Collaboration and social media solutions are now engrained in a wide range of business processes. Yet these sophisticated technologies also present new and potentially serious risks to both IT and network resources, as well as to sensitive and confidential organization data.
While virtually all organizations have already taken steps to detect and prevent direct IT and network threats, end user behaviors and actions add a challenging new twist to the task of protecting systems and sensitive organizational information from exposure and attacks.
“By and large, most popular social media and collaboration tools have strong security,” says Asaf Cidon, vice president of content security services/content security engineering for Barracuda Networks.
Yet built-in safeguards alone aren’t enough to prevent users from inadvertently placing systems and data at risk. “With social media tools, a simple mistake can make confidential company information public,” says Mark Nunnikhoven, vice president of cloud research for Trend Micro.
Many organizations react to collaboration and social media dangers in a knee-jerk manner by banning the solutions from both in-house and bring-your-own-device systems. Yet this approach only serves to delay the day of reckoning. “It’s becoming increasingly difficult to prevent the adoption of social media and collaboration tools,” Cidon says. “Rather than try to block these tools, we recommend to adopt them and set up a security, identity management and employee training framework to make sure data remains safe.”
A New Range of Security Vulnerabilities
Collaboration and social media-launched threats are numerous and multiplying. Many are designed to take advantage of distracted or poorly trained end users. “The biggest security threat is employee mistakes,” Cidon says. “It’s important to make sure that employees are fully aware of the possibility of accidental data loss and social engineering attacks.”
Social engineering attacks are, in fact, a major threat to collaboration and social media security. Social engineering is designed to manipulate people into disclosing various types of confidential information. Social engineering tactics are widely used because it is usually easier for an attacker to trick someone into disclosing a password, revealing sensitive information or downloading malware than it is to discover ways to hack into a well-secured server or network.
Social engineering attacks can be launched through a number of different pathways, including email, instant messages, page comments or even voicemail. Phishing, the practice of sending emails or messages appearing to come from reputable sources with the goal of influencing or gaining personal or business information, is the most common attack vector. Phishing attacks work well because people generally trust messages that seem to come from a trusted entity.
Link-jacking, another significant security threat, utilizes a fake “like” button to direct individuals to a malware-infected website rather than a legitimate social media service. Users who click the button don’t like the page, but instead unintentionally download malware.
Unfortunately, a number of social media/collaboration support technologies can unintentionally provide attackers with potential network entry paths. Java and Flash are both well-known attack vectors. These technologies are frequently updated to address newly discovered weaknesses, yet “zero day” attacks can catch both users and organizations by surprise, leading to possible data exposure and other security issues.
Building Security into Collaboration Tools
Protecting an organization against social media/collaboration attacks requires careful planning and long-term oversight. “I would argue that the security risks posed by collaboration/social media tools aren’t dissimilar from the security considerations that go in any enterprise application that you would be rolling out, including CRM, ERP or business intelligence,” says Ben Dickie, an analyst with the Info-Tech Research Group.
Platform choice plays a major role in ensuring strong security, with commercial-grade collaboration platforms generally offering more powerful and flexible safeguards than consumer-class social media services. “You can pick consumer collaboration tools, but the problem with those tools is that they don’t have business-grade access functions built into them,” says Jonathan Rosenberg, vice president and CTO of Cisco Systems’ collaboration unit. Consumer social media tools also don’t typically allow IT departments to use digital leakage prevention technologies, to perform compliance or establish and manage policies. “These types of enterprise features just do not exist in consumer tools,” he says.
Most business-class collaboration platforms also have the ability to integrate with existing identity systems, such as Active Directory, and, if deployed on-premises, can also use existing data loss prevention gateways and secure proxies, Nunnikhoven says. “For cloud deployments, application program interfaces (APIs) provide access to content in order to scan for data leaks and malware,” he adds.
“Monitoring techniques, such as security intelligence, is a huge area we’ve invested in,” says Inhi Cho Suh, general manager for collaboration solutions at IBM. “Watching behaviors and identifying anomalies in behaviors for individuals and groups enables earlier identification that something is happening.”
“Security is always going to be a consideration to some degree with commercial collaboration platforms, especially since the majority of these tools are security as a solution (SaaS), meaning that the information that goes into those tools ultimately lives with the provider,” notes Dickie. “In some cases, however, we do see organizations with high requirements for data residency, or requirements that certain systems have to be kept on premises, decide not to store their data with the provider,” he says.
Several Layers of Cybersecurity Defenses
Regardless of where the data eventually resides, a defense-in-depth approach is widely viewed as a key to securing systems from attacks initiated via social media/collaboration platforms. “Defense in depth is a core security principle,” Nunnikhoven says. “It simply means don’t rely on only one security control for protection.”
Defense in depth is particularly important for any organization that operates in a highly regulated field, such as healthcare, education, finance or law, or is interacting with customers via social media and collaboration platforms. “In both cases, it is the organization’s responsibility to guarantee the security of customer data on the social media and collaboration platforms and also comply with the relevant regulatory requirements, such as HIPAA, FERPA or PCI,” Cidon says.
SaaS solutions require a multi-level security approach, since cloud layers aren’t focused on classic data center perimeters and internal trust zones. “Identity federation and data segregation represent two of those layers,” says Brian McHenry, an F5 Networks security solutions architect. Another critical layer is encryption, both for data in-flight via SSL and the encryption of data at rest, typically in a file system or database. “In-flight encryption is important because it ensures the integrity and confidentiality of the data during transmission and significantly reduces the risk of compromise,” McHenry says. “In the case of data-at-rest encryption, it reduces the risk that data will be compromised even if other security controls fail to prevent access to the data.”
Rosenberg believes that SaaS-delivered collaboration solutions should be delivered pre-configured to provide the maximum level of security required by the customer. “SaaS is supposed to bring ease of use, and that means the right security has to be on all the time and in the right mode — any configurable knobs are really for special cases,” he explains.
Securing network gateways with intrusion prevention system technology is yet another way that organizations can gain the upper hand on collaboration/social media security. “We’re working in a time when end users not only bring their own devices to the office, they bring their own apps,” says Cho Suh. “So having the ability to do endpoint management and the ability to understand security protocols, monitoring of activities and different patterns is really important.”