According to Dictionary.com, trust is partially defined as "reliance on the integrity, strength, ability, surety, etc., of a person or thing; confidence." This definition is a good description of how many younger employees, those who grew up with Web-based social networks, see Facebook, Twitter, and other sites dedicated to meeting friends and sharing experiences across cultural and geographic boundaries. This new approach to socializing becomes a problem when these meetings and this sharing include participation by 'friends' with social engineering in mind.
About online social networking
While researching social networking behavior, I focused on teen behavior over the past two to three years. I believe this category of user more accurately represents the habits of new employees. Men and women in this category are acclimated to social networking, using non-traditional technology solutions (e.g., cell phones, smartphones, PDAs, and computers) to communicate with friends and co-workers. In many cases, they have yet to become aware of the consequences associated with their actions.
This doesn't mean older employees are not also an information security risk. However, I believe social networking risks are greater within the younger employee population.
According to a 2006 survey conducted by the Pew Internet and American Life Project, "more than half of all online American youths, ages 12-17 use online social networking sites." Figure 1 lists the survey's key findings.
The findings show that over 50 percent of users within this age group regularly use social networking sites. This is no surprise, and the number has probably grown since 2006. The security risk to businesses, however, is the 'why'. Why do young employees use social networking sites?
According to the survey, about 50 percent of those responding use Web-based social networking to make new friends, as shown in Figure 2. Keeping in touch with old friends at the office is a low-risk activity, even if it results in employers getting less output than expected. The problem lies in the tendency for experienced social networkers to continue to initiate new friendships, friendships with people they've never actually met.
The risk of online social networking
We're all familiar with the attacks against sites like Facebook. However, focus on these breaches of privacy tends to move our attention from a more insidious potential use of these sites: social engineering activities.
Most users of social networks don't intentionally provide useful information to cybercriminals. However, initiating new friendships with people they've never met requires establishing trust outside the normal context of traditional relationship building, which is one-on-one personal contact.
One-on-one physical contact might provide some insight into a person's veracity and general sincerity. But this insight is neither easily perceived via a Web social exchange nor the most important element in establishing a close relationship. According to a University of Puget Sound study, conducted by psychologists Carolyn Weisz and Lisa F. Wood,
Overall closeness, contact, and supportiveness predicted whether a good friendship was maintained. But when the researchers controlled for these qualities, only a single factor—social-identity support—predicted whether a friend would ultimately be elevated to the position of "best." Best friends often were part of the same crowd—the same fraternity, say, or tennis team. But Weisz and Wood found that friends offering such support could also be outside the group. Sometimes all a friend needed to do to keep the best friendship going was to affirm the other person's identity as a member of the given group ("You're a real Christian") or even the status of the group itself ("It's so cool that you play sax for the Stanford band!"). Reasons for the finding, say the researchers, may range from greater levels of intimacy and understanding to assistance with pragmatic needs to enhanced self-esteem. Source: Friendship: The Laws of Attraction, Karen Karbo, Psychology Today, Nov/Dec 2008.
So the first element is making a person feel accepted, part of a group of at least two. This isn't difficult for experienced social engineers. Further, traditional cues, such as facial expressions or simple gut reactions, are missing. All a person seeking friendship has to go by is the message typed into the communication medium used.
To be maintained, incipient relationships require nurturing and further acts of trust, especially sharing. According to University of Winnipeg sociologist Beverly Fehr,
The transition from acquaintanceship to friendship is typically characterized by an increase in both the breadth and depth of self-disclosure… In the early stages of friendship, this tends to be a gradual, reciprocal process. One person takes the risk of disclosing personal information and then 'tests' whether the other reciprocates.
In other words, sharing is critical if a friendship is to survive. "Sharing" can also result in risky behavior.
Sharing personal, non-sensitive information to develop and maintain a friendship online may be perfectly innocent. However, business risk starts to rise when an employee crosses the line: sharing PII or information about the company which management would rather not release to the public, or posting or sending information useful in additional social engineering or technical attacks against the organization.
Defending against the inevitable
Trying to adequately control new employee use of public social networking by simply telling them to stop is futile, although use of these sites should be addressed in the company's acceptable use policy. Employee behavior can be modified somewhat by awareness training, but behavior is what it is. Some employees will continue to act in either careless or malicious ways, especially if motivated to do so. However, there are still things you can do, in addition to basic security controls, to mitigate risk, including:
- Block use of public social networking sites from the office. This is my strongest recommendation. It will help prevent your data, or socially engineered information about your company or network, from finding its way directly from the employee's desk or your network to either a social networking site or a friend met at such a site.
- Implement DLP (data leakage prevention). Know where and how your data is moving. If an online 'friend' of one of your employees happens to gain access because of sharing activities, you will be able to block data loss or at least know it's happening.
How does your organization handle social networking?
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.