Dangers Specific to Social Networks

The IT security team has a number of responsibilities in enabling social media security. As you’ll see in Chapters 8 and 10, where we talk about processes and policies for utilizing resources and operations management, IT has to expand its toolset to include new technologies to help manage the risk posed by social media. Many of these tools and processes have to be managed by the IT team in conjunction with other groups in the company (such as Marketing and Legal).

With the rapid growth of social media, the stealing of e-mail contacts, passwords, and other personal information is yesterday’s news. According to a recent paper by a group of Israeli cybersecurity experts, a new threat called “stealing reality” has emerged from the social media world (http://arxiv.org/abs/1010.1028). Stealing reality is a process whereby the perpetrator preys on your entire social network, slowly pilfering information about your behavior and life. This type of attack is extremely disruptive, because the victim is not likely to change his or her entire pattern of behavior, which makes defending against future attacks exceedingly difficult. The ability to clone behavioral patterns and discern information about an individual or network through these nonaggressive methods illustrates the serious nature of these attacks. The tried-and-true methods of defense no longer apply; radical new approaches to security need to be devised.

The typical company response to a cyberattack is to identify the source of the attack and systematically update security procedures, shut down access to the compromised point of entry, and monitor for future attacks. The question today is: how do you protect your networks from an intruder who looks and acts like you? How do you even know the intruder is there or has created a fake you? How much data is available, unbeknownst to you, that could effectively compromise your security over time? The social media monitoring tools we discuss in Chapters 13 and 15 can help you find some of these social network intruders. A study led by researchers at Northwestern University collected a dataset of around 11 million Facebook profiles by exploiting a now-discontinued default Facebook feature. According to the report, messages tempted users with offers such as ringtones or used a social trap like announcing that someone had a “crush” on them. Of the messages, 70 percent were phishing attacks, but the others were attempts to gain Facebook account details—a strategy that could lead to more spam, or worse.

The H.U.M.O.R. Matrix outlined in this book stresses the importance of monitoring the conversation in an effort to identify threats to security. In Chapter 4, we identified the various threats to the different components of the matrix. At times, however, no amount of monitoring can protect your data from prying eyes. In April 2010, 15 percent of all Internet traffic was hijacked and redirected to Chinese servers. A report by the U.S.-China Economic and Security Review Commission (http://www.uscc.gov/) stated that Internet traffic was rerouted for 18 minutes, and among the websites involved in this hijacking were the U.S. Senate, the Office of the Secretary of Defense, NASA, and the Commerce Department. China, however, has “denied any hijack of Internet traffic.”

This begs the question: Who are you really conversing with? How much information was compromised during those 18 minutes, and what were the potential short- and long-term effects? If the person having the conversation appears to be legitimate, how can you truly authenticate the source? A fake source attack is basically TCP session hijacking, which has been around for a long time. An attacker takes over an established TCP session between two machines; because authentication occurs only at the beginning of the session, the attacker can then impersonate one of the endpoints, reroute traffic to another site, capture data, and route the traffic back to the legitimate site.

IT Security Restrictions to Protect Your Networks

You are already aware of some of the basic controls IT has in place or can easily put in place. With social media, fake sources and man-in-the-middle attacks are more prevalent. When an employee is at home checking into a social media site or on the road at a conference or hotel checking sites, protecting them from these types of attacks is difficult. With some products that are installed to protect against malware, viruses, and Trojans, you do get some protection from malicious or fake sites, but only to a limited degree. In Chapters 8 and 10, where we discuss tools, you’ll get a more in-depth look at software that can further manage the social networks that can impact your network security. But with networks that are under a company’s control or for web applications the company develops, some technologies are easy to put in place:

• An open source solution is ARP handler inspection (ArpON), which can block man-in-the-middle attacks carried out through ARP poisoning and spoofing. It is agent-based, however, so managing the agents adds operational overhead.

• You can use a long random number or string as the session key, which makes session keys much harder to guess.

• After a session has started, you can regenerate the session ID.

• You can encrypt the whole session. Although this adds overhead, it is probably the easiest method. Whenever your employees log in to any application, whether internal or external, encrypting the login and the session protects against an insider attacker and prevents an external attacker from capturing your data as it crosses networks.

• You can change the cookie with each request.

These countermeasures won’t work when your employees are outside of your controlled environment, like when they’re sitting in Starbucks using the free Wi-Fi. Then you have to rely on educating them not to log in to their social networks from unsecured networks. In Chapter 7, we review education in more detail.
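The three application-side countermeasures from the list above (a long random session key, a fresh session ID once the user has started a session, and a new cookie value on every request) can be seen together in a small in-memory session store. This is an added illustration, not code from the book; the store, its method names, and the 900-second idle timeout are constructed for the example, and transport encryption (the fourth bullet) is assumed to be handled by TLS outside this snippet.

```python
import secrets
import time

SESSION_ID_BYTES = 32        # 256 bits of entropy makes guessing infeasible
IDLE_TIMEOUT_SECONDS = 900   # constructed policy value for this example


class SessionStore:
    """In-memory session store (constructed for this example).

    Implements the countermeasures listed above: a long random session ID,
    a fresh ID issued at login, and a new cookie value on every request.
    """

    def __init__(self, now=time.time):
        self._sessions = {}      # session_id -> {"user": ..., "last_seen": ...}
        self._now = now          # injectable clock so the timeout can be tested

    def _new_id(self):
        # secrets (not random) draws from the OS CSPRNG; 32 bytes -> 43 chars
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def create_anonymous(self):
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._now()}
        return sid

    def login(self, old_sid, user):
        """Bind the user to a brand-new ID. The pre-login ID is discarded, so an
        ID planted in the browser before login never becomes an authenticated one."""
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def touch(self, sid):
        """Validate the presented ID, then rotate it. Returns (new_sid, user), or
        (None, None) when the ID is unknown, already used, or idle too long.
        A cookie value captured in transit stops working as soon as the real
        user makes the next request, which limits exposure to a single hop."""
        record = self._sessions.pop(sid, None)
        if record is None:
            return None, None
        if self._now() - record["last_seen"] > IDLE_TIMEOUT_SECONDS:
            return None, None
        record["last_seen"] = self._now()
        new_sid = self._new_id()
        self._sessions[new_sid] = record
        return new_sid, record["user"]
```

Rotating on every request assumes a client's requests arrive one at a time; browsers that issue parallel requests need a short grace period for the previous ID. Set the cookie with the Secure and HttpOnly flags so it only travels inside the encrypted session and cannot be read by page scripts.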
