Social Networking, Blogging, and Web Threats
The promise of the World Wide Web led to its skyrocketing popularity as a business tool for e-commerce, communications, information gathering and social networking. Unfortunately, the Web has also been recognized and capitalized upon by everyone from mischief-makers to downright criminals. While email still has the highest count of malware threats, Web-related threats are steadily climbing, with blended Web and email threats commonplace. In its security report reviewing the first half of 2008, Sophos noted, “One of the reasons the Web is so popular with attackers is that innocent sites can be compromised and used to infect large numbers of victims. However, it is not just the unsuspecting visitor who is the victim—the owner of the Web site also suffers.”
Yuval Ben-Itzhak, chief technology officer for Finjan, believes the days of a one-scheme-fits-all approach are long gone, and that the sophistication of today’s attacks will only continue. “Profit-driven Cybercrime has evolved into a booming cybercrime business, operating in a major shadow economy that closely mimics the real business world,” he says. “Money keeps driving the growth of targeted attacks against financial institutions, enterprises and governmental agencies. Cybercriminals operate their profitable businesses utilizing easy-to-use sophisticated attacks while focusing on the management side of stolen data handling.” Ben-Itzhak notes that this makes detection difficult and puts all organizations using the Web at risk. “The damage that successful Crimeware attacks inflict is widespread and long-lasting. It can result in loss of valuable data, loss of IP, loss of productivity, impact on profits or stock price, brand damage, lawsuits, class actions and repercussions for not complying with various rules and regulations, such as SOX, HIPAA, PCI DSS 1.1, GLB Act, and FISMA.”
Most agree that the Web has opened unintended doors. Andrew Graydon, chief technology officer for BorderWare Technologies, acknowledges, “Gone are the days when email alone can be blamed for the propagation of viruses, Trojans, worms and other forms of malicious code. Email is not without blame, as Web pages have to be visited for any attempted exploit to be called, and email is the most common method to drive traffic to these Web sites. This scenario can easily be described as ‘email is the invitation and Web is the infection’. Due to this growing trend, companies have to change the way they view security.” Organizations should look closely at their security practices to be sure they are adequately protected. But there are other threats to be wary of.
Social Networks
Sophos’ security report explains how social networking Web sites, like Facebook, MySpace, Bebo and other Web 2.0 sites, have exploded in popularity in the last few years—a trend that has not gone unnoticed by cybercriminals. The company reports that computer users, used to an onslaught of unsolicited email in their inbox, appear to be less cautious when messages arrive via other routes, such as instant messaging or Facebook. “Spammers are finding themselves increasingly obstructed by corporate anti-spam defenses at the email gateway. In a nutshell—we’re stopping the bad guys getting their marketing message in front of their intended audience,” says Graham Cluley, senior technology consultant for Sophos. “To get around this, we are seeing spammers exploiting networks like Facebook to plant spam messages on other people’s profiles—these don’t just get read by the owner of the profile, but anyone else visiting his or her page.”
In May, the LinkedIn business networking system was used by scammers seeking to swindle money from unwary corporate executives. On this occasion, the spammers offered a share of a non-existent U.S. $6.5 million inheritance fund, further highlighting the need for users to be vigilant to unsolicited approaches online. Sophos experts are quick to note that the level of Facebook, Bebo and LinkedIn spam is still dwarfed by email spam, but there is a growing trend for spammers to use other techniques to spread their messages.
Blogging
Social networking is not the only popular way to share one’s information with the online world. Along with the Web came the advent of the Weblog, where anyone can become a published writer and analyst. Blogging is now a commonplace practice, but what threats do blogs present? Nicholas Filippi, product manager for Sendmail, responds, “Social networking and blogging sites are becoming real security concerns for some businesses. Employees of some large organizations might participate in literally dozens of blogs and are posting information every day. Anytime you introduce another medium for the free-flow exchange of information, there is the potential for confidential information to be accidentally leaked.” Filippi goes on to say that in these environments, which promote the exchange of ideas and information for education and problem-solving, there is a difficult balance or line where too much information is shared. “Similar to email, organizations see a clear need for technology to monitor and control information flow, and as importantly, to educate and train individuals on best practices and policies. Increasingly, organizations are investing in technologies that both provide that level of security and control to prevent such information from leaving the network, as well as train end-users for how that information should be handled.” To address this for its customers, Sendmail’s Sentrion MP not only allows organizations to take actions such as encrypting, adding disclaimers, quarantining and more based on the content and context of a message, but also supports the ability to send notifications to the sender, manager, or security admin to ensure the correct training is understood.
