How Are Security Processes Handled?

The initial reaction of IT security is to block, block, and block some more. Blocking is a very limited capability in social media, especially if some people do and some people do not have access to certain social media websites in the organization. Implementing URL filtering technologies is easy, but that only controls employees in the workplace. What happens when they are on the road with their laptops and using a hotel’s Wi-Fi to connect? What happens when they are at home? What happens when they use their company-provided, web-enabled smartphones?

As we have mentioned, educating the user about what they put into the social media universe is part of securing that data. By combining user education about what data can be appropriately utilized (by not trampling on the rights of the actual data owner) with the right tools, IT departments can monitor and report on data usage and, in some cases, block unauthorized use. By implementing the appropriate tools, IT can execute policies that have been put in place without impeding the business use of social media platforms. For a large company, building a simple application that tracks web usage on all company-owned smartphones and laptops can be a simple solution to monitoring social media and other website usage without blocking. We’ll cover monitoring and reporting in more depth in Part IV.

When tracking data across all platforms, patterns will emerge as companies gain more experience in implementing and using new monitoring technologies. Historically, IT has tracked employee usage and employee access to data with tools such as log management systems and Security Information Management (SIM) systems. Tracking how data is used should still be a priority; not only does it give you a historical perspective and help you to identify patterns, but it also leads to more efficient training and the deployment of more focused tools.
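The monitor-and-report approach described above can be sketched as follows. This is an added example, not code from the book; the record format, user names, network labels, and the upload threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: one record per request from a hypothetical endpoint agent.
# Fields: timestamp user device network host method bytes_out
SAMPLE_LOG = """\
2010-11-15T09:02:11 alice laptop office www.facebook.com GET 512
2010-11-15T09:05:40 alice laptop office upload.facebook.com POST 4200000
2010-11-15T21:14:03 bob smartphone hotel-wifi twitter.com POST 900
2010-11-15T21:15:47 bob smartphone hotel-wifi intranet.example.com GET 300
2010-11-16T08:30:00 carol laptop home www.linkedin.com GET 450
2010-11-16T08:31:10 carol laptop home m.flickr.com POST 12000000
"""

SOCIAL_DOMAINS = {"facebook.com": "Facebook", "twitter.com": "Twitter",
                  "linkedin.com": "LinkedIn", "flickr.com": "Flickr"}
UPLOAD_ALERT_BYTES = 5_000_000  # assumed policy threshold, not from the text

def classify(host):
    """Return the platform name for a social media domain or subdomain."""
    host = host.lower().rstrip(".")
    for domain, name in SOCIAL_DOMAINS.items():
        # Match on a label boundary so "notfacebook.com" is not counted.
        if host == domain or host.endswith("." + domain):
            return name
    return None

def build_report(log_text):
    """Aggregate requests and uploaded bytes per (user, device, network, platform)."""
    usage = defaultdict(lambda: {"requests": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7 or not fields[6].isdigit():
            continue  # skip malformed records instead of failing the report
        _, user, device, network, host, method, bytes_out = fields
        platform = classify(host)
        if platform is None:
            continue  # non-social traffic is out of scope here
        entry = usage[(user, device, network, platform)]
        entry["requests"] += 1
        if method == "POST":
            entry["bytes_out"] += int(bytes_out)
    return dict(usage)

def flag_large_uploads(report, threshold=UPLOAD_ALERT_BYTES):
    """Report, not block: list the keys whose uploads meet the threshold."""
    return sorted(k for k, v in report.items() if v["bytes_out"] >= threshold)

if __name__ == "__main__":
    print("review:", flag_large_uploads(build_report(SAMPLE_LOG)))
```

Because the records come from the device rather than from a network filter, the hotel Wi-Fi and home sessions appear in the same report as office traffic.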

A number of security controls are available for understanding how social media is used, how it can be controlled, and how it can be monitored when employees, and even customers, are accessing different kinds of information. Our major concern here is, of course, intellectual property and copyrighted information.

Collaborating Securely

The first step in utilizing social media resources securely is to determine the best methods of collaborating over social media to conduct business. Traditional forms of communication are familiar to IT departments. When you check corporate e-mail today, you hopefully use encrypted tunnels such as VPN access or you access e-mail via websites over SSL. The channels for accessing corporate data are pretty well known. You can encrypt those channels (even if you choose not to). You can monitor data access with any of the hundreds of log management tools and block access with the many available intrusion detection programs. But social media has not matured yet in terms of having the necessary tools for security. New forms of collaboration include shared online workspaces such as internal wiki pages or shared forums for discussing projects. You have to use the IT security tools you have today and put processes in place to determine which existing processes should be modified to better track social media technologies. You can encrypt all communication to internal social media platforms such as wiki access, but you have less control when your company uses third-party social media sites such as Facebook Fanpages to share information or LinkedIn groups to form discussion sessions.

Many companies give their users rights to install software on their computers. But users can install a Trojan or malware using social media applications like Facebook because they don’t realize what’s going on in the background; many users believe technical-looking messages and prompts. For example, in November 2010, McAfee Labs discovered a malicious Java applet taking advantage of Facebook. By browsing to a specific Facebook application page, the user was rerouted to a hacker site that hosted the attacking application, which displayed the message: “Sun_Microsystems_Java_Security_Update_6,” allegedly published by “Sun Java MicroSystems,” as shown in Figure 8-1. As you can see, the message seems legitimate but will actually allow a hacker to access your machine. The Trojan then steals passwords and sends a password log to an e-mail account on Gmail over an encrypted SMTP/TLS connection. Giving users the ability to install whichever social media application they want is potentially fraught with danger. To counter this reality, companies should preinstall all smartphone apps like Facebook, Flickr, Twitter, and LinkedIn so they’re secure and send employees approved links to update social media apps regularly. Many companies already do this on the desktop as a matter of policy; this policy should extend to company smartphones.

Figure 8-1 Facebook malware application being installed
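The Trojan described above mails its password log over SMTP/TLS, so the message itself cannot be inspected, but the connection still stands out in endpoint flow logs. The following is an added example, not code from the book; the log format, workstation names, process names, and the corporate relay name are assumptions constructed for illustration.

```python
SMTP_PORTS = {25, 465, 587}               # SMTP, SMTPS, submission
APPROVED_RELAYS = {"mail.corp.example"}   # assumed corporate mail relay
APPROVED_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allowlist

# Constructed sample of endpoint flow records.
# Fields: timestamp host process dest_host dest_port
SAMPLE_FLOWS = """\
2010-11-20T10:01:05 ws-114 outlook.exe mail.corp.example 587
2010-11-20T10:03:44 ws-114 java.exe smtp.gmail.com 465
2010-11-20T10:04:10 ws-207 firefox.exe www.facebook.com 443
2010-11-20T10:09:31 ws-207 thunderbird.exe smtp.gmail.com 587
2010-11-20T10:15:02 ws-114 java.exe smtp.gmail.com 465
"""

def direct_smtp_findings(flow_text):
    """Group workstation connections to mail servers other than the relay.

    TLS hides the message, so only connection metadata is used.
    """
    findings = {}
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed records
        ts, host, process, dest, port = fields
        port = int(port)
        if port not in SMTP_PORTS or dest.lower() in APPROVED_RELAYS:
            continue  # not mail traffic, or mail sent the sanctioned way
        if process.lower() in APPROVED_CLIENTS:
            reason = "approved client bypassing relay"
        else:
            reason = "non-mail process speaking SMTP"
        entry = findings.setdefault(
            (host, process, dest, port),
            {"count": 0, "first_seen": ts, "reason": reason})
        entry["count"] += 1
    return findings

def triage_order(findings):
    """Non-mail processes first, then by connection count, highest first."""
    return sorted(findings, key=lambda k: (
        findings[k]["reason"] != "non-mail process speaking SMTP",
        -findings[k]["count"]))
```

A personal mail client talking to an outside provider is a policy question; a Java process doing the same is the pattern to investigate first.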

Utilizing Technology

In Chapter 2, we categorized the steps in the Utilization of technology under Inventory, Capability, and Policy Mapping. To implement technologies to support the requirements for best practices, follow the steps in Table 8-1. You can also see how our fictional company JAG Consumer Electronics is implementing some of these tactics to improve its environment.

Table 8-1 Technology Mapping
