Baited and duped on Facebook

ComputerWorld, By Mary Brandel, October 19, 2009

When CIO Will Weider encouraged employees at Ministry Health Care and Affinity Health System in Wisconsin to use Facebook to spread the word about new programs and successful projects, he was surprised at the result: Few did so.
“I went in there thinking, ‘We’ve turned these people loose; we’ll have 10,000 marketers out there,’ ” Weider says. But the Ministry Health workforce, it turned out, had been well trained to protect sensitive data, and without explicit guidance on what they could say, their first reaction was to share nothing. “We’ve stressed the importance of data security with our employees, particularly when it comes to patient privacy, and it’s kept them from sharing all the great things about work on Facebook,” Weider says.

That’s a good problem to have. Many fear that the popularity of social networking — among individuals as well as organizations — will precipitate an increase in social engineering attacks that could result in security breaches that expose corporate data or damage a company’s reputation.

Indeed, social media such as Facebook, LinkedIn, Twitter, online forums and blogs create a perfect opportunity for an attacker, mixing the anonymity of the Web, easy and direct access to hundreds of millions of people, and an unprecedented amount of personal information.

Consider that before social networking existed, criminals had to make a real effort to engage victims, says Adriel Desautels, chief technology officer at Netragard LLC, a security service provider that performs vulnerability assessments and penetration tests for clients. Often, the payoff wasn’t worth it. But with social media, it’s easy to hit a large number of targets quickly and effectively, he says. “Instead of having to fool that one particular person, they can befriend a whole bunch of people,” Desautels says. “They can post a URL on their wall, and one of those people is likely to click on it.”