Social-network use leads firms to boost security

By ABC News
February 28, 2012, 7:54 PM

SAN FRANCISCO -- When Randy Kortering decided to upgrade computer network defenses at Haworth, a $1 billion-a-year office fixtures manufacturer, his chief of security warned him about social-networking use.

"He laid out what was coming through a Facebook connection and how it could very quickly spread a virus that we weren't prepared to block," recalls Kortering, vice president of global information services for the Holland, Mich., company.

Kortering began reviewing new security systems designed to closely monitor or restrict, as needed, employee use of Facebook, Twitter, Google, LinkedIn and other popular online services. Because of a surge of headline-grabbing database breaches, many companies attending the massive RSA security conference here this week are following suit.

"The problem is pervasive," says Jeff Wilson, principal security analyst at Infonetics Research. "Companies of all sizes are definitely re-evaluating what they have installed for IT security."

Verizon's annual Data Breach Investigations Report supplies a benchmark. Its 2011 study examined patterns in 800 corporate intrusions, up from 761 in 2010. By contrast, Verizon's forensic experts were called in to solve 900 database break-ins in the previous six years combined, 2004 through 2009.

This is new terrain. The tech industry's marquee players are intensifying the collection and sharing of personal information in order to sell more advertising. Yet the implications of companies acquiring beefier security systems to restrict employee access to popular services are difficult to discern.

Security analysts and criminologists say this much is clear: "Spear-phishing" attacks, crafted to get unsuspecting employees to inadvertently seed computer viruses and infections at targeted organizations, are jumping. And the surge of attacks on corporations correlates to the rise in unfettered use of social networks, search engines and Web apps on company networks, analysts say.

These popular free online services have turned out to be a boon for spear phishers, who prowl social networks and use search engines to gather intelligence. "Just like online marketers and advertisers, criminals see a tremendous value in knowing more about their targets," says Rob D'Ovidio, a criminology professor at Drexel University.

Spear phishers are adept at inhabiting social networks to troll for victims. And they have proved endlessly inventive at crafting e-mails and social-network postings that appear to arrive from a trusted source, while stealthily delivering a malicious payload to gain them access deep inside company networks. The desired booty: customer lists, design documents, patents, financial statements — anything that can be sold in the cyber underground.

"In most of the high-profile breaches we've seen in the past 12 months, hackers used social engineering to get an initial foothold inside the company," says Hugh Thompson, RSA conference program committee chair. "It isn't a generic stranger trying to deceive your employees; it's someone who knows them through online reconnaissance."

Dark side

Recent studies illustrate this dark side of social networking. Firewall maker Barracuda Networks analyzed Web traffic of 5,500 PC users in 20 nations and found one in 60 Facebook postings, and one in 100 Twitter Tweets, carried malicious code.