Hacking The Social Butterfly: Why Social Networking Continues to Threaten Companies

Social media can be a useful tool in promoting a company name. Used properly, the potential for marketing and increasing business is substantial. But, what about employee access to social media sites? Every day, employees on their breaks or during working hours use social media sites like Facebook, Twitter, MySpace, ICQ, wikis and photo-and video-sharing services. These are among the Internet’s fastest growing sites – perhaps more popular than personal email. Websites like LinkedIn can link sales representatives to a contact list, thereby expanding networks and reaching prospects.

Dangers of Social Networking

IT security personnel are keenly aware of the explosion of social networking because of the risk it poses to a company’s network security and privacy. Basically, in today’s socially connected workplace, information flows freely between employees and online friends. The line between an employee’s personal life and his or her work life is blurry, and in that blur zone lurks the hacker, hoping for some sensitive data.

Executive officers and IT security personnel are still questioning who has legal ownership of information on social sites. Legal experts suggest that everything said or sent, in official business or by an employee chatting with a friend or family member, becomes the property of the network site.

But, what about the data posted using a company computer, iPhone or Smartphone? Is the business held legally accountable?

While companies work out those legalities, hackers are joyfully phishing their social networks.

A hack through a social media site is effective. Let’s say you are on Facebook and a message with a link from a known and trusted friend or co-worker appears. The message could say something like, “Great company party and I spoke with your boss about working with the company. Can you tell me about him?” Once you click the link, you unknowingly invite malware to invade your browser and get into the network.

It is difficult to avoid this trap. By design, social media is flexible, and its Web 2.0 platforms have a history of being easy to exploit.

Social engineering and phishing become simple. The result is data or identity theft. It is easy because we are friendly by nature. We want to talk with people. We want to share. When it comes to strangers we meet on the street, however, we may abide by the old saying, “never talk to strangers.” Yet, for some reason, this doesn’t apply to social networking.

While most people would not divulge certain details to strangers, it is amazing what information they’ll share through social networking. Social networking sites are attracting hackers because of this phenomenon, and the hackers come armed with all kinds of malware, such as spyware, viruses and online scams.

What can businesses do?

There are options, from the complete banning of sites to limited access. In extreme cases, a company could block all Internet connectivity. This may not be feasible, given that the Internet is crucial to most company operations. For companies that use social networking for business, their employees often play a role in that effort, so blocking access would make no economic sense.

The next option is to allow employees unrestricted access, confident that they will only use it during their lunch break. A company that is confident in its employees could use the honor system and trust that they would not download material onto the network. It is a high-risk move, given that employees are, in some cases, later discovered to be at the heart of a hack.

So, both options can backfire.

The middle ground monitors all activity. A company can control the use of social media and decide when authorized people can access it at the office. In the case of a large Montreal accounting firm, office computers were marked for “Authorized Social Networking personnel.” The rest of the workstations had social networking “blocks.” Junior accountants were not permitted past the building’s security after 7 p.m. without permission from a senior executive. Senior executives were not permitted after 8 p.m., and no one was permitted to start work before 7 a.m.

Security shouldn’t stop there.

Those who are permitted access to social networking for company use need to be educated on hacker techniques, like phishing. Given that hackers are finding new ways to install their malware, corporate social networkers should receive updated training on how to defend against hackers.

Some companies may feel the need to use Web monitoring software to block access during the day. The same software can be used to ensure that all links or files downloaded are checked.
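As an added illustration of the middle-ground policy described above (this fragment is not from the column), here is a minimal Squid proxy configuration: workstations assigned to authorized social networking personnel reach the sites at any time, every other workstation is blocked during the working day, and every decision is written to the access log for monitoring. The IP addresses, domain list and hours are assumed placeholders.

```conf
# Added example: squid.conf fragment for a "middle ground" social media policy.
# Assumed values: workstation addresses, site list and hours are placeholders.

# Internal network (assumed range)
acl localnet src 10.0.0.0/8

# Social networking destinations; a leading dot also matches subdomains
acl social dstdomain .facebook.com .twitter.com .linkedin.com

# Workstations marked for authorized social networking personnel (assumed)
acl social_ws src 10.0.5.10 10.0.5.11

# Working day: Monday-Friday 07:00-19:00 (assumed; in Squid, H = Thursday)
acl workhours time MTWHF 07:00-19:00

# Every allow/deny decision is logged, which is the "monitoring" part
access_log /var/log/squid/access.log squid

# Authorized workstations may use the sites at any time
http_access allow social social_ws

# All other workstations are blocked during the working day ...
http_access deny social workhours

# ... and permitted outside it (lunch-break windows are local policy)
http_access allow social localnet

# Remaining traffic falls through to the site's normal rules
http_access allow localnet
http_access deny all
```

Squid evaluates http_access lines in order and stops at the first match, so the authorized-workstation allow must precede the working-hours deny.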

If a company wants to make use of a social networking profile for marketing purposes, access should be given to those who will be updating the company profile, and all information and content should be monitored.

And it isn’t getting easier.

According to a Nielsen report entitled “Global Faces and Networked Places”, two-thirds of the world’s Internet population visits social networking or blogging sites, accounting for almost 10 percent of all Internet time. That figure is likely to grow. The report goes on to say that the time spent on social networks and blogging sites is growing at more than three times the rate of overall Internet growth.

Hackers are attracted to social networking sites, and as socializing on the Internet increases, we can imagine that hackers will be behind every message. It’s phishing 101, and it is appealing because of the ease with which one can launch spam and malware attacks.

If a company wants to make the most of social networking, it needs to be aware of the security risks in order to stay ahead of the hackers.

Terry Cutler is a co-founder of Digital Locksmiths, an IT security and data defense firm based in Montreal, and serves as the company's Chief Technology Officer and Certified Ethical Hacker. Prior to joining Digital Locksmiths, he was a Premium Support Engineer for Novell in Canada, where he analyzed network vulnerabilities and transitioned security technologies into production. In addition to being a licensed private investigator in Canada, Terry is an internationally known author, trainer, speaker, and security consultant. Terry has appeared in numerous national television and radio programs and is very active on the conference circuit. Follow Terry on Twitter at @TerryPCutler