The Punekar

December 7, 2010

Security aspects in Social Networking
Social networking is a broad term that refers to the building of online communities based on common interests, hobbies and activities. What started out as a way to use the ’Net to make friends has moved into the corporate world, with some companies actively promoting employee involvement to raise awareness of their products or services. It also helps them keep in touch with each other and with existing or potential customers. But we embrace the new technology without feeling the need to be aware of the security implications that come with it.

Today’s social networking services are generally web-based and having an account on MySpace, Facebook or LinkedIn has become almost as expected as having an email address. It’s no longer just about teenagers learning what their friends are up to. Many businesses and professionals too use these social networking sites to interact with colleagues and potential clients.

During the past year, many of the top social networking sites have demonstrated rapid growth in their global user bases. Facebook.com, which took over the global lead among social networking sites in April 2008, has made a concerted effort to become more culturally relevant in markets outside the U.S. Facebook’s recent ascension to become the top global social networking site has been spurred by its substantial growth across worldwide regions.

Where some companies view social networking sites as time-wasters and block them altogether, more and more companies are recognizing their value as a marketing and collaboration tool. Some companies, such as Intel, are actively encouraging their employees to get involved in social media activities on the company’s behalf.

All this socializing may be good for business but is it good for your network? There have been security breaches reported in the past and a number of security concerns have been raised regarding popular social networking sites.

Social networking sites, part of what was then being hailed as Web 2.0, are extremely attractive to hackers, and the same technologies that invite user participation also make them easier to corrupt with malware such as worms that can shut down corporate networks, or spyware and keystroke loggers that can steal company data.

The risks associated with social networking fall into a few broad categories:

  • The risk of having the social networking account itself hacked.
  • The risk that users will pick up malware through the social networking site.
  • The risk that a hacker will gain information through the social networking site that will allow him/her to attack your company network (social engineering).

Risks of a Compromised Social Networking Account

Recently, a hacker gained access to a Twitter employee’s administrative account and was able to use the admin tools to reset passwords on other users’ accounts. The new passwords for the accounts of a number of celebrities (including Barack Obama) were then published on a hackers’ forum, and posts were subsequently made on those accounts by unauthorized persons. It later came out that the Twitter employee whose account was hacked had used an easy-to-guess password and that Twitter did not use account lockout policies to stop a hacker from running dictionary attacks. This allowed the hacker to keep trying until the password was cracked.
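As an added illustration (not part of the original article, and not Twitter's code), here is what the missing account-lockout control looks like in code: a sliding-window policy that locks an account after a fixed number of failed logins, so repeated guessing stops at the threshold instead of continuing until the password is found. The thresholds, the user name and the credential store are constructed for the example.

```javascript
// Added example, not from the original article: a minimal account-lockout
// policy of the kind the Twitter incident lacked. Thresholds, the user name
// and the credential store below are assumptions chosen for illustration.

const MAX_FAILURES = 5;            // failed attempts allowed inside the window
const WINDOW_MS = 15 * 60 * 1000;  // sliding window over which failures are counted
const LOCKOUT_MS = 30 * 60 * 1000; // how long the account stays locked

class LockoutPolicy {
  constructor() {
    this.failures = new Map();    // username -> timestamps of recent failures
    this.lockedUntil = new Map(); // username -> time at which the lock expires
  }

  isLocked(user, now) {
    const until = this.lockedUntil.get(user);
    return until !== undefined && now < until;
  }

  recordFailure(user, now) {
    // Keep only failures that fall inside the window, then add this one.
    const recent = (this.failures.get(user) || []).filter(t => now - t < WINDOW_MS);
    recent.push(now);
    this.failures.set(user, recent);
    if (recent.length >= MAX_FAILURES) {
      this.lockedUntil.set(user, now + LOCKOUT_MS);
      this.failures.delete(user);
    }
  }

  recordSuccess(user) {
    this.failures.delete(user);
  }
}

// Constructed credential store. A real system would compare a salted hash,
// not a plaintext string; the plaintext keeps the example self-contained.
const CREDENTIALS = { 'admin-alice': 'correct horse battery staple' };

function attemptLogin(policy, user, password, now) {
  if (policy.isLocked(user, now)) {
    // A locked account never reaches the password comparison at all.
    return { ok: false, reason: 'locked' };
  }
  const ok = CREDENTIALS[user] !== undefined && CREDENTIALS[user] === password;
  if (ok) policy.recordSuccess(user); else policy.recordFailure(user, now);
  return { ok, reason: ok ? 'success' : 'bad-password' };
}

// Replay a burst of wrong guesses one second apart and count how many were
// actually evaluated against the stored credential. With the policy in place
// the count stops at MAX_FAILURES; without it, every guess is evaluated.
function countEvaluatedGuesses(guesses, withLockout) {
  const policy = withLockout
    ? new LockoutPolicy()
    : { isLocked: () => false, recordFailure() {}, recordSuccess() {} }; // no-lockout stand-in
  let evaluated = 0;
  guesses.forEach((guess, i) => {
    const result = attemptLogin(policy, 'admin-alice', guess, i * 1000);
    if (result.reason !== 'locked') evaluated++;
  });
  return evaluated;
}

// Constructed sample: twenty guesses that are all wrong.
const SAMPLE_GUESSES = Array.from({ length: 20 }, (_, i) => `wrong-guess-${i}`);

console.log('guesses evaluated with lockout:', countEvaluatedGuesses(SAMPLE_GUESSES, true));
console.log('guesses evaluated without lockout:', countEvaluatedGuesses(SAMPLE_GUESSES, false));
```

The policy is deliberately per-account and time-bounded: the lock expires on its own, which keeps a flood of bad guesses from turning into a permanent denial of service against the legitimate owner, while still capping how many guesses per window ever reach the password check.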

The Twitter case illustrates the dangers of using social media with lax security policies. No matter how strong the password that you, the user, set on your account, if someone with administrative privileges is not so diligent, then your account could be compromised.

How could a compromised Twitter account harm your company? Imagine someone hacking into the account of a Tata executive, for example, and posting a message saying the Chairman had died. What might that do to the Tata group’s stock value?

The same thing applies to other social media such as Facebook, MySpace, LinkedIn and so forth. If your employees have public profiles on which they represent your company, a compromise of their accounts, especially by a competitor, could bring a deluge of bad PR down on your company’s head.

Social networking sites, like any other web sites, can be conduits for the distribution of malicious software. Your employees might know not to click a link in an email message from an unknown source, but if that link appears in a message from a social networking “friend” or in a tweet from someone the employee is following, it might be a different story. And that could result in malware being downloaded to a computer on your company network.

A problem with many of the social networking sites is that the default settings make users vulnerable, and those who aren’t technically savvy may not know that they need to change the settings to protect themselves. For example, by default sites may allow HTML in comments. That makes it easier for social networkers to share links, insert pictures, etc., but it also makes it easier for an attacker to slip malicious code in or to link to off-site content that contains malware.

Social Engineering Risks

It is easier to trick someone into giving you a password or other information you can use to break into a system than to spend time trying to hack into it. That is, it’s easier to exploit the human vulnerabilities than the software vulnerabilities. Social networks present another, very ripe venue for social engineering that preys on people’s trust in those who present themselves as friends or colleagues. Many of us get fake emails purporting to come from Hotmail, ICICI, etc., which appear genuine but demand confidential information from us.

Unfortunately, most social networking sites do not verify the identities or credentials of those who sign up. You can create a Facebook or Twitter account using any name you want or you can claim to work for a company when you don’t. Although the Terms of Service (ToS) generally prohibit giving false information, it’s unlikely that the consequences of getting caught will extend beyond losing access to the site.

Thus it is easy for someone to create a profile, claiming to be an employee of a large company such as Tata or Birla or Kirloskars and then seek out “fellow” employees (using the site’s keyword search) to befriend. That gives the social engineer access to those people’s sites, where he can obtain all sorts of information that may be useful for hacking into the company’s network. This would not work in a small business where everyone knows everyone else, but any large company with multiple sites is vulnerable.

Once the fake employee has made “friends” within the company, he can start chatting with them and collect inside information about the company. He could set up a fake company website (a phishing site) and direct the real employees to it, where he collects their passwords to the company network.

Even without hackers overtly trying to obtain information, employees who use social networking may inadvertently leak confidential data in the form of text postings, photos, videos or audio recordings.

The add-on applications that enhance social networking sites can pose additional risks of their own. When you download these mini-applications, you have to check a checkbox that allows the application’s developers access to your profile information (with the exception of contact information). That information can then be used for targeted advertising or other purposes.

What should companies do to prevent security lapses?

Companies can benefit from the judicious use of social networking as a business tool without incurring undue risk by developing policies and guidelines to help employees participate in the safest manner possible. Policies should be written in a straightforward way that defines what is and is not acceptable behavior.

Companies must provide training for employees in the use of social media and come up with the Rules of Engagement that companies expect employees to follow when blogging, twittering, facebooking, linking in or otherwise participating in social networking on behalf of the company.

Ten Commandments for Secure Social Networking on Facebook, Twitter, Orkut, MySpace, LinkedIn, etc.

  1. Date and place of birth: posting these places you at massive risk of identity theft. They are the most commonly used security questions on password-reset pages.
  2. Mother’s maiden name: a lot of sites use your mother’s maiden name to authenticate who you are. They also commonly use the school you went to as a security question.
  3. Address: it again puts you at risk of identity fraud, but also from burglars and stalkers.
  4. Holidays: if you post a status update on Facebook saying “Can’t wait till next Wednesday – two weeks in Goa!” you are basically saying “Come and rob me.”
  5. Inappropriate photos: don’t post racy, illicit, offensive or incriminating photos. Bosses and prospective employers are increasingly looking at Facebook pages.
  6. Confessionals: these can also get you fired or haunt you for the rest of your life. Posting that you are skiving off work, who you are sleeping with or that you did something shameful is just dumb.
  7. Phone numbers: unless you want to be bombarded with unsolicited phone calls from people trying to sell you something, don’t.
  8. Children’s names: these can be used by identity fraudsters or, more sinisterly, by paedophiles. It is much easier to steal a child’s identity. An adult will eventually discover something is wrong, for example when their credit rating is affected. Children won’t.
  9. Don’t post a full public profile: it won’t just exist on Facebook, it will show up in any internet search such as Google. Only give the bare bones, such as a name. Keep everything else private.
  10. Be aware of strangers: never chat with strangers or accept friend requests from unknown people (even though they may have common friends).

About the author: Dr Deepak Shikarpur is an IT Technopreneur, Strategic Advisor to many Boardrooms, writer and a globally acclaimed orator. He has written 15 books on IT and several articles for IT literacy. He is chairman of the IT Committee of the Mahratta Chamber of Commerce and a member of the Maharashtra State Board of Technical Education.
