Business Daily from THE HINDU group of publications
Monday, May 26, 2008


eWorld - Security
Mind the company you keep

R. Savitha

Social networking sites are gaining popularity. And, in the bargain, they draw the attention of hackers too!

Amuleek Bijral, Country Manager, RSA, the Security Division of EMC, Shamshad Ahmed, Regional Director, India & SAARC, Lumension Security, Vishal Dhupar, Managing Director, Symantec India, and Wing Fei Chia, Security Response Team Manager, F-Secure, share with eWorld the security threats posed by social networking sites to an enterprise. Over to the experts:

What kind of threats do social networking sites pose to the enterprise?

Says Chia, “If the secret question to the webmail account is the name of your first pet and if that was ever mentioned in your social networking profile, someone could easily use that information to reset your webmail account password and then gain access to it immediately.

Furthermore, when a vulnerability is found on a social networking site, there isn’t any patch that enterprises can apply to fix that because those vulnerabilities usually have to be fixed on the server side and it is the responsibility of the social networking site to do so. There isn’t much enterprises can do if they don’t fix it and employees continue visiting those sites, leaving the organisation vulnerable.”

Dhupar of Symantec cautions that people often divulge considerable amounts of personal information on these sites, including details about their employment. Attackers trick victims into downloading malware or into divulging sensitive company information.

If an attacker is able to compromise the social networking site with malicious code, any visitor to the site would be susceptible to attack. Hackers have also found ways to insert malicious code into advertisements often provided to social networking sites through third party vendors.

Ahmed of Lumension highlights some of the threats one needs to look out for in today’s context: vishing, manipulating the user over new technology such as VoIP (Voice over Internet Protocol) to obtain confidential information for financial reward; phishing, pretending to be a reliable entity such as an online bank to acquire sensitive information; ransomware, a type of malware used for data kidnapping, an exploit in which the attacker encrypts the victim’s data and demands payment for the decryption key; and pharming, in which the hacker redirects Internet traffic from one Web site to a similar-looking site in order to fool the user into divulging his ID and password.

Bijral of RSA points out that most networking Web sites allow users to add their own plug-ins/mashups/applications to their networking page. These applications increase the attack surface for hackers. Most people would run these applications on their desktops without thinking twice.

Recently, a null pointer hack for Adobe Flash Player was released, which means an attacker could just place a Flash game/movie on the victim’s Web site and carry out the attack.

How should companies safeguard their turf?

Ahmed of Lumension stresses that the first line of defence is to be vigilant about patches and secure configuration management – a set of technologies that enables IT staff to proactively detect vulnerabilities and mis-configurations and remediate them in order to prevent attackers from getting into the open security hole.

It’s also about creating security policies that educate users on best practices such as online behaviour (visiting malicious Web sites) and opening e-mail attachments. In order to protect against the insider threat, whether intentional or malicious, IT staff within the organisation need to take control away from the end user.

Dhupar says companies should train employees and executives to question the validity of URLs they see or receive in e-mails, even if they come from friends and co-workers.

Social networking also extends beyond sites and reaches users through chain-letter e-mails and e-cards as well. These can be used either to infect user systems with malware or to harvest e-mail addresses.

Each time such an e-mail is read, the embedded image is fetched and a request can be sent to the server hosting it, divulging the user’s e-mail address.
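The image-fetch trick described above is what mail filters call a web beacon. The following detector is an added example, not code from the article or from any of the vendors quoted; it parses the HTML of a received message and flags remote images that are invisibly small or whose URL carries a per-recipient parameter such as the e-mail address. The e-card HTML and the hostnames in it are constructed sample data.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample of an HTML e-card as a mail client would receive it.
# The second <img> is a remote 1x1 "web beacon": its URL carries the
# recipient's address, so fetching it reports the open and confirms that
# the address is live. (Sample data, not taken from the article.)
SAMPLE_ECARD = """
<html><body>
<p>You have received an e-card!</p>
<img src="cid:card.png" width="400" height="300">
<img src="http://cards.example.invalid/open.gif?to=alice%40corp.example&amp;id=8f3a1c"
     width="1" height="1">
</body></html>
"""

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


class BeaconFinder(HTMLParser):
    """Collects <img> tags that fetch from a remote host, with beacon indicators."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if urlparse(src).scheme not in ("http", "https"):
            return  # cid: (inline) and data: images never phone home
        reasons = []
        # Zero- or one-pixel images are invisible to the reader
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            reasons.append("tiny-image")
        query = parse_qs(urlparse(src).query)
        if query:  # any parameter makes the request distinguishable per recipient
            reasons.append("per-recipient-query")
        if any(EMAIL_RE.search(v) for vals in query.values() for v in vals):
            reasons.append("email-in-url")
        self.findings.append({"src": src, "reasons": sorted(reasons)})


def find_beacons(html):
    """Return each remote image in an HTML mail with its beacon indicators."""
    parser = BeaconFinder()
    parser.feed(html)
    return parser.findings
```

A mail gateway or client that applies this check can simply refuse to load any remote image with a non-empty reasons list, which is the same effect as the "do not load remote images" setting most clients offer.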

Two of the most important best practices are to be careful of whom you allow to join your network and filter what information you publish on the site. For social networking site administrators, user confirmation scripts such as captchas can be added to verify that postings are from actual users versus automated systems. However, since user education has its limits, “a better approach would be to implement a security strategy that is information-centric and focuses on the risk aspect,” says Bijral.

savitharin@gmail.com

Copyright © 2008, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line