Social networking sites mix personal and business life. Sometimes referred to as "friend-of-a-friend" sites, they build on the concept of traditional social networks, where people are connected to others through people they already know. Features differ from site to site, but they all allow you to provide information about yourself and offer some type of communication mechanism (forums, chat rooms, email, instant messaging) that lets you connect with other users. Many profiles include employment information, posts about current projects, and work-related chatter that an adversary can use to prepare an attack.

What are the security implications?

When deciding how much information to reveal, people may not exercise the same caution they would when meeting someone in person. While the majority of people using these sites do not pose a threat, malicious people may be drawn to them because of how accessible and plentiful the personal information is. The more information an attacker has about your employees, the easier it is to take advantage of you. Adversaries may form relationships online and then convince unsuspecting individuals to meet them in person, which could lead to a dangerous situation in the workplace. The personal information gathered can also be used to conduct a social engineering attack (see Avoiding Social Engineering and Phishing Attacks for more information).

So What Can You Do?

By teaching employees about internet safety, encouraging safe online habits, and guiding them toward proactive countermeasures, employers can reduce the chance that employees compromise sensitive data about themselves and the business. Encourage your employees to follow these best practices both at work and at home, because an adversary does not segregate the two when choosing an angle of attack.

Encourage employees to limit the personal information they post about work and themselves - Ask employees not to post information that would make the business vulnerable, such as schedules or sensitive business practices. If your employees post about your business, make sure the combined information, taken together across all their profiles, is not more than you would be comfortable with the public knowing; details that are harmless on their own can be aggregated by an adversary. Ask them to be considerate when posting company information, including photos. Encourage them to be just as careful about what they post about themselves, and let them know that their personal safety is as important as the safety of the business. Safety and security are best achieved by strength in numbers.

Remind employees that the internet is a public resource - Encourage employees to post only information they are comfortable with anyone seeing, and provide guidelines on what business information they may post online. This includes information and photos in their profiles, blogs, and other forums. Once information is posted online, it cannot be reliably retracted: even if you remove it from a site, saved or cached copies may still exist on other people's machines (see Guidelines for Information Online for more information).

Be wary of strangers - The internet makes it easy for people to misrepresent their identities and motives (see Using Instant Messaging and Chat Rooms Safely for more information). Encourage employees to limit who is allowed to contact them on social media sites. When they do interact with people they do not know, they should be cautious about how much they reveal about themselves or the business; provide company best practices that say so.

Be skeptical and use common sense - Encourage employees not to believe everything they read online. Adversaries may post false or misleading information about various topics, including their own identities. This is usually done with malicious intent, or as an exaggeration meant to stir up turmoil within the company. Encourage employees to take proactive steps by reporting false information, and to verify the authenticity of anything they read on the internet before acting on it.

Evaluate privacy settings - The default settings on some sites leave a profile open to the public. Provide employees with guidance on how to customize their settings, and encourage them to restrict access to their profile to people they know. Even with these restrictions there is still a risk that private and company information could be exposed, so encourage employees not to post anything you would not want the public to see. Sites change their options periodically, so encourage employees to review their security and privacy settings regularly to make sure their choices are still safe. Provide a company policy on the topic and encourage the same practices at home and on personal devices.

Be wary of third-party applications - Third-party applications may provide entertainment or functionality, but exercise care when deciding which applications to enable. Pay special attention to applications that seem suspicious, and modify settings to limit the amount of profile information an application can access. Provide a section in your business newsletter that covers such information.

Use strong passwords - Promote the use of passwords that cannot easily be guessed (see Choosing and Protecting Passwords for more information) for personal and business accounts alike, and a different password for each account so that one compromised password does not open the others. If a password is compromised, someone else may be able to access the account and do real damage.

Check privacy policies - Some sites share information such as email addresses or user preferences with other companies. This may lead to an increase in spam to company and personal email accounts (see Reducing Spam for more information).

Keep software and web browsers updated at home and work - Encourage employees to install software updates on their personal devices so that adversaries cannot take advantage of known vulnerabilities (see Understanding Patches for more information). Many operating systems offer automatic updates; if this option is available, encourage them to enable it. Consider providing a discounted employee purchase program for software and hardware, offering the same devices the business uses through the same vendors. This encourages positive behaviors, best practices, and attitudes at both home and work.

Use and maintain anti-virus software - Anti-virus software helps protect a computer against known viruses, so a virus may be detected and removed before it can do any damage (see Understanding Anti-Virus Software for more information). Because attackers are continually writing new viruses, it is important to keep definitions up to date. Consider offering the same employee purchasing program discussed above.

www.vorobetz.net  |  p: 406-551-5732  |  info@vorobetz.com  |  www.vorobetz.com
