Social networking security threats taken too lightly

Editor’s Note: The following article is reprinted from Network World.

There's a gap between reports of malware generated from social networking sites and the threat businesses perceive from them, according to the results of Sophos's "Security Threat Report 2011."

The December 2010 survey says that reports of malware from social networking sites are on the rise. Malware from these sites hit 40 percent of users, up from 21.2 percent in April 2009 and 36 percent in December of 2009. Phishing is also on the rise, reaching 43 percent of social networking users in December 2010, up from 21 percent in April 2009 and 30 percent in December 2009, the report says.

Still, more than half the companies surveyed for the report allow unlimited access to Facebook, Twitter and LinkedIn, even though 59 percent of businesses surveyed think that employee behavior on social networks could endanger corporate security.

Addressing Facebook's application system, the report notes that any member can write any application—possibly malicious—and install it on their page where it can spread to other users. The problem could be addressed by walling off Facebook and allowing only approved apps or granting users the ability to ban all but vetted apps from their pages.

Of those surveyed, only 4.49 percent opposed walling off the site from all but approved apps, the report says.

The Sophos report recommends that social networks force privacy decisions onto their users by having them determine who would be able to see data they upload to their pages on the sites. "Such an approach would drastically improve the security of potentially sensitive information," the report says.

Privacy is a worry for social-site users, with 16 percent saying they have quit Facebook over privacy issues and another 30 percent saying they are highly likely to. Sophos says in the report that taking steps now rather than waiting for laws to define them would increase user trust in the networks.

In another area, the report says that perfectly legitimate Web sites are compromised at a rapid clip. With 30,000 new malicious URLs being found every day and 70 percent of malicious URLs belonging to hacked legitimate sites, the problem is growing.

The main threat is that these sites perform drive-by downloads that compromise the computers of visitors to the sites. Popular malware seizes files on victim machines and holds them for ransom until users pay to unlock them with passwords, the report says. The lion's share—39.39 percent—of sites distributing malware are hosted in the U.S., with France (10 percent) and Russia (8.72 percent) coming in second and third.

The report also looked at cyberwarfare. Most of those surveyed by Sophos say that they approve of their own governments spying on other countries using hacking and malware as tools. For 23 percent, that approval was blanket, but another 40 percent said it was OK only during wartime. More than half (54 percent) thought their country wasn't doing enough to protect from Internet attacks, and 40 percent said they just didn't know.

The report also noted that social engineering continues to prove effective for online criminals, and offered these 10 warnings for avoiding the social engineering that can lead to victimization on the Internet:

  • If an offer sounds too good to be true, it probably is.
  • If you can't think of a good reason you were singled out for a windfall, it's probably a scam.
  • Don't believe things just because they are stated in e-mail or on Web sites.
  • Don't click on alluring links without thinking through the possible consequences.
  • Never provide personal or company information unless you are certain of the identity and authority of the person requesting it.
  • Never reveal personal and financial information via e-mail or by following links to sites to enter such information.
  • If you doubt the legitimacy of e-mail, contact the sender by a separate channel you look up.
  • Check URLs of sites you visit to be sure they are the URLs you actually want, not similarly named ones that may be malicious.
  • Don't send sensitive information over the Internet if you aren't confident of the site's security.
  • Be suspicious of unsolicited phone calls and e-mails seeking information about your business and employees.
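The "similarly named" URL warning above is the one item in the list that can be turned into a mechanical check. The following is an added example, not code from the Sophos report or from Network World: given a URL and a constructed allowlist of domains the user actually intends to visit, it reports whether the host is an expected domain (or a subdomain of one), a lookalike that differs from an expected domain by a character or two or that buries an expected domain inside a different host, or simply unknown. The allowlist, the two-edit threshold and the "last two labels" approximation of the registrable domain are assumptions for the example; production code would use the Public Suffix List instead of the last two labels.

```python
"""Lookalike-URL check (added example; not from the Sophos report).

Classifies a URL's host against a list of domains the user expects to visit,
flagging near-misses of the kind the social-engineering checklist warns about.
"""
from urllib.parse import urlsplit

# Constructed allowlist of "the URLs you actually want" (assumption for the example).
EXPECTED_DOMAINS = ["facebook.com", "twitter.com", "linkedin.com"]

# Hosts within this many single-character edits of an expected domain are
# treated as lookalikes (assumed threshold).
MAX_EDITS = 2


def hostname_of(url: str) -> str:
    """Return the lowercase host of a URL, without port, trailing dot or leading 'www.'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_url(url: str, expected=EXPECTED_DOMAINS) -> str:
    """Return 'expected', 'lookalike' or 'unknown' for the host of url."""
    host = hostname_of(url)
    if not host:
        return "unknown"

    # Exact match or genuine subdomain of an expected domain.
    for domain in expected:
        if host == domain or host.endswith("." + domain):
            return "expected"

    # Simplification: treat the last two labels as the registrable domain.
    registrable = ".".join(host.split(".")[-2:])
    for domain in expected:
        # Typosquat-style near miss, e.g. one or two characters changed.
        if edit_distance(registrable, domain) <= MAX_EDITS:
            return "lookalike"
        # Expected domain used as a leading or middle label of a different host,
        # e.g. "facebook.com.<something-else>": the registrable domain is not ours.
        if host.startswith(domain + ".") or ("." + domain + ".") in host:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the report.
    for sample in ["https://www.facebook.com/login",
                   "https://faceb00k.com/login",
                   "http://facebook.com.login-verify.example/",
                   "https://example.org/"]:
        print(f"{classify_url(sample):9s} {sample}")
```

A check like this belongs in a mail gateway or browser extension that annotates links before the user clicks, not in the user's head; the edit-distance threshold trades false positives (short, legitimately similar domains) against missed lookalikes, so tune it against your own allowlist.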
