Sponsored by Palo Alto Networks Enabling Social Networking ... · SANS Analyst Program 4 Enabling Social Networking Applications for Enterprise Usage The other threat to organizations

Sponsored by Palo Alto Networks

Enabling Social Networking Applications for Enterprise Usage

A SANS Whitepaper – December 2010 Written by Eric Cole, PhD

Social Risks

Common Attack Pathway

Technical Risks

Enabling Humans

Enabling Technology

SANS Analyst Program 1 Enabling Social Networking Applications for Enterprise Usage

Theabilitytostayintouchwithfriendsandfamilymembersfromanywhereintheworldhas

millionsofpeoplecaughtupintheexcitementofsocialnetworking.Becausesocialnetworks

arewherethecustomersare,manyenterprisesarealsoturningtosocialnetworksasafreeand

powerfulmeansofcommunication.Walmart,Cisco,Ford,andmanyotherbrandnamesutilize

Facebookpagesforsales,marketing,research,andcustomerservice.Inaddition,manyairlines

aredrivingfollowersinTwitterbypostingspecialsgoodonlyforthefirstonehundredcustom-

ers(whichencouragesfollowerstotrackairfarescloselyandimprovesthechancesofabuy).

Clearlytherearebenefitstobegainedfromsocialnetworking.Thequestionis:Howcanyou

reapthosebenefitssecurely?EvenifFacebookusershavealloftheirsecuritysettingssetto

“friendsonly,”dopeoplereallyknowwhoelseislookingattheirinformation?Socialnetwork-

inghasnoauthentication,soanyonecanclaimtobeBritneySpearsorwhoevertheywantto

bewhenTwitteringorFriending.InthewordsofBradPaisley“...there’s a whole ‘nother me that

you need to see, go check out Myspace... I’m so much cooler online.”

Socialnetworkingsiteshavealsobecomehotbedsforthedistributionofmalware.Areport

publishedinFebruary,2010,bySophosshoweda70percentincreaseinreportsofusersreceiv-

ingmalwareandspamthroughsocialnetworksitesoverthepreviousyear.Worms,phishing

andTrojanstakeadvantageoffriendrequestsandothermechanismsoftrusttogetpeople’s

accessinformationtospreadandinfect.

Whiletherearemanyrisksassociatedwithsocialnetworks,therearetoomanybenefitstobe

gainedtosimplybansocialnetworksalltogether.Thekeyisforbusinessestodefineasecure

socialnetworkingpolicyandtoeducateemployeesabouttheindividualandorganizational

risksassociatedwithusingsocialnetworkingsites.Organizationsmustalsosetupprotective

policies and technologies that prohibit unauthorized social networking applications, while

monitoringapprovedapplicationsforsignsofabuse.

Introduction


Social Risks

Socialnetworkingsitesareonlineplatformsthathelpindividualsfindandbuildsocialrelation-

shipswithotherindividualsonthatsamenetwork.Someofthemostpopularsocialnetwork-

ingsitestodayincludeFacebook,MySpace,Twitter,FriendsterandLinkedIn.Socialnetworking

sitesareusedformanyreasons,includingbusinessnetworking,discoveringindividualswho

sharecommoninterests,rediscoveringindividualsfromone’spast,andevenforfindingalife

partner.

Butwithsocialnetworkscomenewriskstousersandtheirplacesofemployment.Whenusing

thesocialnetworkathome,peoplecanjoinnewnetworksthatphishfortheiraccountand

accessinformationorclick“checkthisout”videolinksthatinfecttheiraccountsandexpose

alltheircontactsonthatsocialnetwork.Theycanevengetinfectionsontheircomputersover

socialnetworks.Ifusersaretakingtheirlunchbreakstodoallthisfromtheirworkcomputers,

theirworkcomputersandnetworksareequallyvulnerable.

