The Network Computing Masterclass series

... GOING BEYOND TECHNOLOGY AND PRODUCT. THE NETWORK MANAGEMENT MASTERCLASS SERIES IN ASSOCIATION WITH CRYPTOCARD EXAMINES THE CHALLENGE OF SOCIAL MEDIA. JASON HART CISSP CISM CONSIDERS WHETHER IT SHOULD BE BLOCKED OR EMBRACED...

SOCIAL NETWORKING BUSINESS

Since the early days of webmail, including examples such as Hotmail and Google Mail, companies have sought to limit or block employee access to web content. This is done, of course, in the firm belief that it will reduce employee time-wasting, and that it will also reduce the significant risks associated with downloading malicious content and, of course, data leakage.

For many organisations the arrival of social networking brings similar challenges and, all too often, the same unconsidered response. In making a considered response, two aspects need to be dealt with. Firstly, the value-add opportunity in promotion and business generation that social networking represents, and secondly, the reciprocal threat of significant unseen risks in information leakage of both personal and business data.

LinkedIn, for example, is useful for business networking, recruitment and group communications, and for reaching a global audience, all free of charge. But arguably, the most widely used social networking tool is Twitter, used variously by businesses to communicate with target audiences, celebrities staging online popularity contests, and the man on the street tweeting breaking news. However, information contained on social networking sites is highly valuable to cyber criminals, especially usernames and passwords.

THE SOCIAL NETWORKING RISK

With staff likely to use a mix of social media as well as online marketplaces such as Amazon and eBay, the chances are high that they will use the same password across all or some of these accounts. The risk is heightened if they then use the same credentials to access business applications.

In July, Twitter tweeted in pain when a hacker accessed GoogleApps via a staff member's Yahoo account, for which they had guessed the password; it resulted in the publication of highly confidential documents. Gaining access to an individual's webmail is effectively a gateway to their identity through credit card details, friends and family, and company data.

 

HACKING MADE EASY

During a recent conference I demonstrated how simple it is to collect information without the user realising what they're giving away; this allowed me to gain access - with permission - to a delegate's bank account based on information that they shared during the day. This risk applies equally to cloud-based applications and your network; however, this weak link can be very simply fixed by using a One Time Password, generated from a two-factor authentication solution. Indeed, Twitter has since implemented two-factor authentication within its own business structure.

SOCIAL ENGINEERING

Capturing a password is easy, using basic information such as a favourite place, spouse's name, or mother's maiden name, all of which can be found on Friends Reunited, Facebook, or simply in conversation. So whilst technical hackers still rely on traditional tools such as keylogging and phishing, the rise of social networks has now made hacking accessible to everyone, including disgruntled staff, competitors, or just the overly curious.

These changing demographics bring increased threats for password harvesting and online identity theft. We have now entered the age of the invisible threat, as having a valid username and password bypasses all security controls that have been put in place within a business.

EMBRACE IT, BUT SECURE IT

Social media will continue to grow and morph, and who knows how it will develop within our business and personal lives during the coming years? What we do know is that there are business and personal benefits to be gained from embracing social media, even with the increasing threats. Organisations need to make a decision: either to ignore the threat, or embrace the technology that enables them to benefit from, rather than just tolerate, social media - securely.

In the next issue of Network Computing, CRYPTOCard will continue this Masterclass series by considering a new dawn in authentication - Federated identity. Network Computing and CRYPTOCard invite reader comments and questions relating to items discussed in this series. Mail: Ray.Smyth@BTC.co.uk
