|
|
 |
|
 |
 |
|
|
Social networking sites are helping companies collaborate, differentiate, and find new ways to connect with their customers — while learning new ways to remain competitive. But it turns out the "new networking" presents a very familiar problem: compromised security.
From increasingly sophisticated cybercriminals to simple employee carelessness, social networks like MySpace, Facebook, and LinkedIn represent an especially dangerous attack vector because of the broad base of users, according to security experts. In other words, there are so many people now visiting these sites that cybercriminals don't have to expend much effort to do a lot of damage.
Giving the bad guys even more incentive to focus on social networking sites is the fact that more and more employees are visiting them while at work. And that puts a variety of corporate resources at risk — from end-user machines and network systems to the sensitive corporate and customer data residing on them.
How fertile a venue have social networking sites become? Consider the distribution of malware. In February 2008, CERT issued a warning about an ActiveX control exploit that could enable hackers to take over Facebook and MySpace user machines, create bots, and launch denial of service (DoS) attacks. In December 2007, 400,000 users of Google's Orkut social networking site were affected by a fast-spreading worm. TechTarget reported that in November 2007, the MySpace profiles of Alicia Keys and other recording artists were discovered to be serving up malicious code. The SANS Institute notes an incident from September 2007, when a virus spread itself across Facebook by masquerading as a message from a trusted friend asking "Do you remember this girl?" Clicking on the photo that was promised as an attachment instead downloaded a host of infected files.
Or consider phishing and spam. In April 2008, researchers reported that cybercriminals had learned how to hijack Facebook user accounts, take over contacts lists, and pose as trusted sources to send messages that in reality were come-ons for pharmaceuticals and other products. And though a November 2007 phishing scam that tricked a Salesforce.com employee into revealing a password didn't originate via a social networking site, it nonetheless showed what can happen when a worker puts too much trust in a request for information: The password gave the phisher access to the private data of more than 30,000 Salesforce.com customers.
Security experts expect the exploits carried out on social networks to grow in frequency, scope, and severity. Compounding the problem is growing evidence of the addictive nature of social networking, as well as the entry into the workforce of young employees who view it as an essential part of their lives.
The good news is that social networking sites are taking steps to protect their users. But are companies doing all that they can? While social networking sites do present opportunities for helping the business, the risks they pose require a redoubling of efforts in education and enforcement of acceptable use policies. Of course, these measures are only as good as the overall security strategy a company deploys, including the technology designed to prevent the escape of sensitive data. In short, a comprehensive approach to security is needed to mitigate the dangers of social networking.
|
|
|
| |
|
|
 |
