Information Security Professionals Struggle with Rise of Facebook and Other Web 2.0 Tools

Workers' use of social networking Web sites may put IT security at risk.

by Andy Opsahl / August 23, 2009

The predictable tension between information security officers and early adopters in state and local IT is brewing again. This time it pits proponents of social networking sites against security officials who see fast-growing tools, like Facebook and Twitter, as conduits for malware and data breaches.

Supporters say public agencies must learn how to use social networks effectively to reach younger citizens and support an incoming government work force that considers e-mail obsolete. But security officials - accustomed to being an afterthought in the rush to deploy the latest must-have applications - worry that cool new Web 2.0 tools will expose government networks and sensitive information to dangerous cyber-threats.


Social networks are merely the latest technical evolution to give security officials heartburn, said John Pescatore, a vice president of Gartner.

"It wasn't that long ago when government agencies weren't allowing wireless LANs [local area networks] in either. Now they support wireless LANs. It wasn't that long before that when they were doing war dialing to find Internet connections and turn them off too," Pescatore said.

The security community's knee-jerk reaction against many new technologies is understandable, he said. Early adopters tend to deploy first and worry about security and privacy later - creating serious challenges for those charged with protecting government information and computing assets. Still, Pescatore contends that security officials would be more effective if they said "yes" from the beginning, but with a caveat.

"Security people need to say, 'If we're going to do this, here's what we need to put into place to manage the risk,' instead of building a case for saying no," he said.

That's the approach being taken in several states, including California, where state Chief Information Security Officer (CISO) Mark Weatherford is developing an employee policy for using social networking sites.

"I am going to do everything I can do to help this thing be successful and not be the roadblock that stops progress," he said. "We've had concerns every time some new technology pops up over the years. We addressed them, we worked through them and came out better in the long run."

Photo: Mark Weatherford, Chief Information Security Officer, California

Social Networking Sieves

The gravest concern about government employees' use of social networking sites appears to be that it increases opportunities for data leakage. One common complaint is that security offices already have difficulty policing e-mail without adding social networking sites that aren't even part of the government's network. Observers see added potential for both malicious and accidental data breaches.

For example, Pescatore offered the hypothetical scenario of a state park ranger using Facebook for updating the availability of open campsites. Such a project could be useful to citizens who want to avoid a long drive only to find the park full.

Imagine that to save time the ranger simply posted the spreadsheet showing which campsites were taken and which remained open. What if he didn't notice that a second tab of the spreadsheet had the credit card numbers campers used to hold their spots? That's just one of countless potential scenarios.

Lawsuits could result from one innocent mistake. At the same time, Pescatore points out that solutions do exist. Products designed to catch various types of information before they leave a network are on the market. Governments could program data-loss prevention programs to filter for credit card numbers, Social Security numbers and any other data they needed to protect.
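The kind of outbound content check Pescatore describes, as an added illustration (not code from the article or from any vendor product): it scans text about to leave the network for card numbers and Social Security numbers, using a Luhn checksum to avoid flagging phone numbers and other random digit runs, and masks what it finds. The sample input is a constructed CSV export of the ranger's spreadsheet from the scenario above, with the payment data sitting on a second tab.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in ddd-dd-dddd form, excluding area/group/serial values never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; a real PAN passes, most arbitrary digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str):
    """Return (kind, matched_text) pairs for every card number and SSN found."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", m.group()))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    return findings


def redact(text: str) -> str:
    """Mask each finding down to its last four digits so the rest of the post can still go out."""
    for kind, value in scan(text):
        digits = re.sub(r"[ -]", "", value)
        text = text.replace(value, f"[{kind} ****{digits[-4:]}]")
    return text


# Constructed sample: campsite availability on tab 1, payment holds on tab 2.
SAMPLE = """site,status,contact
A12,open,916-555-0143
B07,reserved,
--- tab 2: holds ---
B07,J. Camper,4111 1111 1111 1111,123-45-6789
C03,R. Hiker,4111 1111 1111 1112,555-12-3456
"""

if __name__ == "__main__":
    for kind, value in scan(SAMPLE):
        print(f"blocked {kind}: {value}")
    print(redact(SAMPLE))
```

The second card-like value fails the Luhn check and is left alone, which is the trade-off such filters make between missed leaks and false alarms on ordinary numbers.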

California's strategy for using social networking sites may include data loss prevention software, according to Weatherford. However, he cautioned that it's more difficult to detect specific types of outgoing data amid general Web traffic, as opposed to detecting that data in outgoing e-mails.

"When you start talking about Port 80 traffic, which is Internet traffic, it's hard to see inside some of those packets and view the information that's going out," Weatherford explained.

Most governments interested in social networking sites consider policy to be the primary mechanism for keeping improper information off the Web. That appears to be true of California.

"Most people don't want to do the wrong thing. They simply don't know what the right thing is in many cases. Laying those things out in policy is really the best way you can reach all of your employees," Weatherford said. He plans to borrow heavily from the federal government's recently completed social network site policy.

Delaware recently completed its own social networking policy in response to an attack from the Koobface virus on Facebook. A play on the spelling of Facebook, the Koobface virus tricked Facebook users into downloading software designed to attack their operating systems and debilitate their computers. The state initially tried to block social networking sites altogether and then reversed the ban a few days later after an employee backlash. The state turned to more vigilant usage of anti-virus software to avoid a similar problem in the future.

"We update our anti-virus several times a day," said Elayne Starkey, chief technology officer of Delaware.

The Delaware Government Information Center will be in charge of training agencies in what they may and may not post on social networking sites. Only specifically assigned "content providers" will be authorized to post on most social sites, while all employees can access Twitter. Each employee's manager will train him or her about proper use of Twitter, said Michele Ackles, deputy principal assistant of the Delaware Department of Technology and Information.

Photo: Elayne Starkey, chief technology officer, Delaware/Photo courtesy of Elayne Starkey

"The microblog sites, like Twitter, are not really designed to facilitate the release of a lot of information. They're 140-character, short-term types of communications," Ackles said, adding that Delaware nevertheless wasn't ignoring Twitter's potential data leakage threat.

Welcome to My Nightmare

But once policies are in place, a new set of headaches begins, said Kevin Dickey, CISO of Contra Costa County, Calif. Dickey said administering Web 2.0 security policy would be a nightmare for him. Once an agency allows usage of social networking sites and stipulates what employees may and may not do on them, security people must then monitor employee compliance, he said. Personal life and work life tend to converge on sites like Twitter, Facebook and others. Dickey worries about the difficulty he would face distinguishing the two when monitoring employees.

Photo: Kevin Dickey, chief information security officer, Contra Costa County, Calif./Photo courtesy of Kevin Dickey

"It really gets complicated from a government perspective only because who's really paying for this?" Dickey said. "It creates a fuzzy area. There is a lot of benefit to using collaboration tools. Instant messaging is a perfect example, but then I have to set up a boundary that says you can use IM as long as it is only on a specified subset of users. That's a maintenance nightmare."

In Delaware, managers police the blurred line between work and personal life. However, the state is still concerned about the difficulties of enforcing the rules, according to Starkey.

"It's like putting a number on a speed limit sign. You're going on record as to what the rules of engagement are, but we all know there are gray areas and you have to come behind it with enforcement," Starkey said.

In the meantime, her staff is exploring the technological options for monitoring outgoing data of citizens.

"We're doing some analysis right now on getting a handle on how big that problem is using simple data-loss prevention tools that are readily available in the marketplace. The product space is still very immature at this point, and they're jockeying for the position of who's going to come out as the leader in terms of the vendor in this state," Starkey said.

Malware Threat

Information security officers also worry about malware that employees can download, sometimes inadvertently, from social networking sites. The term "malware" refers to malicious software; it commonly arrives disguised as something useful, like a Microsoft Windows update, but is actually designed to attack the network.

Pescatore recommends agencies deploy a new generation of Web security gateway products that filter dangerous content traveling into agency networks from inbound Internet traffic. He said agencies usually use older, less sophisticated Web security gateways that merely block employee access to URLs known to be dangerous or unrelated to work. Most governments also use desktop anti-malware tools, which aren't very effective because they typically react to dangerous programs after they have accessed the system, Pescatore explained.

California and Delaware are considering buying updated Web security gateways. But Dickey, in Contra Costa County, is not. For now, he's unconvinced that government employees using social networking sites would be worth the extra expense to taxpayers.

"I don't have the ability right now to go out and invest in third-party tools to prevent misuse," Dickey said. "If I don't let you use Twitter, I don't have to buy the tool."


Andy Opsahl

Andy Opsahl is a former writer and features editor for Government Technology magazine.