Risks to Users

Manyofthesesocialnetworksitesoperatebyallowinguserstocreateprofiles.Auser’sprofile

isarepresentationoftheindividualuser,whichcanincludeasmuchpersonaldetailasthey

desire.Auser’sprofilecanconsistofmanythingsincluding:theirname,address,birthday,hob-

bies,pictures,etc.Thisprofileinformationissharedamongtheuser’scommunityautomatically

(seeFigure1).

“Use the settings to the right to control which of your

information is available to applications, games and

websites when your friends use them. The more info you share,

the more social the experience.”

Figure 1: Facebook Profile Information in Shared Applications Communities


Inadditiontousersexposingtoomuchoftheirinformation,socialnetworkshavealsobecome

atopvectorforphishingattacks.Therehavebeenmanyexperimentsshowingthatpeoplewill

clickonfriendrequestsofpeopletheydon’tactuallyknow—maybeclaimingtobeafriendofa

friendormaybenoteventryingthathard.Onceacceptedasafriend,thereisusuallysometype

ofphishingpagethatrequiresvictimstojoinbyfillingouttheirinformationandpasswords.

Withthephishedcredentials,thecriminalstakeoverthesocialnetworkingaccount,itsfriend

list,andsoon.Theythencanusethatdatatophishthevictim’scontacts.

OneofthemostrecentphishingattacksonFacebookwastheFBActionmessagescirculating

FacebookinlateApril,2010.1Theemailscontainedalinktoamessagesentfroma“friend.”If

theuserwantedtoseethemessage,theyhadtoclickalink,whichtookthemtothemalicious

loginpage.Oncetheuserloggedintotheiraccountthroughthemaliciouspage,theircreden-

tialswerecapturedandtheiraccountwascompromised.

Inaddition,malwarespreadthroughsocialnetworksisacommonattackvectorincludedin

today’sadvancedpersistentthreats(APTs).Thisspreadofmalwarecanbeevenmoreofaprob-

lemforemployersbecauseAPTsthatinfiltratenetworkendpointswillattempttospreadfur-

therintheemployernetwork.

Risks to Business

Usersofsocialnetworksdon’tusuallyunderstandthepotentialconsequencesofmakingtheir

companyinformationandtitlespublicthroughtheirprofiles.Bysodoing,they’repostingdata

that’sperfectforaspearphishertouseincraftingattacksthatareconvincingenoughtoget

importantpersonneltoclickandfollowmaliciouslinks.

Today’sadvancedthreatsusesocialnetworkstogather informationabouttheirtargets.The

datacanbecorrelatedtohelpanattackercrackapasswordorformulatesomeotherformof

exploitationagainsttheindividualorhisorherplaceofbusiness.Individualinformationmay

notseemdamagingbyitself,butwhatif it iscombinedwithrelatedinformationfromeight

co-workersalsopostingtotheirsocialnetworks?

1http://isc.sans.edu/diary.html?storyid=6292


Theotherthreattoorganizationsistheuseofsocialnetworksasavenuesfordataleakage.The

pointofsocialnetworksisforuserstoshare,butsometimesuserssharetoomuchinformation.

Anemployeemaybepostingsensitiveinformationaboutcertainprojectsheorshemaybe

workingonoranewpre-launchproductthatemployeeisexcitedabout.Theymaybevoic-

ingconcernsaboutthecompany’sfinancialstatus,talkingaboutabigpaybonusorachange

thatinvolvesthemandtheorganization’sstructure,orevenascandal/investigationthataffects

theorganization.Or,howaboutinthecaseofLinkedIn,wheretheemployee’sbusinessinfor-

mationandbusinessrelationshipsandcontactsarevisible?Thistypeofinformationcangive

competitors(andspearphishers)agreatadvantage.

Deliberateinsiderabuseisalsoaproblemwhenacompanyallowssocialnetworks.Malware

uses social networking traffic to set up command and control channels and also to export

sensitive informationbyhiding it inordinarytraffic.This isalsoacommonmethodusedby

insiders. In February, CATechnologies released its State of Internet Security report warning

abouthowsocialnetworkingsitesarebeingusedtorecruit‘moles’forcyberespionageand

terrorism.2Ifthepropermeasuresarenotputinplace,arogueemployeecaneasilycopyany

sensitiveinformationandmessageittoafriendorpostitonsomeone’swall.

