One Promise of Social Media.
“Social media users believe there is protection in being part of a community of people they know. Criminals are happy to prove this notion wrong.” [“Cisco 2009 Annual Security Report.” page 6]
Cisco security is not the first organization to deliver this message. They do, though, present the case well, within a much broader 2009 study.
The authors highlight how criminals take advantage of the way social media users tend to trust a person or a resource because someone they know did so. The problem here is that is has been relatively easy for criminals to:
- Create large numbers of on-line identities,
- Inject themselves into social media sites most appropriate for any given set of identities,
- Succeed at making a critical mass of associations (friends or connections), for each of them, harvest the list of everyone they know, and then
- Based on your relationship(s) with people they know, begin to coax them all to “click” on your invitation to share in something of value…
At that point, a criminal can use established techniques and technologies to deliver a trojan down-loader to the PC of everyone who “clicks.” Remember, the key message is that Cisco research in 2009 suggests that criminals are increasingly successful at exploiting social media user’s belief that there is effective “protection in being part of a community of people they know…”
There is vast potential for crime here. Facebook reported 350 million users at the end of 2009, and Twitter had 23.5 million users in the U.S. alone and more than twice that many worldwide (Quantcast or TechCrunch). When a criminal gets a virtual “foothold” in any given network of “friends” the power of “trust between users” kicks in — and the “success” rate or, in business terms, the return on investment, is vastly higher than in a more random, mass-mailing approach to hooking unsophisticated Internet users.
So, why should you care?
In financial services, many leaders and infrastructure service owners seem to be nearly intoxicated with an urge to exploit the power of “free” social networking for profit. They want corporate staff to work this new territory from within the enterprise, as well as from where ever they are.
Play it forward: This could result in tighter integration of business operations and infrastructure with many types of social networking sites. Staff would be motivated to inject themselves into existing webs of individuals as well as to build new ones in order to deliver targeted information, offers, opportunities, etc.
Based on what we know about criminal activity and techniques in this environment, how long would it be before your infrastructure was polluted with credential-stealing malware, and your new “friends” are feeling digially assualted by their interactions with your brand?
At the same time, corporate staff will become the targets of top tier attempts to heist enterprise-internal credentials, with special attention to those who have access to bulk customer data — think database and server administrators — and those who have access to corporate accounts and wire transfer systems — likely in finance and investment divisions.
Either scenario — customer abuse, or credential theft from corporate insiders — presents serious risk issues in the financial services industry.
Criminals are expert at delivering high-quality malware to PCs for the purposes of extracting value — stealing credentials and other sensitive information is a key capability because in they are a liquid commodity in the global criminal marketplace, or holding control of PCs in order to extract a ransom from owners. Both lines of illicit business seem to deliver attractive profits. Internet-enabled crime has established itself as a potent and nimble force. It continues to demonstrate tremendous sensitivity and creativity, and a capacity to quickly evolve as needed.
So, what can we do?
This is a tough one. The first move appears to be executive education. Senior leaders need to understand that the social media marketplace is at least as rich with risk as it might be with revenue and profit potential. I believe that the risks of moving into the social media arena without careful risk management plans grossly outweigh the potential benefits. That said, I believe that the potential for finding value in technology-assisted social networking is real-enough to warrant our serious attention and some of our best human resources.
Maybe some combination of a vendor-provided scrubbing of all corporate interactions with targeted social networks — think highly customized filtering web proxies that include reputation services — along with authorization to participate provided only on a strictly-managed “need-for-my-role” basis, and clearly communicated and simply documented “rules of engagement” for all staff involved. All the standard anti-malware measures, network monitoring, event correlation, alerting, alarming, reporting, incident management processes, and more need to be in place as well…
Again, this is a tough one. What do you think?
-Update on 01-24-2010-
The BBC published a story today about a football powerhouse attempting to protect their brand by attempting to “pull out” of social media all together.
“Manchester United Warns About Social Networking.”
Manchester United Football Club has posted a message on its website explaining that its players do not belong to online social networks.
It advises users to treat any profiles in the names of its players with “extreme scepticism”.
The club says this is because of the high numbers of people impersonating team members online.
“Cisco 2009 Annual Security Report.” (the report covers a lot more material that I refer to above)