Data hygiene
In the past, much personal information was paper-based and was generally held secure. Much more information is now available via the internet and stored in multiple locations. “As much of this information is freely available, it is much easier for anyone to build a robust picture about us without actually needing to know us,” says John Eggleton, head of risk products at WorldPay at The Royal Bank of Scotland.
The fidelity of information that abounds on social networking channels and pipelines is where the problems begin. “Data leakage is primarily a social engineering threat,” says Michael Sutton, vice president of security research at Zscaler, a SaaS security provider. “People have become accustomed to sharing often intimate personal details online, assuming that the information is safely housed in a trusted environment, with trusted individuals. Of course, this is not always the case.”
While social networks may permit users to determine with whom information is shared, it is important to remember that data is shared among accounts, not people, Sutton says. “Accounts can become compromised. Even though a request may come from a ‘trusted source’ within the social network, that source may actually be an infected PC, not a known individual.”
As a general rule, when it comes to social networks, if one wouldn't share the information on a public billboard, don't share it on Facebook, says Sutton.
Further, social networks are struggling to keep up with the inspection of online content, he says. “It has become a cat-and-mouse game as attackers continually look to bypass implemented security controls, and network owners attempt to implement new controls to detect the latest scam,” Sutton says. “Users cannot assume that social networks have succeeded in protecting them from attack, and users may take steps to implement their own security measures to inspect all content.”
Management conundrum
Social networking is nothing new. The phenomenon was not created last week, last month or last year. It seems that as one door closes for the criminal mindset, another swings wide open, and security managers struggle to keep up.
“Cyber crime will continue to happen whether social networks are there or not,” says Scott Emo, head of software blade product marketing at Check Point Software Technologies, a provider of protection against internet threats. “Security managers are responsible for the safety of their enterprise networks.”
He recommends a multilayered approach to defend against malware. A comprehensive security architecture should include firewall, intrusion prevention system, anti-malware, URL filtering, anti-bot, data leakage prevention and other technologies, depending on the infrastructure of the network, he says.
Kroll's Theisen agrees that security managers will always struggle to entirely eliminate the scheming of this lurking criminal mindset. “This is especially true when the security managers and professionals have no control over what personal and business information end-users post online within social networking websites over which they have no control,” he says.
“Because of this, it is important to provide social engineering awareness training to all employees and clearly articulate what personal/business information should not be posted on social networking websites.”
Exploit by organised gangs
Jim Kardaras, a senior vice president with the FINPRO practice of Marsh, an insurance broker, cites organised crime rings as the primary culprit in new methods to abscond with ill-gotten gains. Bigger and bolder action, and intervention by legislators at the federal level, may be warranted, particularly when resources aren't plentiful to combat the ever-impending threat of criminals exploiting social networking mediums to violate the masses.
“Many small and midsize companies and government entities lack the rigorous security programs of larger companies,” says Kardaras. And companies cannot rely too heavily on their banks for protection against account fraud, as business accounts are currently not covered by the laws that provide zero-liability protection.
“Until there is some legislative reform to give company accounts a better backstop in the event of fraud, smaller to midsize businesses, in particular, will continue to be victimised by online crime, and without any straightforward means for recouping losses, outside of insurance.”