2www.ca.com/files/SecurityAdvisorNews/h12010threatreport_244199.pdf


Common Attack Pathway

It’sbeenestablishedthatsocialnetworksarenowcommonlyusedtopropagatephishing,mal-

ware,spam,APT,botnets,fraud,andmore.Here’showsocialnetworkingattacksusuallywork:

• Lure them in.Attackersutilizephishingattacks,whichlurevictimstoamaliciouslogin

page,suchasFBActioncase.

• Spread through the social network.Onceattackersgainauser’scredentials,theyuse

theexploitedaccounttosocialengineerotherFacebookusersintoclickinglinksandgiv-

ingovertheiraccounts.Theattackersimplyimpersonatestheuserandsendsamalicious

messageorlinktoalloftheuser’s“friends.”

• Takeover other personal and business accounts.Peoplehavethebadsecurityhabit

ofusingthesameusernamesandpasswords formanydifferentaccounts.So,oncean

attackercompromisesthelogininformationtooneaccount,heorshecancompromise

otheraccountsusingthesamecredentials.

Unfortunately, in order to create a profile with Facebook, a user must supply an email

addressandpassword.TheemailaddressthenbecomestheFacebookusernamewhen

logging into theaccount.So ifanattackercompromises aFacebook account with the

username:[email protected]:‘jsmith,’alogicalnextstepforthe

attacker would be to try compromise the Gmail account with that same password or

derivativesthereof.Now,notonlyareallofJohnSmith’sFacebookfriendsatrisk,butalso

allofhisGmailcontacts.

IfJohnSmithuseshisworkaccount,thisisadirectthreattohisplaceofemployment.If

heusedanotheremailaccountbut listedhisworkplace, thecombinationofhisname,

workplaceandpasswordcouldbeenoughtoexploithisplaceofbusiness.

• Spread to other devices.Thiscanoccurinsmallhomenetworks,butisalargerproblem

fortheemployernetwork.


Technical Risks

Cybercriminalsarefocusingtheirattentiononexploitingsocialnetworkingsitesforthelarge

payofftheygetwhenexploitingoneaccounttophishothers.Theyarealsousingsocialnet-

works(includingsmallgamingnetworks)tospreadmalware.Herearesomeexamplesoftech-

nologicalexploitsbeingconductedwithinsocialnetworks:

1. Banking malware.Socialnetworksin2010wereheavilyleveragedtospreadtheZeus

Trojan,apieceofmalwarethatcapturesandexploitsonlinebankinginformationfor

smallbusinessaccountsthatuseautomatedtransferservices.URLZone,anotherTrojan

designedtostealmoneyfromexploitedusers’bankaccounts,utilizessocialnetworking.

TheURLZoneTrojanisanadvancedpieceofmalwarethatactuallyalterstheHTMLcod-

ingofonlinebankstatementsinordertohidefromtheuserthemoneytransferfrom

theexploitedaccount.

2. Botnets. Social networking sites have also contributed to an increase in botnets. A

recentexploitforsocialnetworkingsitesistheKoobfaceworm,whichinfectsWindows,

Mac OS X, and Linux systems.The purpose of the Koobface worm is to collect login

informationandothercredentialsfromasystem.ThewormspreadsthroughFacebook

messagesandwallpoststhaturgeuserstogotoathirdpartywebsiteanddownload

acritical“update”(maliciouscode)forAdobeFlashPlayer.Downloadingandexecuting

thefileinfectstheirsystem.Oncetheworminfectsasystem,thatsystemthenbecomes

azombiesysteminthebotnet.

