Social Networking and Cyber-Security: Strength, Weakness, Opportunity, or Threat? Aus-Cert, May 2010

Aus cert event_2010

DESCRIPTION

A fun presentation given at Aus Cert in Australia, May 2010. Discusses social networking and its risks, rewards, strengths and weaknesses. www.paloaltonetworks.com/aur

Page 1: Aus cert event_2010

Social Networking and Cyber-Security:

Strength, Weakness, Opportunity, or Threat?

Aus-Cert, May 2010

Page 2: Aus cert event_2010

About Palo Alto Networks

• World-class team with strong security and networking experience

• Founded in 2005 by security visionary Nir Zuk

• Top-tier investors

• Builds next-generation firewalls that identify / control 950+ applications

• Restores the firewall as the core of the enterprise network security infrastructure

• Innovations: App-ID™, User-ID™, Content-ID™

• Global footprint: 1,100+ customers in 60+ countries, 24/7 support

Page 3: Aus cert event_2010

Social Networking is No Longer a Fad

• Hundreds of millions of people use social applications daily

• Facebook has over 400 million users

• LinkedIn has over 60 million users

• Social bookmarking applications have roughly 10 million users each

• YouTube is the 3rd most popular website on the Internet

• Sales, marketing, public relations, human resources, product teams, and business development all see opportunity

Page 4: Aus cert event_2010

Social Networking is A Hotbed of Risk

• Brand Damage
  • Mistreat your customers at your own peril

• Compliance
  • Using unapproved applications (FINRA)

• Business Continuity
  • Malware or application vulnerability induced downtime

• Operations Costs
  • Excessive bandwidth consumption, desktop cleanup

• Data Loss/Leakage
  • Unauthorized employee file transfer, data sharing

• Productivity
  • Uncontrolled, excessive use for non-work related purposes

Page 5: Aus cert event_2010

Applications Are The Threat Vector

• US$3.8M stolen from small school district in New York State

• Zeus banking trojan stole credentials, enabled transfers

• All but US$500K recovered

• Increasingly, new and old threats using social networks

• Social network-specific (e.g., Koobface, FBAction)

• New life for old threats (e.g., Zeus/Zbot)

• Huge user populations, high degree of trust, liberal use of SSL

• But wait – we have those applications under control…

Page 6: Aus cert event_2010

Existing Control Mechanisms?

• Applications have changed

• Any port, random ports, encryption - all in use

• Users feel entitled to use any application

• New employees = always on, always connected

Page 7: Aus cert event_2010

Employees Will Find A Way…

• Remote Access
  • 27 variants found 95% of the time

• External Proxies
  • 22 variants found 76% of the time

• Encrypted Tunnels
  • Non-VPN related – found 30% of the time

[Figure: bar chart, "Frequency That the Application Was Detected" (axis 0% to 80%), covering RDP, SSH, telnet, LogMeIn, TeamViewer, CGIProxy, PHProxy, CoralCDN, FreeGate, Glype Proxy, Tor, Hamachi, UltraSurf, Gbridge, Gpass]

Page 8: Aus cert event_2010

Applications Are Not What They Seem

• 67% of the applications use port 80, port 443, or hop ports

• 190 of them are client/server

• 177 can tunnel other applications, a feature no longer reserved for SSL or SSH

[Figure: bar chart, "Most Frequently Detected "Dynamic" Applications" (axis 0% to 100%), covering Sharepoint, iTunes, MS RPC, Skype, BitTorrent, MSN Voice, Ooyla, Mediafire, eMule, Teamviewer]

[Figure: bar chart, "Applications That are Capable of Tunneling" (axis 0 to 75), categories: Networking (73), Collaboration (46), Media (24), General-Internet (17), Business-Systems (15); legend: Client-server (78), Browser-based (66), Network-protocol (19), Peer-to-peer (12)]

Page 9: Aus cert event_2010

Enterprise 2.0 Use is Consistent; Intensity Up

• Google Docs and Calendar resource consumption* is up 55%

• Google Talk Gadget shot up by 56% while Google Talk dropped 76%

• Bandwidth consumed by SharePoint and LinkedIn is up 14% and 48% respectively

• Bandwidth consumed by Facebook, per organization, is a staggering 4.9 GB

* Resource consumption = bandwidth and session usage

Page 10: Aus cert event_2010

Social Networking: Strengths

Top line revenue

Reaching new markets/customer groups

Increasing sales in existing markets/customer groups

Bottom line profit

Reduction in cost of sales (disintermediation)

Reduction in cost of support

Reduction in cost of marketing

Page 11: Aus cert event_2010

Social Networking: Weaknesses

Fraught with unmanaged risk

Few policies

Existing policies aren’t enforceable

Savvy users

Content controls/logging/auditing outdated

Security models too restrictive

Coarse allow/deny

Page 12: Aus cert event_2010

Social Networking: Opportunities

Business opportunity

Evolve security policies

Evolve controls

Make risk management/security relevant

Page 13: Aus cert event_2010

Threats - Social Networking Top 10

10 - Social networking worms

9 - Phishing bait

8 - Trojan vector

7 - Data leaks

6 - Shortened/obfuscated links

5 - Botnet command and control

4 - It’s a data source for attackers

3 - Cross-Site Request Forgery (CSRF)

2 - Impersonation

1 - Trust

Page 14: Aus cert event_2010

Recommendations

• Policy
  • Gather
  • Listen
  • Redefine

• Model – re-think or refine
  • Blindly blocking is somewhat draconian; blindly allowing is a CLM
  • Safe enablement is your new mantra

• Controls
  • Visibility and control of applications, users, and content is key
  • “Allow, but…” controls are critical

Page 15: Aus cert event_2010

www.paloaltonetworks.com/aur