What is the value proposition for allowing users access to social networks?
What is the value proposition for allowing employees access to Web 2.0 resources such as social networks?
Every other day, we hear about the risks. Compromised Twitter accounts, phishing via LinkedIn, and malicious Facebook apps are only a sample of an ever-growing landscape. Most enterprises, appreciating the threats these pose to an environment, simply deny access to social networks from company systems and networks.
Even within such organizations, there are users who need to access social networks to perform their job functions. LinkedIn has become a great tool for recruiting prospective new hires. More companies are using Twitter, Facebook, Myspace and others to promote their business and connect with customers.
But outside of that, is there value in allowing employees whose job functions do not require it access to social networks on company systems?
I’m prompted to ask this because last week I was at a meeting of the Northern Virginia chapter of the Information Systems Security Association (ISSA-NOVA) and the speaker was the deputy CISO of the IRS, Devon Bryan. He spoke about how the IRS was dealing with the security challenges posed by Web 2.0, particularly social networking. Their current stance is to block all access except for those employees whose job function requires it. Most security professionals would agree this is probably wise. However, he also added that they are looking at technology that would allow users to “view” social networking sites, but not allow them to “update” them. As he explained, or tried to, read vs. write/execute.
As this was an audience full of security professionals, it was quickly pointed out that drive-by malware downloads only require the user to browse the infected web page or one that is linked to an infected web page. To view is to infect, so to speak. There was then talk of how to mitigate that using virtual machines or proxies.
I have no doubt the technical challenges can be overcome. The hackers who now treat social networks as the new frontier will probably change tack to react as well. Besides wanting to keep employees happy, what’s the policy rationale for allowing users to follow their subscribed tweets or friends’ updates? Never mind the adverse effect this will have on productivity. Really, why bother?
William J McBorrough is a Security Expert with many years of success Managing, Designing, and Implementing medium and large enterprise Physical and Information Technology Security Solutions. His experience spans the spectrum from small e-commerce start-ups to multi-campus state and federal agencies to global financial sector organizations. He is on the faculty of various universities including University of Maryland University College, EC-Council University, George Mason University and Northern Virginia Community College, where he conducts research and teaches graduate and undergraduate courses relating to cybersecurity, cybercrime, cyberterrorism, and information security and assurance. He holds a Bachelors of Science in Computing Engineering with a concentration in digital networks and a Masters of Science in Information Security and Assurance. He is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified in Risk Information System Control (CRISC), and Certified Ethical Hacker (CEH). He is well versed in personnel, systems and network security risk management. His core competencies include developing cost-effective solutions to enable mission assurance in the following areas: Enterprise Risk Management, IT Governance, Security Organization Development, Information Security and Assurance.