The Dark Side of the Web

One could argue that the Internet is among the greatest inventions. An estimated quarter of the Earth’s population uses its services, and its adoption has influenced or reshaped the telephone, television, and newspapers, and offered us new ways to communicate and share ideas through social media sites, instant messaging, and blogging. Also remarkable is the fact that this international network has no centralized policy over its use or access. Unfortunately, along with the gift that is Web 2.0 and all that it enables have come nefarious activities from clever cybercriminals; much of what has attracted the world to the Internet has also attracted them.

According to Tom Gillis, vice president and general manager for Cisco Security, the Web is composed of a trillion pages at best estimate, and is growing at exponential speed. He offers these statistics: an estimated 1 billion new Web pages are created daily, and about 32 million domain names are added to the Web every year, a number expected to rise dramatically in 2010 as internationalized domain names (using letters from local languages, such as Arabic and Chinese) are introduced. He also notes that more than 30 percent of domain names change (or churn) on an annual basis. The popularity of social media and blogging explains some of this growth, as blogs and social networking sites dynamically serve up many of these billions of new Web pages. In addition, there are many password-protected sites that cannot be easily identified.

“The problem with these transient and dynamic Web pages is that they resist categorization, which renders URL filtering largely ineffective,” explains Gillis. “According to Cisco Security Intelligence Operations (SIO), only 20 percent of Web site addresses can now be properly categorized. The other 80 percent of Web site pages are now referred to as the ‘Dark Web’—that is, Web pages that are uncategorized, highly dynamic or otherwise unreachable.”

Workers Introduce Risk to Enterprise

The Dark Web poses a threat to everyone, enterprises included: employees can expose the company when viewing uncategorized content such as social media. Social media usage is up dramatically, not just in terms of the number of users but also in terms of the type and regularity of usage, reveals FaceTime Communications’ recent survey on company Internet usage. According to the report, 61 percent of users access social media sites at least once a day from work, up from 51 percent last year.

“Social networking is now used by 95 percent of respondents, with 15 percent using social media ‘constantly’ throughout their work day,” states Sarah Carter, director of marketing for FaceTime Communications. “However, only 24 percent of IT professionals are concerned about this in terms of productivity. Inbound malware is still perceived as the biggest risk from Web 2.0, thought 61 percent of respondents.”

Reports seem to conflict with one another about whether workers honor company policies regarding social networking. A 2008 survey by Cisco and U.S.-based market research firm Insight Express found that more than half of the workers who changed the security settings on their company-issued laptops to view restricted Web sites did so simply because they wanted to visit them, regardless of company policy. On the other hand, the FaceTime survey revealed that 84 percent of users say they would comply with company policies on usage. Further, 74 percent of users understand that the use of social networks is a risk to the business.

One thing is certain: access to social media sites during work hours is increasing. “Social media is everywhere, and people reveal way too much,” believes Raimund Genes, CTO for Trend Micro. “By using Facebook and others you make yourself a potential social engineering victim. In real life you never would walk around with a cardboard sign in front of you stating: ‘My name is X, I’m 42 years old, my friends are X, I’m married, my sexual preferences are…’ In social networks this happens all the time. As an employer, I’m very concerned about company-specific information being shared. I’m concerned that due to social engineering (email from a friend) my company could be infiltrated.” Genes goes on to say that it is unrealistic to block workers from accessing social network sites because it makes the company unattractive as an employer. “You lose a competitive edge,” he says, “but social media is good for fast information sharing. The key is proper user education: what to share, what not to share, and how to be careful.”

What Is IT’s Perspective?

While IT staff appear to be aware of threats, their perception of what is on the network varies significantly from what actually is. “Using empirical data from our installed base of Unified Security Gateways (155 deployed globally), we compared this with IT professionals’ opinions,” says Carter. Here is what the opinion vs. data comparison showed:

  • 62 percent of IT professionals estimate social networking is present on their networks; the actual number is 100 percent.
  • 32 percent of IT professionals say file-sharing tools are present; the actual number is 74 percent.
  • 31 percent of IT professionals believe Web chat is in use; whereas our appliances found that Web chat is used in 95 percent of locations.

For Keith R. Crosley, director of market development for Proofpoint, Inc., the three biggest social media risks are the use (or spoofing) of social media platforms as vectors for blended threats, data leakage via social media channels, and policy issues.

“Viruses and other malware that make use of social media sites (for example, the Facebook Koobface worm) have obviously been a significant problem in the past year, and I expect that will continue in 2010,” predicts Crosley. “Additionally, the popularity of social media sites has made them a prime spoofing target for spammers and scammers. We’ve seen many examples of malicious emails (e.g., phishing attempts or malware distribution scams) masquerading as convincing-looking social media notifications such as friend requests, new message notifications or policy change notifications.”

Crosley points with concern to the fact that users are overly comfortable clicking on links in social media notification emails. “As social media platforms constantly evolve the way they use notifications, I think we’ll see new risks. For example, Facebook recently enabled commenting by replying to notification emails. On the one hand, this is a good thing because it might reduce the number of users who click on links in Facebook notification emails to access their accounts (which is something I’m always advising people not to do). But on the other hand, I think it’s only a matter of time before we see spoofed Facebook notification phish/spam that takes advantage of this sort of feature to harvest email addresses. That is, the recipient replies to a fraudulent Facebook notice thinking it’ll publish a comment, but all it does is confirm that there’s a valid email recipient at that address.”
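The reply-harvesting scenario Crosley describes turns on two things a mail gateway can actually check: where a reply to the “notification” would go, and where its links point. The following is an added example, not code from the article or from Proofpoint, that runs those checks over two constructed messages for a hypothetical platform whose legitimate mail and link domain is assumed to be `social.example` (the off-platform domains are likewise constructed, reserved example names). Note that the spoofed sample carries a From address that matches the platform, so the From check alone passes; it is the Reply-To and the lookalike link host that give it away.

```python
"""
Added example: flag social-media notification e-mails whose reply path or
embedded links point away from the platform's own domains.

All domains and messages below are constructed for the example. The platform
domain 'social.example' is an assumption, not a real service.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the (hypothetical) platform's registrable domain for mail and links.
PLATFORM_DOMAINS = {"social.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_platform_host(host: str) -> bool:
    """True if host is a platform domain or a subdomain of one.

    A lookalike such as 'social.example.login-check.example.org' fails this,
    because the check is on the host's suffix, not its prefix.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PLATFORM_DOMAINS)


def mail_host(header_value: str) -> str:
    """Domain part of an address header such as From or Reply-To."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def text_bodies(msg) -> str:
    """Decoded text/* parts of a message, joined (handles multipart)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def analyze_notification(raw_message: str) -> dict:
    """Return a verdict plus findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    # From can be spoofed to match the platform, so this alone is weak evidence.
    from_host = mail_host(msg.get("From"))
    if not is_platform_host(from_host):
        findings.append(f"from-off-platform:{from_host}")

    # The reply-harvest risk: Reply-To silently redirects the user's reply.
    reply_to = msg.get("Reply-To")
    if reply_to and not is_platform_host(mail_host(reply_to)):
        findings.append(f"reply-to-off-platform:{mail_host(reply_to)}")

    # Every link in the body must resolve to a platform host.
    for url in URL_RE.findall(text_bodies(msg)):
        host = urlparse(url).hostname or ""
        if not is_platform_host(host):
            findings.append(f"link-off-platform:{host}")

    return {"verdict": "suspicious" if findings else "clean", "findings": findings}


# Constructed sample: a legitimate comment notification.
LEGIT_NOTICE = """\
From: Social Example <notification@social.example>
Reply-To: comment+abc123@reply.social.example
Subject: Alice commented on your post
Content-Type: text/plain; charset=utf-8

Alice wrote: "Nice photo!"
Reply to this email to comment, or view it here:
https://www.social.example/posts/123456
"""

# Constructed sample: same look, but replies and clicks go off-platform.
SPOOFED_NOTICE = """\
From: Social Example <notification@social.example>
Reply-To: comments@mail-collector.example.net
Subject: Alice commented on your post
Content-Type: text/plain; charset=utf-8

Alice wrote: "Nice photo!"
Reply to this email to comment, or view it here:
http://social.example.login-check.example.org/posts/123456
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_NOTICE), ("spoofed", SPOOFED_NOTICE)):
        print(label, analyze_notification(raw))
```

The suffix-based host check is deliberate: a host that merely begins with the platform name is exactly what a spoofed notification uses, so matching on the registrable domain at the end of the host is the test that survives it.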

With the rise of social media site use at work comes the threat of data leakage. Crosley notes that Proofpoint’s 2009 research on policies and data loss risks found that 17 percent of U.S. companies investigated the exposure of confidential, sensitive or private information via a posting to a social networking site (e.g., Facebook, LinkedIn) in the past 12 months. Forty-five percent of the companies surveyed by Proofpoint are highly concerned about the risk of information leakage via posts to social networking sites, and almost as many are highly concerned about the risk of information leakage via Web-based short messaging (e.g., Twitter). “Data loss risks related to social media are already significant and will have to be addressed,” says Crosley. “I do think this will be a significant driver of more interest in data loss prevention technologies over the next several years.”

Managing User Behavior

As Carter points out, the benefits of Web 2.0 applications outweigh the risks. Since blocking won’t work in most organizations, an alternative tactic is influencing user behavior. “Implementing coaching for users when they perhaps try to access inappropriate content on YouTube, and reminding them of their responsibilities, helps,” states Carter. “Providing this type of positive reinforcement, alongside regular education and training, really does influence behavior and increases awareness of risks.”

Organizations need to establish (and enforce) policies for employees to follow. Gillis notes that improper Web use costs businesses billions of dollars in lost productivity and resource misuse each year, and introduces the risk of compliance violations and legal liability. “Changing attitudes on the part of employees toward at-work Internet use are also adding to the urgency of organizations to tighten and strengthen Internet usage policies,” says Gillis. “More workers, particularly younger ones, do not draw a firm line between personal Web browsing, and work-related Web browsing. They expect to check Web mail and social networking sites during the workday, order products online, and read blogs—just as they may access their organization’s networks and email during the evenings and on weekends. In effect, these workers are bringing the Dark Web into the workplace.”

Many organizations that have messaging policies in place may not have included social media. “Enterprises need to formalize their acceptable use policies for social networking sites and help users inside of their organizations understand what is and isn’t acceptable. At the same time, social media is opening up some entirely new policy areas that most organizations are just now coming to grips with,” says Crosley. He offers the example of a growing concern in legal and HR circles around the issue of bosses “friending” their employees (and vice versa) on social networking sites. “Some legal experts have warned that bosses who friend their subordinates on social networking sites may be putting themselves at substantial legal risk. Online relationships between bosses and employees can trigger or exacerbate a host of legal claims, including harassment, discrimination or wrongful termination, in addition to potential accusations of favoritism. Some employment lawyers even suggest simply banning such online manager-worker friendships.” Crosley says that not everyone takes as hard a line, but it does point to the fact that this is just one more area of risk exposure that managers now need to navigate on a day-to-day basis. “I expect that forward-thinking organizations will add some training around the potential liability dangers associated with use of social media in the workplace to their existing liability and discrimination training.”

For Carter, the biggest emerging risk to IT managers with regard to the increased usage of Web 2.0 applications is compliance and eDiscovery. “The users really have gone out there and enabled themselves on Web 2.0,” she says. “Perhaps it’s the economy, perhaps it’s that social networks level the playing field for big and small companies, perhaps the reality is that Web 2.0 is finally here, but we’ve also seen a rise in the number of regulations and compliance requirements for real-time communications, like with FINRA and their 10-06 notice. eDiscovery has become a much bigger concern for IT managers, and while our survey shows that a small percentage (38 percent), up from 31 percent last year, store chat and IM messages for compliance, 27 percent have been provided with guidance by legal counsel on requirements for archiving content posted to social networking sites, with a further 42 percent anticipating this will happen. With the high price tags associated with non-compliance in the event of an audit—as much as $2.1 million USD for failure to comply for a Sarbanes-Oxley audit—eDiscovery is going to be one of the biggest social media security concerns for IT managers moving forward.”