Social networking sites are unquestionably the key phenomenon of the Web 2.0. Their social impact is colossal, bridging the gaps between communities, wiping away physical borders to enable people and businesses to socialise, exchange and create.
In 2009, the World Wide Web could be counting more than one billion social networkers, which represents more than half of all the Internet users. Last month, Facebook hit the 300 million users mark. If Facebook was a country, it would be the fourth largest country in the world, pointed out its CEO Mark Zuckerberg. QZone, the Chinese site, claims to have an even higher amount of users, while sites like Twitter and LinkedIn each reaches about 50 million users. And this is to name only a few of them.
This incredibly popular and massive growth, however, is also what makes social sites a lucrative fishing pond for cyber criminals. Since 2007 and the boom of social networking sites, experts have seen a sharp increase of online attacks specifically targeting the Web 2.0 applications. Up to 19% of all online incidents could be touching Web 2.0 sites, according to some recent analysts' research.
What type of factors can motivate such a sudden and alarming rise?
“For hackers, social networking sites represent a powerful vector of attacks,” explains Sean Wainer, country manager at Check Point. “This type of site ensures a large exposure, together with a rapid and prolific spread of information between mutually trusting parties. This makes it easy for cyber thieves to spread malware or malicious links and launch multiple phishing attacks,” he adds.
Indeed within their virtual circle, social networkers have established a fairly high level of trust. They share information, images, files and content of all sorts in good faith among their network counterparts, without requiring identity or any other sort of validation. Because they believe they are in a close, intimate space, users are more likely to trust other senders and click on unknown links, upload new applications or videos or surrender personal information. Once introduced onto a user's circle, one can imagine that a hacker wouldn't have a difficult time propagating spam-like posts to all the user's connections.
“Malware distributed via social networking sites stand a much higher chance to reach their targets compared to the same malware sent by e-mail,” says Wainer. With an average of 130 connections per user on Facebook or 126 followers per Twitter user, no doubt that social networking sites offer cyber criminals a wide pool of potential victims and a fairly decent hit rate.
Even more fun, hackers operating on these sites also benefit from a large diversity of tools to play with, including the wide range of Web 2.0 features and applications, such as, for example, Twitter's user generated content, YouTube videos, MySpace or LinkedIn profiles. All these applications have been exploited and hijacked at some point over the past few months in order to distribute malware and steal information. Just last October, a series of popular Facebook applications, such as “CityFireDepartment”, “Mynameis”, “Pass-it-on” or “Aquariumlife” were hacked and used to compromise users' computers via unpatched Adobe software vulnerabilities. The same month, another large-scale spam attack was taking place on Facebook, attributed to the Bredolab botnet that was using fake Facebook password-reset messages to trick networkers into downloading a dangerous piece of malware.
For organisations, allowing employees' use of social networking sites at work can be even more problematic and damaging. Not only do these sites pose an increased threat to the network, but many more disastrous consequences are to be anticipated, such as sensitive data leakage or misuse of posted corporate information. The potential security risk is high enough to motivate a number of businesses to prohibit their employees to access social networking sites while on the job.
Yet is banning the only solution to mitigate the security risk of the Web 2.0?
“From the technological standpoint, social networking sites do not create many different challenges than those we were dealing with before,” says Wainer. “The issue is more about managing the risk coming from enhanced Web exchange than prohibiting their usage.”
To mitigate the risk, a series of basic measures can actually be implemented that will provide a good first line of defence. In fact, the same common sense and protection measures normally applied on the Internet apply with social networking sites: users should understand first of all that the same vigilance is required within their virtual social circle as on their e-mail or anywhere else on the Internet. They should adopt safe ways to protect their identity, starting by using a diverse range of passwords that are sufficiently strong for their various accounts, and by choosing the right privacy settings. As for business employees, they should avoid overly exposing their personal or company information and adopt a responsible, protective behaviour online, just similar to their behaviour in the non-cyber world.
At corporate level, enterprises can rely on the same tools that they use to protect their networks, starting with a robust security architecture that incorporates a good firewall and powerful IPS to detect blended threats and shield against all sorts of security attacks.
This should be complemented by a comprehensive end-point security solution that provides support against rapidly proliferating worms, Trojans, spyware, and other malicious code that can threaten business continuity, require time-consuming incident remediation, jeopardise user productivity, and introduce numerous risks due to altered or stolen data. This type of protection, coupled with a good compliance policy and regular applications updates and patching, considerably helps prevent phishing exploits such as recently reported on Facebook and other similar sites.
After all, the Web 2.0 brings a wealth of advantages for organisations, just like for individuals. Once ensured that the overlaying IT risk can be controlled, organisations will hopefully start embracing online social networks along with their tremendous benefits.
Share
Check Point Software Technologies
Check Point Software Technologies (www.checkpoint.com), the worldwide leader in securing the Internet, is the only vendor to deliver total security for networks, data and endpoints, unified under a single management framework. Check Point provides customers with uncompromised protection against all types of threats, reduces security complexity and lowers total cost of ownership. Check Point first pioneered the industry with FireWall-1 and its patented stateful inspection technology. Today, Check Point continues to innovate with the development of the Software Blade architecture. The dynamic Software Blade architecture delivers secure, flexible and simple solutions that can be fully customised to meet the exact security needs of any organisation or environment. Check Point customers include tens of thousands of businesses and organisations of all sizes, including all Fortune 100 companies. Check Point's award-winning ZoneAlarm solutions protect millions of consumers from hackers, spyware and identity theft.
Editorial contacts