3. Third-party applications. Another social networking attack vector is in third party

socialnetworkingapplications.3Theproblemisthatmostthirdpartyapplicationsdo

notundergoappropriatesecuritytestingorvulnerabilityscans.Manytimestheseappli-

cationscontainvulnerabilitiesorpoorprogrammingtechniques,whichcouldeasilybe

exploitedbyanattacker.Becausemanyusersassumeahighleveloftrust,theyoften

installorclickoninterestingsoundingapplicationsnotknowingthattherecouldbe

hiddenfeaturesorsecurityholes.Someof theseapplications, includingoneofFace-

book’smostpopularapplications,Farmville,alsodistributepersonaluserinformationto

thirdpartywebsites,whereitisdistributedtoadvertisingfirmsandInternet

trackingfirms.

Also, inthecaseofsharedapplicationssuchasgames, thefull

user profile, unless specifically changed through multiple

steps,issharedwitheveryoneelseusingthosesharedappli-

cations.4

3www.facebook.com/apps/directory.php?4www.eff.org/deeplinks/2010/08/how-protect-your-privacy-facebook-places


4. Locations.Facebook:Placesallowsusersto“Check-In”atrestaurants,stores,moviethe-

aters,andsoon.Whenauser“checks-in”toacertainplace,usuallywithamobilephone,

theuser’sfriendsandfriendsoffriends(andthoseusingsharedapplications)cansee

whenandforhowlongtheuserwillbeawayfromhome—importantinformationto

anylocalcriminalinterestedinburglary.Inaddition,whenauserchecksintoaplace,his

orherlocationisviewabletoallotherscheckedintoalocation,eveniftheyarenotthe

user’sfriends.

Ifitisaworkemployeecheckinginandthecompanyisthetarget,compromisingapro-

tectedsystemmaybeaseasyasmeetingupatatechnologyeventandhandingakey

employeeaUSBstick(whichtheemployeeinnocentlyplugsintoacompanycomputer

inside a secure network). Facebook and other services that provide location-based

check-inhaveprivacysettings,buttheyaremanualandinvolvemanysteps.

5. URL posting. Often times, social networking applications, such asTwitter, will allow

users to post URLs to websites for other users to click on.This allows users to share

information,videos,andotheritems,withouttypinginorpostingexcessivelylongURLS

they’reattachedto.So,forexample,withBit.lyandTinyURLservices,ausersimplycop-

iesandpastesthedesiredURLintotheTinyinterfaceandthencreatesanaliasforthe

URL.Thisgivesattackerstheabilitytodirectausertoamaliciouswebsitebynamingthe

link“sneakybadguys.net”to“HILARIOUSYOUTUBEVIDEO.”

Therearemanyotherinstancesofmalwareaffectingsocialnetworkingsites,someofwhich

havenotevenbeenidentifiedyet.Butallofthemwillbeproblematicfororganizationspartici-

patinginsocialnetworking,aswellastheiremployeesthatdoso.


Enabling Humans

Whenitcomestosocialnetworkingandsecurity,itisimportanttoavoidtheextremes.Allow-

ingfullaccesswithnorestrictionstosocialnetworkingsitesisdangerous.Howeverbanning

socialnetworkscanalsobeabadbusinessmove,nottomentionitwillcreatenewriskbecause

userswillfindwaystodoitwithouttheITstaff’sknowledgeorprotection.Otherthanlosing

avaluableenterprisetool,organizationsstillhaveemployeesthatusethesetypesofwebsites

outsideofwork,andwhattheydivulgetherecanstillbedamaging.

Thismeansthatthebestwaytoenablesocialnetworkingwithsecurityisthrougheducation.

Organizations should create social networking security programs that educate employees

aboutappropriate,safeusesandaboutthedangersofsocialnetworkingsites.Itisimportant

thattheprogramemphasizesthe importanceofprotectingpersonal informationaswellas

companyprivateinformation.

