There needs to be better Data Loss Prevention (DLP) applied to social media than exists today, and how such security will be applied to the plethora of devices in use is a hefty concern. The abuse of social media is a growing trend. I see on Twitter, from people I know, many things that should not appear: from the discussion of internal-only intellectual property to locations sent to Four Square. Add to this the myriad forms of 'U There?' requests. It is so easy to tell people anything on Twitter that it also becomes a problem of telling people too much, even in 140 characters. Yet I also see the same when using text messages, chat, and other technologies.

So what is the solution? Finely tuned Data Loss Prevention tools that are geared to the social media tools, but also geared to their language. As I found out last night, even Santa Claus has his own language, such as "bg4gs, hhh". Anyone? I was at a loss until I remembered a few Christmas carols. From a security perspective there are several tools that stick out immediately as needing better DLP technology:
- SMS or Text Messages
- Four Square
- Facebook
- Twitter
- Chat
This sounds like nearly everything, and it should. There are several issues with each of these technologies that could be fixed by simple DLP filters.
SMS or Text Messages. We think these are secure because they go device to device. They do not; they pass through the provider's network. Worse yet, with a big enough antenna and the right hacking software, your text messages, and much of the other traffic from your phone, are vulnerable to interception. Would something like Horizon Mobile fix this? Yes and no. Yes, it encrypts data at rest (residing within the phone), but not data in flight (on the provider's network).
Four Square. It tells everyone your location, and people use it regularly, often when they are somewhere pretty cool. However, if that location is a company site, this could lead to physical security issues. Perhaps the site was not well known, or no one knew you worked there, or it is hundreds of miles from your home or usual office. In essence, this broadcasts to physical and electronic thieves that you are not at home or not in the office.
Facebook. With its new Timeline there is now a way to track your every post, photo, etc. over the whole time you have spent on Facebook and, given the 'cookie' tracking done, perhaps even where you have been off Facebook. This information could be used by bad actors and industrial espionage experts to social engineer their way into your life, for example to commit identity theft, or to get into that secure location.
Twitter. Even in 140 characters a lot of information can pass! I see many posts on jobs, which is a good business use of Twitter, but I also see tie-ins to Four Square and Facebook, and interesting tidbits of life. These are archived and ready for use by others!
Chat. The oldest member of this line-up. What is meant as personal communication ends up not being so, as most chat tools have no encryption, so anyone who can compromise the right systems (which is not that hard) can read your messages.
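To make the "geared to their language" point concrete, here is an added example of what a small outbound DLP filter for these channels could look like. It is illustration written for this post, not code from the original article or from any of the products mentioned below. The abbreviation table, the internal codename "bluefin", the hostname suffix corp.example.internal, the channel names and the sample messages are all constructed for the example. The filter expands text-speak before matching (so "hq" or a codename abbreviation cannot slip past a plain keyword list), flags internal terms and hostnames, catches check-in style location broadcasts, and applies a different policy to public feeds than to person-to-person paths like SMS.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed, hypothetical abbreviation table. Social media and SMS shorthand
# means "hq" or "pbf" may never appear spelled out, so a DLP filter tuned to
# these channels expands the slang before it matches anything.
ABBREVIATIONS = {
    "u": "you", "r": "are", "2": "to", "4": "for",
    "bg": "be good", "gs": "goodness sake", "hhh": "ho ho ho",
    "mtg": "meeting", "hq": "headquarters", "bldg": "building", "w/": "with",
    "pbf": "project bluefin",          # hypothetical internal codename
}

# Hypothetical internal-only terms and hostname suffix; a real deployment would
# load these from the DLP policy rather than hard-code them.
INTERNAL_TERMS = ("bluefin", "corp.example.internal")
INTERNAL_HOST_RE = re.compile(r"\b[\w-]+\.corp\.example\.internal\b", re.IGNORECASE)

# Check-in style location broadcast ("I'm at X (City)"), the Four Square pattern.
CHECKIN_RE = re.compile(r"\bi'?m (?:at|@) (?P<place>[^()\n]+?)(?:\s*\(|$)", re.IGNORECASE)

# Channels where a post is visible to the world, versus person-to-person paths.
PUBLIC_CHANNELS = {"twitter", "facebook", "foursquare"}


@dataclass
class Verdict:
    action: str                     # "allow", "warn" or "block"
    reasons: List[str] = field(default_factory=list)


def normalize(text: str) -> str:
    """Lowercase, pull digits out of letter runs ("bg4gs" -> "bg 4 gs"),
    strip trailing punctuation and expand known shorthand."""
    text = text.lower()
    text = re.sub(r"(?<=[a-z])(?=\d)|(?<=\d)(?=[a-z])", " ", text)
    expanded = []
    for word in text.split():
        token = word.strip(".,!?;:")
        expanded.append(ABBREVIATIONS.get(token, token))
    return " ".join(expanded)


def inspect_message(raw: str, channel: str) -> Verdict:
    """Decide whether an outbound message may leave, and why."""
    norm = normalize(raw)
    public = channel.lower() in PUBLIC_CHANNELS
    reasons: List[str] = []
    severity = 0                    # 0 allow, 1 warn, 2 block

    for term in INTERNAL_TERMS:
        if term in norm:
            reasons.append(f"internal term: {term}")
    for host in INTERNAL_HOST_RE.findall(raw):
        reasons.append(f"internal hostname: {host}")
    if reasons:
        # Internal material is blocked on a public feed. On SMS or chat it is
        # only flagged: the path is person-to-person but, as the post notes,
        # still unencrypted in flight.
        severity = 2 if public else 1

    match = CHECKIN_RE.search(norm)
    if match and public:
        # Whereabouts are a concern only when broadcast, so private channels
        # are left alone here.
        reasons.append(f"location broadcast: {match.group('place').strip()}")
        severity = max(severity, 1)

    return Verdict(("allow", "warn", "block")[severity], reasons)


if __name__ == "__main__":
    # Constructed sample messages, not real posts.
    samples = [
        ("mtg @ hq w/ the pbf team, results look great", "twitter"),
        ("I'm at Acme HQ Bldg B (Sunnyvale) w/ 3 others", "foursquare"),
        ("can u check db7.corp.example.internal, it is paging again", "sms"),
        ("Happy holidays everyone! bg4gs, hhh", "twitter"),
    ]
    for text, channel in samples:
        verdict = inspect_message(text, channel)
        print(f"[{channel:>10}] {verdict.action:5} {text!r} {verdict.reasons}")
```

The interesting part is the order of operations: expansion first, then matching, so the codename abbreviation in the first sample is caught even though "bluefin" never appears in the raw text, while the Santa message expands to harmless carol lyrics and is allowed. The same policy table is what you would tune per channel: a check-in is a warning on a public feed and nothing at all over SMS.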
Into this breach in 2011 have come several Security as a Service products: Zscaler, which includes DLP; CloudPassage, which pushes your firewall rules to virtual machines in the cloud; and tools such as CipherCloud, which encrypt data as it is pushed to various services so that it can be decrypted on the other side. Whichever tool you use, there is a growing need to apply DLP or encryption rules to social media to protect not only corporations but individuals from themselves.
I have fallen prey to this as well, as it is so very easy to use Twitter and other tools to communicate with a free-flowing group of colleagues at conferences and other such events. I agree they have their uses, and security would often get in the way. Such solutions need to be in the cloud, acting as silent partners until there is an issue, because there are a large number of end-user computing devices in use today. I know some people with 3-4 devices while others have only one. The number keeps growing, so tools that work regardless of device operating system, form factor, chipset, etc. are big wins in the battle to contain data leaking over social networks.
Regardless of such tools, we all need to better protect our corporate and personal information from reaching the outside, as not only are corporations watching the Twitter stream, but so are the bad guys, bad actors, and hackers.
For those who want to know: “bg4gs, hhh” => “be good for goodness sake! ho, ho, ho!”