Friday, August 19, 2011

Security Risks in the Age of Social Media

Everyone is joining in the social media craze, even the public figures of our times. I was recently watching a program on MTV Base in which some youths interview some of the influential people of today, and I remember that in two of the interviews, President Kagame of Rwanda and Virgin Group's Richard Branson mentioned using Twitter from time to time.

With hundreds of millions of users, from school-going teenagers to presidents, footballers and musicians, and from small and medium companies to large corporations, many people use at least one of the various social media, such as Facebook, Twitter, LinkedIn, MySpace and YouTube, to connect with friends, to network and make new friends, for promotion and public relations, and for marketing, among other benefits.

Social media has changed the way we interact and communicate; we can now stay in touch with friends, fans and clients through Facebook. Through Twitter, we can pass on information more quickly than we have ever done before. Through social media we can reunite with lost family members and friends. Some might have heard of the famous story of the father-daughter reunion between Tony McNaughton and Frances Simpson of the United Kingdom, who had not seen each other for nearly 48 years. The father had separated from the daughter's mother when the daughter was about 1 year old; they reunited via Facebook. I am a user of social media, mostly Facebook, and I would not like to be a killjoy, but I am also aware of the inherent risks it has. So what are these risks that come with social media, and how can we guard against them?

For individual users of social media, the biggest challenge is that people drop their guard and share personal information and secrets on Facebook, including details they would not readily shout out in the streets or share on national TV or radio. Within their social networks, they feel safe, surrounded by people they know, like and trust, such as friends and family. This opens up possibilities for identity theft and could be used as an avenue for social engineering - a practice of gathering information on someone for future criminal use. There is also the threat of cyber stalking, where a user can be electronically harassed or abused, as well as issues of solicitation of minors for sex, or the gathering of information on an individual in order to harass them with it later.

There is also a web of trust built between social network users, so much so that any information posted by "a friend" is taken as gospel truth. Recently a Facebook friend of mine was a victim when his Facebook account was compromised, most probably because he was using a weak password that was easy for the attacker to guess. The perpetrator was able to post some information on his "wall", claiming that "he" was stranded in a foreign country, had lost his luggage and had no money on him. The masquerader even gave details of where and how to send help. Needless to say, some people on his Facebook friends list fell for it and sent some money. This and many other incidents warn us to be a little more alert when using social media.

For enterprises and corporations that have internet access and allow employees to use social media on the corporate network, the risks could be even bigger. While social networking has become pervasive across organizations, there are very few security restrictions governing its usage. Uncontrolled use of social media could lead not only to misuse of internet resources but also to productivity loss, as employees spend more time on social networks instead of carrying out official work. Social networks could also be used to introduce malware, such as computer viruses, onto corporate networks. For example, in September 2010 the Twitter-based "onMouseOver" worm pummeled users with pop-ups, spam and pornographic tweets and then re-tweeted them to everyone on their contact list.

Social networks can also be a route for data leakage: they can be used to leak company trade secrets and can lead to the loss of confidential or sensitive data. What's more, there's a disconnect between traditional information security practices and the demands of an increasingly youthful workforce that feels entitled to use personal technology and social networking in the office.

So what can be done to curb the risks of social media usage and enjoy its benefits with fewer worries? To begin with, social media users need to be vigilant and not share any information they would not readily share with the general public. On top of using stronger passwords that can't easily be guessed, we should take advantage of the options available within the social media themselves to help reduce the risks. Major social networking sites now support identity management functionality. For example, a security application called mysafeFriend gives Facebook users a way to validate the identity of potential friends.

Parents need to guide their children on safe usage of the internet and appropriate behavior when online. Just as you would not let your children chat with any stranger in the streets, why should you allow them to freely connect with cyber strangers, who could be closer than you think?

Organizations need both an administrative and a technical approach to the problem. Companies should come up with workplace internet usage policies that have a component dedicated to social media usage, for example specifying at what times employees can access social network sites, so that employee productivity is not affected. There should also be awareness training for staff on the risks involved. Companies could make use of available technology to assist with web content filtering against malware, such as viruses and infected links shared through social networks.

As social networks become popular, individuals and corporations need to be aware of the risks, and of the fact that scammers and cyber-criminals today have their sights trained on users of social networks.

About the Author
Mr. Thomas Bbosa - CISSP, is an Information Systems Security Consultant and Managing Partner with BitWork Consult Ltd ( http://www.bitworktech.com ), an IT security consulting firm based in Kampala, Uganda. He is a Certified Information Systems Security Professional (CISSP) with over 10 years' experience in the IT industry. He has been involved in various roles in IT infrastructure management and support, information systems security management and solutions deployment.