Yes, you can draw a distinction between personal and professional social networking sites: Facebook is a different beast than LinkedIn, and attracts different types of users for different reasons. Any geek who's been asked by a friend or family member to fix a slow PC understands the average home user doesn't grok the concept of contextual trust: they'll happily click any link, accept any friend invitation, and even install software from just about any Web site.
In contrast, users of LinkedIn and other professional networking sites tend to be more discriminating. One of the differences seems to be what's in it for the user: to the business user, if there's no professional benefit, it goes ignored; whereas, to the home user it's all about entertainment, and any invitation or link offers that promise.
But the problem is most of us aren't good at separating our personal and professional lives. Chances are we use the same password for our Google Buzz account that we use for the corporate Active Directory login and even SalesForce.com.
We also tend to employ the same habits when we use the same applications, whether in a personal or professional context. When corporate security guidance warns us not to open e-mail from people we don't know, it improves our e-mail habits on our home computer. If the sites we visit are primarily for work, we bring a healthy dose of suspicion along; but bring Classmates.com into the workplace and recreational browsing habits cross over into our office browsing.
The bad guys know e-mail protection is mature at this point and it's easier to entice users to click on links in social network sites than it is to evade e-mail content filters. And they can use this for more than just identity theft. Drive-by downloads can infect personal and business computers alike with all types of malware. Viruses, the perennial favorite, are now somewhat passé, and being replaced with custom, targeted malware that is much more dangerous and amounts to what is being called advanced persistent threats.
Aurora, the exploit that compromised hundreds of computers in over 20 big companies, including Google and Adobe, is believed to have been delivered to the target computers via spear phishing and drive-by download. It's possible that the victims were lured with targeted e-mails at their corporate account, but it's just as easy to lure victims through social network sites.
Another danger of social networking isn't one we normally think of in the private sector, but is drilled into every Department of Defense employee with a secret security clearance and above: operations security.
Take the US Marine Corps, which has banned social network site access from military networks, according to a Computerworld story. "You can't have someone posting, 'Hey, we're leaving on this date and at this time,'" says 1st Lt. Craig Thomas, a Pentagon-based spokesman for the Marine Corps. "Believe me, the enemy is checking out what you guys are reporting and what service men and women are saying online."
Troop deployment schedules may not be the concern of your company, but leaking intellectual property is. "Working late—AGAIN. Man, can't wait until we solve the hydrogen matrix reticulation problem so I can see my wife & kids," is the kind of Tweet that can clue your competitor into your new product technology.
Of course, there's nothing stopping employees from posting the same thing at home. Employees have a responsibility to be discreet whether at the office, at home, or on a safari in Kenya, and employers have to set the expectation by providing security awareness training. Companies should also be monitoring employee usage of social media/networking sites – for personal and professional use – in order to comply with internal policy and reduce external fraud.
As with all things, there's a gray area. Some sites, like LinkedIn, are harder to target because they have a low tolerance for unsolicited contacts or mechanisms in place to vet relationships before allowing communications between the parties. In general, it is fine to allow employees to access these sites with appropriate security awareness training and a clear acceptable use policy to give it teeth. Conversely, businesses can use Facebook and Twitter to promote themselves, but this access should be closely controlled, relegated to public relations staff and certain executives.
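The monitoring and acceptable-use policy described above can be turned into a simple check over web proxy logs. The following is an added example, not code from the original article or from Q1 Labs; the log format, domain lists, user names and log lines are all constructed for illustration. It flags any access to the sites reserved for public relations staff and executives by a user outside that group, and tallies per-user usage of the sites in question so the policy can be reviewed against actual behaviour.

```python
"""
Added example (not from the original article): audit constructed proxy
log lines against an acceptable-use policy in which Facebook and Twitter
are reserved for PR staff and named executives, while LinkedIn is
permitted for all trained staff. Every domain, user and log line here is
a constructed assumption for the sake of the example.
"""
import re
from collections import Counter, defaultdict, namedtuple

# Hypothetical policy tables (constructed).
RESTRICTED_SITES = {"facebook.com", "twitter.com"}   # PR/executives only
PERMITTED_SITES = {"linkedin.com"}                   # allowed with training
APPROVED_USERS = {"pr.jones", "ceo.smith"}           # the PR/executive group

# Constructed proxy log format: timestamp user client_ip method url status
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)
# Host from either "http://host/path" or a bare "host:port" (CONNECT).
HOST_RE = re.compile(r"^(?:[a-z]+://)?([^/:]+)")

Finding = namedtuple("Finding", "ts user host reason")


def registered_domain(host):
    """Collapse www.facebook.com / m.twitter.com to their last two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(user, host):
    """Return a policy-violation reason, or None if the access is allowed."""
    domain = registered_domain(host)
    if domain in RESTRICTED_SITES and user not in APPROVED_USERS:
        return "restricted site accessed by user outside the PR/executive group"
    return None


def parse_line(line):
    """Return (ts, user, host) for a well-formed line, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    h = HOST_RE.match(m["url"])
    if not h:
        return None
    return m["ts"], m["user"], h.group(1)


def scan_proxy_log(lines):
    """Collect policy findings from an iterable of log lines."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line; a real pipeline would count these
        ts, user, host = parsed
        reason = classify(user, host)
        if reason:
            findings.append(Finding(ts, user, host, reason))
    return findings


def usage_by_user(lines):
    """Per-user count of hits on the social networking domains of interest."""
    counts = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, user, host = parsed
        domain = registered_domain(host)
        if domain in RESTRICTED_SITES | PERMITTED_SITES:
            counts[user][domain] += 1
    return {user: dict(c) for user, c in counts.items()}


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2010-03-01T09:12:03Z alice    10.1.2.3 GET     http://www.facebook.com/home.php 200",
    "2010-03-01T09:13:10Z pr.jones 10.1.2.4 GET     https://twitter.com/company 200",
    "2010-03-01T09:14:42Z bob      10.1.2.5 GET     https://www.linkedin.com/in/bob 200",
    "2010-03-01T09:15:07Z carol    10.1.2.6 GET     http://m.twitter.com/ 302",
    "2010-03-01T09:16:55Z bob      10.1.2.5 CONNECT facebook.com:443 200",
    "malformed line here",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f.ts} {f.user} -> {f.host}: {f.reason}")
    print(usage_by_user(SAMPLE_LOG))
```

The domain collapsing is deliberately crude (last two labels), which is adequate for the handful of sites named in the policy but would need a public-suffix list before being applied to arbitrary hostnames.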
The Marines in that article summed up the risks of social network sites nicely: "These Internet sites in general are a proven haven for malicious actors and content, and are particularly high risk due to information exposure, user generated content and targeting by adversaries. The very nature of [social networking sites] creates a larger attack and exploitation window, exposes unnecessary information to adversaries and provides an easy conduit for information leakage ..."
That said, the Marine Corps went on to say the key is finding a balance between security and a way to use new technologies. Every business should evaluate the Marines' philosophy in the context of their own environment, potential benefits and risks.
Q1 Labs is a global provider of high-value, cost-effective next-generation network security management products. The company's flagship product, QRadar SIEM, integrates previously disparate functions - including risk management, log management, and network and application activity monitoring - into a total security intelligence solution, making it the most intelligent, integrated and automated Security Intelligence Platform available. QRadar provides users with crucial visibility into what is occurring with their networks, data centers, and applications to better protect IT assets and meet regulatory requirements. Q1 Labs is headquartered in Waltham, Mass., and customers include healthcare providers, energy firms, retail organizations, utility companies, financial institutions, government agencies, and universities, among others. For more information, visit Q1Labs.com, e-mail info@Q1Labs.com, or call 781-250-5800.