Wednesday, December 15, 2010

Social Media and Information Security

Wikipedia defines information security as the process by which information is protected from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. When it comes to the Internet, information is generally secured through mechanisms such as login ID and password. Social media presents significant challenges to ensuring adequate information security not because of the technology but because of the habits of social media users. As described below, social media does not introduce threats that are social media-specific. Instead, social media makes the existing threats more effective because users are less vigilant.

If there is one overall benefit that social media has brought to bear, it is that social media has made us all more open and willing to share. There is much to be said about a society that values trust, openness and sharing. Through social media, users are increasingly sharing more and more of themselves. From family photos to what they’re buying, reading or eating to where they’re currently located as well as what exactly they’re doing there. Prior to social media the world was a place made of personal silos where people were more than satisfied keeping their private lives private. Once social media became broadly adopted the world generally became a more open society. In the grand scheme of human relations, this is surely a positive outcome.

Unfortunately, no good deed goes unpunished. And social media’s effect on society is no exception. While society has become more transparent in its online interactions, social media users have also become too trusting. Since most social media interactions are conducted with trusted parties such as friends, classmates, co-workers and other known persons, social media users tend to lower their guard when interacting on social media platforms. As such, social media platforms have become extremely attractive to criminals that seek to exploit the trusting nature of social media users. Further, the fact that millions of users congregate on these sites daily, provides an attractive return on investment for the criminal element. As a result, social media users are at a greater risk of exposure to the exploits of criminals. Internet security experts at Kaspersky Lab (http://usa.kaspersky.com) believe that malicious code distributed through social media is up to ten times more effective than similar attacks using e-mail.

A social media user’s confidential personal information includes everything from passwords to social security numbers to birth dates to items such as mother’s maiden name. This information is regarded as the Holy Grail to criminals who seek to takeover a user’s identity or account. In today’s digital age, this information is maintained by many organizations, including social media platforms. Through the use of sophisticated software programs such as keyloggers and techniques such as phishing attacks, criminals can easily gain access to the social media credentials (ID and password) of their victims. Once they gain access to a social media account, the criminals may deploy various strategies to carry out their plans. For example, it is commonly known that people use the same password for multiple computer systems. As such, once a criminal has access to a single social media account, the criminal may use the same credentials to attempt to access other social media accounts, online banking accounts, corporate computer systems, etc.

Another approach that may be taken by criminals is to use a hijacked social media account to gain access to other users’ accounts by sending a message from the hijacked account to the accounts of people within the hijacked user’s social network with the intent of tricking those individuals into visiting Web sites that install malicious software utilized to steal the login IDs and passwords. These information security breaches are generally successful for two main reasons – users assuming that messages sent within the social media platforms are legitimate and users not understanding how their actions can be exploited by criminals. While the techniques may differ, the goal is generally the same – to gain access to social media accounts that contain valuable information that the criminals can use for financial gain.

A complete discussion of information security is beyond the scope of this book. What is important to note from the perspective of developing an effective social media policy is that social media poses information security risk just as any other Internet-based application. The ultimate question regarding information security is whether organizations with large workforces can reasonably expect to protect themselves from the criminal element that seeks to exploit social media. The short answer is, “it depends.” Organizations can best protect themselves by not becoming the “low hanging fruit.” Ultimately it comes down to assessing the risk, mitigating the risk, training the staff and monitoring the results. All of which should be described in a formal written social media policy.

1 comment: