What is the value proposition for allowing users access to social networks?
What is the value proposition for allowing employees access to Web 2.0 resources such as social networks?
Every other day, we hear about the risks. Compromised Twitter accounts, phishing via LinkedIn, and malicious Facebook apps are only a sample of an ever-growing landscape. Most enterprises, appreciating the threats these pose to an environment, simply deny access to social networks from company systems and networks.
Even within such organizations, there are users who need to access social networks to perform their job functions. LinkedIn has become a great tool for recruiting prospective new hires. More companies are using Twitter, Facebook, Myspace and others to promote their business and connect with customers.
But outside of that, is there value in allowing employees whose job functions do not require it access to social networks on company systems?
I’m prompted to ask this because last week I was at a meeting of the Northern Virginia chapter of the Information Systems Security Association (ISSA-NOVA) and the speaker was the deputy CISO of the IRS, Devon Bryan. He spoke about how the IRS was dealing with the security challenges posed by Web 2.0, particularly social networking. Their current stance is to block all access except for those employees whose job function requires it. Most security professionals would agree this is probably wise. However, he also added that they are looking at technology that would allow users to “view” social networking sites, but not allow them to “update” them. As he explained, or tried to, read vs. write/execute.
As this was an audience full of security professionals, it was quickly pointed out that drive-by malware downloads only require the user to browse the infected web page or one that is linked to an infected web page. To view is to infect, so to speak. There was then talk of how to mitigate that using virtual machines or proxies.
I have no doubt the technical challenges can be overcome. The hackers who now treat social networks as the new frontier will probably change tack to react as well. Besides wanting to keep employees happy, what’s the policy rationale for allowing users to follow their subscribed tweets or friends’ updates? Never mind the adverse effect this will have on productivity. Really, why bother?
About William: William McBorrough is co-founder and President at Washington, DC based Information Technology and Assurance Services Firm Secure Intervention, where he specializes in Security Assessments, Compliance Readiness, IT and Security Management and Cloud Computing Security for both public and private sector enterprises. He is also an Adjunct College Professor teaching Systems Architecture, Networking, Network Attacks and Defense, and Security Program Development courses. He holds CISSP, CISA, and CEH certifications and is pursuing a PhD in Information Technology with a concentration in Information Security and Assurance.