Sponsored by Palo Alto Networks
Enabling Social Networking Applications for Enterprise Usage
A SANS Whitepaper – December 2010
Written by Eric Cole, PhD
Social Risks
Common Attack Pathway
Technical Risks
Enabling Humans
Enabling Technology
SANS Analyst Program 1 Enabling Social Networking Applications for Enterprise Usage
Introduction

The ability to stay in touch with friends and family members from anywhere in the world has millions of people caught up in the excitement of social networking. Because social networks are where the customers are, many enterprises are also turning to social networks as a free and powerful means of communication. Walmart, Cisco, Ford, and many other brand names utilize Facebook pages for sales, marketing, research, and customer service. In addition, many airlines are driving followers in Twitter by posting specials good only for the first one hundred customers (which encourages followers to track airfares closely and improves the chances of a buy).

Clearly there are benefits to be gained from social networking. The question is: How can you reap those benefits securely? Even if Facebook users have all of their security settings set to “friends only,” do people really know who else is looking at their information? Social networking sites do not verify who a person really is, so anyone can claim to be Britney Spears or whoever they want to be when Twittering or Friending. In the words of Brad Paisley: “...there’s a whole ‘nother me that you need to see, go check out Myspace... I’m so much cooler online.”

Social networking sites have also become hotbeds for the distribution of malware. A report published in February, 2010, by Sophos showed a 70 percent increase in reports of users receiving malware and spam through social network sites over the previous year. Worms, phishing and Trojans take advantage of friend requests and other mechanisms of trust to get people’s access information to spread and infect.

While there are many risks associated with social networks, there are too many benefits to be gained to simply ban social networks altogether. The key is for businesses to define a secure social networking policy and to educate employees about the individual and organizational risks associated with using social networking sites. Organizations must also set up protective policies and technologies that prohibit unauthorized social networking applications, while monitoring approved applications for signs of abuse.
Social Risks
Social networking sites are online platforms that help individuals find and build social relationships with other individuals on that same network. Some of the most popular social networking sites today include Facebook, MySpace, Twitter, Friendster and LinkedIn. Social networking sites are used for many reasons, including business networking, discovering individuals who share common interests, rediscovering individuals from one’s past, and even for finding a life partner.

But with social networks come new risks to users and their places of employment. When using the social network at home, people can join new networks that phish for their account and access information or click “check this out” video links that infect their accounts and expose all their contacts on that social network. They can even get infections on their computers over social networks. If users are taking their lunch breaks to do all this from their work computers, their work computers and networks are equally vulnerable.
Risks to Users
Many of these social network sites operate by allowing users to create profiles. A user’s profile is a representation of the individual user, which can include as much personal detail as they desire. A user’s profile can consist of many things including: their name, address, birthday, hobbies, pictures, etc. This profile information is shared among the user’s community automatically (see Figure 1).

“Use the settings to the right to control which of your information is available to applications, games and websites when your friends use them. The more info you share, the more social the experience.”

Figure 1: Facebook Profile Information in Shared Applications Communities
In addition to users exposing too much of their information, social networks have also become a top vector for phishing attacks. There have been many experiments showing that people will click on friend requests of people they don’t actually know, maybe claiming to be a friend of a friend or maybe not even trying that hard. Once accepted as a friend, there is usually some type of phishing page that requires victims to join by filling out their information and passwords. With the phished credentials, the criminals take over the social networking account, its friend list, and so on. They then can use that data to phish the victim’s contacts.

One of the most recent phishing attacks on Facebook was the FBAction messages circulating Facebook in late April, 2010.[1] The emails contained a link to a message sent from a “friend.” If the user wanted to see the message, they had to click a link, which took them to the malicious login page. Once the user logged into their account through the malicious page, their credentials were captured and their account was compromised.

In addition, malware spread through social networks is a common attack vector included in today’s advanced persistent threats (APTs). This spread of malware can be even more of a problem for employers because APTs that infiltrate network endpoints will attempt to spread further in the employer network.
Risks to Business
Users of social networks don’t usually understand the potential consequences of making their company information and titles public through their profiles. By so doing, they’re posting data that’s perfect for a spear phisher to use in crafting attacks that are convincing enough to get important personnel to click and follow malicious links.

Today’s advanced threats use social networks to gather information about their targets. The data can be correlated to help an attacker crack a password or formulate some other form of exploitation against the individual or his or her place of business. Individual information may not seem damaging by itself, but what if it is combined with related information from eight co-workers also posting to their social networks?

[1] http://isc.sans.edu/diary.html?storyid=6292
The other threat to organizations is the use of social networks as avenues for data leakage. The point of social networks is for users to share, but sometimes users share too much information. An employee may be posting sensitive information about certain projects he or she may be working on or a new pre-launch product that employee is excited about. They may be voicing concerns about the company’s financial status, talking about a big pay bonus or a change that involves them and the organization’s structure, or even a scandal/investigation that affects the organization. Or, how about in the case of LinkedIn, where the employee’s business information and business relationships and contacts are visible? This type of information can give competitors (and spear phishers) a great advantage.

Deliberate insider abuse is also a problem when a company allows social networks. Malware uses social networking traffic to set up command and control channels and also to export sensitive information by hiding it in ordinary traffic. This is also a common method used by insiders. In February, CA Technologies released its State of Internet Security report warning about how social networking sites are being used to recruit ‘moles’ for cyber espionage and terrorism.[2] If the proper measures are not put in place, a rogue employee can easily copy any sensitive information and message it to a friend or post it on someone’s wall.

[2] www.ca.com/files/SecurityAdvisorNews/h12010threatreport_244199.pdf
Common Attack Pathway
It’s been established that social networks are now commonly used to propagate phishing, malware, spam, APT, botnets, fraud, and more. Here’s how social networking attacks usually work:

• Lure them in. Attackers utilize phishing attacks, which lure victims to a malicious login page, such as in the FBAction case.
• Spread through the social network. Once attackers gain a user’s credentials, they use the exploited account to social engineer other Facebook users into clicking links and giving over their accounts. The attacker simply impersonates the user and sends a malicious message or link to all of the user’s “friends.”
• Takeover other personal and business accounts. People have the bad security habit of using the same usernames and passwords for many different accounts. So, once an attacker compromises the login information to one account, he or she can compromise other accounts using the same credentials.
  Unfortunately, in order to create a profile with Facebook, a user must supply an email address and password. The email address then becomes the Facebook username when logging into the account. So if an attacker compromises a Facebook account with the username [email protected] and the password ‘jsmith,’ a logical next step for the attacker would be to try to compromise the Gmail account with that same password or derivatives thereof. Now, not only are all of John Smith’s Facebook friends at risk, but also all of his Gmail contacts.
  If John Smith uses his work account, this is a direct threat to his place of employment. If he used another email account but listed his workplace, the combination of his name, workplace and password could be enough to exploit his place of business.
• Spread to other devices. This can occur in small home networks, but is a larger problem for the employer network.
Technical Risks
Cybercriminals are focusing their attention on exploiting social networking sites for the large payoff they get when exploiting one account to phish others. They are also using social networks (including small gaming networks) to spread malware. Here are some examples of technological exploits being conducted within social networks:

1. Banking malware. Social networks in 2010 were heavily leveraged to spread the Zeus Trojan, a piece of malware that captures and exploits online banking information for small business accounts that use automated transfer services. URLZone, another Trojan designed to steal money from exploited users’ bank accounts, utilizes social networking. The URLZone Trojan is an advanced piece of malware that actually alters the HTML coding of online bank statements in order to hide from the user the money transfer from the exploited account.
2. Botnets. Social networking sites have also contributed to an increase in botnets. A recent exploit for social networking sites is the Koobface worm, which infects Windows, Mac OS X, and Linux systems. The purpose of the Koobface worm is to collect login information and other credentials from a system. The worm spreads through Facebook messages and wall posts that urge users to go to a third party website and download a critical “update” (malicious code) for Adobe Flash Player. Downloading and executing the file infects their system. Once the worm infects a system, that system then becomes a zombie system in the botnet.
3. Third-party applications. Another social networking attack vector is in third party social networking applications.[3] The problem is that most third party applications do not undergo appropriate security testing or vulnerability scans. Many times these applications contain vulnerabilities or poor programming techniques, which could easily be exploited by an attacker. Because many users assume a high level of trust, they often install or click on interesting sounding applications not knowing that there could be hidden features or security holes. Some of these applications, including one of Facebook’s most popular applications, Farmville, also distribute personal user information to third party websites, where it is distributed to advertising firms and Internet tracking firms. Also, in the case of shared applications such as games, the full user profile, unless specifically changed through multiple steps, is shared with everyone else using those shared applications.[4]
4. Locations. Facebook Places allows users to “Check-In” at restaurants, stores, movie theaters, and so on. When a user “checks-in” to a certain place, usually with a mobile phone, the user’s friends and friends of friends (and those using shared applications) can see when and for how long the user will be away from home, important information to any local criminal interested in burglary. In addition, when a user checks in to a place, his or her location is viewable to all others checked in to a location, even if they are not the user’s friends.
   If it is a work employee checking in and the company is the target, compromising a protected system may be as easy as meeting up at a technology event and handing a key employee a USB stick (which the employee innocently plugs into a company computer inside a secure network). Facebook and other services that provide location-based check-in have privacy settings, but they are manual and involve many steps.
5. URL posting. Often times, social networking applications, such as Twitter, will allow users to post URLs to websites for other users to click on. This allows users to share information, videos, and other items, without typing in or posting the excessively long URLs they’re attached to. So, for example, with Bit.ly and TinyURL services, a user simply copies and pastes the desired URL into the Tiny interface and then creates an alias for the URL. This gives attackers the ability to direct a user to a malicious website by naming the link “sneakybadguys.net” to “HILARIOUS YOUTUBE VIDEO.”

There are many other instances of malware affecting social networking sites, some of which have not even been identified yet. But all of them will be problematic for organizations participating in social networking, as well as their employees that do so.

[3] www.facebook.com/apps/directory.php
[4] www.eff.org/deeplinks/2010/08/how-protect-your-privacy-facebook-places
Enabling Humans
When it comes to social networking and security, it is important to avoid the extremes. Allowing full access with no restrictions to social networking sites is dangerous. However, banning social networks can also be a bad business move, not to mention it will create new risk because users will find ways to do it without the IT staff’s knowledge or protection. Other than losing a valuable enterprise tool, organizations still have employees that use these types of websites outside of work, and what they divulge there can still be damaging.

This means that the best way to enable social networking with security is through education. Organizations should create social networking security programs that educate employees about appropriate, safe uses and about the dangers of social networking sites. It is important that the program emphasizes the importance of protecting personal information as well as company private information.

Settings

Employers must help employees learn and understand their privacy settings. For example, unless privacy settings are manually adjusted, all profile information, posts, changes, locations and friend data is automatically viewable to friends and friends of friends in their Facebook communities. It is also important to note that making updates or subtle changes to a profile could cause all the profile settings to change. It is not a bad idea to create a separate account and use it to log in with periodically to see what personal information your primary account is giving away.

Under “Account,” users have privacy settings with buttons they can click to customize. Under customization options, most people will click “friends only” for minimum privacy, and “only me” for strictest privacy. For example, someone worried about their location being tracked by the wrong people can use “check me into places,” but set up a small list of people allowed to see that information. For strictest privacy, they should not allow anyone to check them into places and make their location viewable to “only me.” Facebook privacy settings are shown in Figure 2.
Figure 2: Customized Privacy Settings on Facebook

Unfortunately, at least in the case of Facebook, not all these settings carry over to applications shared with friends. For example, regardless of your primary privacy settings, location data is sent to everyone sharing that application (and their friends), unless locations is disabled. To adjust private data shared with applications requires going back to the privacy page and, in another location, on the lower left, a larger window appears with multiple options for applications, as shown in Figure 3.
Figure 3: Facebook Privacy Settings for Shared Applications
Postings and Messages
Other education points should protect against malware hidden in URL posts, malicious friend requests, messages and other ways malware and phishing spreads. Because of the many attack vectors presented in social networking, education should also emphasize the importance of being skeptical of all types of interactions requesting that the user click links or fill out forms. Everything is not always what it appears to be: even ‘CHECK OUT THIS VIDEO’ messages posted on friends’ sites could have malicious payloads.

It is also critical for employees to be careful of what work information they post. Saying you had a stressful day is OK, but saying you had a stressful day because you lost a $30 million contract crosses the line. It might not seem like a big deal, but this type of information is absolutely intellectual property and can be useful to competitors in takeovers and other such situations. Even with the strictest security settings, you should assume someone you wouldn’t want to read what you post can do exactly that. So limiting information can also help. For example, do you really even need to list your employer and location in your profile?
Enabling Technology
In order to protect against these advanced attack methods utilizing social networking, organizations need technology policies to minimize the risk of intrusion and data theft through these applications. For best protection, policy should include the following:

• Control application usage. Organizations should start by allowing only approved social networking applications and disallowing unnecessary application traffic types. New identification technologies allow organizations to control Facebook functionality, users, and content, including which Facebook functions are operating on the network. This technology can be used to locate and identify risks associated with the Facebook operations.
• Monitor approved applications for signs of abuse. Watch approved traffic to and from social networking applications for signs of data leakage, such as large and encrypted files being posted and sent over social networking mail. Also monitor for command and control signals or unusual spikes in outbound social network traffic or traffic hopping between ports it shouldn’t be hopping between.
• Monitor users. Most employees sign an Internet security contract explaining their lack of privacy when using organizational resources (i.e. computers/networks). This type of contract allows an organization to monitor all network traffic.
• Manage risk. Security is all about managing and controlling risk. There might be some unsafe social networking features that are needed even if they could cause a compromise. In this case, you might allow the feature, but it should be configured as securely as possible and scanned continuously for attempted exploitation, access, changes, etc.
• Control plugins. New advancements in firewall technology have given enterprises the ability to control Facebook Social Plugins. By approving and blocking certain plug-ins and their traffic at the firewall, organizations have the ability to control what confidential information is shared with third party applications.
• Control and monitor access. Microsoft Active Directory and other directory services in use should link Facebook functions to certain users or groups. This allows an administrator to differentiate between what applications different users can and should be using.
• Monitor social networking application behaviors. Monitor and block unauthorized uses of or changes to the social networking application, its plugins and other features. Watch for unusual traffic destinations or sizes, or unauthorized users.
• Monitor and control corporate used social networking sites. All of these rules apply also to the social networking site owned and operated by the place of business. This includes monitoring for changes made to the site or its applications, the existence of malware installers on the site, and user communications.
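The monitoring points above (large or encrypted uploads, command and control signals, outbound spikes, and traffic hopping between ports) can be turned into concrete checks over a web proxy log. The script below is an added example written for this edit; it is not from the paper or from any vendor product. The log format, the approved host list, the user names, the thresholds and the sample lines are all constructed assumptions for illustration, and a real deployment would read the organization's own proxy or firewall logs and tune the thresholds against its normal traffic.

```python
"""Added example (not from the SANS paper): turning the "monitor approved
applications for signs of abuse" advice into checks over proxy log lines.
Log format, hostnames, users and thresholds are constructed assumptions."""
from collections import defaultdict
from statistics import median

# Constructed sample proxy log, one request per line:
# time user dest_host dest_port bytes_out content_type
SAMPLE_LOG = """\
09:00:01 alice www.facebook.com 443 1200 text/html
09:00:07 alice www.facebook.com 443 850 application/json
09:01:10 bob twitter.com 443 640 text/html
09:02:30 bob twitter.com 443 720 application/json
09:03:15 carol www.facebook.com 443 3200 application/json
09:04:02 alice upload.facebook.com 443 52428800 application/zip
09:05:40 dave www.facebook.com 8443 900 application/octet-stream
09:05:41 dave www.facebook.com 8080 910 application/octet-stream
09:05:42 dave www.facebook.com 443 905 application/octet-stream
09:06:00 bob twitter.com 443 700 text/html
"""

APPROVED_HOSTS = {"www.facebook.com", "upload.facebook.com", "twitter.com"}  # assumed allow-list
OPAQUE_TYPES = {"application/zip", "application/octet-stream", "application/pgp-encrypted"}
LARGE_UPLOAD_BYTES = 10 * 1024 * 1024   # 10 MiB outbound in one request (assumed threshold)
EXPECTED_PORTS = {443}                   # the only port these web apps should be using
SPIKE_FACTOR = 10.0                      # a user's total vs. the median of their peers
BEACON_MIN_HITS = 3                      # identical-interval requests to call it beacon-like


def parse_line(line):
    """Split one log line into typed fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    hh, mm, ss = (int(x) for x in parts[0].split(":"))
    return {"t": hh * 3600 + mm * 60 + ss, "user": parts[1], "host": parts[2],
            "port": int(parts[3]), "bytes_out": int(parts[4]), "ctype": parts[5]}


def analyze(log_text):
    """Return (user, reason) findings over traffic to approved social networking hosts."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    records = [r for r in records if r["host"] in APPROVED_HOSTS]
    findings = []

    # 1. Large and/or opaque (archive or encrypted) uploads: possible data leakage.
    for r in records:
        if r["bytes_out"] >= LARGE_UPLOAD_BYTES:
            kind = "large opaque upload" if r["ctype"] in OPAQUE_TYPES else "large upload"
            findings.append((r["user"], f"{kind} of {r['bytes_out']} bytes to {r['host']}"))

    # 2. Traffic hopping between ports an approved web application should not use.
    ports = defaultdict(set)
    for r in records:
        ports[(r["user"], r["host"])].add(r["port"])
    for (user, host), seen in ports.items():
        odd = seen - EXPECTED_PORTS
        if odd:
            findings.append((user, f"unexpected ports {sorted(odd)} to {host}"))

    # 3. Spike in one user's outbound volume relative to the median of the other users.
    totals = defaultdict(int)
    for r in records:
        totals[r["user"]] += r["bytes_out"]
    for user, total in totals.items():
        peers = [v for u, v in totals.items() if u != user]
        if peers and total > SPIKE_FACTOR * median(peers):
            findings.append((user, f"outbound spike: {total} bytes vs peer median {median(peers)}"))

    # 4. Beacon-like pattern: several requests to one host at an identical, non-zero
    #    interval, which is how command and control check-ins tend to look in a proxy log.
    times = defaultdict(list)
    for r in records:
        times[(r["user"], r["host"])].append(r["t"])
    for (user, host), ts in times.items():
        ts.sort()
        gaps = {b - a for a, b in zip(ts, ts[1:])}
        if len(ts) >= BEACON_MIN_HITS and len(gaps) == 1 and min(gaps) > 0:
            findings.append((user, f"beacon-like interval of {min(gaps)}s to {host}"))
    return findings


def flagged_users(log_text):
    """The set of users with at least one finding, for a quick triage view."""
    return {user for user, _ in analyze(log_text)}


if __name__ == "__main__":
    for user, reason in analyze(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

On the constructed sample, alice is flagged twice (a 50 MiB zip upload, which also dominates her outbound total) and dave twice (requests to the approved host on ports 8443 and 8080, arriving at a fixed one-second interval); bob and carol produce no findings. The checks are deliberately simple so each maps to one sentence of the policy bullet; in practice the spike check should compare against a per-user historical baseline rather than the peers in a single log window.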
Conclusion

Social networking is a valuable outreach resource for organizations, but it is accompanied by added risk. Just as the risks of social networking are both human-based and technology-based, so, too, are the measures needed to enable secure social networking while instilling safe usage habits that carry outside the organization.

Social networks provide a vast amount of information, some of which can be used by an attacker to exploit an individual at his or her place of employment. Once that information is gathered, an attacker can use social networking sites to trick a target into installing malware that could spread to the organization.

In order to protect both employees and the organization, it is important to educate employees about the dangers of posting too much personal information on social networking sites, as well as the dangers of phishing and malware. Technical controls are just as critical, including advanced firewall and application capabilities (whitelisting, fine-grained controls), monitoring, and other controls.

By developing social networking policies, training/educating employees, and instituting proper technical controls, organizations can make use of social networking more secure for their employees and their networks.
About the Author

SANS Faculty Fellow, Dr. Eric Cole, is an industry-recognized security expert and founder of Secure Anchor Consulting, where he currently performs leading-edge security consulting, provides expert witness testimony, and works in research and development. Cole’s IT focus areas include perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. Cole has a master’s degree in computer science from New York Institute of Technology and a PhD from Pace University, with a concentration in information security. He is the author of several books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible, and Insider Threat. He is the inventor of over 20 patents and is a researcher, writer, and speaker. He is also a member of the Commission on Cyber Security for the 44th President and several executive advisory boards.
SANS would like to thank this paper’s sponsor