Allowing access to social networking... securely?
I am sure many of us are seeing the shift from the standpoint that
social networking (SN) is evil and should be blocked, to one that views
SN as a business tool and full of opportunity. I believe this is true
for many organizations. However, as many of us are aware, SN is full of
malicious code and techniques to trick users into giving away
information or attacking their system. The questions I would like to
pose to the list are as follows:

What, if anything, should be done above and beyond standard security
controls to protect against the potential risks of allowing access to
SN?

Let me define standard controls:

Web Filtering: the solution must be able to filter both unencrypted and
encrypted traffic and also scan the flows with an AV engine. I do not
know of many solutions that can look inside SSL other than Bluecoat.

Strong perimeter firewall rules: This is obvious to most people, but a
strong egress filter is a must. Workstations should have ZERO access to
external networks directly. All web traffic should be directed through
a proxy that terminates their sessions. This is important because
malware will typically try to exit the network via a standard port (80,
21, 53, 443) to make a two-way connection to its evil master. Another
issue is that if your proxy simply forwards SSL traffic, you are dead in
the water.

Desktop security: I believe desktops should not be running just AV. They
should be running something more intelligent such as HIPS. Cisco Security
Agent (CSA) comes to mind. The desktop must be able to stop attacks
without signatures. Also, lock those desktops down! Take away admin access.

User Education / awareness training: I think this may be the area that
has the greatest potential for improving an org's security. If you must
allow access to sites that are known as highly-malicious, you should
train your users about these dangers and how to avoid them. One thing
that I have found that greatly improves this process is making sure the
employee understands this information will not only benefit them at
work, but also in their personal life.

Policy: all of these areas (and others) should be addressed in an
information security policy, but I am not going to go into the details of
this.

So, I am curious what your thoughts are on my points and what other
improvements may be made to reduce the risks associated with SN.

-Dan
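One way to check that the egress-filtering point above is actually holding (workstations with zero direct access, everything via a terminating proxy) is to review the firewall's egress log for workstation traffic on the ports the post names. The script below is an added example, not part of Dan's post; the log format, the proxy address 10.1.1.5:3128 and the workstation subnet 10.1.20.0/24 are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample egress-firewall log (syslog-style, assumed format), not real data.
SAMPLE_LOG = """\
Mar 10 09:01:02 fw1 kernel: EGRESS-DENY SRC=10.1.20.15 DST=203.0.113.7 PROTO=TCP SPT=51234 DPT=443
Mar 10 09:01:32 fw1 kernel: EGRESS-DENY SRC=10.1.20.15 DST=203.0.113.7 PROTO=TCP SPT=51240 DPT=443
Mar 10 09:02:02 fw1 kernel: EGRESS-DENY SRC=10.1.20.15 DST=203.0.113.7 PROTO=TCP SPT=51251 DPT=443
Mar 10 09:03:11 fw1 kernel: EGRESS-DENY SRC=10.1.20.22 DST=198.51.100.9 PROTO=UDP SPT=40000 DPT=53
Mar 10 09:05:40 fw1 kernel: EGRESS-ALLOW SRC=10.1.20.22 DST=10.1.1.5 PROTO=TCP SPT=40100 DPT=3128
Mar 10 09:06:00 fw1 kernel: EGRESS-DENY SRC=10.1.20.30 DST=192.0.2.44 PROTO=TCP SPT=50001 DPT=21
Mar 10 09:06:30 fw1 kernel: EGRESS-ALLOW SRC=10.1.20.30 DST=192.0.2.44 PROTO=TCP SPT=50002 DPT=80
Mar 10 09:07:00 fw1 kernel: EGRESS-ALLOW SRC=10.1.1.5 DST=192.0.2.44 PROTO=TCP SPT=33000 DPT=80
"""

LINE_RE = re.compile(
    r"EGRESS-(?P<action>ALLOW|DENY) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)
WATCH_PORTS = {80, 21, 53, 443}   # the "standard ports" the post says malware uses to get out
PROXY = ("10.1.1.5", 3128)        # assumed address/port of the terminating proxy
WORKSTATION_PREFIX = "10.1.20."   # assumed workstation subnet


def direct_egress_attempts(log_text):
    """Map workstation -> [(action, dst, proto, dpt)] for traffic that did not go via the proxy."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        src, dst, dpt = m["src"], m["dst"], int(m["dpt"])
        if not src.startswith(WORKSTATION_PREFIX) or (dst, dpt) == PROXY:
            continue  # not a workstation, or legitimately talking to the proxy
        if dpt in WATCH_PORTS:
            hits[src].append((m["action"], dst, m["proto"], dpt))
    return dict(hits)


def beacon_suspects(hits, min_attempts=3):
    """Workstations repeatedly retrying the same dst:port: blocked, but beacon-like, so triage the host."""
    suspects = {}
    for src, attempts in hits.items():
        counts = Counter((dst, dpt) for _, dst, _, dpt in attempts)
        repeated = {key: n for key, n in counts.items() if n >= min_attempts}
        if repeated:
            suspects[src] = repeated
    return suspects


def policy_gaps(hits):
    """Direct outbound traffic that was ALLOWED: the rule set is not really 'zero direct access'."""
    return sorted((src, dst, dpt) for src, attempts in hits.items()
                  for action, dst, _, dpt in attempts if action == "ALLOW")
```

Denied-but-repeated attempts point at a host worth looking at; allowed direct attempts point at a hole in the egress rules themselves.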