Graydon has observed that the question of blogging as a threat is being raised at many levels of IT administration and with business owners as well. “There is always a threat of disinformation, Intellectual Property disclosure, acceptable use, compliance violations and so forth, but blogging opens a Pandora’s Box,” he states. “When an employee utilizes a blogging site, often they disclose content that is a stream of consciousness without regard to what can be misconstrued, what is illegal, inappropriate, and so forth. With the fact that blogging potentially is exposed to a wider audience than most other forums, it dramatically increases the risk exposure versus other forums for data loss or leakage that violates security and privacy policies of the organization.” Graydon notes that until we have some legal guidance on the issues surrounding an employee (or ex-employee) discussing information on a blog, this question is difficult to answer. “The simplistic view would be to say ‘Yes’, blogging is a real threat to information leakage, but so are many other areas with Web messaging, such as social networks, wikis and other Web 2.0 channels.”
Content Control
With so many messaging options today, data leakage seems inevitable. “The emergence of different types of communications media on the network has definitely increased the potential of data leaks, but possibly for different reasons,” suggests Graydon. “Monitoring content across the different media is not that difficult, but being consistent in the monitoring, applying consolidated policies, and providing enforceable remediation are the areas that organizations struggle or ignore.” Graydon goes on to note that the evolution of communications has become multifaceted, with email, Web, IM, blogs, VoIP and so on, such that each is interchangeable from an end-user’s perspective, and even from a client’s. “Unfortunately, we haven’t seen the security implementations and solutions keep pace as a whole. Typically, each application has its own security solution, not sharing or correlating threats or data leaks. Protection solutions are primarily signature-based, while users are reading and sharing content dynamically, which is a vulnerability gap. Most commonly, none of the solutions subscribe to any management or policy standards making it impossible to monitor, manage and remediate across the content, which is now the natural view as users utilize Web 2.0 along with the multiple entry points.”
Filippi points out that with every new communication medium, the threat of data loss increases. “However,” he contends, “email is still the most critical messaging medium to secure.” This is especially true because today’s email threats have evolved to take full advantage of the Web.
The Sophos report reveals that email is being used in an entirely different way. “Rather than incorporating malware into the email in a form of an attachment, cybercriminals are using unsolicited email, or spam, to provide links to compromised Web sites. Unfortunately, there is still a common belief that spam is not a threat but with virtually all of it unwanted, and a dangerous proportion linking to infected Web sites, organizations should secure their email and Web gateways just as fastidiously as their desktops and laptops.” Many organizations do not, however; as Sophos notes, most businesses remain unprotected against Web-based threats.
“A single policy is the only way an organization will be able to deal with the issues surrounding today’s user utilization of both their internal network and Internet,” believes Graydon. “As end-users are becoming more content driven and their access to that content is becoming more varied, we are only beginning to see the potential issues that will emerge from a threat and leakage perspective.” He details that a single policy must focus on the content and be independent of the access methodology as more novel methods are discovered by users. “We’ve raised email, Web and IM as main areas here, but what about Intranet, Extranet, Internet, wired, wireless, cellular, PC, PDA, phone, and all the myriad combinations there are and will be as users find the next technology? For IT security to provide the solutions and implementations required to secure their organizations, end-users and customers, the focus of security must shift from the transport and delivery of content to the content itself. By focusing on this goal, a solution that provides one policy will not only solve the multiple protocol issues, but also deal with all the complexities of data, whether at rest, in motion or at an endpoint.”
For Your Reference
BorderWare Technologies, Inc.: www.borderware.com
Finjan, Inc.: www.finjan.com
Sendmail, Inc.: www.sendmail.com
Sophos Plc.: www.sophos.com
