How to take back control of social: A cyber security masterclass
Contributor: David Oates
Posted: 01/14/2013 12:00:00 AM EST
The communications landscape has changed beyond recognition in the last decade. It’s not just the applications that have changed dramatically, but the devices we use to access them have evolved too. The end result for many organisations is a complex environment where control appears to be in the hands of users; a risky situation for any business, but potentially lethal for the defence sector.
So what happened to the ordered life of ten years ago when email ruled and controlling the flow of information was a relatively easy task? The answer: A communications revolution. The telephone might have caused a bit of a storm back in the late 19th century, but it took Facebook just 5 years to reach the 150 million user mark compared to the telephone’s 89 years. Even mobile phone adoption took 14 years to reach the same level of saturation, although it is now instrumental in how we share information.
While enterprise communications and collaboration tools, such as Microsoft Lync, IBM Sametime, and Cisco Webex, have made their mark, their footprint is dwarfed by the hyper growth of publicly available social apps and tools. The danger for organisations, though, is that whereas enterprise applications have undergone a secure, centralised deployment after a formal risk assessment, their Web 2.0 counterparts have been flown in directly to the user, under the network radar.
These applications have been specially developed to bypass pesky traditional security. They port hop, tunnel and use encryption techniques to ensure availability on a wide range of devices. What’s more, without the right technology in place they are difficult to see and control, making them a security risk from both inbound and outbound threats.
The hazards of social media and web 2.0 applications can be broadly categorised into four main areas: data leakage, inbound threats such as malware, compliance and user behaviour. To mitigate the risk to the organisation there are several areas where control must be reintroduced.
Key is identity management. Typically organisations already have email addresses, network logins etc. mapped back to a central directory where access rights are controlled. This needs to be expanded so that all authorised logins, from Facebook to Gmail accounts, can be traced back to the corporate identity. Once this is achieved it’s possible to control the activity that users can access. Whether that’s read-only or not will be determined by the organisation’s policy, but there is little point in having a policy and not putting in the measures to enforce it.
It can’t have escaped anyone’s notice that malware is rife on social networks. Hijacked accounts, malicious links and Trojan attacks that run roughshod over instant messaging networks are just a few of the problems users are likely to encounter. In addition, the trust users put in their “friends” makes acquiring information as easy as taking candy from a baby for criminals and terrorists who use social engineering techniques. With an increase in targeted attacks, it pays to have excellent anti-malware capable of dealing with such threats and to educate users to be more circumspect.
Whilst malware can also lead to data leakage, it’s far more likely to occur as a result of the actions of someone within the organisation itself, either intentionally or accidentally. In the same way that organisations have been monitoring the content of corporate email for keywords, phrases and files for the last fifteen years, the same must be implemented for social and web 2.0 applications. Where policy dictates, it’s easy to introduce a moderating system that won’t slow down the immediacy of a social conversation.
To comply with most legislation it’s imperative to log and archive all content posted to social networks and to export the data to an email archive or WORM storage. There is no guarantee that information on a social network will be there tomorrow, let alone in three years’ time when it might be required for legal purposes. It’s important to consider how the context of conversations, particularly if they traverse different channels, might be displayed. Wading through mountains of inane conversations trying to follow threads can be tedious and expensive.
While the use of social media and web 2.0 apps is rife in even the most secure environments, it needn’t be without control. Whether your perspective is to enable and improve communications or to protect a network from abuse, the practical measures for mitigating the risks are the same:
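The three controls described above (mapping external accounts back to a corporate identity, enforcing a read-only or posting policy per identity, and screening then archiving outbound posts) can be modelled in a single enforcement check. This is an added example, not code from the article or from Defence IQ; the directory entries, policy, DLP patterns and post text are all constructed, and the `ARCHIVE` list stands in for an email archive or WORM store.

```python
# Added example (not from the article): a minimal policy-enforcement model
# for social/Web 2.0 traffic. All accounts, keywords and logins are constructed.
import re
from datetime import datetime, timezone

# Constructed directory: external (service, account) -> corporate login.
IDENTITY_MAP = {
    ("facebook", "jsmith.personal"): "jsmith",
    ("gmail", "jane.smith@example.com"): "jsmith",
    ("twitter", "@acme_comms"): "comms_team",
}

# Constructed policy: which actions each corporate identity may perform.
POLICY = {
    "jsmith": {"read"},              # read-only access
    "comms_team": {"read", "post"},  # may post, subject to content screening
}

# Constructed DLP patterns; in practice reuse the keyword/phrase lists
# already applied to corporate email.
DLP_PATTERNS = [
    re.compile(r"\bproject\s+nightjar\b", re.I),
    re.compile(r"\b(?:restricted|secret)\b", re.I),
]

ARCHIVE = []  # stands in for the email archive / WORM store


def evaluate(service, account, action, content=""):
    """Decide whether one social-media action is allowed, held or blocked.

    Every post attempt is recorded in ARCHIVE together with the decision,
    so the log survives even if the social network later deletes the content.
    """
    identity = IDENTITY_MAP.get((service, account))
    if identity is None:
        return {"decision": "block", "reason": "account not mapped to a corporate identity"}
    if action not in POLICY.get(identity, set()):
        return {"decision": "block", "reason": f"{identity} is not permitted to {action}",
                "identity": identity}
    result = {"decision": "allow", "identity": identity}
    if action == "post":
        hits = [p.pattern for p in DLP_PATTERNS if p.search(content)]
        if hits:  # route to a moderator rather than silently dropping it
            result = {"decision": "hold", "reason": "content matches DLP pattern",
                      "identity": identity, "hits": hits}
        ARCHIVE.append({"when": datetime.now(timezone.utc).isoformat(),
                        "identity": identity, "service": service,
                        "content": content, "decision": result["decision"]})
    return result
```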
1. Understand the landscape; get visibility.
2. Engage stakeholders in policy setting. Set the policy.
3. Consider and address the risks, in a granular fashion.
4. Understand the dynamic legal and regulatory situation.
5. Provide education for your users on acceptable and appropriate use.
6. Consider federation and external connections for maximum benefit and minimised risk.
7. Understand and manage the fallibility of human beings.
8. Record (appropriate) communications.
9. Retain (appropriate) communications.
10. Review and refine policies (regularly).
It is important to recognise the reasoning behind point 10. Trends in social are constantly changing – just ask Instagram’s competitors. The moment word got out about the implied changes to how it used user content, people were quick to sign up to alternatives. New applications are emerging all the time such as Draw Something, which had over 1.2 million downloads in the first 10 days – today more than 1 billion pictures are drawn every week.
In addition, established services make changes to their applications all the time that might affect your policies. Between January and October last year Facebook, LinkedIn, Twitter made 1,271 changes. While a comprehensive policy should future proof an organisation, it can only do so up to a certain point. Regular review of policies is essential to ensure that potential risks don’t slip by unnoticed.
Social is all about engaging and reaching out to the wider community. Its success as a communications tool relies on its immediacy, integrity and individuality, but that shouldn’t mean losing control.
About Cyber Defence Resource Centre
Defence IQ produces a wide variety of cyber defence resources throughout the year in conjunction with Cyber Defence & Network Security, Cyber Defence Forum and Defence IT. The cyber defence resource centre has been created to put all of the resources that you will need all in one place.
If you would like to find out more about upcoming cyber defence conferences, please visit http://www.defenceiq.com/events.