Social media has its place, just not everywhere
Agencies can employ interactive tools, but they need policies for appropriate use
David Amsler holds bachelor’s degrees in business administration and political science, but his passion is IT security. “I’ve been into computers since I was growing up,” he said. “After college, I jumped back into the IT world. Security was always my biggest interest.” He founded Foreground Security in 2000 and is now the company’s president and CIO. He has worked with a number of agencies, including the Internal Revenue Service, Defense Department, FBI, National Security Agency and NASA, and has helped agencies develop policies for the secure use of new interactive online Web 2.0 tools such as social networking sites.
GCN: Do social networking tools have a legitimate place in the enterprise?
AMSLER: In some cases, yes, absolutely; they have morphed into useful tools. In some cases, absolutely not. Most of these tools were never intended or developed for enterprises. Facebook was a networking tool for kids in college until they opened it up. Twitter was just a “Hey, this sounds like a good idea” kind of a tool. Most blogs were just ways for people to get out their ideas. I don’t know of many that were developed for enterprises, but some of them have become useful. Take the [Centers for Disease Control and Prevention’s] Facebook and Twitter sites. They are a quick way to let everyone have the latest updates on any issues. Some have been specifically designed as social networking sites for government personnel. But others are not, and they are probably the largest threat to any enterprise today.
What are the risks from these tools?
All of them have risks, which I would categorize in a couple of main areas. One is information disclosure or leakage. A lot of users share everything on these sites without realizing the risks or potential damage they are introducing to their environment. Some information that people disclose can be easily used against an organization, whether in a directed spear phishing attack or some kind of directed malware attack.
Another thing is, according to the latest statistics, about 70 percent of the attacks today are Web-based, and the most popular threat vector for attacking users is through social networking sites. Most people don’t realize that you can actually host an application on a separate website, and because I’m referencing it from my Facebook site, the site fully trusts that application. All I have to do is get you to go to my Facebook page and view a picture or click on a tiny URL you see in Twitter, and it takes you to some malware site in China. I can put malware in PDF documents, and even most government agencies do not have the security controls in place to identify that malware and protect against it, especially when it’s coming through the Web browser.
Everyone assumes that everything on these social networking sites is completely secure. Everyone assumes that Facebook has made sure it is secure. That is completely false. When you put an application up there, Facebook doesn’t even look at it. They don’t do any verification; they’re just simply hosting it. Their policy states that.
Are there agencies or missions from which such tools should be banned?
Absolutely, especially in the government arena. If you are talking about sensitive or top-secret arenas, it’s just not worth the risk, whether due to the potential for disclosure or to the openness to malware. I just don’t see the value. What is there on a social networking site that you are going to be using it for, other than doing some reconnaissance yourself, like the CIA and the FBI do? That can be done separately on a separate network.
The Defense Department is in a special situation: It has a lot of classified and sensitive information in its systems, but it also has to accommodate a lot of people who want to use social networking in their personal lives. How should it deal with that dichotomy?
That’s a tough world because there is a balance between security and the morale of all of your components. It requires a security program. In the DOD, you’ve got your classified networks, and those environments are segmented. On those, it should never be allowed.
On the standard users’ network, are there use cases for it? Absolutely. You have to decide how you are going to allow it. The DOD has struggled with this, but it is a program that has multiple components to it. It’s got to have policies behind it as to: Here is what is allowed, here is what is not; here is what you’re allowed to disclose, what you aren’t. There is an education piece to that to help them understand the risks. And then there’s a technology piece to it. What are the controls that are going to be put in place to block certain components but allow others?
I tell most of my customers you can do this, and there is no magic bullet that is going to allow you to do it perfectly. But you can allow somebody to go to a site such as Facebook and do basic functions and block the more dangerous areas, such as the applications and the fact that they connect to other websites and other domains. And there are network-based controls and host-based controls that should be used to put defense-in-depth measures in place.
