Security Basics mailing list archives
Re: Allowing access to social networking... securely?
From: Stephen Mullins <steve.mullins.work () gmail com>
Date: Mon, 18 May 2009 12:24:17 -0400
Dan,

Response to your points:

If your organization allows employees to access social networking from work, you can guarantee that they will do so. Not only does this open up the known risks associated with SN, but it wastes a lot of man hours. Beyond that, I would suggest that people accessing SN from work are more likely to talk about potentially sensitive work-related matters on those SN sites.

Few organizations do proper web filtering. I would say only 1 organization out of 50 has web filtering in place that a smart 15-year-old could not circumvent within half an hour.

I agree with your point about desktop security. I don't believe security is compatible with an organization that gives every user local admin rights and says, "get to it." The fact that organizations spend a great deal of money on qualified security personnel and network security infrastructure, then turn around and allow their users to install whatever they want on their desktop, is mind-boggling. It must be extremely frustrating to work in an environment like that and be expected to keep the network secure.

User education only takes you so far. Not everyone has a "knack" for computers, yet almost everyone is required to use them to get their job done these days. I know people who sit in front of a computer 8 hours a day at work and don't even own a computer at home, or a cell phone, or anything "high tech" except maybe a DVD player. If someone is not interested in computers they aren't going to learn enough to be running CommonSense 2009 and avoid compromise.

My point: Unless SN is being used by the company for a specific marketing purpose, it should be banned and completely blocked for ANYONE in the organization (even the admins/security/etc.). If your company has a Facebook/MySpace/Twitter profile, by all means allow a couple of people in your marketing department access - but that's it.

My stance on things when it comes to security at work is completely authoritarian. At home, I don't believe in national "firewalls/filters" or any other such nonsense. But at work, you're not being paid to look at lolcats and rickroll your friends on MySpace.

Some large organizations have considered a default-deny web browsing policy with a very narrowly defined whitelist of specific sites required in order for personnel to perform their duties. A few organizations may have implemented such a scheme. Does anyone know of anything of that nature having been put in place? Was it successful?

Steve Mullins

On Thu, May 14, 2009 at 11:16 AM, <krymson () gmail com> wrote:

I like your list, so I think my stuff below will just be additive.

Policy: Someone needs to have oversight on what your company is putting out on these social networking sites, especially if you're using business-branded accounts. You probably don't want to learn about mistaken posts only a day later, after 20 people notify your customer support reps.

Web Filtering/Network: If your company wants to leverage social networking for business purposes, but not open it to all employees (silly productivity concerns...), be sure you have it limited only to those people who need it. This should greatly reduce risk. If you are using shared business-named accounts on these sites, log access to them as much as possible so you know who announces/changes what.

Desktop security: Don't run as admin. If possible, get users to run Firefox+NoScript for their social network browsing. Don't set your browser to remember passwords for sites forever.

User education: Teach users to always log out of sites as much as possible, especially when they're done looking at them for a while. Keep informed about security issues on these sites. When a worm is running around user profiles on Twitter, for instance, your Twitter users need to be a bit more careful, especially with business-branded accounts. It wouldn't look good for your CompanyOnTwitter account to suddenly be spamming tweet links to your whole list saying, "Go here to be pwned." If your whole business will be allowed use of these sites, then have someone ready to announce any heightened issues. Inevitably business-related social networking will probably take place offsite at a local hotspot, conference, or from home. Teach users to always use or bookmark login pages using https to avoid having your account snarfed. Rotate your passwords, whether shared accounts or not. Many sites never force you to change, but you should do your best to apply normal business password policies to business-related social networking sites. Don't reuse passwords. Know who has access to them (this includes the email account of the "forgot password" features). Strongly evaluate client apps that tie into the social network sites, or other "aggregate" sites that purport to manage all your accounts under one front page. Specifically be aware which of those require your account information be stored in a place they control. Would you give me all your account info so I manage it for you? I hope not. :) Likewise be aware if clients are transmitting via clear text or not.

Lastly, of course, have a policy about acceptable-use of social networking sites, and acceptable-use when representing your company. There should be little question about what is or is not appropriate to post or do.

<- snip ->

I am sure many of us are seeing the shift from the standpoint that social networking (SN) is evil and should be blocked, to one that views SN as a business tool and full of opportunity. I believe this is true for many organizations. However, as many of us are aware, SN is full of malicious code and techniques to trick users into giving away information or attacking their system.

The questions I would like to pose to the list are as follows: What, if anything, should be done above and beyond standard security controls to protect against the potential risks of allowing access to SN? Let me define standard controls:

Web Filtering: the solution must be able to filter both unencrypted and encrypted traffic and also scan the flows with an AV engine. I do not know of many solutions that can look inside SSL other than Bluecoat.

Strong perimeter firewall rules: This is obvious to most people, but a strong egress filter is a must. Workstations should have ZERO access to external networks directly. All web traffic should be directed through a proxy that terminates their sessions. This is important because malware will typically try to exit the network via a standard port (80, 21, 53, 443) to make a two-way connection to its evil master. Another issue is if your proxy simply forwards SSL traffic, you are dead in the water.

Desktop security: I believe desktops should not be running just AV. It should be something more intelligent such as HIPS. Cisco Security Agent (CSA) comes to mind. The desktop must be able to stop attacks without signatures. Also, lock those desktops down! Take away admin access.

User Education / awareness training: I think this may be the area that has the greatest potential for improving an org's security. If you must allow access to sites that are known as highly malicious, you should train your users about these dangers and how to avoid them. One thing that I have found that greatly improves this process is making sure the employee understands this information will not only benefit them at work, but also in their personal life.

Policy: all of these areas (and others) should be addressed in an information security policy, but I am not going to go into the details of this.

So, I am curious what your thoughts are on my points and what other improvements may be made to reduce the risks associated with SN.

-Dan

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff!
http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------
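The egress-filtering control Dan describes above (workstations get no direct external access, all web traffic leaves through a proxy, and malware tends to try ports 80, 21, 53 and 443), as an added example that is not from any poster in this thread: a small Python audit over constructed firewall log lines that flags workstation connections reaching outside addresses on those ports without going through the proxy or the internal resolver. The workstation subnet, proxy address and resolver address are assumptions, as is the log line format.

```python
"""Added example (not from the thread): audit a perimeter-firewall log for
workstation traffic that bypasses the egress proxy. The subnet, proxy and
resolver addresses below are assumed values for the example."""
import ipaddress
import re

WORKSTATIONS = ipaddress.ip_network("10.10.4.0/22")   # assumed user LAN
INTERNAL = ipaddress.ip_network("10.0.0.0/8")         # assumed whole corp net
PROXY = ipaddress.ip_address("10.10.1.5")             # assumed egress proxy
DNS = ipaddress.ip_address("10.10.1.53")              # assumed resolver
WATCHED_PORTS = {80, 21, 53, 443}                     # ports Dan lists

# Constructed sample log lines in a simple "SRC= DST= DPT=" style
SAMPLE_LOG = """\
May 18 12:01:02 fw kernel: OUT SRC=10.10.4.21 DST=10.10.1.5 DPT=3128 PROTO=TCP
May 18 12:01:05 fw kernel: OUT SRC=10.10.4.21 DST=203.0.113.9 DPT=443 PROTO=TCP
May 18 12:01:07 fw kernel: OUT SRC=10.10.4.22 DST=10.10.1.53 DPT=53 PROTO=UDP
May 18 12:01:09 fw kernel: OUT SRC=10.10.4.22 DST=198.51.100.7 DPT=53 PROTO=UDP
May 18 12:01:11 fw kernel: OUT SRC=10.10.1.5 DST=203.0.113.9 DPT=443 PROTO=TCP
May 18 12:01:13 fw kernel: OUT SRC=10.10.4.23 DST=192.0.2.44 DPT=21 PROTO=TCP
May 18 12:01:15 fw kernel: OUT SRC=10.10.4.24 DST=10.10.7.9 DPT=445 PROTO=TCP
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) DPT=(\d+) PROTO=(\S+)")


def find_bypasses(log_text):
    """Return (src, dst, port) tuples for workstation connections that reach
    an address outside the corporate network on a watched port without
    passing through the proxy or the internal resolver. Traffic from the
    proxy itself, and internal-to-internal traffic, is out of scope."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(2))
        port = int(m.group(3))
        if src not in WORKSTATIONS:
            continue                      # proxy/servers may egress directly
        if dst in (PROXY, DNS) or dst in INTERNAL:
            continue                      # sanctioned path or internal traffic
        if port in WATCHED_PORTS:
            hits.append((str(src), str(dst), port))
    return hits


if __name__ == "__main__":
    for src, dst, port in find_bypasses(SAMPLE_LOG):
        print(f"proxy bypass: {src} -> {dst}:{port}")
```

With a default-deny egress rule in place these lines should never appear at all; seeing them is the signal that a workstation has a direct path out that the proxy policy was meant to close.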