This is one in a collection of seven pieces on Burning Security Questions. Read the rest here.
Social networking — whether it be Facebook, MySpace, LinkedIn, YouTube, Twitter or something else — is fast becoming a way of life for millions of people to share information about themselves for personal or business reasons. But it comes with huge risks that range from identity theft to malware infections to the potential for letting reckless remarks damage corporate and personal reputations.
Both IT managers and security experts remain wary of social networking, with many seeing few defenses for its traps besides plain old common sense and some form of antimalware protection. Most say their efforts involve simply educating those about the risks of hanging out on the social networking scene.
"Social networking in itself is a really great thing," says Jamie Gesswein, MIS network engineer at Children's Hospital of the King's Daughters in Norfolk, Va. While impressed with how online is now bringing people together, he still favors blocking general access to social-networking sites unless that access is really needed.
"Be careful of what you post," Gesswein says. "I know users who post anything on everything on these sites. It is at times almost a contest to see who can outdo whom."
He thinks social-networking enthusiasts may be missing the point that this posted information stays around for many years and could come back to haunt them if a job recruiter tries to find out about their digital past.
Gesswein also believes people can end up in "the world for the forces of evil to exploit."
Gaby Dowling, manager for IT manager for international law firm Proskauer Rose, says there's a sound business argument for using social networking sites such as LinkedIn, but she worries about the potential for malware being spread by exploiting trust.
"The Koobface worm spread on Facebook was tricking you because you were receiving that from a trusted party," she points out.
"Social networking sites carry high risks of infecting systems with malware," says SystemExperts analyst Jonathan Gossels, who adds, "At a policy level, employees should not be visiting social-networking sites from production systems."
Social networking is basically a "digital version of a relationship," says Greg Hoglund, CEO of firm HBGary, and the security expert who co-authored "Exploiting Online Games," the book revealing how cheaters can manipulate online games such as World of Warcraft.
Thousands of third-party applications are being developed for social-networking sites and essentially it all exposes "vulnerability surfaces to potentially crafted attack data," Hoglund says. "Furthermore, the potential attack data is piggybacked on a digital version of a human relationship — somebody you know and talk to every day."
That means the "digital version of that person could easily be impersonated or exploited" and Hoglund doesn't see a simple way out of this dilemma. "In a nutshell, don't trust a digital identity like you trust a human relationship."
"People are revealing far more information than they should," says Gary Gordon, executive director of the Washington, D.C.-based Center for Applied Identity Management Research, a non-profit group formed last October by universities, public agencies and industry to research key problems related to identity management. The potential for identity theft and social engineering through exploiting social networking is real, he says. But he doesn't see blocking social networking as an answer.
Eddie Schwartz, CSO at security vendor NetWitness, spoke about the risks of social-networking during the recent Infosec Conference. He mentioned identity theft, espionage and malware as potential threats.
"A typical Facebook or MySpace user session ranges for a few minutes to tens of minutes so you could write an application that farms personally identifiable information," Schwartz said.
In addition, he said he's seen evidence of government employees using social-networking sites suddenly "befriended" by people in other countries asking for information, raising the prospect of espionage attempts.
The openness of many of the social-networking sites makes them "an ideal exploitation platform," he points out.
When it comes to online social networking such as Facebook, "try to educate people who have secrets to be careful," advises Michael Rochford, director of the global initiatives directorate in the Office of Intelligence and Counter-intelligence at the Department of Energy's Oak Ridge National Laboratory. "They're putting themselves on a platform to be exploited."
Many companies, including Lockheed Martin, which is creating its own home-grown social-networking site for use internally, do block public social-networking sites for security reasons. But many firms these days would regard cutting off social-networking sites as bad business.