Security Basics mailing list archives

Re: Allowing access to social networking... securely?


From: Stephen Mullins <steve.mullins.work () gmail com>
Date: Mon, 18 May 2009 12:24:17 -0400

Dan,

Response to your points:
If your organization allows employees to access social networking from
work you can guarantee that they will do so.  Not only does this open
up the known risks associated with SN, but it wastes a lot of man
hours.  Beyond that, I would suggest that people accessing SN from
work are more likely to talk about potentially sensitive work-related
matters on those SN sites.

Few organizations do proper web filtering.  I would say only 1
organization out of 50 has web filtering in place that a smart
15-year-old could not circumvent within half an hour.

I agree with your point about desktop security.  I don't believe
security is compatible with an organization that gives every user
local admin rights and says, "get to it."  The fact that organizations
spend a great deal of money on qualified security personnel and
network security infrastructure, then turn around and allow their
users to install whatever they want on their desktop is mind-boggling.
It must be extremely frustrating to work in an environment like that
and be expected to keep the network secure.

User education only takes you so far.  Not everyone has a "knack" for
computers, yet almost everyone is required to use them to get their
job done these days.  I know people that sit in front of a computer 8
hours a day at work and don't even own a computer at home, or a cell
phone, or anything "high tech" except maybe a DVD player.  If someone
is not interested in computers they aren't going to learn enough to be
running CommonSense 2009 and avoid compromise.

My point:
Unless SN is being used by the company for a specific marketing purpose
then it should be banned and completely blocked for ANYONE in the
organization (even the admins/security/etc.).  If your company has a
Facebook/MySpace/Twitter profile, by all means allow a couple of
people in your marketing department access - but that's it.  My stance
on things when it comes to security at work is completely
authoritarian.  At home, I don't believe in national
"firewalls/filters" or any other such nonsense.  But at work, you're
not being paid to look at lolcats and rick roll your friends on
MySpace.

Some large organizations have considered a default deny web browsing
policy with a very narrowly defined white list of specific sites
required in order for personnel to perform their duties.  A few
organizations may have implemented such a scheme.  Does anyone know of
anything of that nature having been put in place?  Was it successful?

Steve Mullins

On Thu, May 14, 2009 at 11:16 AM, <krymson () gmail com> wrote:
I like your list, so I think my stuff below will just be additive.

Policy: Someone needs to have oversight on what your company is putting out on these social networking sites, 
especially if you're using business-branded accounts. You probably don't want to learn about mistaken posts only a 
day later after 20 people notify your customer support reps.

Web Filtering/Network: If your company wants to leverage social networking for business purposes, but not open it to 
all employees (silly productivity concerns...), be sure you have it limited only to those people who need it. This 
should greatly reduce risk. If you are using shared business-named accounts on these sites, log access to them as 
much as possible so you know who announces/changes what.

Desktop security: Don't run as admin. If possible, get users to run Firefox+NoScript for their social network 
browsing. Don't set your browser to remember passwords for sites forever.

User education: Teach users to always log out of sites as much as possible, especially when they're done looking at 
them for a while.

Keep informed about security issues on these sites. When a worm is running around user profiles on Twitter, for 
instance, your Twitter users need to be a bit more careful, especially with business-branded accounts. It wouldn't 
look good for your CompanyOnTwitter account to suddenly be spamming tweet links to your whole list saying, "Go here 
to be pwned."  If your whole business will be allowed use of these sites, then have someone ready to announce any 
heightened issues.

Inevitably business-related social networking will probably take place offsite at a local hotspot, conference, or 
from home. Teach users to always use or bookmark login pages using https to avoid having your account snarfed.

Rotate your passwords, whether shared accounts or not. Many sites never force you to change, but you should do your 
best to apply normal business password policies to business-related social networking sites. Don't reuse passwords. 
Know who has access to them (this includes the email account of the "forgot password" features).

Strongly evaluate client apps that tie into the social network sites, or other "aggregate" sites that purport to 
manage all your accounts under one front page. Specifically be aware which of those require your account information 
be stored in a place they control. Would you give me all your account info so I manage it for you? I hope not. :) 
Likewise be aware if clients are transmitting via clear text or not.

Lastly, of course, have a policy about acceptable use of social networking sites, and acceptable use when 
representing your company. There should be little question about what is or is not appropriate to post or do.


<- snip ->
I am sure many of us are seeing the shift from the standpoint that
social networking (SN) is evil and should be blocked, to one that views
SN as a business tool and full of opportunity. I believe this is true
for many organizations. However, as many of us are aware, SN is full of
malicious code and techniques to trick users into giving away
information or attacking their system. The questions I would like to
pose to the list are as follows:

What, if anything, should be done above and beyond standard security
controls to protect against the potential risks of allowing access to
SN?

Let me define standard controls:

Web Filtering: the solution must be able to filter both unencrypted and
encrypted traffic and also scan the flows with an AV engine. I do not
know of many solutions that can look inside SSL other than Bluecoat.

Strong perimeter firewall rules: This is obvious to most people, but a
strong egress filter is a must. Workstations should have ZERO access to
external networks directly. All web traffic should be directed through
a proxy that terminates their sessions. This is important because
malware will typically try to exit the network via a standard port (80,
21, 53, 443) to make a two-way connection to its evil master. Another
issue is if your proxy simply forwards SSL traffic, you are dead in the
water.

Desktop security: I believe desktops should not be running just AV. It
should be something more intelligent such as HIPS. Cisco Security Agent
(CSA) comes to mind. The desktop must be able to stop attacks without
signatures. Also, lock those desktops down! Take away admin access.

User Education / awareness training: I think this may be the area that
has the greatest potential for improving an org's security. If you must
allow access to sites that are known as highly malicious, you should
train your users about these dangers and how to avoid them. One thing
that I have found that greatly improves this process is making sure the
employee understands this information will not only benefit them at
work, but also in their personal life.

Policy: all of these areas (and others) should be addressed in an
information security policy but I am not going to go into the details of
this.

So, I am curious what your thoughts are on my points and what other
improvements may be made to reduce the risks associated with SN.

-Dan
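The default-deny browsing policy Steve asks about, combined with Dan's proxy-terminated sessions and krymson's marketing-only access to the branded accounts, can be expressed as a Squid proxy configuration like the one below; this is an added example, not anything posted in the thread, and the subnets and the allow-list file path are constructed for illustration.

```squid
# Added example (not from the thread). Explicit-proxy policy: workstations
# have no direct route out; the only path to the web is through this port.
http_port 3128

# Source groups (subnets are constructed for this example)
acl workstations src 10.10.0.0/16
acl marketing    src 10.10.50.0/24

# Only standard web ports leave through the proxy, and CONNECT tunnels are
# limited to 443, so tunnelling out over 21, 53 or other ports is refused.
acl safe_ports port 80 443
acl ssl_ports  port 443
acl CONNECT    method CONNECT

# Destinations: the narrow business allow list (one domain per line; the
# path is constructed) and the social-network sites used for the
# company's branded accounts (leading dot matches subdomains too).
acl business_sites dstdomain "/etc/squid/business-allowlist.txt"
acl sn_sites       dstdomain .facebook.com .myspace.com .twitter.com

# http_access rules are evaluated top-down, first match wins, and the
# ACLs named on one line are ANDed together.
http_access deny !safe_ports
http_access deny CONNECT !ssl_ports

# Marketing staff may reach the social-network sites; nobody else can.
http_access allow marketing sn_sites

# Every workstation gets the business allow list and nothing beyond it.
http_access allow workstations business_sites

# Default deny for anything not explicitly allowed above.
http_access deny all

# Log every request so use of shared business-branded accounts is
# attributable to a source address and time.
access_log /var/log/squid/access.log squid
```

This only holds if the perimeter firewall, as Dan describes, permits outbound 80/443 from the proxy host alone and nothing from the workstation subnet directly.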

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. 
Gain a laser like insight into what is covered on the exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------
