The issues around social networking are basically the same as in the past. The general user population wants, even demands that social networking be allowed within and from outside the corporate network. Employees herald the importance of connectivity to their customers, business partners, and other employees as a paramount reason to allow the technology to be adopted. We as security professionals are required as an unwritten job description to slow the train that will leave holes in the security of the company.
The idea of social networking isn't a new concept; there have been several attempts at creating an environment of communication that is easy to use. We can all think of type and here are the ones that come to mind; Netmeeting, Instant Messaging, Chat, and others. Most computer savvy people that use these methods of communication understand the risks that are associated. We all want to have greater communication with all our contacts and look to the Internet for these solutions.
The problems occur when the users adopt a new technology or method of communicating because it is "cool" without thinking of the security ramifications. Security professionals work diligently to understand the inherent problems that these new methods bring to the protection of corporate networks.
Those of us that attend conferences like DefCon in Vegas have heard the "black hats" state that the social networks have all been compromised. We then notify these Internet sites that their security needs to be improved, which will cause some to make improvements while it falls on deaf ears to others. We might ask; "Why do some sites seem to ignore our concerns?" My best guess is the sites that ignore the concerns are too busy bringing other "cool" aspects to their site that they haven't got the resources to make them secure.
Since we know that the social networking sites are somewhere between mostly secured to open, we need to create an environment that will mitigate the security concerns. The security posture becomes that of creating a policy that secures our private network from the open sites therefore reasoning that it will secure the mostly secure sites. We need to look at social networking sites as having a difficult task of securing their customers information. They face a daunting task of securing a constantly moving target of infrastructure, users, and data.
If we take the position as security professionals, that social networking sites are doing the best they can, we can create a policy or procedure that will maintain the security of our private network. Information security in this ubiquitous world of connectivity all the time for all users is becoming more and more difficult. We, as security professionals, have all dealt with finding the balance between security and allowing the "cool", "cutting edge", or "wave of the future" apps to be used for the betterment of our companies.
