When the CIO of Ministry Health Care and Affinity Health System in Wisconsin encouraged employees to use Facebook to spread the word about new programs and successful projects, he was surprised by the result: very few did.
"I was sitting there thinking, 'We've turned these people loose; we're going to have 10,000 marketers out there,'" Weider says. But it turned out that Ministry Health's workforce had been so well trained to protect sensitive data that, without explicit guidance on what they were allowed to say, their first instinct was not to share.
"We had emphasized the importance of data security with employees, especially where patient privacy is concerned, so much that it kept them from sharing all the great things about work on Facebook," Weider says.
That's a good problem to have. Many fear that the popularity of social networking -- among individuals as well as organizations -- will precipitate an increase in social engineering attacks that could result in security breaches that expose corporate data or damage a company's reputation.
Indeed, social media such as Facebook, LinkedIn, Twitter, online forums and blogs create a perfect opportunity for attackers, combining the anonymity of the Web with easy, direct access to hundreds of millions of people and an unprecedented amount of personal information.
Consider that before social networks existed, criminals had to go after victims one at a time, says Adriel Desautels, chief technology officer at Netragard LLC, a security services provider that performs vulnerability assessments and penetration tests for clients. Often, the payoff wasn't worth it. But with social media, he says, it's easy to hit a large number of targets, and to hit them quickly.
"Instead of tricking that one specific person, they can befriend a group of people," Desautels says. "They can post a URL on their walls, and one of those people will probably click it."
Approaching storm
But while executives seem to grasp the potential threat of social networking, only a slim majority of organizations seem to feel the need to do something about it. In a September 2009 Computerworld survey of 50 IT professionals, 53% of those polled said their organization has a social media use policy, 41% said theirs doesn't, and 6% said they didn't know of any such policy.
In a July 2009 poll by advertising agency Russell Herder and a business law firm, both based in Minneapolis, 81% of 438 respondents said they were concerned about social media and its impact on corporate security and reputation management. Yet only a third said they had implemented social media guidelines, and only 10% said they had conducted related employee training.
A Deloitte LLP survey echoes those results. Only 15% of 500 executives polled said that the risks of social media are being addressed in the boardroom, although 58% said they agree that it's important to do so. But even those that do have policies may not effectively communicate them. Of 2,008 employees that Deloitte surveyed, 26% said their employers had guidelines regarding what they could say online, 24% said they didn't know if their employers had such a policy, and 11% said that there was a policy but they didn't know what it was.
No single policy covers every base, says Ira Winkler, a Computerworld.com columnist, author of Spies Among Us (Wiley, 2005) and president of Internet Security Advisors Group, an IT security firm whose services include espionage simulations. But doing nothing is certainly no longer an option, and neither is blocking the use of social sites at work.
"Too many companies want to say, 'This is your private life, so I won't bother you,'" he says. "But people's insecure behavior at home leads to insecure behavior at the business."
The concern isn't just that employees will outright leak sensitive data. It's that they will reveal enough information about themselves or their workplace, whether in one profile or spread across several, to let an impostor size up their personality and gain their trust, figure out their password-reset questions, or convincingly pose as a colleague, business partner or customer (see "How hackers find your weak spots").
"Small pieces of information add up to the big picture," Winkler says. Valuable tidbits include birth dates; the names of children, pets and best friends; facts about an employer or comments about work; lists of hobbies; updates about vacations or life-changing events; and connections with friends. This information is very easy to find using reconnaissance tools such as the sites Maltego.com and Pipl.com, or simply by searching on Facebook or LinkedIn.
When Netragard conducts a penetration test, it finds everyone on Facebook who works at the target company and extracts data from their walls, posts and profiles. It pulls that information into a database and analyzes the results to assess such things as the company culture, whether someone is likely to respond quickly to a request, or how seriously the security staff take their jobs. From a simple comment about the Java register acting up again, Desautels says, Netragard can craft an attack that looks like something the company wouldn't notice or care about.
The bad news, Desautels says, is that there is no sure way to protect your company from social engineering threats. After all, the vulnerability stems from the natural human tendency to trust others. But there are steps you can take to reduce the risk that an attacker will succeed. A good place to start is a social media policy.
These policies range from strict to very liberal. For instance, sports broadcaster ESPN Inc.'s guidelines ban employees from setting up personal Web sites and blogs that contain sports content and require workers to receive permission before engaging in any form of social networking dealing with sports.
Ministry Health, meanwhile, encourages employees to discuss positive work activities and even to offer constructive criticism of their employer. However, it also has guidelines that, for instance, prohibit employees from sharing patient information online under any circumstances, Weider says.
