A marketing manager on LinkedIn posted a question regarding the risk of letting all associates access Facebook. Specifically, she was interested in the viral implications. Here’s my response:
“Social Networks are ideal for malware distribution. Applications like Twitter and Facebook amplify the speed with which new malware can spread, as well as the reach of the malware campaign itself. Malware authors know they can piggy-back on the chatty and social behavior of those using the social networking applications. But leveraging ubiquitous applications isn’t a new tactic — email offered the same “courier” service in the earlier days of malware. And it still does today.
You’re not suddenly moving from secure to insecure by allowing Facebook access to all associates. You are, however, increasing the number of opportunities users have to carelessly click. If preventing viral infections, or worse, a full-on data breach, is a key security goal, then you want to decrease the number of opportunities a user has to click on something dangerous. How frustrating and ironic would it be to suffer a breach from an application that provides entertainment to associates, but little to no value to the business as a whole? With that said, something for management to consider is: what are the positive outcomes and results that come from allowing Facebook access to associates?
While I see the value in allowing social networking for specific business units like Sales and Marketing, I can’t see how the social benefits afforded to every associate outweigh the potential loss from a data breach.
You’ll probably be asked to allow FB anyway. Other LinkedIn professionals have already posted regarding URL and content filtering, patching, etc. I also agree with these recommendations, as they can certainly filter out the lion’s share of potentially harmful content and reduce the risk of a possible breach. Both Websense and Blue Coat have community-based reputation filters that add an extra layer of intelligence to the inspection of URLs. You should also consider blocking “uncategorized” web sites. As an ethical penetration tester, I’ve had great success registering new domains, then immediately using them in “mock” phishing campaigns. This tactic is used over and over again by real cyber criminals. In some cases it can take a couple of days for these new domains to be discovered. Until they are found, they’ll have no reputation, and will most likely be allowed by default (depending on how you set it up). Only blocking sites that are uncategorized (or not yet known to the content filtering service) can prevent users from accessing these new domains.”
Enjoy! — Simon
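To make the "block uncategorized" recommendation concrete, here is an added example (my own illustration, not code from the original post and not a Websense or Blue Coat API) of a minimal URL-filter policy simulation. The category table, hostnames and the two policy objects are constructed for the example; it shows that a freshly registered domain with no reputation sails through a default-allow policy and is only stopped when uncategorized sites are denied.

```python
"""Added example: minimal web-filter policy simulation showing why the
'block uncategorized' setting matters for newly registered domains.

The category table and hostnames below are constructed for illustration;
they are not real vendor reputation data."""

from dataclasses import dataclass

# Constructed category database standing in for a vendor's reputation feed.
# A newly registered phishing domain is simply absent from it.
KNOWN_CATEGORIES = {
    "facebook.com": "social-networking",
    "twitter.com": "social-networking",
    "wikipedia.org": "reference",
    "example-malware-host.test": "malicious",
}


@dataclass(frozen=True)
class FilterPolicy:
    blocked_categories: frozenset
    block_uncategorized: bool  # the setting the post recommends enabling


def categorize(hostname: str) -> str:
    """Look up the hostname and its parent domains in the category table.
    Anything not present is 'uncategorized', the state a freshly registered
    domain sits in until the filtering service discovers it."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in KNOWN_CATEGORIES:
            return KNOWN_CATEGORIES[candidate]
    return "uncategorized"


def decide(policy: FilterPolicy, hostname: str) -> tuple:
    """Return ('allow' | 'deny', category) for a request under the policy."""
    category = categorize(hostname)
    if category == "uncategorized":
        return ("deny" if policy.block_uncategorized else "allow", category)
    if category in policy.blocked_categories:
        return ("deny", category)
    return ("allow", category)


# Weak setting: unknown sites are allowed until someone categorizes them.
DEFAULT_ALLOW = FilterPolicy(frozenset({"malicious"}), block_uncategorized=False)
# Corrected setting: unknown sites are denied until they earn a category.
BLOCK_UNKNOWN = FilterPolicy(frozenset({"malicious"}), block_uncategorized=True)


def compare(hostnames):
    """Side-by-side verdicts for each hostname under both policies."""
    return {
        host: {
            "default_allow": decide(DEFAULT_ALLOW, host)[0],
            "block_unknown": decide(BLOCK_UNKNOWN, host)[0],
        }
        for host in hostnames
    }


if __name__ == "__main__":
    # "brand-new-login-page.test" models a domain registered this morning.
    sample = ["www.wikipedia.org", "example-malware-host.test",
              "brand-new-login-page.test"]
    for host, verdicts in compare(sample).items():
        print(f"{host:30} {categorize(host):18} {verdicts}")
```

The only difference between the two policies is the `block_uncategorized` flag, which is exactly the knob the post says decides whether a days-old domain is reachable; known-bad and known-good sites get the same verdict either way, so the stricter setting costs nothing on categorized traffic.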