Cool versus Control: Being a Cool Parent – Part 3 of 3

In part 2 of our Cool vs. Control blog series we examined the traditional corporate security approach to a very cool, yet out-of-control application – email. In part 3, we’ll look at how to enable cool technology in a managed way, so you can enjoy the benefits of both cool technology AND having control.

To facilitate this examination, let’s use the example of social media, which is now used en masse both for personal and professional reasons. Attackers use social networks to cross-reference information and enumerate internal structure to make spear phishing more effective.  There are simple steps that can make this more difficult by modifying the default settings.

• When it comes to Facebook, it just is not realistic to think that employees are not going to have an account, so the next best thing is to ask them to choose wisely for their default settings.  “Friends only” should be default, and  the contact list should be hidden.  Liking a page or commenting on an item with Global visibility likewise is a public action.  Cleaning up a checkered past on Facebook can done by “limiting visibility for past posts” in the settings.

• With Linkedin, one simple thing that can prevent enumeration of staff is to ask employees to hide their contacts.  The default setting is wide open so that anyone can peruse anyone’s list of connections.  Another is to make sure there are no rogue groups using your company name.  This will attract partners, employees, and customers like bees to honey.

For both of these social networks, fake friends/connections remain a risk, but with LinkedIn at least visibility into the internal structure of your organization can be partially protected by hiding connection lists. Getting users to be aware of the risks introduced by using default settings for social networks requires engagement.  Either stay totally hip and up to date on all the latest technology trends, or find users that are and leverage their knowledge and departmental influence.

When coming to a decision on setting a policy for various online services and other cool technologies, ask yourself the following questions during your analysis:

• What type of data is being handled?  What is the realistic risk introduced if the organization loses control of this data?
• What service is being delivered?  What is really in use?  What type of social aspects are included?
• What is the motivation for users?
• How does this service improve employee performance?
• Are there other similar services that are currently allowed?
• How much risk is there for exfiltration or malicious usage by employees or attackers?
• HTTPS is pretty much a bare minimum, but it does not guarantee anything other than security in transit does it?  Carefully read the Privacy Notice, FAQ, and examine the business model.  I find these points very telling.
• What is the apparent security orientation?  Does a detailed process and connection observation confirm vendor assertions, or are connections going to servers in countries that might not be on your preferred list?

A few steps for you to take:

• Examine default settings for popular services.  If these are not suitable, then provide guidelines to your users for how to lock things down to share less.
• Begin to think in terms of what might happen if end users look for a way around a policy.  Be this an air gap or blocking external email access.  A restrictive policy will probably cause more dangerous behavior than a more balanced and permissive one.
• When looking at leakage potential, information security is not everything.  Corporate risk is also caused by embarrassment.
• Licensing, adware, freeware, or open source.  If users do not pay for something, then users are the product.  Odds are if a service is out there, it has competition with security features that might be preferable.
• If you do not already have one, create an easy possibility for users to report suspicious activity, files, contacts, and applications.  Users that are engaged are very helpful with threat identification – such as suspected spear phishing attacks.
• One of the unknown risks with Web 2.0 services is an acquisition.  Changes introduced are frequently not for the better, but rather an attempt to monetize.  See Facebook’s changed ToS policy with Instagram, followed by the immediate retraction of those changes.  Doesn’t instill confidence…does it?

The key take-away from this series is that perception is everything in end user acceptance, and rejection increases risk.  Inclusion and self-determination goes a long way towards increasing the perception that end users have a say, even if it is just what color the splash page is going to be.  I would like to leave you with one long term goal in mind:  embrace cool.