The unbridled use of social media in the workplace represents a growing area of risk to an organization's information security posture. Social media networks present two distinct attack vectors: information leakage and false trust.
Hackers, red teams and experienced penetration testers have used OSINT (open source intelligence style information gathering) for years. But now that social media use has reached critical mass, it is relatively simple to garner information about your company's employees, your organization and even your IT infrastructure. Using social profiles, information parsed from tweets, business directories, job postings, etc., cybercriminals can put together a complete dossier on employees of a target company without any 'real' hacking.
Employees most often use social media both at home and at the workplace without differentiating between the two. On social media networks, users create profiles, manage privacy settings, and grant permission to who can and can't view their profiles. This creates a false sense of trust, where an individual feels comfortable disclosing detailed personal information about their life whether it be regarding relationships, issues at work, contact info, travels plans, likes and dislikes.
In addition, because they believe they are within a "walled garden," they are more apt to click on unknown links (because they are recommended by a "friend.") Link shorteners can heighten the risk as a full executable string can hide behind what appears to be an innocuous link. Clicking on an unverified link is a risk that could lead to a full system compromise if a malicious website is behind it and there is potential for the introduction of viruses and malware to the organization's network.
The complete list of threats and vulnerabilities from social media in the workplace is long. Other examples include: phishing attacks, disclosure of private company info, brand/reputational damage, harassment and privacy violations.
Social media is not going away. More likely, the number of users and time spent on social networks will continue to rise exponentially, and your security risk will rise with it. Here's what you can do about it.
5 Tips to Improve Security Against Social Media Threats
1. Determine if social media use is necessary for your business. The security risk that social media presents for a company is significant. Whether or not to allow its use in the workplace is really a question of risk vs. benefit. If banning it outright seems too Draconina, consider limiting use to only the people that need it to perform their job function.
2. Provide training and security awareness to employees. This should include policies and procedures such as personal use in/out of the workplace, business use, nondisclosure of business content, and disallowed activities (installing apps, playing games, etc).
3. Use content monitoring technologies
4. Encourage URL lengthening tools like TinyURL to decode and verify shortened links.
5. Keep your hardware, software, anti-virus, and critical security patches up to date.
Written by Jenn Miller for Redspin, Inc.
Check out our information security blog http://www.redspin.com/blog
About Redspin
Redspin delivers the highest quality information security assessments through technical expertise, business acumen and objectivity. Redspin customers include leading companies in areas such as healthcare, financial services and hotels, casinos and resorts as well as retailers and technology providers. Some of the largest communications providers and commercial banks rely upon Redspin to provide an effective technical solution tailored to their business context, allowing them to reduce risk, maintain compliance and increase the value of their business unit and IT portfolios.
Contact - info@redspin.com
Hi nice blog, very informative for me, Thanks!
ReplyDelete