Towards the end of 2011, the McKinsey Global Institute released “How social technologies are extending the organization.” According to the survey, companies are increasingly seeing the benefits of using social technologies both for internal and external purposes – for example, communicating with customers or for integration with partners and suppliers. What is the security impact of this trend? What should security teams think about?
Security Issue #1: It’s all about sharing
Some companies that enter the social arena also try to use these tools as collaboration suites for internal, sensitive business data, which of course requires different levels of access control. This awkward approach of using a sharing platform to restrict data will surely yield data breaches. The problem is not flawed access controls or privacy mechanisms; rather, this self-contradictory approach tries to set boundaries on a platform that is inherently all about sharing. Instead, organizations should keep the operational copy of all their data in a business system that provides decent access controls. The data that is to be made public can then be exported and posted to the social network. In this manner, restricted information stays inside the business systems (regardless of whether they are on premise or in the cloud), while public information is retrieved from them and published on the social platform.
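The export step described above is the one place where a control can be enforced. The following is an added example, not code from the original post: a small publish gate in Python that only lets records classified as public leave the system of record, and projects them onto an allowlist of fields so that anything else riding along on the record is dropped. The classification labels, field names and sample records are constructed assumptions.

```python
"""Publish gate (added example): only records classified as public, projected
onto an allowlist of fields, ever leave the system of record for the social
platform. The classification scheme and field names are assumptions."""
from dataclasses import dataclass

PUBLIC, INTERNAL, RESTRICTED = "public", "internal", "restricted"

# Deny by default: a field is exported only if it is listed here.
EXPORTABLE_FIELDS = {"title", "body", "published_on"}


@dataclass
class Record:
    record_id: str
    classification: str
    fields: dict


class PublishError(Exception):
    """Raised when a record must not be published."""


def export_for_social(record):
    """Return the subset of a public record that may be posted externally."""
    if record.classification != PUBLIC:
        raise PublishError(
            f"{record.record_id}: classification {record.classification!r} is not public")
    # Allowlist projection drops anything not explicitly marked exportable
    # (e.g. an author's e-mail that rode along on the record).
    return {k: v for k, v in record.fields.items() if k in EXPORTABLE_FIELDS}


def publish_batch(records):
    """Split a batch into posts ready for the social platform and rejections."""
    posts, rejections = [], []
    for rec in records:
        try:
            posts.append((rec.record_id, export_for_social(rec)))
        except PublishError as err:
            rejections.append(str(err))
    return posts, rejections


# Constructed sample records; nothing here comes from a real system.
SAMPLE_RECORDS = [
    Record("pr-1", PUBLIC, {"title": "Q4 release", "body": "New features...",
                            "published_on": "2012-01-10",
                            "author_email": "pr@corp.example"}),
    Record("deal-7", RESTRICTED, {"title": "Acquisition terms", "body": "Confidential"}),
    Record("memo-3", INTERNAL, {"title": "Org chart", "body": "Internal only"}),
]

if __name__ == "__main__":
    posts, rejections = publish_batch(SAMPLE_RECORDS)
    for rid, payload in posts:
        print("POST", rid, payload)
    for reason in rejections:
        print("REJECT", reason)
```

The point of the allowlist is that the social platform never has to be trusted to hide anything: a record that is not public is refused outright, and even a public record is reduced to the fields that were deliberately marked for export.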
Security Issue #2: It’s an open party
Another problem is the lack of control over interactions with members of the social platform. In the real world, we choose with whom to socialize, and where. We don't have this type of control in the cyber-world: in the online social scene, anyone can get away with comment spam, defamation, false claims and bad language. A company targeted by this type of vandalism suffers brand-name erosion. Consequently, the followers of the business – those individuals for whom the company entered the social sphere to begin with – are quick to leave the party.
Organizations need to ensure that their social environment is kept clean. Sustaining this practice is absolutely necessary, although not an easy task, since it requires resources proportionate to the popularity of the business. Chores include sifting and sanitizing comments, as well as close engagement with the social network in cases of defamation.
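Sifting comments by hand does not scale with popularity, so the usual approach is to score incoming comments and have a person review the flagged ones first. The following is an added example, not code from the original post: a Python triage function that applies a few simple signals (link density, duplicate text across posts, a blocklisted-term check and posting bursts from one account) to a constructed batch of comments. The thresholds, the blocklist and the sample comments are illustrative assumptions.

```python
"""Comment triage (added example): score incoming comments on a brand page with
a few simple signals so that a human can review the flagged ones first.
The thresholds and the blocklist are illustrative assumptions."""
import re
from collections import Counter, defaultdict

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
WORD_RE = re.compile(r"[a-z']+")
BLOCKLIST = {"scam", "fraudsters"}  # constructed; a real list would be curated


def normalize(text):
    """Strip URLs and whitespace noise so near-identical spam compares equal."""
    return re.sub(r"\s+", " ", URL_RE.sub("", text)).strip().lower()


def triage(comments, max_links=1, dup_threshold=2, burst_limit=3, burst_window=60):
    """comments: list of dicts with id, user, ts (seconds) and text.
    Returns {comment_id: sorted list of reasons} for every flagged comment."""
    reasons = defaultdict(set)
    text_counts = Counter(normalize(c["text"]) for c in comments)
    by_user = defaultdict(list)
    for c in comments:
        by_user[c["user"]].append(c["ts"])

    for c in comments:
        cid = c["id"]
        if len(URL_RE.findall(c["text"])) > max_links:
            reasons[cid].add("too many links")
        if text_counts[normalize(c["text"])] >= dup_threshold:
            reasons[cid].add("duplicate text")
        if set(WORD_RE.findall(c["text"].lower())) & BLOCKLIST:
            reasons[cid].add("blocklisted term")
        # Posting burst: the same account posted burst_limit or more comments
        # within burst_window seconds of this one.
        nearby = sum(1 for t in by_user[c["user"]] if abs(t - c["ts"]) <= burst_window)
        if nearby >= burst_limit:
            reasons[cid].add("posting burst")
    return {cid: sorted(r) for cid, r in reasons.items()}


# Constructed sample comments (not real user data).
SAMPLE_COMMENTS = [
    {"id": "c1", "user": "alice", "ts": 0, "text": "Love the new release, thanks!"},
    {"id": "c2", "user": "spam9", "ts": 5, "text": "Cheap watches http://a.example http://b.example"},
    {"id": "c3", "user": "spam9", "ts": 10, "text": "Cheap watches http://a.example http://b.example"},
    {"id": "c4", "user": "spam9", "ts": 15, "text": "Cheap watches http://c.example"},
    {"id": "c5", "user": "bob", "ts": 100, "text": "This company is a scam"},
    {"id": "c6", "user": "alice", "ts": 200, "text": "Any update on the roadmap?"},
]

if __name__ == "__main__":
    for cid, why in triage(SAMPLE_COMMENTS).items():
        print(cid, why)
```

Note that a blocklist hit such as the "scam" comment is a reason for review, not for deletion: a genuine complaint and a defamatory one can use the same words, and which one it is remains a human decision.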
Security Issue #3: You are only who you say you are
The third inherent issue of social networks is the lack of trust and proper identification. For businesses this means that the social platforms do not provide a solid way to tell the real owner of a brand apart from impostors and imitators who try to take advantage of a specific brand's popularity, to abuse or erode it. At the other end, it is not possible to verify the identity of message writers, and there are no real tools to evaluate the trustworthiness of messages or their content.
Social Media and Security Meet Automation
Failure to recognize these concepts on which social networks are built can lead to general brand erosion or to attack campaigns targeted against the enterprise's social circle. Combined with the increasing use of automation, the organization becomes prone to social-network mayhem. The past year has offered a number of examples of how attackers' use of automation is picking up on social networks:
• In February 2011, the Lovely-Faces.com website displayed 250,000 user profiles that had been scraped from Facebook. The Lovely-Faces.com creators used an automated “Facebot” to scrape one million profiles into a Face-to-Facebook database. The Facebook profile photos were then analyzed by facial-recognition software to classify users into categories such as “easy going,” “smug,” “climber,” “sly,” and “funny,” and the users were showcased on the Lovely-Faces.com website.
• In mid-2011, Cyworld – a South Korean social network boasting about 35 million users – was hacked. The attackers got away with a lot of personal data on South Korean residents, including phone numbers and addresses. This incident clearly highlights the value of the data that can be found on social networks. While the social network claimed that foreign governments were behind the hack, it goes to show that such data is a prime target not only for commercial hackers but also for governments interested in gathering information on the citizens of any given country.
• In September 2011, another group demonstrated an application called FBpwn that automates the process of “friending.” It was released as a proof of concept for automating the theft of personal data: it collects all personal information, including photos, from those who accept the friendship request. The tool became popular instantly, with about 5K downloads within the first week of its release.
• As recently as two months ago, a group of researchers demonstrated the power of “social botnets”: small arrays of scripts that pass themselves off as real people. These accounts can automatically grow a network of friends among real accounts. The researchers ended up harvesting 250GB of personal information within just 8 weeks. Interestingly, Facebook does have defenses against this type of automation, called the Facebook Immune System; however, the researchers were able to bypass these automation-detection mechanisms by slowing down their scripts.
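The last item shows why a detector that only thresholds request rate is fragile: a script that slows down drops below the threshold while behaving exactly as before. The following is an added example, not code from the original post and not a description of how the Facebook Immune System actually works: a Python classifier over per-account friend-request timestamps that combines a rate check with a timing-regularity check (coefficient of variation of the inter-request gaps), so that a slowed-down but metronome-like script is still flagged. The thresholds, the regularity heuristic and the three constructed timelines are illustrative assumptions.

```python
"""Automation signals (added example): a detector that only thresholds request
rate is defeated by a script that simply slows down, so this also looks at how
regular the timing is. Thresholds and the regularity heuristic are illustrative
assumptions, not a description of any platform's real detector."""
import statistics
from itertools import accumulate


def features(timestamps):
    """Per-account features from friend-request timestamps (seconds)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    span_hours = (ts[-1] - ts[0]) / 3600 if len(ts) > 1 else 0.0
    rate = len(ts) / span_hours if span_hours else float(len(ts))
    mean_gap = statistics.fmean(gaps) if gaps else 0.0
    # Coefficient of variation of the inter-request gaps: near 0 means
    # metronome-like timing, which humans rarely produce.
    gap_cv = statistics.pstdev(gaps) / mean_gap if gaps and mean_gap else 0.0
    return {"count": len(ts), "rate_per_hour": rate, "gap_cv": gap_cv}


def classify(timestamps, max_rate=30.0, min_events=10, max_cv=0.05):
    """Return the list of signals that fire for one account (empty = no flag)."""
    f = features(timestamps)
    signals = []
    if f["rate_per_hour"] > max_rate:
        signals.append("rate")
    if f["count"] >= min_events and f["gap_cv"] < max_cv:
        signals.append("regular timing")
    return signals


# Constructed timelines (seconds since first observation), not real data.
FAST_BOT = [i * 10 for i in range(100)]     # one request every 10 s
SLOW_BOT = [i * 1800 for i in range(50)]    # one request every 30 min
HUMAN = list(accumulate([0, 40, 900, 5, 3600, 120, 60, 7200, 30, 600, 15, 250, 4000]))

if __name__ == "__main__":
    for name, timeline in [("fast bot", FAST_BOT), ("slow bot", SLOW_BOT), ("human", HUMAN)]:
        print(name, features(timeline), classify(timeline))
```

The slow timeline stays well under the rate threshold and would pass a rate-only check, which is the evasion the researchers used; the regularity signal catches it because the gaps are identical. In practice a real detector would combine several such signals (acceptance ratio, profile age, content similarity) rather than rely on timing alone, since a script can also randomize its delays.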
The Right Solution: A void space
Social media platform providers are attempting to fight issues such as automation and fake accounts from within, for example with the aforementioned Immune System project. Google+ has a “verified identity” feature that allows brands, celebrities and generally heavily-followed people to verify their profile. However, these initiatives are still quite immature, and there is a clear conflict of interest between social networks' attempts to remove fake accounts and their desire to show constant growth.
To correctly address these problems, solutions must be incorporated into existing platforms by the enterprises themselves. These third-party solutions should offer trust and data control services over the social media platform. I don't believe such a solution exists, which leaves a void space ripe for research. If any of you have such ideas, there is no better time than the present to start tackling the problem.