Social media has its place, just not everywhere

There is a place for social networking and interactive Web 2.0 tools in the enterprise, but they also pose new risks and need to be accompanied with appropriate policies and technology, Foreground Security founder David Amsler says.

David Amsler holds bachelor’s degrees in business administration and political science, but his passion is IT security. “I’ve been into computers since I was growing up,” he said. “After college, I jumped back into the IT world. Security was always my biggest interest.” He founded Foreground Security in 2000 and is now the company’s president and CIO. He has worked with a number of agencies, including the Internal Revenue Service, Defense Department, FBI, National Security Agency and NASA, and has helped agencies develop policies for the secure use of new interactive online Web 2.0 tools such as social networking sites.

GCN: Do social networking tools have a legitimate place in the enterprise?

AMSLER: In some cases, yes, absolutely; they have morphed into useful tools. In some cases, absolutely not. Most of these tools were never intended or developed for enterprises. Facebook was a networking tool for kids in college until they opened it up. Twitter was just a “Hey, this sounds like a good idea” kind of a tool. Most blogs were just ways for people to get out their ideas. I don’t know of many that were developed for enterprises, but some of them have become useful. Take the [Centers for Disease Control and Prevention’s] Facebook and Twitter sites. They are a quick way to let everyone have the latest updates on any issues. Some have been specifically designed as social networking sites for government personnel. But others are not, and they are probably the largest threat to any enterprise today.


What are the risks from these tools?

All of them have risks, which I would categorize in a couple of main areas. One is information disclosure or leakage. A lot of users share everything on these sites without realizing the risks or potential damage they are introducing to their environment. Some information that people disclose can be easily used against an organization, whether in a directed spear phishing attack or some kind of directed malware attack.

Another thing is, according to the latest statistics, about 70 percent of the attacks today are Web-based, and the most popular threat vector for attacking users is through social networking sites. Most people don’t realize that you can actually host an application on a separate website, and because I’m referencing it from my Facebook site, the site fully trusts that application. All I have to do is get you to go to my Facebook page and view a picture or click on a tiny URL you see in Twitter, and it takes you to some malware site in China. I can put malware in PDF documents, and even most government agencies do not have the security controls in place to identify that malware and protect against it, especially when it’s coming through the Web browser.

Everyone assumes that everything on these social networking sites is completely secure. Everyone assumes that Facebook has made sure it is secure. That is completely false. When you put an application up there, Facebook doesn’t even look at it. They don’t do any verification; they’re just simply hosting it. Their policy states that.

Are there agencies or missions from which such tools should be banned?

Absolutely, especially in the government arena. If you are talking about sensitive or top-secret arenas, it’s just not worth the risk, whether due to the potential for disclosure or to the openness to malware. I just don’t see the value. What is there on a social networking site that you are going to be using it for, other than doing some reconnaissance yourself, like the CIA and the FBI do? That can be done separately on a separate network.

The Defense Department is in a special situation: It has a lot of classified and sensitive information in its systems, but it also has to accommodate a lot of people who want to use social networking in their personal lives. How should it deal with that dichotomy?

That’s a tough world because there is a balance between security and the morale of all of your components. It requires a security program. In the DOD, you’ve got your classified networks, and those environments are segmented. On those, it should never be allowed.

On the standard users’ network, are there use cases for it? Absolutely. You have to decide how you are going to allow it. The DOD has struggled with this, but it is a program that has multiple components to it. It’s got to have policies behind it as to: Here is what is allowed, here is what is not; here is what you’re allowed to disclose, what you aren’t. There is an education piece to that to help them understand the risks. And then there’s a technology piece to it. What are the controls that are going to be put in place to block certain components but allow others?

I tell most of my customers you can do this, and there is no magic bullet that is going to allow you to do it perfectly. But you can allow somebody to go to a site such as Facebook and do basic functions and block the more dangerous areas, such as the applications and the fact that they connect to other websites and other domains. And there are network-based controls and host-based controls that should be used to put defense in depth measures in place.

Are there examples of agencies that are using social networking effectively for their missions?

Yes. Military.com is a great example. That has the largest user base out there. It’s a closed social networking site for military personnel. GovLoop is another great one. It’s independently created, but you have to be approved to get on the social networking sites. It’s adding in some layers of security, and it’s just for government personnel. It is specifically targeted at government personnel and contractors to discuss government-related initiatives.

A lot of congressmen now are effectively using social networking sites to communicate with their constituents, and reversing that so that constituents have better access to the politicians. And CDC, they have a great Facebook and Twitter page with updates on pandemics and health care initiatives. It’s an effective way to communicate.

How do you ensure security while using these tools?

Most of the government clients that I see are not doing everything they should. Some customers decide they are going to allow it and buy a magic-bullet technology that will fix all their problems. That is a terrible philosophy. And a lot of people have said it is just too insecure, and we’re not going to allow it. That’s not going to work either because there are legitimate uses for it. The president has made open government an initiative.

The answer is a proper program with different pieces. It has a policy and controls that are going to be in place. Another piece is user education. That is the one that most customers completely forget. You have to educate the user on what are the risks, how you properly use it, and what are you allowed to disclose and not allowed to disclose. And the last piece is you have to have some security technology and controls in place. There have to be some network-based controls, there have to be some host-based controls.

Is the technology out there to effectively do this?

It is never 100 percent, but if you [establish] a good defense in depth, I think the technology is there to do a very effective job. There are some vendors who say, "I have this Web 2.0 gateway that is going to solve all of your problems." That’s just not the case. There has got to be a piece on the user’s desktop, so that the user is protected.

The most popular thing for that is sandboxing the Web browser so that if I download malware, it doesn’t get access to my operating system, and when I close my browser, it just wipes it away. And there has to be some network-based controls so that I can allow you to go to Facebook so that you can upload and see information, but I’m not going to allow you to download applications. No executable code is going to be allowed into my network or out of my network. There are technologies that, combined, can achieve your goal.

But even if I put this whole program together, it’s an evolving world. You have to have continuous monitoring in place where you are identifying new social networking sites, new attack vectors. Do I have to change my policies? Do I have to change my education? Do I need to update or change my security controls? And you’re only as good as the day you put it in place.
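The two answers above (the one on allowing basic site functions while blocking applications that reach out to other domains, and the one on sandboxing plus network controls that let nothing executable in or out) describe one control. The following is an added example, not code from the interview or from Foreground Security, of a small policy check of that shape: an allow-list of approved social networking hosts, a block on third-party application domains reached from an approved site, and a block on executable payloads or PDFs with active content in either direction. The allow-list, domain names, and sample requests are constructed for illustration, and the PDF keyword check is a deliberately simple heuristic.

```python
"""Content-aware policy check for approved social networking sites (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumed allow-list of approved social networking hosts (constructed values).
ALLOWED_SITES = {"www.facebook.com", "twitter.com"}

# File-format signatures that mark a payload as executable code.
EXECUTABLE_MAGIC = (
    (b"MZ", "windows-pe"),
    (b"\x7fELF", "elf"),
    (b"\xcf\xfa\xed\xfe", "mach-o-64"),
    (b"#!", "script"),
)

# MIME types that declare executable content outright.
EXECUTABLE_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/x-executable",
    "application/x-sh",
}

# PDF keywords associated with active content (a simple pdfid-style heuristic).
PDF_ACTIVE_KEYWORDS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction")


@dataclass(frozen=True)
class Request:
    url: str
    direction: str            # "download" (into the network) or "upload" (out of it)
    content_type: str
    body: bytes
    referer: Optional[str] = None


@dataclass(frozen=True)
class Verdict:
    allow: bool
    reason: str


def classify_payload(content_type: str, body: bytes) -> Optional[str]:
    """Return why a payload counts as executable/active content, or None if inert."""
    mime = content_type.split(";")[0].strip().lower()
    if mime in EXECUTABLE_CONTENT_TYPES:
        return f"executable content-type {mime}"
    for magic, label in EXECUTABLE_MAGIC:
        if body.startswith(magic):
            return f"executable magic ({label})"
    if body.startswith(b"%PDF"):
        for keyword in PDF_ACTIVE_KEYWORDS:
            if keyword in body:
                return f"pdf with active content {keyword.decode()}"
    return None


def evaluate(req: Request) -> Verdict:
    """Apply the social-networking policy to one request."""
    host = (urlparse(req.url).hostname or "").lower()
    ref_host = (urlparse(req.referer).hostname or "").lower() if req.referer else ""

    if host in ALLOWED_SITES:
        # The site is approved, but no executable code may cross the boundary
        # in either direction (downloads into, or uploads out of, the network).
        risk = classify_payload(req.content_type, req.body)
        if risk:
            return Verdict(False, f"{req.direction} blocked: {risk}")
        return Verdict(True, "allowed site, inert content")

    if ref_host in ALLOWED_SITES:
        # An application hosted elsewhere but embedded in or linked from the
        # approved site: the third-party "application" problem.
        return Verdict(False, f"third-party domain {host} reached from {ref_host}")

    return Verdict(True, "not governed by the social-networking policy")


def run_samples() -> List[Tuple[str, bool, str]]:
    """Evaluate constructed sample requests; returns (url, allowed, reason) per request."""
    samples = [
        Request("https://www.facebook.com/photo/1", "download", "image/jpeg", b"\xff\xd8\xff\xe0"),
        Request("https://www.facebook.com/files/setup.exe", "download",
                "application/x-msdownload", b"MZ\x90\x00"),
        Request("https://apps.third-party.example/canvas", "download", "text/html",
                b"<html>", referer="https://www.facebook.com/"),
        Request("https://twitter.com/docs/report.pdf", "download", "application/pdf",
                b"%PDF-1.4 /OpenAction /JavaScript"),
        Request("https://www.facebook.com/upload", "upload", "application/octet-stream",
                b"\x7fELF\x02\x01"),
        Request("https://www.example.gov/", "download", "text/html", b"<html>"),
    ]
    results = []
    for req in samples:
        verdict = evaluate(req)
        results.append((req.url, verdict.allow, verdict.reason))
    return results


if __name__ == "__main__":
    for url, allowed, reason in run_samples():
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {url}  ({reason})")
```

The check is content-based rather than extension-based on purpose: a renamed executable served from an approved host is still caught by its signature, and the same test runs on uploads, which is what "no executable code into or out of my network" requires. In a real deployment this logic sits in the web proxy or gateway alongside the host-side browser sandbox, and the allow-list and keyword sets are the pieces that continuous monitoring has to keep current.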

What are the elements of an effective policy for using social networking?

There are some specific publications that [the National Institute of Standards and Technology] has put out with recommendations on making policy decisions based on risk level. If you’re a low-risk environment, maybe your policy only needs to have these specific components in it, and if you’re a high-risk environment, then maybe you’re only allowed to go to sites to obtain information but you can’t disclose anything. Are any specific applications or tools allowed to be used or not?

The policy has to outline what your type of controls are going to be, what your user training should be, what the documentation should be. There should be an acceptable-use policy that all users have to accept.

Does a policy need to be built from scratch, or are there good templates that can be used?

You don’t have to start from scratch. We do a lot of work with the Health and Human Services Department, and they are a perfect example. There are so many different operating divisions in the department, and there is a big difference between what the policy of the office of the secretary might be — they are an outreaching group, and they want to be sharing information and getting information from people — versus what the policy of the National Institutes of Health should look like. A lot of the things they are doing are very sensitive. So it’s not going to be a one-size-fits all, but if you are a government agency or contractor, there already are some useful templates to follow that the federal CIO Council’s Web 2.0 Working Group has published. Their latest version of that is on the CIO.gov Web site, and NIST has some specific guidelines that a lot of agencies have contributed to.

What are some of the common mistakes in using these tools when creating use policies?

Most of the pitfalls I’ve seen are static programs or not full programs. I’ve seen a lot of agencies just go out and buy the latest technology that somebody is peddling. But they don’t have any policy, they don’t have any procedures, and most importantly, they don’t have any continuous monitoring. If you don’t have the full program in place and one that can evolve, then you really haven’t accomplished anything other than maybe wasted some money.
