Social Engineering or Social Networking

New Dimensions in Employee Activity - developing a rapid response

Mark McDonagh, CISSP, CISA, Security Expert at Netfort Technologies, considers three aspects of this issue currently capturing media attention: productivity, security and bandwidth utilization. He offers pragmatic guidance on responding to these challenges.

Productivity - this area has generally received the most focus. Estimates put the loss at 233 million man-hours a month through employees ‘wasting time’ on the internet; as one employment law firm puts it, “this results in UK firms losing more than £130 million a day from employees, who are supposed to be working, wasting time visiting social networking sites such as Facebook, or MySpace”.

Internet security company SurfControl looked at the phenomenon, and found workers who keep a close watch on their Facebook profile page were costing their employers up to £2 billion a year.

In more liberal environs, such as education, we are seeing an externality of this behavior: computing resources are consumed by students using social networking sites, limiting or preventing “fair” utilization by other users. Certain education providers have now blocked access from LAN-connected resources to ensure fair distribution of resources; the merits of this response are considered later.

Security - we are only starting to see the impact of a new generation of security management concerns. The threats posed are multi-level, and the social engineering attacks that exploit them are only starting to gain momentum.

The mass worldwide take-up of high-speed, always-on broadband and wireless communications is facilitating the breakdown of traditional boundaries: within organizations, between departments, and between personal and business network activity.

Recent Research from Sophos shows that- "41% of Facebook users are willing to disclose personal information to complete strangers. Details such as employment history and mobile phone numbers found on Facebook could be used to launch corporate phishing attacks, security experts warn."

“We need new solutions that recognize that the old methods of avoiding security risks from inappropriate employee behavior - i.e. place physical barriers around sensitive information and critical processes - are no longer effective and need to be replaced by a richer, more intelligent approach that can monitor and adapt to the increasingly empowered lifestyle of contemporary business executives” (David Lacey, The Institute for Information Security Professionals & Jericho Forum).

Password Protected? Vulnerability to the involuntary exposure of passwords is a big problem. Consider that 40% of people use the same password everywhere. If, for instance, a user's password is the name of their cat or street, and they post full address details and pictures of their pets on Facebook, it may be very easy for someone to gain access to company resources via the network or the user's desktop computer at work, simply by harvesting that information and guessing; the same profile details often answer password-reset security questions as well.
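To make the point above concrete, here is an added example (not Netfort's code or tooling) of the targeted guessing an attacker can run once a profile has leaked a pet name, street, town and birth year. The profile facts and passwords are constructed for the example; the hashing is plain SHA-256 for illustration only, and a real credential store should use a slow, salted hash such as bcrypt, scrypt or Argon2. Note that a slow hash makes each guess dearer but does nothing for a password that is only a few hundred guesses away.

```python
"""Targeted password guessing from profile data (added example, not Netfort code).

Shows why a password built from facts posted on a social-networking profile
(pet, street, town, birth year) falls to a tiny targeted wordlist. Profile
facts and passwords below are constructed. Hashes are unsalted SHA-256 purely
for illustration; use bcrypt/scrypt/Argon2 in a real credential store.
"""
import hashlib
import itertools
from typing import Dict, Iterator, Optional, Tuple

# Constructed profile: the kind of detail the text describes users posting openly.
PROFILE: Dict[str, str] = {
    "pet": "Tiddles",
    "street": "Orchard",
    "town": "Galway",
    "birth_year": "1979",
}

# Cheap mangling rules of the kind every wordlist generator applies.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2008", "08"]


def mangle(word: str) -> Iterator[str]:
    """Yield case and leet variants of a word with common suffixes appended."""
    bases = (word.lower(), word.capitalize(), word.upper(), word.lower().translate(LEET))
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix


def candidates(profile: Dict[str, str]) -> Iterator[str]:
    """Yield unique guesses derived from profile facts: single facts, fact+year,
    fact+fact, each passed through mangle()."""
    words = [v for v in profile.values() if not v.isdigit()]
    years = [v for v in profile.values() if v.isdigit()]
    stems = list(words)
    for w in words:
        for y in years:
            stems.append(w + y)        # Tiddles1979
            stems.append(w + y[-2:])   # Tiddles79
    for a, b in itertools.permutations(words, 2):
        stems.append(a + b)            # TiddlesOrchard
    seen = set()
    for stem in stems:
        for guess in mangle(stem):
            if guess not in seen:
                seen.add(guess)
                yield guess


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hash: str, profile: Dict[str, str], limit: int = 5000) -> Tuple[Optional[str], int]:
    """Try profile-derived guesses against a hash. Returns (password or None, guesses tried)."""
    tried = 0
    for guess in candidates(profile):
        if tried >= limit:
            break
        tried += 1
        if sha256_hex(guess) == target_hash:
            return guess, tried
    return None, tried


def wordlist_size(profile: Dict[str, str]) -> int:
    """Number of distinct guesses the profile yields (a few hundred, not millions)."""
    return sum(1 for _ in candidates(profile))


if __name__ == "__main__":
    print("wordlist size:", wordlist_size(PROFILE))
    for pw in ("Tiddles1", "Orchard79!", "correct-horse-battery"):
        found, n = crack(sha256_hex(pw), PROFILE)
        print(f"{pw!r}: {'recovered' if found else 'not found'} after {n} guesses")
```

The whole wordlist is under 500 entries, so "Tiddles1" and "Orchard79!" are recovered in a handful of guesses, while a passphrase unrelated to the profile is never generated at all. The defensive counterpart is a password policy that rejects candidates built from the user's own name, address and known personal details, and no reuse of the corporate password on external sites.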

“Facebook identity fraud” provides a particularly alarming scenario. It occurs when an attacker registers on Facebook under the identity of another person, allowing a known relationship to be exploited. For example, if an attacker saw an old school photo of the person they wished to target, they could create a Facebook account under the identity of a former classmate. The account could be used simply to glean information about the target, or the attacker could be more malicious and send the target a URL to a website hosting an exploit. The upshot is that social networking websites perform no proper validation of user identity.

Falling out of this are a whole range of other issues for employers and employees to bear in mind:

  • Usernames can be email addresses - is it really appropriate that these are users' corporate addresses?
  • Employers could have a good claim to ownership of employees' Facebook profiles if they are created in work time, potentially giving the employer user rights.

There is no routine validation of users. Personal information contained in profiles can be harvested by unscrupulous individuals, who can use it as the basis for scams, malicious attacks, or in the worst case by pedophiles to groom potential victims, often collecting small pieces of information at a time while slowly building up a bigger picture of their target without rousing suspicion. They can use multiple different identities to avoid detection.

Several worms, viruses and Trojans have targeted these sites, MySpace in particular. Hackers have also succeeded in manipulating user profiles and stealing user login information. This heightens the concern, noted earlier, that many users keep login information for their social networking sites identical to the login information they use for corporate network access: a credential stolen from a social site is then a credential for the corporate network.

Online Bullying and Harassment – a new threat

Many social networking sites include modules where users are encouraged to rate profiles they come across on the site. This relatively innocuous capability can lead to users being sent harmful comments, usually about personal pictures posted on the site, often relating to physical appearance or ethnic origin.

Offline bullying can be amplified online, due to the perception that there is a reduced likelihood of being caught and because bullies are not directly confronted by the consequences of their actions. Despite the perception, it is relatively easy to trace online bullies and the consequences of being identified can be very severe. Many online bullying activities are illegal and are frequently dealt with by the police.

Bandwidth

Social networking sites are also bandwidth hogs. The typical social networking page displays content from various sources on the Internet, much of it embedded video from sites such as youtube.com. Streaming and large downloads compete on equal terms with business traffic, so unless the Internet link applies traffic shaping or QoS, business-critical applications are deprived of bandwidth. The problem is exacerbated when remote offices connect to the Internet via leased lines through corporate headquarters, since every video stream then also consumes the leased line. Some organizations have gone so far as to block youtube.com.

Another consideration is that, by association, your organizational image could be damaged, for example, an employee could post pictures of her hen weekend and her profile automatically associates her with the company she works for.

The Solutions - Policy vs Blocking
– taking a collaborative approach

Acceptable Usage Policies (AUP)

Despite productivity, security and bandwidth concerns, fewer than half of IT managers recently polled ban employee use of consumer-oriented social networking Web sites such as Facebook and MySpace.

Overall, employers trust their staff "to do the right thing" and write dedicated policies to educate staff about the implications (especially for security) from a business and personal point of view.

The internet and email usage policy should be as comprehensive as possible, clearly setting out what the boundaries are:

  • What times these sites can be accessed
  • When they cannot be accessed
  • What can and cannot be posted on these external websites about your company or anything that would identify an employee of the company.

A well-drafted and widely communicated policy is essential. The Policy should say that any breaches would be a disciplinary offence and set out the potential sanctions that there would be for breaching that policy, so no one can be in any doubt, thus reducing potential disputes.

"We believe that good employers should consider allowing their staff personal use of the internet in general at the workplace, during break times, provided this is used responsibly and doesn't interfere with work or could compromise the employer's reputation," latest Trades Union Congress (TUC) publication Facing up to Facebook.

I have to agree that policy is necessary and the appropriate starting point, but I am constantly shocked and disappointed at the level of implementation of proactive usage policies. It is usually after the horse has bolted that HR and IT converge to manage the problem.

In a recent CIPD publication, a survey of 162 HR managers found only 10% had put a usage policy in place. On a more positive note, at least 20% were “thinking” about writing a dedicated policy. Policies need to evolve to reflect changes in user behavior.

I am a fan of AUPs: if one is pragmatic and sensible, as well as enforced and monitored, it can provide the most effective tool for allowing the pragmatic use of social networking sites from the workplace.

Blocking Access

The chief reason businesses block access to Web sites is to prevent the spread of spyware and other forms of malware, says Lawrence Orans, an Analyst at Gartner Inc. in Stamford, Conn. He estimates that about 20% of commercial organizations block social networking sites.

Be aware that Facebook can be accessed via alternative portals. Although facebook.com is blocked, it can still be reached by entering www.facebook.com into Google's “Translate a Web Page” facility: Google fetches the page on the user's behalf and serves it under its own domain, so the filter sees only a Google URL and allows complete access to Facebook, craftily disguised. A domain-based block therefore also has to cover translation services, web proxies and anonymizers, or inspect the target URL carried in their query strings.

Banning Facebook from work computers, however, is not necessarily the best way to combat time wasting, as the site encourages socializing, which in turn makes people happier to work longer hours. Only where there is firm suspicion that a social networking site presents a spyware/malware threat would I recommend blocking user access.

The Netfort Solution
– A pragmatic approach to the Challenge

Some employers are panicking and banning social networking outright; as discussed above, this is probably an overreaction in many cases. Another response is simply to ignore the problem and hope that it will pass without affecting them or their business. We think it is better, in both cases, to sit down with staff and work through a sustainable policy as a first step.

One of our larger customers recently asked us if we could produce a report of which websites their employees were visiting and how long they were spending on those sites each day. The results were very interesting, to say the least. They formed the basis for understanding behaviors and usage patterns of computing resources. With this knowledge, the customer modified their AUP. With further monitoring they found that compliance with the AUP was not effective, and in the end they blocked access.

This is an isolated case however and in other environs we have seen the behaviors modify and the acceptable/fair usage policy being embraced by users.
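The report described above, and the translation-proxy bypass noted under Blocking Access, can both be shown with a small proxy-log analysis. This is an added example, not Netfort's product: the log lines are constructed in the Squid native access-log layout (epoch seconds, elapsed ms, client, status, bytes, method, URL, user, hierarchy, content type), the addresses are from documentation ranges, and the Google Translate URL shape (translate.google.com/translate?...&u=<target>) is an assumption used to unwrap the bypass. The permitted window and the blocklist are AUP parameters chosen for the example.

```python
"""Web-usage report from proxy logs, with translation-proxy unwrapping.

Added example, not Netfort's product. Log lines, addresses, the AUP window and
the blocklist are constructed; the Google Translate 'u=' parameter is assumed.
Other web proxies and anonymizers need their own unwrapping rule.
"""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

BLOCKLIST = {"facebook.com", "myspace.com", "youtube.com"}
ALLOWED_WINDOW = (12, 14)   # assumed AUP: personal browsing permitted 12:00-13:59 UTC
IDLE_GAP = 300              # seconds; a longer gap between hits ends a visit

# Constructed log for 2008-04-01 (UTC). alice browses Facebook at 10:30 and again at
# lunch; bob reaches Facebook through Google Translate; carol uses the intranet.
LOG = """\
1207045800.000    120 10.1.2.3 TCP_MISS/200 5123 GET http://www.facebook.com/home.php alice DIRECT/203.0.113.10 text/html
1207045870.000     80 10.1.2.3 TCP_MISS/200 2210 GET http://www.facebook.com/profile.php alice DIRECT/203.0.113.10 text/html
1207045980.000     95 10.1.2.3 TCP_MISS/200 3100 GET http://www.facebook.com/inbox/ alice DIRECT/203.0.113.10 text/html
1207052100.000    110 10.1.2.3 TCP_MISS/200 5123 GET http://www.facebook.com/home.php alice DIRECT/203.0.113.10 text/html
1207052160.000     70 10.1.2.3 TCP_MISS/200 1900 GET http://www.facebook.com/friends/ alice DIRECT/203.0.113.10 text/html
1207046700.000    400 10.1.2.7 TCP_MISS/200 7400 GET http://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http://www.facebook.com/home.php bob DIRECT/203.0.113.20 text/html
1207046790.000    350 10.1.2.7 TCP_MISS/200 6900 GET http://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http://www.facebook.com/profile.php bob DIRECT/203.0.113.20 text/html
1207047600.000     40 10.1.2.9 TCP_MISS/200 1500 GET http://intranet.example.com/erp/orders carol DIRECT/10.0.0.5 text/html
"""


def effective_host(url: str) -> Tuple[str, Optional[str]]:
    """Return (host the user actually reached, proxy host that was unwrapped or None)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == "translate.google.com" and parts.path == "/translate":
        target = parse_qs(parts.query).get("u", [""])[0]   # assumed parameter name
        if target:
            return (urlsplit(target).hostname or host).lower(), host
    return host, None


def site_of(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def is_blocked(site: str) -> bool:
    return any(site == b or site.endswith("." + b) for b in BLOCKLIST)


def parse_log(text: str) -> List[Dict]:
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue
        host, via = effective_host(f[6])
        records.append({"ts": float(f[0]), "user": f[7], "site": site_of(host),
                        "via": via, "bytes": int(f[4])})
    return records


def time_on_site(records: List[Dict], idle_gap: int = IDLE_GAP) -> Dict[Tuple[str, str], float]:
    """Estimate seconds per (user, site) by summing gaps between consecutive hits
    that are <= idle_gap. This is the usual proxy-report heuristic; it cannot see
    an idle open tab, so it undercounts rather than overcounts."""
    stamps = defaultdict(list)
    for r in records:
        stamps[(r["user"], r["site"])].append(r["ts"])
    return {key: sum(b - a for a, b in zip(ts, ts[1:]) if b - a <= idle_gap)
            for key, ts in ((k, sorted(v)) for k, v in stamps.items())}


def aup_violations(records: List[Dict], window=ALLOWED_WINDOW) -> List[Tuple[str, str, Optional[str]]]:
    """Blocklisted sites reached outside the permitted window, including via a proxy."""
    start, end = window
    out = []
    for r in records:
        hour = datetime.fromtimestamp(r["ts"], tz=timezone.utc).hour
        if is_blocked(r["site"]) and not (start <= hour < end):
            out.append((r["user"], r["site"], r["via"]))
    return out


if __name__ == "__main__":
    recs = parse_log(LOG)
    for (user, site), secs in sorted(time_on_site(recs).items()):
        print(f"{user:6} {site:24} {secs:6.0f}s")
    for user, site, via in aup_violations(recs):
        print(f"AUP: {user} reached {site} outside window" + (f" via {via}" if via else ""))
```

Run as-is, the report shows alice's morning Facebook visits as a separate block from her lunchtime ones, and bob's Google Translate requests are attributed to facebook.com and flagged even though the URL the filter saw belonged to Google. A blocklist that checked only the literal hostname would have reported bob as a Google user.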

Social networking should not be something employers fear; rather, they should investigate how controlled access to new forms of information sharing could actually enhance business conduct. Facebook already hosts networks for employees at companies such as Apple Inc. and is preparing to launch a new feature that would allow it to act as a professional networking utility. Collaborative software could be the key to successful interaction with suppliers and customers in the very near future.

“Even consider limiting access to lunchtimes or for an hour each day, rather than an outright ban. By banning Facebook, you might not be doing yourself any favors; you are in danger of isolating your employees and sending out the message that you do not trust them.

Also, those employers who understand that social networking is here to stay can turn it to their advantage by setting up their own company networks, allowing employees to build up relationships and exchange ideas and information across the globe, and in turn they could become great brand ambassadors for your organization in future” – Personnel Today.