By Pamela George

It’s a common scenario. You receive an email from someone you can’t recall, requesting your friendship on Facebook. Or perhaps the sender wants you to become part of a LinkedIn network. She may reference the school you attended, a mutual friend or the fact you’ve done business together. You shrug and click the embedded link to accept. The link takes you to what you think is Facebook, although you’re probably not looking at the URL. A popup message indicates that the browser needs an update. Routine stuff. You click on that, too.

You just put your company’s data and your personal data at risk.

“As soon as you click on it, they own you,” says Jeff Lipson, a shareholder and board member for SaberSource, a Blue Bell-based provider of IT infrastructure maintenance and support services. “You’ve just downloaded malware onto your computer that allows them to do any nefarious thing they want.”

What do they want? Most often, credit card and bank information for both you and your company. But some sophisticated hackers are interested in proprietary information. “A foreign company may say: ‘Why invent a new drug when I can steal one from a U.S. company?’” says Lipson, who was recently recalled to active duty as a Lieutenant Colonel in the U.S. Marine Corps, where he’s working with Marine Forces Cyber Command.

To do business in the 21st century, many experts maintain, you must have a presence on social media sites like Facebook, LinkedIn, Foursquare and Myspace. But the sites give hackers yet another way to gather information about your company or you. Employees are inadvertent conduits, particularly if they access personal accounts using company technology. To protect company data, you must educate yourself and your employees and have the proper policies, security measures and software in place.

The scope of the problem

Judging by the headlines, hacking and virus attacks on businesses are on the rise.
On April 19, Sony discovered a security breach that exposed information about more than 100 million Sony customers and resulted in a 23-day closure of the PlayStation Network. In December, an Internet activist group called Operation Payback claimed it had shut down the website of Swiss bank PostFinance, which had frozen a legal defense fund account for WikiLeaks founder Julian Assange. The hacker group Anonymous, also a WikiLeaks sympathizer, released what the group said were damning documents involving Bank of America.

These groups are comprised of savvy technophiles who are proud of their abilities. “They publish the tools online to show how they exploited security weaknesses,” Lipson says. “They try to get other hackers to join their activism. Then real criminals use those tools to steal money from people.” And from the places they work.

At work or at home, many people have already experienced what’s known as “phishing,” an attempt to acquire sensitive data, such as user names, passwords and credit card details. In a “phishing” scam, an emailer pretends to represent a trustworthy entity, such as a bank or online payment processor. “Phishers” may also impersonate well-known social networking sites, such as Facebook, or an auction site, such as eBay. Consider the request from PayPal to update your credit card information. Only it’s not really PayPal. Then there’s the anti-virus software that mysteriously starts running when you click on a Web link. After announcing that you have umpteen viruses, the popup tells you to “click here” to fix them. The phisher may even pretend to be an approved IT vendor who is requesting an HR or IT employee’s server password to work on the system.

Social media has given criminals yet another way to find out information about you and to use it against you. They not only can use information collected this way to put people personally at risk, but they can discreetly collect useful business details.
It may seem obvious that someone who tweets that he’s on vacation for a week is telegraphing on Twitter that his house is empty. But does a person who hints on Facebook that they’re visiting a big potential client in Arkansas stop to think that a savvy watcher will know Walmart is located there? “They’re providing their adversary with opportunity,” says Rick Doten, Chief Scientist for Cyber Security at Lockheed Martin. “They may not be giving away intellectual property, but they are tipping their hand.”

“You never know who is a ‘friend of a friend,’ so your post may be visible to your client, prospect or competitor,” says Amy Turner LaDow, Chief Information Officer at SunGard Higher Education, in Malvern, Pa. “Even something as simple as ‘great job. you were fantastic today. they loved you.’ could be telling a prospect you thought you won the deal, which may make them think you’re too arrogant for the job.”

Simple steps that protect

Education is as important as technology to counter social media risks, Doten says. Prevention requires awareness. Lockheed Martin, for example, has an “I” campaign that educates employees about cyber threats. Trevose-based Data Systems Analysts (DSA), a technology solutions consultant that partners with the U.S. military, educates employees about phishing and malware threats and has policies as to what programs and information employees can download onto company-owned computers.

Changing passwords and user names are easy ways to help prevent theft. “Don’t use the same password for all your accounts,” Lipson warns. “A lot of people do that until they experience an identity theft.” He regularly changes his password with easy-to-remember numbers and letters that follow a sequence. The U.S. National Security Agency recommends a password that’s at least 10 characters long with upper- and lowercase letters, numbers and special characters.
In addition, make sure the operating system and security software are up to date so they address current concerns. Lipson says that companies and individuals may consider using an Internet browser other than Internet Explorer, which is often a target because it’s so frequently used (if you’re going to create a program to infiltrate computers, you want one that will affect a large population). That is also true when it comes to Outlook and Windows, which is why Apple products have less risk — for now. However, because Explorer is so frequently targeted, chances are that it’s updated more regularly, Doten says. And other browsers may not integrate as well with company applications.

The key is to install security measures, such as preventing popups and other files from automatically opening, and blocking malware. “From a business perspective, it is essential to set the appropriate security settings and to apply patches as soon as they are available,” says SunGard Higher Education’s Turner LaDow.

Although it may sound obvious, be careful whom you friend, says Charles Cooks, Vice President of Intelligence for DSA. “Walking down the hall, you wouldn’t consider anybody you passed a friend,” he says. “Be just as selective on a cyber-network. You’re not obligated to be ‘linked’ with anybody on LinkedIn.”

Taking it up a notch

In an attempt to protect data, some companies may forbid the use of Internet-driven features, such as instant messaging. But in a competitive, techno-driven arena, that’s not always practical. “We need to attract young people and people who are technically savvy,” Cooks explains. “We have to have those capabilities.”

A solution: Establish in-house services that mimic those commonly found via Google and AOL. DSA employees, for instance, can use an instant messaging-type service. “It helps people feel at home and comfortable — they know they have a network presence,” Cooks says. DSA is also providing internal social media infrastructures for its clients.
Lockheed Martin has an instant-messaging platform that’s only for employees. “It’s important to the rhythm of business, and it’s secure,” Doten says.

One of the most successful examples of an internal system, Cooks says, is the U.S. Army’s milSuite project, which allows users to share ideas in discussion groups behind firewalls. The project includes a milBook, which lets users create discussion threads in self-created groups. The suite also includes a wiki and a blog to which users can post news, photos and ideas.

Lockheed Martin allows employees to access social media sites, such as Facebook, but every time they do, a warning banner hits the screen. They must sign off on the company policy before entering the site.

Some companies have two setups: one for in-house emails, messaging and data storage, and another that allows them to use the traditional Web. “If I were the CIO of a big pharma, I’d run two networks,” Lipson says.

The risk of not instituting security measures to address social media greatly outweighs the cost. “The threats are here to stay,” Cooks says. “We think the best approach is to figure out how to manage the risk, instead of doing nothing.”

For more information on the NSA’s best practices for a home network (many of which apply to small- and medium-sized businesses), visit the NSA website and click on “Best Practices for Securing a Home Network.”