Security Basics mailing list archives

Re: Allowing access to social networking... securely?


From: krymson () gmail com
Date: Thu, 14 May 2009 09:16:52 -0600

I like your list, so I think my stuff below will just be additive.

Policy: Someone needs to have oversight on what your company is putting out on these social networking sites, 
especially if you're using business-branded accounts. You probably don't want to learn about mistaken posts only a day 
later after 20 people notify your customer support reps.

Web Filtering/Network: If your company wants to leverage social networking for business purposes, but not open it to 
all employees (silly productivity concerns...), be sure you have it limited only to those people who need it. This 
should greatly reduce risk. If you are using shared business-named accounts on these sites, log access to them as much 
as possible so you know who announces/changes what.

Desktop security: Don't run as admin. If possible, get users to run Firefox+NoScript for their social network browsing. 
Don't set your browser to remember passwords for sites forever.

User education: Teach users to always log out of sites as much as possible, especially when they're done looking at 
them for a while.

Keep informed about security issues on these sites. When a worm is running around user profiles on Twitter, for 
instance, your Twitter users need to be a bit more careful, especially with business-branded accounts. It wouldn't look 
good for your CompanyOnTwitter account to suddenly be spamming tweet links to your whole list saying, "Go here to be 
pwned."  If your whole business will be allowed use of these sites, then have someone ready to announce any heightened 
issues.

Inevitably business-related social networking will probably take place offsite at a local hotspot, conference, or from 
home. Teach users to always use or bookmark login pages using https to avoid having your account snarfed.

Rotate your passwords, whether shared accounts or not. Many sites never force you to change, but you should do your 
best to apply normal business password policies to business-related social networking sites. Don't reuse passwords. 
Know who has access to them (this includes the email account of the "forgot password" features).

Strongly evaluate client apps that tie into the social network sites, or other "aggregate" sites that purport to manage 
all your accounts under one front page. Specifically be aware which of those require your account information be stored 
in a place they control. Would you give me all your account info so I manage it for you? I hope not. :) Likewise be 
aware if clients are transmitting via clear text or not.

Lastly, of course, have a policy about acceptable-use of social networking sites, and acceptable-use when representing 
your company. There should be little question about what is or is not appropriate to post or do.




<- snip ->
I am sure many of us are seeing the shift from the standpoint that
social networking (SN) is evil and should be blocked, to one that views
SN as a business tool and full of opportunity. I believe this is true
for many organizations. However, as many of us are aware, SN is full of
malicious code and techniques to trick users into giving away
information or attacking their system. The questions I would like to
pose to the list are as follows:

What, if anything, should be done above and beyond standard security
controls to protect against the potential risks of allowing access to
SN?

Let me define standard controls:

Web Filtering: the solution must be able to filter both unencrypted and
encrypted traffic and also scan the flows with an AV engine. I do not
know of many solutions that can look inside SSL other than Bluecoat.

Strong perimeter firewall rules: This is obvious to most people, but a
strong egress filter is a must. Workstations should have ZERO access to
external networks directly. All web traffic should be directed through
a proxy that terminates their sessions. This is important because
malware will typically try to exit the network via a standard port (80,
21, 53, 443) to make a two-way connection to its evil master. Another
issue is if your proxy simply forwards SSL traffic, you are dead in the
water.

Desktop security: I believe desktops should not be running just AV. It
should be something more intelligent such as HIPS. Cisco Security Agent
(CSA) comes to mind. The desktop must be able to stop attacks without
signatures. Also, lock those desktops down! Take away admin access.

User Education / awareness training: I think this may be the area that
has the greatest potential for improving an org's security. If you must
allow access to sites that are known as highly-malicious, you should
train your users about these dangers and how to avoid them. One thing
that I have found that greatly improves this process is making sure the
employee understands this information will not only benefit them at
work, but also in their personal life.

Policy: all of these areas (and others) should be addressed in an
information security policy but I am not going to go into the details of
this.

So, I am curious what your thoughts are on my points and what other
improvements may be made to reduce the risks associated with SN.

-Dan
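The egress-filter point in Dan's quoted post (workstations get no direct path out, only the proxy and resolver leave the perimeter, and anything else on 80/21/53/443 is a sign of something trying to phone home) can be made concrete. The following is an added example, not code from either poster: it encodes a proxy-only egress policy for an assumed topology (workstations in 10.20.0.0/16, proxy at 10.1.1.10, resolver at 10.1.1.53, WAN interface eth1, all constructed), renders the matching iptables rules, and runs a small detector over constructed netfilter LOG lines to flag workstations that repeatedly tried to bypass the proxy.

```python
"""Proxy-only egress policy, rule rendering, and bypass detection (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed topology (assumptions, not from the thread): workstations live in
# 10.20.0.0/16; only the web proxy and the internal resolver may leave the perimeter.
WORKSTATIONS = ipaddress.ip_network("10.20.0.0/16")
PROXY = ipaddress.ip_address("10.1.1.10")
RESOLVER = ipaddress.ip_address("10.1.1.53")
WAN_IF = "eth1"  # assumed name of the outside interface

# Hosts permitted to initiate connections out of the perimeter, and on which ports.
EGRESS_POLICY = {
    PROXY: {("tcp", 80), ("tcp", 443)},
    RESOLVER: {("udp", 53), ("tcp", 53)},
}

# Ports the post names as the usual malware escape routes.
WATCH_PORTS = {80, 21, 53, 443}


def egress_allowed(src, proto, dport):
    """Decide whether a new outbound flow may leave the perimeter directly.

    Workstations are absent from EGRESS_POLICY, so every direct flow from
    them is denied; the proxy and resolver only get their listed services."""
    allowed = EGRESS_POLICY.get(ipaddress.ip_address(src), set())
    return (proto.lower(), int(dport)) in allowed


def render_iptables_rules():
    """Return the iptables commands implementing EGRESS_POLICY on the WAN side."""
    rules = [
        "iptables -N EGRESS",
        f"iptables -A FORWARD -o {WAN_IF} -j EGRESS",
        # replies to connections that were already accepted must still get out
        "iptables -A EGRESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for host, services in EGRESS_POLICY.items():
        for proto, port in sorted(services):
            rules.append(f"iptables -A EGRESS -s {host} -p {proto} --dport {port} -j ACCEPT")
    # log before dropping so bypass attempts leave evidence for the detector below
    rules.append('iptables -A EGRESS -j LOG --log-prefix "EGRESS-DROP "')
    rules.append("iptables -A EGRESS -j DROP")
    return rules


# Matches the fields of a netfilter LOG line carrying the prefix used above.
DROP_RE = re.compile(
    r"EGRESS-DROP .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)"
)


def parse_drop(line):
    """Extract src, dst, proto and dport from one EGRESS-DROP log line, else None."""
    m = DROP_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"].lower(),
        "dport": int(m["dport"]),
    }


def find_bypass_attempts(lines, threshold=3):
    """Count dropped direct-egress attempts per workstation on the watched ports.

    Returns {src: count} for workstations at or above threshold; these are the
    hosts to look at for malware beaconing or a misconfigured proxy setting."""
    hits = Counter()
    for line in lines:
        ev = parse_drop(line)
        if ev and ev["src"] in WORKSTATIONS and ev["dport"] in WATCH_PORTS:
            hits[str(ev["src"])] += 1
    return {src: n for src, n in hits.items() if n >= threshold}


# Constructed firewall log lines in netfilter LOG format (not real traffic).
SAMPLE_LOG = [
    "May 14 09:16:52 fw kernel: EGRESS-DROP IN=eth0 OUT=eth1 SRC=10.20.4.17 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=50123 DPT=443 SYN",
    "May 14 09:16:58 fw kernel: EGRESS-DROP IN=eth0 OUT=eth1 SRC=10.20.4.17 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=50124 DPT=443 SYN",
    "May 14 09:17:05 fw kernel: EGRESS-DROP IN=eth0 OUT=eth1 SRC=10.20.4.17 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=50125 DPT=80 SYN",
    "May 14 09:17:30 fw kernel: EGRESS-DROP IN=eth0 OUT=eth1 SRC=10.20.7.2 DST=198.51.100.4 LEN=60 PROTO=UDP SPT=41000 DPT=53",
    "May 14 09:18:00 fw kernel: EGRESS-DROP IN=eth0 OUT=eth1 SRC=10.20.9.9 DST=198.51.100.4 LEN=60 PROTO=TCP SPT=42000 DPT=8080 SYN",
    "May 14 09:18:10 fw kernel: unrelated message",
]

if __name__ == "__main__":
    print("\n".join(render_iptables_rules()))
    print("workstations repeatedly trying to bypass the proxy:", find_bypass_attempts(SAMPLE_LOG))
```

The 8080 attempt is ignored on purpose: the detector only scores the ports the post singles out, so add to WATCH_PORTS if your environment sees other escape routes. The threshold keeps a single typo'd proxy setting from paging anyone, while a host hammering 443 three times in a minute is worth a look.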
