Social Media Conundrum
Users these days are technology-aware and are looking to use, or are already using, new systems and services within the network that will simplify their lives and benefit their employer. IT security is either unaware of such deliberate actions or can't keep up with them. It should be noted that users don't have malicious intentions but rather lack education. However, the implications that arise from employees' deliberate use of social media constitute a rather multifaceted problem. I have listed some of my findings below, ranging from technical to behavioural components.

The Beauty of Accessible Technology

1. Account Management
- Many social media platforms begin as start-up companies that focus on creating a cheap, fast, agile SaaS or application. Implementing security frameworks is not affordable upfront and is therefore neglected. Their architecture is scattered across third-party suppliers, raising further compliance headaches with IP stored outside your borders.
- Popular platforms like Facebook and Twitter were designed with consumers in mind, and even today don't address account management within organisations. A good example is Facebook requiring a personal Facebook account in order to create a Business page.
- Another platform that is gaining ground fast is Instagram. To sign up for Instagram, you have to use your personal Facebook account or sign up with another email address, which could be your corporate one. Even when signing up with a company email address, as a marketing department might, there is no centralised user management, so sharing of account credentials is inevitable. To avoid having additional accounts to manage, using the existing Facebook account becomes preferable. That leaves the organisation exposed and dependent on the personal email address that originally signed up for Facebook.
- Although there are hundreds of social media services available today, I'm talking mostly about Facebook and Twitter because of their "domino effect": they are not only the most widely used, but also provide single sign-on services to the rest of the web.
2. Identity Theft – Phishing
A corporation ignoring social media will do itself more harm than good in the not so distant future. If you are not expanding your real estate online with information that reflects your brand, someone else can take advantage of that. An example would be an attacker registering social media accounts under your brand and guiding your customers to spam and C&C servers. It differs slightly from phishing in that the attacker can use your actual brand name on the account.

3. Social Media & Account Management Policy
Social media policies within organisations tend either to disallow the use of such services altogether or to allow partial access for business use. The caveat is that the account management policy specifies no controls at all for external accounts.

4. User Awareness
Staff sharing information about their organisation on their personal social media accounts can have an adverse impact on their employer's reputation. Since these platforms are outside the employer's jurisdiction, takedown requests will involve legal proceedings and will take time. Raising awareness about social media use within your company is essential.

Conclusion
As with most products, social media services come in neat packaging and require minimal interaction from the user to start transmitting information over the network. Anything from your location to your IP addresses to your footprinting data is out there. It is very enticing for users to sign up and agree to the T&C. As security professionals, we know that it is our job to inform and educate our users about the pros and cons and to offer solutions. It is crucial for IT security to act as an enabler. Also, having a proactive stance on new services, either by testing them or by reading whitepapers, can equip us better to respond to threats. It will also safeguard our organisation from impact to the CIA (Confidentiality, Integrity, Availability) of our key services.
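As an added defensive illustration of the brand-impersonation risk raised in section 2 above (this is example code written for this page, not code from the original post), the following Python checker flags social media handles that imitate an organisation's official brand handles: separator and homoglyph variants, one-character typosquats, and official names padded with trust-implying words such as "official" or "support". The official handles, the observed handles and the character-substitution table are constructed placeholders.

```python
"""Flag social media handles that imitate an organisation's official brand handles.

All handles and the substitution table below are constructed sample data,
not real accounts. Added example for this page, not the post's own code.
"""
from __future__ import annotations

# Common character substitutions used to imitate a name (constructed, non-exhaustive).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})
SEPARATORS = "._-"
# Words appended or prepended to a brand name to imply an authorised account.
TRUST_AFFIXES = ("official", "support", "help", "team", "hq")

# Constructed placeholders: the organisation's genuine accounts.
OFFICIAL_HANDLES = {"acmecorp", "acme_support"}
# Constructed placeholders: handles "observed" on a platform.
OBSERVED_HANDLES = ["@acmecorp", "acmec0rp", "acme-corp", "acmecorp_official",
                    "acme_supp0rt", "acmecorq", "randomuser"]


def canonical(handle: str) -> str:
    """Lowercase and strip a leading '@' without undoing substitutions."""
    return handle.lower().lstrip("@")


def normalize(handle: str) -> str:
    """Lowercase, drop separators and undo common character substitutions."""
    h = canonical(handle)
    h = "".join(c for c in h if c not in SEPARATORS)
    return h.translate(LEET_MAP)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 indicates a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(handle: str, official: set[str]) -> str | None:
    """Return a reason if the handle looks like an impersonation, else None."""
    if canonical(handle) in {canonical(o) for o in official}:
        return None  # the organisation's own account
    norm = normalize(handle)
    official_norm = {normalize(o) for o in official}
    if norm in official_norm:
        return "homoglyph/separator variant of official handle"
    for o in sorted(official_norm):
        if edit_distance(norm, o) <= 1:
            return f"typosquat of {o}"
        for affix in TRUST_AFFIXES:
            if norm in (o + affix, affix + o):
                return f"official handle with trust-implying affix '{affix}'"
    return None


def find_impersonators(observed: list[str], official: set[str]) -> list[tuple[str, str]]:
    """Return (handle, reason) pairs for every observed handle that is flagged."""
    flagged = []
    for handle in observed:
        reason = classify(handle, official)
        if reason is not None:
            flagged.append((handle, reason))
    return flagged


if __name__ == "__main__":
    for handle, reason in find_impersonators(OBSERVED_HANDLES, OFFICIAL_HANDLES):
        print(f"{handle:20} {reason}")
```

The output of such a check is a list of candidates for a takedown request or for brand-monitoring follow-up, not proof of malice; legitimate fan or regional accounts will also match, so a human should review each hit.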