Settings

Employers must help employees learn and understand their privacy settings. For example,

unlessprivacysettingsaremanuallyadjusted,allprofileinformation,posts,changes,locations

andfrienddataisautomaticallyviewabletofriendsandfriendsoffriendsintheirFacebook

communities.Itisalsoimportanttonotethatmakingupdatesorsubtlechangestoaprofile

couldcausealltheprofilesettingstochange.Itisnotabadideatocreateaseparateaccount

anduseittologininwithperiodicallytoseewhatpersonalinformationyourprimaryaccount

isgivingaway.

Under“Account,”usershaveprivacysettingswithbuttonstheycanclicktocustomize.Under

customizationoptions,mostpeoplewillclick“friendsonly”forminimumprivacy,and“onlyme”

forstrictestprivacy.Forexample,someoneworriedabouttheirlocationbeingtrackedbythe

wrongpeoplecanuse“checkmeintoplaces,”butsetupasmalllistofpeopleallowedtosee

thatinformation.Forstrictestprivacy,theyshouldnotallowanyonetocheckthemintoplaces

andmaketheirlocationviewableto“onlyme.”FacebookprivacysettingsareshowninFigure2.


Figure 2: Customized Privacy Settings on Facebook

Unfortunately,atleastinthecaseofFacebook,notallthesesettingscarryovertoapplications

sharedwithfriends.Forexample,regardlessofyourprimaryprivacysettings,locationdatais

senttoeveryonesharingthatapplication(andtheir friends),unless locations isdisabled.To

adjustprivatedatasharedwithapplicationsrequiresgoingbacktotheprivacypageand,in

anotherlocation,onthelowerleft,alargerwindowappearswithmultipleoptionsforapplica-

tions,asshowninFigure3.


Figure 3: Facebook Privacy Settings for Shared Applications

Postings and Messages

OthereducationpointsshouldprotectagainstmalwarehiddeninURLposts,maliciousfriend

requests,messagesandotherwaysmalwareandphishingspreads.Becauseofthemanyattack

vectorspresentedinsocialnetworking,educationshouldalsoemphasizetheimportanceof

beingskepticalofalltypesofinteractionsrequestingthattheuserclicklinksorfilledoutforms.

Everythingisnotalwayswhatitappearstobe:even‘CHECKOUTTHISVIDEO’messagesposted

onfriends’sitescouldhavemaliciouspayloads.

Itisalsocriticalforemployeestobecarefulofwhatworkinformationtheypost.Sayingyouhad

astressfuldayisOK,butsayingyouhadastressfuldaybecauseyoulosta$30millioncontract

crossesthe line. Itmightnotseemlikeabigdeal,butthis typeof information isabsolutely

intellectualpropertyandcanbeuseful tocompetitors in takeoversandother

suchsituations.Evenwiththestrictestsecuritysettings,youshouldassume

someoneyouwouldn’twanttoreadwhatyoupostcandoexactlythat.

Solimitinginformationcanalsohelp.Forexample,doyoureallyeven

needtolistyouremployerandlocationinyourprofile?


Enabling Technology

Inordertoprotectagainsttheseadvancedattackmethodsutilizingsocialnetworking,organi-zationsneedtechnologypoliciestominimizetheriskofintrusionanddatatheftthroughtheseapplications.Forbestprotection,policyshouldincludethefollowing:

• Control application usage.Organizationsshouldstartbyallowingonlyapprovedsocialnetworkingapplicationsanddisallowingunnecessaryapplicationtraffictypes.Newiden-tificationtechnologiesalloworganizationstocontrolFacebookfunctionality,users,andcontent,includingwhichFacebookfunctionsareoperatingonthenetwork.Thistechnol-ogycanbeusedtolocateandidentifyrisksassociatedwiththeFacebookoperations.

• Monitor approved applications for signs of abuse.Watchapprovedtraffictoandfromsocial networking applications for signs of data leakage, such as large and encryptedfilesbeingpostedandsentoversocialnetworkingmail.Alsomonitorforcommandandcontrol signals or unusual spikes in outbound social network traffic or traffic hoppingbetweenportsitshouldn’tbehoppingbetween.