One basic but controversial policy question is whether to allow workers to mention their employer in their online profiles or in social networking forums. According to Desautels, prohibiting that practice is the best way to defend against social engineering threats.
If you're really worried, you could consider restricting employees from giving out their office e-mail addresses and from identifying the geographic area where they work, says Gudaitis, cyber intelligence director at IT security company Cyveillance. Even so, comments from friends or other conversations visible on an employee's profile can reveal employer information. In such cases, she says, it's up to the profile owner to monitor and remove those references.
Similarly, Winkler suggests restricting employees from mentioning business developments on their profiles. What if, for example, a researcher discusses his lack of progress on a project or, perhaps even more revealing, a major breakthrough? Or if a salesperson tweets that she's meeting friends because she just won a big account? Combined with other information, such as names recently added to a salesperson's friend list, such tidbits can reveal quite a bit, Winkler says.
"This stuff used to be under lock and key in a private diary," Gudaitis agrees. "The amount of disclosure on every level -- business dealings, trade secrets, classified information and personal information -- is enormously high." Also alarming, she says, are employees who tweet during meetings about what's happening and even who's in attendance.
Of course, a policy that prohibits mentioning the employer takes the company out of the social media marketing game. But Desautels cautions against that type of marketing anyway. "You'd be opening your customers to an entire world of potential hurt via phishing and other types of attacks," he says in his blog.
Weider, on the other hand, says not using social media for marketing is unthinkable. "Why don't we just stop publishing our phone numbers so people can't get into our voice-mail system, or lock our doors so the patients can't get in?" he says.
The way to avoid potential exposure, Weider says, is to establish a clear data security policy and provide employees with ongoing training. That training can touch on how to tighten security settings on sites like Facebook. According to NextAdvisor.com, a site that compares online services, Facebook users should use the site's "My Privacy" section to fine-tune specific aspects of their profiles and posts.
Not so 'friend'ly
Companies may also want to advise employees not to accept every friend request. "In a lot of cases, people say yes to anyone who pops up," Gudaitis says. "But then they're vulnerable to whoever those people might be." She says it's best to be conservative and approve only business acquaintances, old college buddies or family members.
To be even more cautious, NextAdvisor says, you should even verify whether a friend request is from the person it appears to be from, by sending him an e-mail or calling him. "It is easy for someone to set up a phony profile under the name of someone you know and trust in order to extract additional information from you," the site says.
Employees should also be aware that just because a social networking site asks for personal information such as birth date and phone number doesn't mean they need to provide it. In a recent poll of Facebook users, 27% of respondents said they list their full name, birth date, phone number and e-mail address in their profiles, and another 8% said they include their street address as well.
"Your real friends and co-workers probably already know this information, so including it in your profile only increases your risk of becoming a victim of identity theft," the site says.
Of course, hackers can collect that information even if you don't provide it all in one place. To guard against that, Gudaitis suggests varying your screen name.
Imagine, she says, if a hacker were able to track a specific systems administrator's or help desk technician's every move online, gathering information from message boards and forums, because the victim used the same screen name everywhere. "If I were an adversary, I could start to link all that information and even chat them up to better understand their network and system architecture," she says. "If we looked up every post someone had . . . we could put the puzzle pieces together."
Companies can also look at some of their own practices to close social engineering security gaps. Besides advising employees on choosing password-reset challenge questions, you can also follow Google Inc.'s lead and send password information to employees' cell phones rather than to their e-mail addresses.
Hiring practices are another area where security can be tightened. Winkler suggests screening job candidates' social networking habits, not just for stereotypical areas of concern such as amoral behavior, but also for how active they are on social media and how they handle things like personal information and voicing extreme political views.
Perhaps most key, says Desautels, is designing your infrastructure and managing your sensitive data with an eye toward minimizing damage in the event of an intrusion. He stresses the importance of using encryption, recording and logging network activity, classifying data and putting your most sensitive data in a zone that can't be reached through the network. With a properly designed infrastructure, "you can keep a successful penetration from being successful in stealing your data," he says. "Just because they break in, they don't have to put you out of business."
In the end, it's really about finding a balanced way to leverage social media while minimizing risk, Weider says. For him, social engineering threats are certainly among his top 10 concerns, but they're nowhere near No. 1. "It's something I take seriously," he says, "but I do think there's a balance between reasonable risk and the likelihood of these various things taking place."
Brandel is a Computerworld contributing writer. Contact her at marybrandel@verizon.net.
This story, "Tricked on Facebook," was originally published by Computerworld.