The trend is social networking, and conventional wisdom says that the enterprise needs to figure out how to take advantage of it—and quick. The trouble is that the hype surrounding social networking focuses only on the upside while ignoring some pretty obvious risks.
Yes, social networking opens up new marketing opportunities; it provides more immediate customer interactions; and it can help employees connect with in-house experts. But it can also undermine security, gobble up bandwidth and generate bad PR.
Take the recent MySpace hack. Cyber-crooks turned a hacked MySpace profile into a roosting site for the TFactory Trojan. It works like this: Attackers send out “friend” requests. People who respond encounter a download window that prompts them to install Microsoft’s Windows Malicious Software Removal Tool—a real tool just released this month.
The update box is actually just part of a larger corrupted image. If a user clicks anywhere on that image, TFactory and its nasty payload of downloaders and backdoor connections start to download.
McAfee discovered and publicized the exploit, but as of now, no one is sure how the attack originated. The guess is that a MySpace user was phished (the corrupted page displays the profile of a woman named Rita). Another possibility is that hackers discovered a code flaw they were able to exploit.
Why You Should Care
How does all of this relate to corporate IT? After all, most organizations don’t want their employees trolling MySpace during work hours, anyway, and most anti-virus programs block TFactory. The trouble is that social networking is here to stay, whether IT likes it or not, and as attacks evolve beyond year-old Trojans to things like cross-site request forgeries, traditional security will be put to the test.
“Most security pros don’t realize how big of an issue social networking is,” said Michael Montecillo, an analyst with Enterprise Management Associates. “This is especially true with sites that allow users to express (them)selves.”
Sites like MySpace that accommodate external content open the door to malware. They also make it easy for your corporate identity to be linked, however casually, to content that runs counter to your corporate message.
The very connectedness that makes these sites appealing also makes them risky. “With dynamic relationships, security is incredibly hard,” Montecillo said. “Essentially, you’re stuck trying to plan for an infinite number of possibilities.”
Consider the “friends” networks on these sites. How many “friend” requests do you get from random strangers loosely linked to a friend of a friend somewhere online, usually via someone who accepts everyone and anyone who asks to be a friend?
These watered-down relationships offer little or no value, and they aren’t limited to MySpace. LinkedIn suffers from the same sort of casual connectedness. It’s tempting to write this off as nothing more than a nuisance, but in a business context these non-friend “friends” undermine what business-class social networking seeks to establish: Trust.
A real-world analogy is the door-to-door salesman. This past weekend a college student came to my door hawking magazines. Nothing new in that, but she was savvy enough to mention that one of my neighbors suggested that she come talk to me. At first, I didn’t know why she stopped by, but since Larry said she should talk to me, I listened. The first half of her pitch focused on my neighbors, and how they had been helping her out.
Why they were helping and what they were helping with took a while to get to, and had she not name-dropped, I wouldn’t have listened very long at all.
Eventually, she got around to the point: she was selling magazines. She wasn’t representing a charity, and the markup on her subscriptions was extreme. I didn’t end up buying anything from her, but I did waste a heck of a lot of time getting rid of her.
In writing this story, it also became apparent that I ended up trusting my neighbor Larry’s judgment a little bit less than I had before. With my neighbor, we’ll share a beer, chat about the weather or sports, and all will be forgiven. With a business brand, on the other hand, the bad impression won’t be so easy to fix.