on Facebook, Twitter and elsewhere this year.

"History teaches us that the same types of threats are just going to migrate over to new technology," said Dave Marcus, director of research communications for Santa Clara, Calif.-based McAfee Inc.'s Avert Labs.

For that reason, experts say there's an emerging opportunity for VARs to help customers understand both the benefits and the risks associated with social networking, develop policies around its use and deploy the technologies and processes needed to enforce those policies.

Peter Firstbrook, research director for Stamford, Conn.-based analyst firm Gartner Inc., said social networking presents three main areas of risk that VARs can help customers address:

Malicious content -- Social networking users can easily introduce and spread malware to users' friends and followers.

Marcus said one common scenario used to spread malware is fake friend requests. Scammers set up fake profiles and trick victims into adding them as "friends," using that false trust to get others to click on malicious links or download malware-laden files.

"Users are clamoring for [social networking] without realizing it's a new window for malware," Marcus said. "There's a cornucopia of threats to get in unless you are watching correctly." Marcus said antimalware suites that are updated frequently are important to help mitigate the risk posed by malicious content, and that AV practice is something VARs can easily remind customers of and help with when needed.

Productivity -- Some say the more time enterprise workers spend using social networking tools, the less time they spend doing actual work. However, others believe the enhanced communications tools enable workers, especially younger employees, to do their jobs better.

Firstbrook said while it's unclear exactly how social networking usage will grow and evolve within enterprises, it would be foolish to assume it won't affect the way employees, customers and businesses communicate.

"I would also argue that the fears of a productivity drain are also exaggerated and that blocking social networking will not automatically make a non-productive employee productive," Firstbrook said. "They aren't going to suddenly get down to work simply because Facebook is blocked. Good management style measures employee and business output, not input."

To that end, solution providers can help customers develop acceptable use policies for social networking. Firstbrook said the best bet would be to start the policy brainstorming process with studies that illustrate the pros and cons of social networking use, and let the findings dictate policy development.


Data leakage -- Many companies already struggle to come to grips with the many ways credit card numbers, patient information and other sensitive data can leak out of an organization, and social networking represents yet another potential exit point.

"This is a two-way medium," Firstbrook said. "They can say and do stupid things, and you don't know what they are saying and doing."

Experts say good social networking security starts with organizational policy, but technology can help too. Some of the most effective technologies may already be in place, including desktop antimalware, Web security gateways and data loss prevention.

Technology, though, works in tandem with sound policy. Firstbrook said social networking represents just one subset of a growing number of Web tools -- including blogs, wikis, chat rooms, instant messaging, webmail and hosted applications -- that can easily leak sensitive data, and data loss concerns from these risk vectors must be addressed by a comprehensive data management and protection policy.

Given these realities, VARs can help customers with technology and policy guidance regardless of how they want to address social networking as a business.

Technology partners can bring their experience to bear, said John Yoon, senior marketing vice president for Sandy, Utah-based Web security vendor Cymphonix Corp.

"It's not just a box sale. It's not just about blocking websites," he said. "It requires customization; it requires understanding the business."

Yoon recommends using Web security technology to perform an initial assessment of the extent to which an organization's users utilize social networking services and the sort of data leaving the organization's network. That way, the customer understands the extent of the risk and the effectiveness of existing controls. From that point, VARs can offer consulting services around social networking and other Web usage based on the organization's risk exposure. Another opportunity for VARs lies in ongoing management of the implemented security technologies.

"From a process standpoint, it's all about educating companies about the risks and benefits of social networking," Firstbrook said. "From a technical perspective, it's educating them about the need to implement better controls around the Web gateway."

Senior Site Editor Eric B. Parizo contributed to this article.
