Great Social Engineering Presentation

October 7th, 2009

If you are interested in why social engineering works and not just the techniques used, there is a great presentation here. I would like to thank Mike Murray for taking the time to record his presentation in its entirety and making it available to the masses. Also, a tip of the hat to Ira Winkler for making note of it.

Data Not As Anonymous As It Seems

September 25th, 2009

Social networks make it easy for 3rd parties to identify you –

Survey: Facebook, Twitter Banned By Most Employers

August 24th, 2009

CSO Online has an article, here, examining the results of a survey by ScanSafe that shows an increasing number of enterprises are banning / blocking social networking sites such as Facebook and Twitter.

The results come from an analysis of more than a billion Web requests processed by the company, officials said. ScanSafe saw a 20 percent increase in the number of customers blocking social networking sites in the last six months. According to their data, 76 percent of companies are choosing to block social networking and it is now a more popular category to block than online shopping (52 percent), weapons (75 percent), alcohol (64 percent), sports (51 percent) and Webmail (58 percent).

ScanSafe officials state this increase is due to increased concerns over productivity and security. While I agree that there are legitimate security concerns with social networking sites, I feel the issue of lost productivity is a symptom of another problem unrelated to social networking and won’t be solved by blocking these sites. That problem is “slacker employees”.

There are two reasons for this. The first is, if employees are so addicted to their social networking that it is causing productivity problems, they are just as likely to circumvent the company’s blocking and access the sites through their iPhone or BlackBerry. The second reason goes to the issue that an employee who wastes time on social networking is just as likely to waste time with personal phone calls or in the bathroom reading the paper.

The security issue, while important, won’t be completely addressed by prohibition of the sites either. As stated above, users will likely circumvent company policy when there is a total prohibition. While this prohibition will provide protection to the enterprise’s systems and networks, it will do nothing to stop potential data leaks from employees using non-company owned devices.

To address the security issues of social networking, the enterprise still needs to perform a few tasks:

  1. Perform a risk assessment and advise management so that they may make a business decision on whether to allow or block social networking sites.
  2. Establish a policy that states management’s decision. It should also address what type of information can and cannot be shared over social networks. Remember, employees will be using social networks at home even if they’re banned at work, which could lead to data leakage.
  3. Educate their users about the dangers of social network sites and how they can protect themselves.
  4. Assign an individual to monitor Twitter, Facebook, Google, etc. for references to the Company’s name, names of key individuals, and product / brand names.

Will doing these things protect a company from every ill that may arise from social networking? No! There is nothing that can do that, but it will allow your employees to use it in a responsible manner.
