
Security risks of Web 2.0 tools should not be overlooked by enterprises, individuals

Like it or not, the use of Web 2.0 technology in enterprises is here to stay.
Written by Jennifer Leggio, Contributor

Like it or not, the use of Web 2.0 technology in enterprises is here to stay. Even longstanding enterprise software providers, such as Salesforce.com, have created tools for integrating social networks into the customer support and lead generation process. And you'd be hard-pressed to find a Fortune 500 company that doesn't, at the very least, have a corporate blog.

Over the last few weeks, two organizations issued study results focusing on the use of social networking within the enterprise. RSA Conference, in its "What Security Issues Are You Currently Facing?" report, surveyed nearly 150 C-level executives and professionals charged with directing, managing and engineering security infrastructures within their respective organizations.

Social networking and security was a consideration; however, it appears that organizations thus far claim to have been minimally impacted by social network threats. According to the survey, 84 percent of respondents allow Twitter and Facebook in the enterprise, yet only 3 percent were seriously affected by the recent Facebook and Twitter phishing attacks.

"The fact that only 3 percent of people surveyed said that their companies had been impacted shows how big the problem really is," said Mike Murray, chief information security officer for Foreground Security. "The problem is that the security technology they have in place doesn't allow them visibility into the threats. Current technologies are not looking for threats that take advantage of human weakness. It's like having your hands over your eyes. It's such a bad problem they can't even see it."

In another study, Frost & Sullivan issued its "Web 2.0 Tools: Consumer Technologies Entering the Enterprise World" report. The firm surveyed more than 1,400 Web 2.0 tools users who work full-time within a U.S. organization. According to the report, there are many perceived risks of Web 2.0 tools in the enterprise, including fear of confidential information inadvertently being published, malware being allowed onto corporate networks, network bandwidth issues and loss of employee productivity. Respondents ranked social networks as the tool with the largest perceived risk, above blogs, wikis and team spaces. Yet even though users saw social networks as the greatest risk, they still rated that risk as only "moderate."

The fact that both studies indicate a lukewarm concern toward Web 2.0 tools in the enterprise is alarming, and to Murray's point shows that those surveyed may not understand the larger problem at hand. Earlier this year Kaspersky Labs issued a report stating that attacks through social networks are 10 times as effective as distributing malware through email. The notion that Web 2.0 tools, including social networks, pose a security risk mainly to individuals is a misconception: any of these types of attacks could have serious ramifications for businesses.


"There are so many different threats. [Cyber criminals] can steal network passwords, install Trojans, and so on. Social engineering is a crime of imagination," said Murray. "If I happen to know something about the company and I know what your crown jewels are, I can convince someone to give me the crown jewels through a Facebook message. The number of different methods is limited only by the imagination of the attacker."

Brand control and protection is another legitimate and pressing concern for businesses. If the company Twitter feed gets compromised, there are reputation issues at hand, not to mention potential litigation if the corporate-branded feed unwittingly feeds links to malicious content.

Corporate network and brand compromise, as well as data leakage through Web 2.0 tools, are issues that should be taken seriously, in both policy and technology, according to Greg Young, research vice president in Gartner's security and privacy group.

"I believe there are three elements: malware, data exposure, and brand protection. Most companies need to do both technology and policy work. And not just from a 'do we allow' but 'can we inspect it for malware and other threats notwithstanding that policy?'" Young said. "And recognize that no matter what you do at the top of your corporate network, employees can and will be using mobile devices to get around policy. My Twitter search pane on 'firewall' is about 75 percent of people seeking advice on how to get around their company's."

The issue of policy is a much talked about one, so much so that SHIFT Communications, one of the more forward-thinking and -acting public relations agencies, created a template for companies that need direction in developing their social media policies. The baseline policies as SHIFT created them are great and address many of the behavioral issues that might be exploited through social engineering or other social hacks. Instituting the policies is important, but it's doubly important that companies hold their employees accountable for upholding them.

"Even if you don't have social media as a formal part of your company today, you do have it as an informal part through the activities of your employees," said Young. "Social networking is an application that your employees use, and the security that comes with it so far has been inadequate. The security model for social networks is a significant change that people are tripping up on: social networking generally has a negative security model, which is to make it visible to all unless you specify otherwise... I believe that there is some good technology help emerging from intrusion prevention systems (IPS), data leakage prevention (DLP), and application inspection within SSL encrypted connections for the malware vector."

Want to learn more about social networking and its impact on business security? Mike Murray and Jennifer Leggio will co-present on this topic at Learn About Web in Denver on Sept. 14-15, 2009.
