You have to hand it to Sophos, they were on top of this emerging social networking security thing a good couple of years ago. And boy, doesn't it seem like a relevant topic today.
At the time, just as MySpace and Facebook were taking flight, researchers at the company created a phony account built around the persona of a small plastic frog and successfully convinced a bunch of people, mostly college kids, who were using the nascent networking sites to fork over all sorts of personal information to a virtual stranger, forgive the pun.
Since then, obviously, social networking sites have matured far beyond a new way for students to figure out who all the cute girls in their classes are, and on top of Facebook and MySpace we have properties like LinkedIn that are wholly dedicated to letting people list their professional status and associations. (Full disclosure: I've been on there for years.)
And, at the same time, hackers have begun using the services to play on people's trust in fellow users and get them to fall for malware schemes.
But to me, and many others, the use of social networking sites to distribute attacks is really just the tip of the spear. If anyone ever wanted to create a believable spear phishing attack to get their hooks into a particular organization, the sites clearly provide the perfect avenue for collecting detailed personal data about strategic individuals: who they work with, who they report to, what they work on. The information is all there.
It'd be pretty easy, the thinking goes, to figure out who people talk to on a regular basis and create a targeted attack that mimics their actual workflow. Heck, someone could have already done it to me and I'd never know it. How many e-mails do you receive from your bosses and colleagues each day? How many times do you call them or walk over to their desk before opening an e-mail attachment from one of said sources? Me neither.
At the SOURCE Boston 2009 Conference in March, security experts on a panel discussing corporate risk management issues spent much of their allotted time debating the merits of allowing workers to use social networking tools for productivity purposes, versus banning the sites to prevent people from creating powerful social engineering templates for potential attacks.
And, apparently security researchers aren't the only ones concerned about this problem anymore. According to the results of a survey published by Sophos on Tuesday, some 63 percent of the systems administrators it recently interviewed "worry that employees share too much personal information via their social networking profiles, putting their corporate infrastructure - and the sensitive data stored on it - at risk."
If you doubt that social networking use already poses a threat beyond all things social, the report also contends that 25 percent of the organizations surveyed have already been the victim of spam, phishing or malware attacks delivered via sites including Twitter, Facebook, LinkedIn and MySpace.
Where companies used to worry more that their workers were spending too much time slacking on Facebook, now they're waking up to the even larger security issues, said Sophos Senior Technology Consultant Graham Cluley in a report summary.
"The initial productivity concerns that many organizations harbored when Facebook first shot to popularity are giving way to the realization that there are more deliberate and malicious risks associated with social networking," Cluley writes. "As cybercriminals choose to exploit these sites for nefarious purposes, both innocent users and companies are finding themselves in the firing line. But until users wise up to the dangers and firms begin to take precautionary measures to combat these threats, then the situation will intensify."
When asked about their specific experiences, over 33 percent of the 700 individuals interviewed by Sophos said they've already been spammed via a social networking site, while 21 percent said they'd been phished, and another 21 percent said they've been exposed to malware attacks delivered through the sites.
At the same time, trends like social media marketing are all the rage, and companies are rushing to find new ways to embrace the tools even further.
Bottom line: this social media security issue is not going to be solved, or go away, anytime soon.
Rather than advising a ban on the sites, Sophos advises that organizations train their employees to use them wisely, and ensure that their malware filters are all up to date.
I think that has to be the way to go, as blocking access will only lead to people circumventing security controls to use them, likely putting their employers at even bigger risk.
Social networking has opened up a whole new world of applications for communicating and meeting other people in amazing new ways.
That may still be news to some people, but to the smart folks in IT security, that reality and its inherent risks have already been in play for a while.
Please feel free to Tweet this post. I'll even add you as a friend.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.