Social networking for the antisocial enterprise
Commentary--Just when we thought we had email figured out, along comes social networking. Within only the past few years, sites such as MySpace and YouTube have skyrocketed in popularity and list visitor numbers in the millions. And those millions of visitors aren't just kids. There's a reason IT horror stories exist. Despite the security policies set in place, the continual warnings and repeated emails, users will still click on links in suspicious emails, accidentally visit malware-infested sites, become victims of phishing attacks, and so on. In the past year alone, MySpace visitors have been the repeated target of attacks, from a cross-site scripting attack last fall to continual phishing attacks.
As with any new social technology, these attacks are only the beginning, and potentially represent a drop in the bucket compared to the havoc a sophisticated attack could bring. And all it would take is a click on the wrong link or image from a seemingly harmless poster to introduce a form of malware or open up internal network access to malicious parties.
IT's knee-jerk reaction to social networking sites might be to block employee access from the corporate network. This reactive and traditional solution is simply a band-aid on a much larger problem, and as we have seen, resourceful users always find a way to access what they want. In addition, most enterprises are still getting their arms around how to use these new sites effectively for their own gain. For example, company and employee blogs or brand pages on MySpace are quickly becoming another layer in corporate communications. Rather than block access, enterprises should first gain visibility into the activities of users on their network, the corporate assets and resources those users interact with, and what they actually do with those resources.
In order to cost-effectively and efficiently monitor actions and behavior on the network, such as accessing and downloading potentially harmful content from social networking sites, enterprises must shift their thinking from a reactive or negative model to a positive model of security.
So what's the true difference between a negative and positive model of security? A negative model only tries to define any possible negative influence on the intended business process, whereas a positive model looks specifically at what the business process is and how it was implemented.
For example, in a negative model of security, an enterprise would rely solely on its antivirus or personal firewall software to detect when an attack is launched through a user's browser. In the case of the cross-site scripting attacks on MySpace users, this model would be ineffective because an attacker could take control of a user's browser and monitor all of their activities, collecting log-in names and passwords to the internal network.
Once these credentials are collected, the malicious party has access to an enterprise's internal network and sensitive IP. While firewalls and antivirus software will detect when a malicious site attempts to install malware, such as backdoors and zombie programs, on a user's computer, they cannot detect covert hijacking, as a browser is a permitted application in the enterprise.
Rather than spend time, money and costly resources on continually adding layers of security to hopefully protect your business processes or resources against disruption or misuse, a positive, risk-centric model of security can be applied to an enterprise, allowing for the better use of existing security applications and products, as well as gaining a deeper understanding of your internal network behavior.
To make this possible, it is necessary to monitor all communications and data traversing the network in a business context that visually supports the business goals and policies in place. Through this positive model, security measures protect the integrity of assets by watching the processes themselves, instead of trying to predict and detect any number of negative influences against them. This drastically simplifies the configuration and is much more future-proof against potential negative impacts. And it will go a long way in protecting your enterprise from becoming a casualty in the next inevitable threat to propagate on MySpace or other emerging social networking sites.
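The contrast between the two models can be run over a handful of flow records. This is an added example, not part of the original commentary or any vendor's product: the key=value log format, the role and asset names, the signature names and the policy set are all assumptions constructed for illustration.

```python
import re

# Negative model: enumerate known-bad indicators (constructed signature names).
KNOWN_BAD_SIGNATURES = {"trojan-dropper", "backdoor-installer"}

# Positive model: enumerate how the business process is meant to run.
# Hypothetical policy of expected (role, destination asset, application) flows.
EXPECTED_FLOWS = {
    ("sales", "internet", "http"),
    ("sales", "crm", "https"),
    ("engineering", "internet", "http"),
    ("engineering", "source-repo", "ssh"),
}

# Constructed flow records in an assumed key=value format, not real traffic.
SAMPLE_LOG = """\
user=alice role=sales dst=internet app=http sig=-
user=alice role=sales dst=internet app=http sig=trojan-dropper
user=alice role=sales dst=source-repo app=ssh sig=-
user=bob role=engineering dst=source-repo app=ssh sig=-
corrupted record without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"user", "role", "dst", "app", "sig"}

def parse(line):
    """Return a dict of fields, or None if the record is incomplete."""
    rec = dict(FIELD.findall(line))
    return rec if REQUIRED <= rec.keys() else None

def negative_alert(rec):
    """Fires only when an already-known signature matches."""
    return rec["sig"] in KNOWN_BAD_SIGNATURES

def positive_alert(rec):
    """Fires on any activity outside the defined business process."""
    return (rec["role"], rec["dst"], rec["app"]) not in EXPECTED_FLOWS

def evaluate(log):
    """Return (line_no, negative, positive) per record; unparsable lines
    yield (line_no, None, None) so they are reviewed rather than dropped."""
    out = []
    for n, line in enumerate(log.splitlines(), 1):
        rec = parse(line)
        out.append((n, negative_alert(rec), positive_alert(rec)) if rec
                   else (n, None, None))
    return out

if __name__ == "__main__":
    for row in evaluate(SAMPLE_LOG):
        print(row)
```

Record 3, a sales account reaching the source repository with valid credentials and no signature hit, is invisible to the negative check and flagged by the positive one; record 2 shows the signature check still catching what the process policy permits.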
biography
Jonathan Bingham is the chief strategist and co-founder of network security company Intrusic.