Web 2.0: Federal CIO Council Releases Guidelines for Secure Use of Social Media
By Christy Crimmins - Published, November 17, 2009
The use of social media has become a popular topic within the Department of the Navy, Defense Department and across the federal government. As agencies begin to venture into this media, whether it is creating an agency Facebook page or updating constituents via Twitter, precautions must be taken and risks should be assessed. While these tools open up many avenues for broader communication and collaboration, they also come with threats to network security.
On Sept. 17, 2009, the Federal Chief Information Officers Council released a paper titled, "Guidelines for Secure Use of Social Media by Federal Departments and Agencies." This paper, issued by the Federal CIO Council's Information Security and Identity Management Committee, provides guidance for federal agencies that use social media to collaborate, communicate and share information both internally and externally.
While the threats to social media users are numerous and ever-changing, the Federal CIO Council's paper narrows focus to the top three potential threats to federal employees, infrastructure and information. They are: spear phishing, social engineering and web application attacks.
Spear phishing, a targeted approach to traditional phishing scams, uses information unique to the users to trick them into divulging valuable information. This is accomplished by masking communications as internal documents or using personal information to make the communication appear as though it is coming from a legitimate source. These attacks rely on the perpetrator obtaining specific information about the target. When users post personal information to their social networking sites, they are providing attackers with the tools they need to carry out these scams.
Like spear phishing, social engineering relies on the attacker's ability to gather personal information about a target. The paper's primary author, Earl Crane, outlined the threat. "The first step in any social engineering attack is to collect information about the attacker's target. Social networking web sites can reveal a large amount of personal information, including resumes, home addresses, phone numbers, employment information, work locations, family members, education, photos and private information. Social media web sites may share more personal information than users expect or need to keep in touch."
As more government employees join social networking sites, they are likely to identify themselves as government employees. When aggregated, this information can provide an Internet footprint valuable to our enemies. According to Crane, an attacker may learn personal information about an individual and build a trust relationship by expressing interest in similar topics.
Attackers use social media to build relationships with a single user, gaining trust and exploiting the relationship by collecting personal information and using their association to extend their reach throughout the user's network of friends and colleagues.
The third threat outlined in the paper is web application attacks. Web applications are dynamic web pages that use scripting to provide additional functionality. However, additional functionalities come with additional opportunities to exploit the web application. Social media web sites are advanced web applications; their use requires a high level of interaction and capabilities. This opens up social media web sites to a wide range of vulnerabilities exploitable by attackers.
For example, web applications written by third parties are routinely deployed on social networking sites and often require users to grant them access to their profiles as a condition for accessing or running the application. Granting full access to these third party applications can result in the compromise of user accounts and/or the installation of malware on the users' computer.
Mitigating the Threat
In addition to outlining the threats, the Federal CIO Council's paper provides suggestions for mitigating threats. These include a detailed outline of five recommendations: Policy Controls, Acquisition Controls, Training, Network Controls and Host Controls. Users are generally the weakest link when attempting to secure social media networks. While network, host and acquisition controls can go a long way toward monitoring and preventing intrusions, the onus is on users to keep their personal information private.
To this end, federal agencies are advised to update current information sharing and security policies to include emerging Web 2.0 and social media technologies. Additionally, agencies should include awareness of Web 2.0 policy, guidance and best practices as part of employee annual security training.
Agencies across the federal government are using social media tools to both engage with the public and perform their day-to-day operations. While they provide an opportunity for the government to achieve its mission collaboratively and efficiently, they also present significant risks to network security. Agencies must be aware of the threats and mitigating factors to successfully and effectively use Web 2.0 tools.
Christy Crimmins provides communications support to the Department of the Navy Chief Information Officer.