Are there examples of agencies that are using social networking effectively for their missions?
Yes. Military.com is a great example. That has the largest user base out there. It’s a closed social networking site for military personnel. GovLoop is another great one. It’s independently created, but you have to be approved to get on the social networking sites. It’s adding in some layers of security, and it’s just for government personnel. It is specifically targeted at government personnel and contractors to discuss government-related initiatives.
A lot of congressmen now are effectively using social networking sites to communicate with their constituents, and reversing that so that constituents have better access to the politicians. And CDC has a great Facebook and Twitter page with updates on pandemics and health care initiatives. It’s an effective way to communicate.
How do you ensure security while using these tools?
Most of the government clients that I see are not doing everything they should. Some customers decide they are going to allow it and buy a magic-bullet technology that will fix all their problems. That is a terrible philosophy. And a lot of people have said it is just too insecure, and we’re not going to allow it. That’s not going to work either because there are legitimate uses for it. The president has made open government an initiative.
The answer is a proper program with different pieces. It has a policy and controls that are going to be in place. Another piece is user education. That is the one that most customers completely forget. You have to educate the user on what the risks are, how to properly use it, and what you are and are not allowed to disclose. And the last piece is you have to have some security technology and controls in place. There have to be some network-based controls, and there have to be some host-based controls.
Is the technology out there to effectively do this?
It is never 100 percent, but if you [establish] a good defense in depth, I think the technology is there to do a very effective job. There are some vendors who say, “I have this Web 2.0 gateway that is going to solve all of your problems.” That’s just not the case. There has got to be a piece on the user’s desktop, so that the user is protected.
The most popular thing for that is sandboxing the Web browser so that if I download malware, it doesn’t get access to my operating system, and when I close my browser, it just wipes it away. And there have to be some network-based controls so that I can allow you to go to Facebook so that you can upload and see information, but I’m not going to allow you to download applications. No executable code is going to be allowed into my network or out of my network. There are technologies that, combined, can achieve your goal.
But even if I put this whole program together, it’s an evolving world. You have to have continuous monitoring in place where you are identifying new social networking sites, new attack vectors. Do I have to change my policies? Do I have to change my education? Do I need to update or change my security controls? And you’re only as good as the day you put it in place.
What are the elements of an effective policy for using social networking?
There are some specific publications that [the National Institute of Standards and Technology] has put out with recommendations on making policy decisions based on risk level. If you’re a low-risk environment, maybe your policy only needs to have these specific components in it, and if you’re a high-risk environment, then maybe you’re only allowed to go to sites to obtain information but you can’t disclose anything. Are any specific applications or tools allowed to be used or not?
The policy has to outline what your type of controls are going to be, what your user training should be, what the documentation should be. There should be an acceptable-use policy that all users have to accept.
Does a policy need to be built from scratch, or are there good templates that can be used?
You don’t have to start from scratch. We do a lot of work with the Health and Human Services Department, and they are a perfect example. There are so many different operating divisions in the department, and there is a big difference between what the policy of the office of the secretary might be — they are an outreaching group, and they want to be sharing information and getting information from people — versus what the policy of the National Institutes of Health should look like. A lot of the things they are doing are very sensitive. So it’s not going to be one-size-fits-all, but if you are a government agency or contractor, there already are some useful templates to follow that the federal CIO Council’s Web 2.0 Working Group has published. Their latest version of that is on the CIO.gov Web site, and NIST has some specific guidelines that a lot of agencies have contributed to.
What are some of the common mistakes in using these tools when creating use policies?
Most of the pitfalls I’ve seen are static programs or not full programs. I’ve seen a lot of agencies just go out and buy the latest technology that somebody is peddling. But they don’t have any policy, they don’t have any procedures, and most importantly, they don’t have any continuous monitoring. If you don’t have the full program in place, and one that can evolve, then you really haven’t accomplished anything other than maybe wasting some money.