Mar 18

Social networks such as Facebook, MySpace, and LinkedIn have been growing at a tremendous rate, and they have recently drawn the attention of IT professionals as a security threat on company networks. Not only are they seen as a contributor to productivity loss, but they are also a vector for data loss and data compromise. They are a convenient tool for attackers seeking entry to corporate networks where social networking is in use. These sites have built up trust with their users, and those users carry that same level of trust into the corporate network. So an application that poses a security risk at home will pose an even greater threat in the office.

So IT professionals are taking a much deeper look at social network security and its effect on their corporate networks. They are finding that the issue does not come only from the 20-somethings in their workforce: a growing population of older individuals is venturing into social networking, and many of them may not be as savvy as the younger generation when it comes to basic network security common sense.

An ethical hacking firm, Netragard, claims that it can gain access to data at any corporate network very quickly, and that it can do so through social networking sites. The firm offers its services for a fee to prove this claim, along with ways to improve social network security and curb its threat to your corporate environment. Regardless of how legitimate the claim may be, it is an alarming statement that should be taken seriously.

Social network sites are great for helping people with similar backgrounds meet and stay in touch. The problem for corporate users is that inside a large enterprise, where no one person knows everyone in the company, it is easy for someone with a fake profile to establish trust with individuals in the company simply by claiming to be a colleague. From there it is a simple matter of setting up a phishing scheme. The problem with this form of attack is that it leaves little evidence of a breach and often no log of what data was taken.

With the new methods of data breach that social networking brings to the table, it is imperative to take a different approach to network security than was taken in the past. IT professionals can no longer look at networks in a segregated way. There is no longer a boundary between the corporate network and the internet; they must be treated as one and covered by a single policy. Also, when introducing new technology into a network environment, you must look at where that technology stands from a security standpoint and in what ways it increases your risk. Create a security policy that includes social network sites. Restrict access to these sites from inside the corporate network, and have a company policy about what employees are allowed to say about the company, whether they are on duty or not. Finally, be sure to run penetration tests from both inside and outside the network, and make sure the tests include some form of social engineering. Attackers follow no rules, so if a tester who does can get into your network, a real attacker will find it easier still.

Jul 29

Social engineering is the term used for manipulating company employees to gain access to unauthorized areas, whether those areas are physical locations in the building, network file storage locations, or network access itself. A social engineering attack is every bit as dangerous as, and can be far more crippling than, a computer virus or a network hack; some of the most damaging thefts have been based on social engineering. One reason it works so well is that IT experts spend most of their time patching systems and securing the network rather than training the employee base on the basics of information security. Information security covers much more than network and computer security; it also covers employee training and physical security.

Below are common flaws found in many corporate environments today and what can be done to fix them.

1) Website Information: When it comes to gathering information about a company, the first place just about anyone will start is the company's website. Many companies post valuable information there without realizing that it is a security risk. Phone numbers, employee names, and email addresses can all be found on these sites, and all of them should be limited for outside access. Listed phone numbers should always be main or call-center numbers, never individual direct-dial numbers. One common major mistake is to publish active links to employee email addresses. At most companies the user name in an email address is the same as the network logon, so the thief already has half of what they need for network access.

2) Outside Contractors: Workers from outside companies visiting the premises to do temporary work should always be accompanied by a security liaison. The liaison should be told what the contractor is there to do and should be familiar with what it takes to complete the task, so that they know when the contractor has finished and can ensure the contractor does not enter areas that are not needed to get the job done. The liaison should also note whether the contractor removes any items from the premises.

3) Telephone Scams: Phone scams are common because the phone is an easy way to make contact with company employees without face-to-face contact. Employees need to be trained to be helpful to callers but cautious at the same time. A common scam is a caller posing as a computer salesperson who asks what type of systems the company uses, whether there is a wireless network, and what operating systems are in use. All of this information is used to plan a network attack. Employees need to be trained to forward any network-related questions or calls to the IT staff.

4) Dumpster Diving: A common way of getting information about a person or a company is to go through the trash. Companies should always have private information shredded, and should hire a service company to handle the shredding of documents and computer media. Trash dumpsters should never be left in an open, unsecured area, and surveillance cameras should cover them 24 hours a day.

5) Passwords: It is imperative that there is a company policy regarding passwords. An IT tech should never call another employee and ask for their username and password, and every employee should know that. Passwords should never be written on sticky notes or anywhere else visible. A password rotation policy should also be in effect so that old passwords get phased out; note, though, that current guidance (NIST SP 800-63B) no longer recommends forced periodic changes on their own, because they push users toward predictable variations, so rotation should be paired with good password hygiene and an immediate change whenever compromise is suspected.

6) Logging Off: A thief who uses social engineering to gain access to a building can usually find workstations that are still logged in with a user account, and many of those accounts have access to a lot of confidential information. It should be company policy that whenever someone leaves their desk they must lock or log off their computer. IT should also enforce this with network security policies that automatically lock a computer after a short period of inactivity.

7) Employee Training: Finally, when all is said and done, it all comes down to training. It is important to hold annual or semi-annual training sessions on the company's network security policy. Everything from physical building security to how each workstation is configured to email policy should be covered.
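As an added example of the check that item 1 calls for (this is not code from the original post): the script below parses a page's HTML for mailto: links and phone numbers and reports the address local parts that would double as network logon names, plus any number that is not the main switchboard. The sample HTML and the switchboard number are constructed; the North American phone format and the list of shared role mailboxes are assumptions.

```python
"""Audit a public contact page for the leakage described in item 1.

Added example, not code from the original post. The HTML below is
constructed, and the assumption that anything other than the main
switchboard number is a direct-dial line is ours.
"""
import re
from html.parser import HTMLParser

# Matches North American style numbers such as 555-010-0100 (assumed format).
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Shared mailboxes that do not map to an individual's network logon (assumed list).
ROLE_MAILBOXES = {"info", "sales", "support", "careers", "press", "helpdesk"}


class LeakParser(HTMLParser):
    """Collect mailto: targets and all visible text from a page."""

    def __init__(self):
        super().__init__()
        self.mailto = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith("mailto:"):
                # Drop any ?subject=... suffix and keep just the address.
                self.mailto.append(value[len("mailto:"):].split("?")[0].strip())

    def handle_data(self, data):
        self.text.append(data)


def digits(number):
    """Normalise a phone number to its digits so formats can be compared."""
    return re.sub(r"\D", "", number)


def audit_page(html, main_number):
    """Return the addresses, direct lines and likely logon names a page exposes."""
    parser = LeakParser()
    parser.feed(html)
    text = " ".join(parser.text)

    emails = sorted(set(parser.mailto) | set(EMAIL_RE.findall(text)))
    phones = sorted(set(PHONE_RE.findall(text)))
    direct_lines = [p for p in phones if digits(p) != digits(main_number)]
    # Local parts of personal addresses are usually the network logon name.
    candidate_logons = sorted(
        {e.split("@")[0] for e in emails
         if e.split("@")[0].lower() not in ROLE_MAILBOXES}
    )
    return {
        "emails": emails,
        "direct_lines": direct_lines,
        "candidate_logons": candidate_logons,
    }


# Constructed sample of a typical "Contact Us" page.
SAMPLE_HTML = """
<h1>Contact Us</h1>
<p>Main switchboard: 555-010-0100</p>
<p>Jane Doe, CFO: <a href="mailto:jdoe@example.com">jdoe@example.com</a>,
   direct 555-010-0142</p>
<p>Sales: <a href="mailto:sales@example.com">sales@example.com</a></p>
<p>IT helpdesk: <a href="mailto:bsmith@example.com?subject=Help">Bob Smith</a></p>
"""

if __name__ == "__main__":
    for key, values in audit_page(SAMPLE_HTML, "555-010-0100").items():
        print(f"{key}: {values}")
```

Run it over saved copies of your own public pages. Anything that appears under candidate_logons is the "half of what they need" the item above describes, and anything under direct_lines is a number that should be replaced with the switchboard.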

The more layers you add to your security policy, and the better your employees are trained on each of them, the harder it will be for a social engineering thief to steal information.