Social Network Security

Social networking sites are designed to let people reach out to one another. As virtual communities of professionals and connections to experts, they can be valuable business resources. But the very interactions that make networking sites valuable are the same ones that can leave corporate networks vulnerable to IT security breaches.

This is becoming an issue as several virtual communities have sprung up that are geared toward business executives. These include Ryze, Xing (formerly OpenBC), Ecademy, Hoover’s Connect, Spoke and Vshake.

“They definitely pose a problem,” says Andre Protas, a researcher at eEye Digital Security Inc., an enterprise security software and research firm in Aliso Viejo, Calif. “Most of these websites were not created with security in mind.”

Often, these types of communications paths bypass security measures that have been put in place to protect the enterprise, such as firewalls, IDS/IPS, personal firewalls and gateway anti-virus systems, adds Doug Howard, chief operating officer at BT Counterpane, a security firm in Chantilly, Va. “Through peer-to-peer and other technologies that bypass corporate security, you create additional risk for an enterprise.”

Protas says he’s seen “a proliferation of vulnerabilities” on social networking sites recently. A case in point: the worm that targeted MySpace users, changing the links of their home pages and redirecting them to phishing sites. “That was a pretty serious first punch to MySpace and to social networking sites in general,” he says.

Some Sites Are Safer

At LinkedIn, which bills itself as the world’s largest business network with 8.5 million users, officials say they are mindful of the potential for security breaches. They claim protections have been built in that give users the flexibility to decide what information they want to share and what they would prefer to keep private.

“Privacy and protected communications are key elements of LinkedIn,” says Allen Blue, vice president of Product Strategy, at LinkedIn in Palo Alto, Calif. “We have created communication and browsing systems, which allow all participants – browsers, message-senders and recipients – to show or hide as much information about themselves as they like, and to protect private information (for instance, email addresses) until they are ready to share that information.”

Vshake founder Sagi Richberg says his site was built with privacy and security protection in mind, and that it eliminates spam by acting as a proxy for visitors.

“Even after you pay to contact someone, we act on your behalf as a proxy. You don’t get the person’s email or telephone number; everything is done via our system and we send the email on your behalf,” says Richberg in Ashland, Mass.

As an added security measure, Vshake also has what Richberg calls a “unique verification system.” If a Vshake visitor decides to verify himself or herself on the site with a driver’s license or other identification, lending credibility to the communication, Vshake will send that person a letter with a random, system-generated number via snail mail.

The visitor then has to enter that number on the website for the verification to be accepted. “That means you are who you are,” Richberg explains. “Anyone can go to any social networking site and say they’re Bill Gates and claim to know people they don’t really know. That’s another layer we have that no one else has.”
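The mailed-code flow Richberg describes is a standard out-of-band verification: the server generates a random code, delivers it over a channel the attacker is assumed not to control, and later checks what the user types in. The following is an added illustration of how such a check is usually implemented, not Vshake’s code or anything described in the article beyond the flow itself. The store, the server key, the code length, the two-week lifetime and the attempt limit are all constructed assumptions; the points worth noting are that the code is generated with a cryptographic source, only a keyed hash of it is stored, it expires, it is single-use, and guessing is rate-limited.

```python
"""Out-of-band verification code issue/check (added example, constructed).

Models the flow the article describes: the system generates a random
number, sends it out of band (the letter is simulated by returning the
code to the caller), and later checks the value the user types in.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 8                      # length of the numeric code (assumed)
CODE_TTL_SECONDS = 14 * 24 * 3600    # two weeks: postal delivery is slow (assumed)
MAX_ATTEMPTS = 5                     # cap on guesses per issued code (assumed)

# Per-deployment secret for the keyed hash; constructed here, normally loaded from a vault.
SERVER_KEY = secrets.token_bytes(32)

# Hypothetical in-memory store: user_id -> record. A real site would persist this.
_pending = {}


def _digest(user_id, code):
    # Store only a keyed hash so a leaked table does not expose live codes.
    msg = f"{user_id}:{code}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_code(user_id, now=None):
    """Generate a fresh code for user_id and record its hash, expiry and attempt count."""
    now = time.time() if now is None else now
    # secrets (not random) for an unpredictable value; zero-padded to a fixed length
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    _pending[user_id] = {
        "digest": _digest(user_id, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code  # goes only to the letter printer, never into a web response


def verify_code(user_id, submitted, now=None):
    """Check a submitted code; returns one of
    'verified', 'wrong_code', 'expired', 'locked_out', 'no_pending_code'."""
    now = time.time() if now is None else now
    rec = _pending.get(user_id)
    if rec is None:
        return "no_pending_code"
    if now > rec["expires"]:
        del _pending[user_id]
        return "expired"
    if rec["attempts"] >= MAX_ATTEMPTS:
        del _pending[user_id]          # force a new letter after too many guesses
        return "locked_out"
    rec["attempts"] += 1
    # Constant-time comparison of the two hashes, so timing does not leak matching prefixes.
    if hmac.compare_digest(rec["digest"], _digest(user_id, submitted.strip())):
        del _pending[user_id]          # single use
        return "verified"
    return "wrong_code"


if __name__ == "__main__":
    mailed = issue_code("alice")       # in production this value is printed on the letter
    print(verify_code("alice", "00000000"))  # almost certainly 'wrong_code'
    print(verify_code("alice", mailed))      # 'verified'
```

With a fixed-length numeric code the attempt cap is what makes the scheme sound: without it, an eight-digit code is brute-forceable over a web form, however well it was generated.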

Always Employ Basic Security Measures

Protas says the easiest way for IT to prevent network vulnerabilities is simply by using software that lets administrators decide which sites people can access and which sites are blocked. “I would suggest there is no benefit for [corporate] users to be on MySpace so IT should block it. People are spending so much time on it that it’s a huge productivity loss.”

Howard concurs. “The recommendation is usually to not allow employees to use sites that utilize peer-to-peer communications,” he says.

But in lieu of that, since, according to Protas, “there’s really no way to filter out the good MySpace from the bad MySpace,” IT should make sure every computer on the network is covered with basic Internet security software that provides zero-day, anti-virus, anti-phishing and anti-spyware protection.
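The site-blocking approach Protas recommends comes down to a policy decision on the hostname of each request. As an added illustration (not code from the article or from any product it names), the block below makes that decision the way a web gateway should: the hostname is parsed out of the URL rather than matched as a substring, subdomains of a blocked domain are blocked, a more specific allow entry can override a block, and a look-alike domain that merely contains the blocked name is not treated as that domain. The last point connects to the anti-phishing advice in the same paragraph: a phishing host that imitates a blocked site is a different domain, so a block list alone will not catch it. The policy entries and the proxy log lines are constructed; `.test` is a reserved TLD.

```python
"""Hostname-based site-blocking decision (added example, constructed policy)."""
from urllib.parse import urlsplit

# Constructed policy; a real deployment would load this from configuration.
BLOCKED_DOMAINS = {"myspace.com", "example-p2p.test"}
ALLOWED_EXCEPTIONS = {"help.myspace.com"}   # more specific than the block, so it wins


def decide(url):
    """Return 'block' or 'allow' for a requested URL."""
    if "://" not in url:
        url = "http://" + url                 # tolerate bare hosts in logs
    host = urlsplit(url).hostname             # lowercased; userinfo, port and brackets removed
    if not host:
        return "block"                        # unparsable request: fail closed
    labels = host.rstrip(".").split(".")
    # Walk from the most specific suffix (full host) to the least (TLD);
    # the first list that matches decides, so a specific allow overrides a broader block.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in ALLOWED_EXCEPTIONS:
            return "allow"
        if suffix in BLOCKED_DOMAINS:
            return "block"
    return "allow"


# Constructed proxy-style lines: timestamp, client, method, URL.
SAMPLE_PROXY_LOG = [
    "1167609600.123 10.0.0.5 GET http://www.myspace.com/profile",
    "1167609601.456 10.0.0.5 GET http://myspace.com.phish.test/login",
    "1167609602.789 10.0.0.7 GET https://help.myspace.com/faq",
    "1167609603.000 10.0.0.9 GET http://myspace.com@evil.test/",
    "1167609604.000 10.0.0.9 GET http://MYSPACE.COM./",
]


def audit(log_lines):
    """Apply the policy to each logged URL; returns (url, decision) pairs for tuning."""
    results = []
    for line in log_lines:
        url = line.split()[3]
        results.append((url, decide(url)))
    return results


if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_PROXY_LOG):
        print(f"{verdict:5}  {url}")
```

The fourth log line shows why matching on the parsed hostname matters: `myspace.com@evil.test` is a request to `evil.test` with `myspace.com` as the userinfo, so a substring filter would block it for the wrong reason and, conversely, would let `myspace.com.phish.test` through or block it depending only on luck. The exception handling is deliberately narrow; everything not listed is allowed, which is the permissive default most gateways start from before a deny-by-default posture is adopted.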

Howard also recommends that the enterprise communicate overall best practices to its employees on a regular basis. These include:

  • Never provide personal information to someone in a social network environment since you never really know who is on the other end
  • Never provide company confidential or proprietary information to someone in a social network environment
  • Never perform file sharing across a social network environment

“It’s hard to draw the line to decide what to allow and what not to,” admits Protas. “So if you’re going to try and block users from these sites, make sure you protect the end points.”