New mindset for changing security landscape
The evolution of technology and communication has enabled people to communicate faster and more conveniently, but it has also invited individuals, and now syndicates, to exploit these channels with malicious intent. Standard protection such as anti-virus, intrusion detection and prevention, and spam filtering is no longer enough on its own.
"The term spam is well known, and has been around since the days of 'snail mail' where individuals would receive letters asking them to send money and stamps to receive something that would never be delivered. When fax machines gained popularity it was common for people and organisations to receive junk mail over this medium as well," says Martin Tassev, MD of LOOPHOLD Security Distribution.
"However spam really took off with the growth of e-mail, as it offered a cheap way of targeting many people effectively and quickly. Unfortunately, many Internet users are not aware of the dangers of spam e-mail and its threats."
While spam e-mail is still sent out in droves, a new threat has emerged, once again due to evolving technology - the use of social networking sites as a tool for malware. More and more viruses are using social media to propagate, and because of the nature of this medium that encourages sharing, many individuals and companies are exposing their assets -- PCs and networks -- to this new threat.
"It is not social media itself that is the problem, it is the lack of delineation between people's personal and professional lives that is causing this type of malware to be a threat to organisations," says John Yeo, Director of Trustwave's SpiderLabs EMEA.
"We now have multiple devices such as tablet PCs, laptops and smartphones that allow us to access these social networks. It is even impacting companies that do not allow access to these devices in the office. They are falling victim to the malware spread because employees use their personal devices to access social media sites which then spreads the viruses to corporate networks."
Lack of security awareness
One issue that is making social networking a threat to corporates is the lack of security awareness by employees, which increases the potential exposure of malware to companies whose employees use social media. Many social networking users feel that they are in a private space and, as a result, feel secure in divulging information that they would not dream of providing via e-mail or telephone.
"The reality is that any social networking site is very much in the public domain, and the information that users so readily divulge can actually be used against them and their companies. Spear phishing, as it has become known, uses personal information such as names, e-mail addresses and other facts that are available on the Internet to target companies with the intent of gaining access to sensitive information, which can then be used to compromise security and banking accounts, steal money or data that can then be sold," says Tassev.
Another problem with social media is that because it links friends and associates, people tend to trust it too highly. This trust is exploited by cyber criminals in a new threat, termed clickjacking, which links into highly popular news search terms and events and encourages users to click on links in social networking sites that promise to give new information on these topics.
"These links often lead to infected sites that will attach to the user's contact list and automatically send out the same link to each of them, installing tracking cookies along the way and potentially turning each of these machines into part of a botnet. Being part of a botnet enables hackers to compromise your machine, use your bandwidth and access your e-mail for the purposes of sending out spam, all of which have potentially dire consequences for business users," Yeo adds.
The communications landscape has changed dramatically from a technology perspective, but the mindset towards security is lagging behind. Smartphones are a threat to the corporate network because although they are regarded as a work resource, users can still access social sites and run applications on these devices that have not been assessed by security, which may lead to a compromise of the corporate network.
"Securing corporate networks against these new threats requires a shift in mindset. Delineation between personal and work resources has to be made, and a formal, all encompassing security strategy must be created that includes multiple devices such as smartphones along with the network, applications, wireless, etc. The old threats have not gone away, the problem has just become broader, and needs to be dealt with from a larger number of angles," says Yeo.
Tassev adds, "Having the right security strategy and software in place can go a long way towards protecting users and corporate networks, however, software alone can only do so much. Education and awareness on the nature of the threat is vital to ensure people understand what they are facing and can arm themselves against it, making sure they are not easy prey for unscrupulous cyber criminals."
The best way to combat this new threat, and any that may emerge in the future, is a combined approach: a comprehensive security strategy that extends to social networking, with policy and procedure on what is acceptable and what is not, along with standard protection such as anti-virus, intrusion detection and prevention and anti-spam, as well as education on the risks involved.