• Monitor users.MostemployeessignanInternetsecuritycontractexplainingtheirlackof privacy when using organizational resources (i.e. computers/networks).This type ofcontractallowsanorganizationtomonitorallnetworktraffic.

• Manage risk.Securityisallaboutmanagingandcontrollingrisk.Theremightbesomeunsafesocialnetworkingfeaturesthatareneededeveniftheycouldcauseacompro-mise.Inthiscase,youmightallowthefeature,butitshouldbeconfiguredassecurelyaspossibleandscannedcontinuouslyforattemptedexploitation,access,changes,etc.

• Control plugins.Newadvancementsinfirewalltechnologyhavegivenenterprisestheability to control Facebook Social Plugins. By approving and blocking certain plug-insandtheirtrafficatthefirewall,organizationshavetheabilitytocontrolwhatconfidentialinformationissharedwiththirdpartyapplications.

• Control and monitor access.MicrosoftActiveDirectoryandotherdirectoryservicesinuseshouldlinkFacebookfunctionstocertainusersorgroups.Thisallowsanadministra-tortodifferentiatebetweenwhatapplicationsdifferentuserscanandshouldbeusing.

• Monitor social networking application behaviors. Monitor and block unauthorizedusesoforchangestothesocialnetworkingapplication,itspluginsandotherfea-tures.Watchforunusualtrafficdestinationsorsizes,orunauthorizedusers.

• Monitor and control corporate used social networking sites.Alloftheserulesapplyalsotothesocialnetworkingsiteownedandoperatedbytheplaceofbusiness.Thisincludesmonitoringforchangesmadetothesiteoritsapplications,theexistenceofmalwareinstallersonthesite,andusercommunications.


Socialnetworkingisavaluableoutreachresourcefororganizations,butitisaccompaniedby

addedrisk.Justastherisksofsocialnetworkingarebothhuman-basedandtechnology-based,

so,tooarethemeasuresneededtoenablesecuresocialnetworkingwhileinstillingsafeusage

habitsthatcarryoutsidetheorganization.

Social networks provide a vast amount of information, some of which can be used by an

attackertoexploitanindividualathisorherplaceofemployment.Oncethatinformationis

gathered,anattackercanusesocialnetworkingsitestotrickatargetintoinstallingmalware

thatcouldspreadtotheorganization.

Inordertoprotectbothemployeesandtheorganization,itisimportanttoeducateemployees

aboutthedangersofpostingtoomuchpersonal informationonsocialnetworkingsites,as

wellasthedangersofphishingandmalware.Technicalcontrolsarejustascritical,including

advancedfirewallandapplicationcapabilities(whitelisting,fine-grainedcontrols),monitoring,

andothercontrols.

By developing social networking policies, training/educating employees, and instituting

propertechnicalcontrols,organizationscanmakeuseofsocialnetworkingmoresecurefor

theiremployeesandtheirnetworks.

Conclusion


SANS Faculty Fellow, Dr. Eric Cole,isanindustry-recognizedsecurityexpertandfounderof

SecureAnchorConsulting,wherehecurrentlyperformsleading-edgesecurityconsulting,pro-

videsexpertwitnesstestimony,andworksinresearchanddevelopment.Cole’sITfocusareas

includeperimeterdefense,securenetworkdesign,vulnerabilitydiscovery,penetrationtesting,

and intrusiondetectionsystems.Colehasamaster’sdegree incomputersciencefromNew

York Institute ofTechnology and a PhD from Pace University, with a concentration in infor-

mation security. He is the author of several books, including Hackers Beware, Hiding in Plain

Site, Network Security Bible, and Insider Threat. He is the inventor of over 20 patents and is a

researcher,writer,andspeaker.HeisalsoamemberoftheCommissiononCyberSecurityfor

the44thPresidentandseveralexecutiveadvisoryboards.

About the Author


SANS would like to thank this paper’s sponsor

Documents

Sponsored by Palo Alto Networks Enabling Social Networking ... · SANS Analyst Program 4 Enabling Social Networking Applications for Enterprise Usage The other threat to organizations