How to allow social media without getting 'Koobfaced'
New tools can help CISOs develop a risk-based approach
- By (ISC)2 Government Advisory Council Executive Writers Bureau
- Aug 03, 2010
Web 2.0 has quickly become “Enterprise 2.0,” as a growing number of social networking applications already dominate the corporate environment and seek to make their way into the federal space. Today, Web 2.0 sites – those that allow user-generated content – comprise many of the most-visited sites on the Internet.
However, the very aspects of Web 2.0 sites that have made them so revolutionary – the dynamic nature of content, the ability for anyone to easily contribute content and the mutual trust of each other’s online networks – are the same characteristics that radically raise the potential for not only abuse but also the use of Web 2.0 as yet another cyberattack vector.
At their most basic levels, Web 2.0 social networks such as Facebook, MySpace, LinkedIn, Orkut and Twitter, along with wikis and blogs, provide a set of features for end users to set up and customize a personal profile and determine privacy settings that control profile page viewing by others. They also offer the ability to block an unwanted member.
This creates a facade of trust, where users feel comfortable enough within their network to click on every link they receive and post the most intimate details about their private lives. It is inherent to Web 2.0 that users do not exercise the same amount of caution on social networks as they would when communicating in person, setting up scenarios where it becomes very easy to manipulate these trusted networks for malicious purposes.
Air Force writes a book on social media protocol
Teachable moments from NASA’s social media project
At the most insidious level, the manipulation of trust in social engineering attack scenarios becomes even more dangerous when the URL lure is associated with a drive-by malware download. In the Koobface2 malware attack, miscreants manipulated Facebook’s private messaging system to infect computers via a link promising a video file. Unsuspecting users started receiving private messages (again, from trusted friends) with a link to a third-party site and a message that said simply: “You look just awesome in this new movie.”
By clicking the link, the user is directed to a Web site that pops up an alert that the user needs to download a Flash Player update. That Flash Player update was actually a malicious executable programmed to steal sensitive data from an infected machine. Once that executable is installed on a Facebook (or MySpace) user’s machine, the victim then becomes a pawn in the attack. The next time the user of the infected machine logs into Facebook, the lure is then sent to the user’s friends and the infected link is automatically added in comments on friends’ pages. This creates a network worm capable of propagating an infection across the globe.
It is no wonder, in light of the uncertainties surrounding an ever increasing cyber-threat vector targeting these Web 2.0 technologies, that federal chief information security officers often find themselves at a crossroads faced with an essentially “binary” decision – either “allow-all” or “deny-all,” with the latter being the de facto standard. If we can assume that federal CISOs have already resolved the more seminal human resources issues regarding appropriate use of Web 2.0 and have addressed the foundational questions relating to classification and sensitivity of data to be shared, then the complex challenge that remains is how to manage the malware risk. How to yield to the exploding Web 2.0 clamor without unduly exposing critical agency systems and data to the likes of Koobface?
So, as federal CISOs contemplate potential technical approaches, the question becomes, “Is there a way to allow government employees to access Facebook, MySpace, Twitter, wikis, blogs, etc., from their government workstations while minimizing the likelihood of them being infected with Koobface, its many variants or ‘Koobface next-gen’?”
As it turns out, there have been some very recent developments in technology that afford CISOs the ability to exercise a more granular level of control over the various types and behaviors of applications that are flowing across their Internet egress/ingress points.
Specifically with Web 2.0 technologies, based on key technological developments in Internet monitoring technology, as well as the next generation of firewalls – “Firewalls 2.0,” as some of these vendors have labeled their latest generation of application firewalls – CISOs now have greater visibility and control over what their employees can do on social networking sites.
For example, to minimize enterprise risk to malware downloads from Web 2.0 sites, using what are referred to as next-generation, application-aware Internet perimeter security technologies, CISOs are now in a position to make an arguably more user-friendly decision to allow “read” but no “write/post” or no downloads, which essentially allows controlled access to social networks.
For some CISOs, miscreants’ use of Web 2.0 as cyberattack vectors to promulgate malware is considered a major show-stopping factor leading to the de facto “no” on Web 2.0 adoption. Minimizing this activity ranks high. However, whether allowing read-only access to Web 2.0 runs counter to the underlying core appeal and operating premise of user-generated content is up for debate and represents a more philosophical discussion.
In conclusion, federal CISOs now have several new options to consider as they look to address the clamor of rank-and-file federal employees for access to Web 2.0 collaborative media, thanks to recent developments in security technology. But there are many nontechnology based considerations federal CISOs have to factor into their decisions as well. The fact that, “it’s all about securing the data” first and foremost requires information security policy and data retention to be addressed.
Also, beyond the technology aspect, employee behavior must be considered. Even after the “application-aware firewall 2.0” solution has been integrated with the agency’s data leakage protection technologies, these technical controls alone do not guarantee that an employee will not inappropriately share sensitive information using Web 2.0 services. Limitations must be codified in policy, documented in user rules of behavior and must be the subject of continual awareness training.
Finally, CISOs should not yield to peer pressure in deploying Web 2.0 technologies just because everyone else is doing it. They should not allow themselves to be pressured into enabling new services, simply because it’s the latest hype and individual employees are clamoring for it. Rather, a risk-based review of agency business requirements should be conducted to determine what technologies actually fit the agency’s model for information sharing.