
Social Media Security
An Introduction
Tapti Datta



Enterprises need to take precautions to make sure employees practice safe social media

Social media security concerns


Social media platforms such as Twitter, Facebook and LinkedIn increasingly are being used by enterprises to engage with customers, build their brands and communicate information to the rest of the world. But social media for enterprises isn't all about "liking", "friending", "up-voting" or "digging." For organizations, there are real risks to using social media, ranging from damaging the brand to exposing proprietary information to inviting lawsuits.

Mobile apps

The rise of social media is inextricably linked with the revolution in mobile computing, which has spawned a huge industry in mobile application development. Naturally, whether using their own or company-issued mobile devices, employees typically download dozens of apps because, well, because they can. But sometimes they download more than they bargained for. In early March, Google removed from its Android Market more than 60 applications carrying malicious software. Some of the malware was designed to reveal the user's private information to a third party, replicate itself on other devices, destroy user data or even impersonate the device owner.

Social engineering

Social media has taken this threat to a new level for two reasons: 1) People are more willing than ever to share personal information about themselves online via Facebook, Twitter, Foursquare and Myspace, and 2) social media platforms encourage a dangerous level of assumed trust. From there it's a short step to telling your new friend about your company's secret project. Which your new friend really might be able to help with if you would only give him a password to gain access to a protected file on your corporate network. Just this once!

Social networking sites

Sometimes hackers go right to the source, injecting malicious code into a social networking site, including inside advertisements and via third-party apps. On Twitter, shortened URLs (popular due to the 140-character tweet limit) can be used to trick users into visiting malicious sites that can extract personal (and corporate) information if accessed through a work computer. Twitter is especially vulnerable to this method because it's easy to retweet a post so that it eventually could be seen by hundreds of thousands of people.

Employees

You knew this was coming, but even the most responsible employees have lapses in judgment, make mistakes or behave emotionally. Nobody's perfect all of the time. Organizations need to consider employee behavior when developing their approach to social media policies and practices.

Lack of a social media policy

Without a social media policy for your enterprise, you are inviting disaster. You can't just turn employees loose on social networking platforms and urge them to "represent." You need to spell out the goals and parameters of your enterprise's social media initiative. Otherwise you'll get exactly what you're inviting - chaos and problems. Two more imperatives related to social media policy: 1) Organizations must conduct proper training for employees, if only to clear up issues regarding official social media policies, and 2) A social media initiative needs a coordinator and champion. And that means a social media manager.


Social media security in the News


Recently, there has been an increase in web malware and spam activities because social networks can be used to support these attacks. Social networking web sites are acting as powerful magnets that attract fraudsters. Social networking worms such as Koobface and the Twitter worm have already shown their devastating nature. Primarily, the social networking worms exploit a Cross-site Scripting (XSS) vulnerability to include malicious scripts from third-party domains. XSS worms are self-replicative in nature and spread rapidly on social networking web sites because of the interconnection among various profiles. This type of malware infection is termed a chain infection because one malicious node infects another. In general, the default design of social networking web sites is exploited to conduct attacks and spread malware.

One of the most common techniques used by attackers is generating fake profiles. These profiles can be of celebrities, models, advertisements, etc. Fake profiles can be used for many purposes including monitoring users, revenge and business.

Drive-by-Download Attacks - This attack is used heavily to fingerprint the victim's browser and serve malicious executables. Drive-by-Download is defined as an attack in which a user's browser is exploited and malware is downloaded onto the victim's machine without the consent or knowledge of the user.

Exploitation of Custom Code and Social Networking APIs - The release of open application programming interfaces (APIs) by social networking web sites has completely transformed the realm of malware infections. In general, these APIs are used for customizing and designing applications that use social networking web sites to execute their content, meaning that a user can design custom code to interface with social networking web sites. The deployed custom applications can be accessed by a number of identities present in the social networking web site. Attackers design malicious applications using APIs to conduct attacks in a sophisticated manner by exploiting the generic design of an application development model, which makes the malicious applications look authentic.

Exploitation of URL Shorteners and Hidden Links - URL shortening services are used for URL optimization, in which a URL is compressed. This same tactic has been adopted by attackers to fool users, because it is difficult to determine the actual URL behind a compressed URL.
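A defensive way to recover the actual URL behind a shortened link is to follow its redirects one hop at a time with HEAD requests, so no page content is fetched or rendered, and only then judge the final host. The following is an added example, not part of the original article; the function names, the hop limit of 10 and every host in the `SAMPLE` table are assumptions constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit, urljoin

def head_location(url):
    """One HEAD request, no body fetched: returns (status, Location or None)."""
    p = urlsplit(url)
    cls = (http.client.HTTPSConnection if p.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(p.netloc, timeout=5)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, head=head_location, max_hops=10):
    """Follow redirects hop by hop; return (chain, verdict)."""
    chain, seen = [url], {url}
    for _ in range(max_hops):  # max_hops=10 is an assumed limit
        if urlsplit(chain[-1]).scheme not in ("http", "https"):
            return chain, "non-http-target"
        status, location = head(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain, "resolved"
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            return chain + [nxt], "redirect-loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "too-many-hops"

def destination_host(url, head=head_location):
    """Host the user would land on, or None when the chain is not trustworthy."""
    chain, verdict = expand(url, head)
    return urlsplit(chain[-1]).hostname if verdict == "resolved" else None

# Constructed redirect table standing in for the network (all hosts are made up).
SAMPLE = {
    "https://short.example/abc": (301, "https://landing.example/r?id=1"),
    "https://landing.example/r?id=1": (302, "/offer"),
    "https://landing.example/offer": (200, None),
    "https://short.example/loop": (302, "https://short.example/loop"),
    "https://short.example/odd": (302, "data:text/plain,constructed"),
}

if __name__ == "__main__":
    for u in ("https://short.example/abc", "https://short.example/loop"):
        print(u, "->", expand(u, head=SAMPLE.get))
```

The host returned by `destination_host` is what should be compared against the allow or block list already in use at the mail gateway or web proxy; a `None` result means the link did not resolve cleanly and should be treated as suspicious.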

Recommendations and Usability


Users should educate themselves to identify fake profiles and phishing e-mails. Users should not click suspicious hyperlinks. Users should configure their profiles by applying the appropriate restrictions provided by standard social networking web sites to protect privacy.

Conclusion
Social networks have given birth to new types of elemental relations among various entities in the online world. The social networking world is virtualized in nature, but it has real-time impacts on the lives of individuals. Since these networks are part of the online world, they are not untouched by the threats and flaws present on the World Wide Web. Security and privacy are considered basic elements for effective social networking; however, the aim of web malware is to infect users and steal information by exploiting various vulnerabilities through attacks in social networks. User ignorance is a big factor in the spread of malware and is quite hard to patch. It is hard to expect robustness from a user's perspective; rather, it has to be an inbuilt nature of social networking web sites.

References: ISACA.org, networkworld.com
