Social Media Vulnerabilities Cited With Need for Some User Rules

So dominant is the consolidation of professional and personal social media now that little consideration is sometimes given to how few tools are available for monitoring users' exposure. One of the primary risks is that overexposure in the sharing of personal information can lead to vulnerabilities.

The internet is collapsing into hyper giants Twitter and Facebook for developing relationships online. As speakers told a Washington, D.C. conference on cybersecurity, at issue is whether these commercial companies are working in the best interests of the product users or of advertisers.

Social media use in the workplace

Dissolution of traditional barriers between professional and personal lives has taken place as people work continuously through mobile devices, noted Aaron Barr, director of cyber security at Sayres and Associates. The converging of technology capabilities in a much more seamless manner with a single mobile device carried with us has become an entry point to information and services.

But the attractiveness of these functionalities is increasing the difficulty of keeping personal information secure, Barr said. "Now that the commercial internet is becoming essential for commerce and for critical infrastructure, the use of the internet as an asymmetric threat to achieve some larger objectives is becoming more and more prevalent."

Employers can't stop employees from using social media in the workplace as long as there are mobile devices, added David Etue, vice president of corporate development strategy at SafeNet.

Compromise of information is going beyond gaining access to a system and now being able to infiltrate banking institutions and obtain customer data. In trying to detect misuse, issues of privacy and civil liberties on the cyber side materialize if surveillance of internet activity occurs.

"It's very difficult to look at a Facebook page and determine whether or not that person that's behind that Facebook page is a foreign threat," Barr said.
The internet additionally has become a very politicized battleground space with WikiLeaks, as one example, publishing private and classified material from anonymous sources.

Of greater concern to him, Barr said, is the aggregating of location information by a social networking site such as Foursquare, designed for mobile devices like smartphones. A correlation of this information occurs across platforms, which is difficult for users to manage but easy to manipulate for other purposes.

Caution urged with LinkedIn account information

Many people with LinkedIn accounts may list their place of work, position, or whether they hold a security clearance, even specifying at times what they do if they are an iPhone field test engineer. "That information can be cross correlated to services like Foursquare and all of a sudden it becomes identifiable" about who and where a particular individual is, Barr said.

He maintains it is better to have only generic company information on LinkedIn, in case someone is trying to do targeting analysis of the company where you're working, despite the site's frequent use as an online resume.

With social media commonly used at work, a differentiation is made between people communicating for themselves as opposed to on behalf of their organization, Etue said. Federal agencies don't want someone communicating on Facebook about an entitlement program. But in other areas companies can use social media such as Twitter for individual discussion on customer objections to elements of their service, he pointed out.

Consequently, a set of rules is advisable regarding code of conduct or acceptable use if no specific social media policy exists. Such a set of rules is also how users can report suspicious activity or suspected instances of phishing.

Attorney David Wilson, the owner of Titan Info Security Group, who has provided legal advice on computer network operations, noted the need for social media policies is especially evident in cases of blatant abuse.
He cited three young congressional staffers in the office of Democratic U.S. Rep. Rick Larsen of Washington State who were fired after an online political blog printed a series of private Twitter messages traced to Larsen's office that the employees had exchanged about putting Jack Daniel's in their coffee at the office, watching YouTube videos on the job, their lack of interest in work, and contempt for their boss.

Wilson expanded upon Etue's point that social media policies should not be devised in a void. "Consider who you're connected to and who you're doing business with and how that impacts you because your employees are obviously working with other companies and organizations and agencies" and need professional communication with them to function.

Challenges in implementing social media policies

Employers can face challenges in formulating use policies that don't violate the rights of their employees and prevent lawsuits while enabling disciplinary action as necessary to enforce rules and regulations.

In the recent history of social media and Facebook legal cases, Wilson said the National Labor Relations Board has sought to protect employees. The issues raised are whether employees are using social media to attack companies or whether they are seeking support for a cause or engaging in collective bargaining with other workers on pay issues.

The NLRB interprets rules under Section 7 of the National Labor Relations Act defining protected activity (as related here to social media): employees have the right to self-organize, to assist labor unions in collective bargaining, or to engage in work-related activities with other employees about working conditions. But workers can't disparage their company or other employees.

The NLRB has concluded these employers' social media policies stifle employees and prevent their exercise of Section 7 rights, Wilson told conference attendees.

The D.C. Circuit Court of Appeals has ruled such policies were legitimate and didn't stifle employee rights under Section 7. It has held that employers must be able to write policies that state what employees can and cannot do. For that reason employers should try to limit ambiguity and be specific regarding employee actions, Wilson said.

Steps to limit social media vulnerabilities

Aside from what happens in the workplace, users of Facebook can take concrete steps to curtail their potential vulnerabilities, Barr added. Contrary to what Facebook itself wants, users should hide their friends, he said.

Facebook makes it difficult to maintain user privacy because of continually changing security perimeters and keeping the friends list separate from the other privacy settings. This is deliberate because Facebook wants the friends lists to be accessible to enable discovering new friends, Barr said. He recommends hiding friends and all publicly available information (who you work for, who you're married to, and all hobbies).

From the friends list, others can do a profile of where someone went to school or lived from other friends who attended the same school or grew up in the same hometown. Barr considers having in excess of 300 friends on Facebook "promiscuous" because that suggests someone will loosely friend anyone.

This is what those using Facebook for targeting of profiles look for in searching for users with common friends, which is a frequent rationale for people on Facebook to accept new friends. In business it can be easy to tell who competitors are meeting with if people start friending those from a certain company.

Barr urges everyone to watch what they click on, such as URL shorteners. That includes being careful about security settings on location-based services. It's easy to profile someone, where they are going, what their routine is, and their schedule.
In addition, don't discuss certain topics on social media such as hot button political subjects, he said.

He advocates the use of web sites that will allow testing of URLs for legitimacy. In essence, users should define what they want to use these platforms for. Don't tweet you're stuck in traffic on Interstate-95 or drinking in a bar somewhere as though you were e-mailing that privately to a friend.

Social media has value for planning purposes and other forms of communication. But those on it must ask what information they want out there and it can take a risk analysis of what they're doing to reach that determination.

Source: Cybersecurity Conference and Exposition, Walter E. Washington Convention Center, Washington, D.C., December 9, 2011