Nowadays, the applications of online social networking surround not only the personal life but also the professional life of the population. It is also quite obvious that social media is providing more and more functions and benefits worldwide, because the number of people participating in networking sites, from many countries with varied levels of economic development, keeps increasing (J. Kim, 2012). Applications are crucial in organizations, since today's businesses and organizations rely on them to allow employers to perform important business tasks. In relation to the use of worldwide networks and the internet, in this era where access to enterprise networks and the internet is granted, applications can enable the sharing of information among workgroups internally within an enterprise, and with partners and customers externally (Almeida, 2012). Making this grow even more is the popularity of mobile devices and of applications combined with social networking technologies. That is why people are becoming used to communicating through online social networking tools. One of the fastest-growing social networking services is Facebook. Currently, Facebook has more than 500 million users who enjoy it for games or for sharing information in web applications (J. Kim, 2012).
When efficiently utilized, networks can be really useful and helpful for organizations. Since this literature review specifically discusses social networking, it is worth noting that previous studies have also stated that social media can give business advantages to companies, whether they are private companies or government agencies. The main visible advantages are promoting brand awareness in a variety of markets, and networking and interacting with current and potential customers. It can be concluded that, if utilized smartly, social media can reach out to mass audiences efficiently and at very low cost (Chi, 2011).
1.1. Problem Statement
There are no needles that are sharp at both ends. Coming to the main topic of this literature review, this study will focus on discussing the other side of the world of social media technology and its tools, which is the security risk. An author in previous research stated that for small businesses with limited time and resources, social media presents attractive options: 'It is cute at first but it can grow to strangle you'. To make the statement clear enough, the author stated that when it comes to the deeper world of Facebook, Twitter, LinkedIn, Foursquare, and other specialty social networks, it might be hard for a time-starved small business to keep pace and know what to do (Ahmad, 2013).
The statements and discussion above arise because people mostly access social network sites from the relatively high comfort and privacy of their home or office, which might lead to a false sense of anonymity. Moreover, the lack of physical contact on a social network site may also lead individuals into disclosing some 'random and might be unnecessary' information, in the sense that in real life they would never think of sharing that information with a person they had just met on the street (J. Kim, 2012).
2.0. Literature Review
2.1. Threats to Organizations from Social Media
In 2009, the Secure Enterprise 2.0 Forum issued its annual industry report which focused on social media security threats (Perez, 2009). The Secure Enterprise 2.0 Forum consists of executives at Fortune 500 companies which have adopted social media tools and services in their businesses. The forum promotes awareness, industry standards, best practices, and interoperability issues related to the use of the new tools in the workplace. The report was intended to help companies that were considering adopting social media tools in their businesses by providing a basis for assessing the security risks. The report described the types of threats that social media technologies could pose in a business environment. The eight main threats identified in the report were:
2.1.1. Insufficient Authentication Controls
In many social media applications, sensitive information is spread among many different locations. This makes it more likely that an inexperienced user will introduce a weakness that will adversely affect the entire system. For example, there might be some administrative accounts for which the correct security controls are not in place, such as sufficiently strong passwords. An attacker could use a brute-force attack to determine the password of one account; if other accounts are connected to it through a single-sign-on arrangement, the attacker would then have administrative access to a number of systems.
2.1.2. Cross Site Scripting (XSS)
Cross site scripting is a type of attack in which the victim’s web browser is induced to execute malicious code. Depending on the type of attack, the malicious code may steal the victim’s personal information, enabling the attacker to impersonate the victim, or cause the victim’s computer to launch an attack against a third party without either the victim’s or the third party’s knowledge (Timm and Perez, 2010).
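The difference between a page that hands user-submitted text straight to the browser and one that escapes it first is the whole of the XSS problem described above. The following is an added example written for this review, not code from any of the cited works; the sample post body and the helper names (render_post_unsafe, render_post_safe, contains_active_script) are constructed for illustration.

```python
import html

# Constructed sample post body, as a user of a social site might submit it.
# (Example data made up for this illustration, not taken from the review.)
SAMPLE_BODY = 'Check this out <script>alert("xss")</script> & "click" here'


def render_post_unsafe(author: str, body: str) -> str:
    """Vulnerable rendering: user input is concatenated into the HTML as-is,
    so any tag or script in the body is delivered to the viewer's browser and
    runs in the viewer's session."""
    return f'<div class="post"><b>{author}</b>: {body}</div>'


def render_post_safe(author: str, body: str) -> str:
    """Hardened rendering: every user-controlled string is HTML-escaped for the
    text context it lands in (quote=True also escapes " and ' so the same helper
    is safe inside attribute values), so the browser displays the text instead
    of executing it."""
    return (
        f'<div class="post"><b>{html.escape(author, quote=True)}</b>: '
        f'{html.escape(body, quote=True)}</div>'
    )


def contains_active_script(rendered: str) -> bool:
    """Crude check used only to illustrate the difference: does a raw <script>
    tag survive into the markup the browser will receive?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for render in (render_post_unsafe, render_post_safe):
        markup = render("alice", SAMPLE_BODY)
        print(f"{render.__name__}: script reaches browser = {contains_active_script(markup)}")
        print("   ", markup)
```

Escaping on output is the control that matters here; filtering on input is not a substitute, because the same stored text is later rendered into contexts the input filter never saw.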
2.1.3. Cross Site Request Forgery (CSRF)
Cross site request forgery is an attack which causes an end user’s web browser to execute actions of the attacker’s choosing without the user’s knowledge. By embedding a malicious link in a web page or sending a link via email or chat, an attacker may cause the users of a web application to perform unwanted actions. More specifically, the attacker causes the user’s browser to make requests to a web site to which it has been authenticated, without the user’s or the web site’s knowledge. These actions may result in compromised end user data and operations, or even an entire server or network.
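Because the browser attaches the session cookie to every request it sends, including one a third-party page provokes, the cookie alone cannot tell the site whether the user intended the action. The usual defence is a per-session token that only the site's own pages can carry. The following is an added example written for this review, not code from any of the cited works; the server secret, the site origin (https://social.example, a placeholder), the session id and the handler name handle_change_email are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed values for this example: a server-side signing secret, the site's
# own origin (placeholder), and a session identifier the browser holds in a cookie.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://social.example"
SESSION_ID = "sess-" + secrets.token_hex(8)


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token bound to the session: an HMAC over the session id, so
    the server can recompute it on each request without storing extra state.
    The site embeds it in its own forms; a page on another origin cannot read
    it, because the same-origin policy blocks that read."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_change_email(request: Dict, session_id: str) -> Tuple[int, str]:
    """State-changing endpoint. Two checks separate the user's own submission
    from a forged one: the Origin header, when present, must be the site itself,
    and the form must carry the session-bound token (compared in constant time)."""
    if request.get("method") != "POST":
        return 405, "method not allowed"
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request refused"
    supplied = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(csrf_token_for(session_id), supplied):
        return 403, "csrf token missing or invalid"
    return 200, "email changed to " + request["form"]["email"]


def legitimate_request() -> Dict:
    """The user's own form submission, from a page the site served."""
    return {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"email": "alice@example.test", "csrf_token": csrf_token_for(SESSION_ID)},
    }


def forged_request() -> Dict:
    """What a page on another origin can make the browser send: the session
    cookie travels automatically, but the page cannot supply the token."""
    return {
        "method": "POST",
        "headers": {"Origin": "https://attacker.example"},
        "form": {"email": "mallory@example.test"},
    }


if __name__ == "__main__":
    print(handle_change_email(legitimate_request(), SESSION_ID))
    print(handle_change_email(forged_request(), SESSION_ID))
```

The Origin check is defence in depth, since older clients may omit the header; the token check is the control that must never be skipped on a state-changing request.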
2.1.4. Phishing
Although phishing is not unique to social media, there has been a recent spike in phishing attacks associated with social media sites (Fisher, 2011). Many people view social media sites on cell phones or other mobile devices. This makes it harder to distinguish real and fake web sites. Additionally, social media enables attackers to send phishing messages that appear to come from someone that the victim knows. Having obtained login information for a few accounts, scammers will then send out messages to everyone connected to the compromised accounts, often with an enticing subject line that suggests familiarity with the victims (Baker, 2009).
2.1.5. Information Leakage
With the advent of ‘always-on’ connectivity, the traditional lines between work and personal life are becoming blurred. Particularly, younger workers use the same technologies in the office as at home. Additionally, social media sites like Facebook and Twitter create the illusion of familiarity and intimacy on the Internet. The result is that people may be inclined to share information on the Internet that their employer would have preferred to keep private. Individuals may not be divulging trade secrets, but the cumulative effect of small, seemingly innocuous details can enable a business’s competitors to gain valuable intelligence about that company’s business situation and future plans.
2.1.6. Injection Flaws
The technologies that social media uses make it vulnerable to injection attacks such as XML injection. Additionally, social media applications often rely on client side code, so they rely heavily on client-side input validation which an attacker can bypass.
2.1.7. Information Integrity
Data integrity is one of the foundations of information security. Malware introduced on a platform or network can modify user information and databases. Users who do not diligently update their antivirus software can make their systems vulnerable. An attacker could deliberately modify data in transit or storage through malware or direct manipulation, but legitimate users also make honest mistakes. Unintentional misinformation is frequently posted on the Internet, which is then taken as fact by many viewers. In social media, data is stored in many places where many different users can access it. Having data accessible to many users increases the chance that a malicious or mistaken user could post inaccurate information, which compromises data integrity.
2.1.8. Insufficient Anti-automation
The interfaces of social media applications are susceptible to automated attacks, such as automated running of queries, automated retrieval of large amounts of information, and the automated opening of accounts. Anti-automation mechanisms like CAPTCHAs can help defeat or at least hinder these types of attacks.
In examining the preceding list of social media threats, one sees that the main threats to social media are largely the same as those to traditional web applications. Cross-site scripting, phishing, and inadvertent data modification and information leakage are not new threats, nor are they unique to social media. But the nature of social media technologies can often increase their vulnerability to these threats. In 2009, the U.S. military considered a near-total ban on social media sites throughout the Department of Defense. Military officials cited inherent technical security weaknesses and lack of security safeguards on social media sites (Schachtman, 2009).
The threats described previously can be broadly classified into two categories: those related to end-user behavior (insufficient authentication controls, phishing, information leakage, and information integrity), and those related to security vulnerabilities within the application (XSS, CSRF, injection flaws, and insufficient anti-automation). A combination of proper end-user security along with secure coding practices and verification should therefore help mitigate both sets of risks. The next section summarizes the relevant components of a recommended end-user security policy. This provides the basis for section five, which shows how a general end-user security policy would address the main threats from social media.
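A CAPTCHA is one anti-automation control; another, which section 2.1.8 implies with its mention of automated queries and account creation, is to limit how many such actions a single source may perform in a time window and to challenge the source once the limit is hit. The following is an added example written for this review, not code from any of the cited works; the limiter class, the helper filter_signups and the sign-up events with their source addresses are constructed for illustration.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` actions per `window_seconds` for each key (an
    account, a client address, or whatever identifies the request source).
    A refusal is the signal to throttle the request or to switch to a stronger
    check such as a CAPTCHA instead of serving it."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, key: str, now: float) -> bool:
        stamps = self._hits.setdefault(key, deque())
        # Drop timestamps that have aged out of the window.
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) >= self.limit:
            return False
        stamps.append(now)
        return True


# Constructed account-creation events: (timestamp in seconds, source address).
# One source fires ten sign-ups in ten seconds; another makes a single request.
SAMPLE_EVENTS: List[Tuple[float, str]] = (
    [(float(t), "10.0.0.5") for t in range(10)] + [(5.0, "10.0.0.9")]
)


def filter_signups(events: List[Tuple[float, str]], limit: int = 3,
                   window_seconds: float = 60.0) -> Tuple[List[Tuple[float, str]], List[Tuple[float, str]]]:
    """Run the events through the limiter and split them into those that are
    served directly and those that must pass a challenge first."""
    limiter = SlidingWindowLimiter(limit, window_seconds)
    served: List[Tuple[float, str]] = []
    challenged: List[Tuple[float, str]] = []
    for ts, src in events:
        (served if limiter.allow(src, ts) else challenged).append((ts, src))
    return served, challenged


if __name__ == "__main__":
    served, challenged = filter_signups(SAMPLE_EVENTS)
    print(f"served {len(served)}, challenged {len(challenged)}")
    for ts, src in challenged:
        print(f"  t={ts:>4}: {src} sent to CAPTCHA")
```

Keying on the client address alone is a weak identifier (shared NAT, rotating sources), so in practice the key combines several signals; the window logic stays the same.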
2.2. End-User Security Program Components
2.2.1. Desktop Security
The focus of the desktop security section is to educate users why it is important to use a password-protected screen saver and to lock their computers when the users walk away from them. The computers should also have a screensaver timeout so if the user leaves their computer, the password-protected screensaver comes up after a short time. Again, the idea is to keep out both insiders and outside attackers. If a potential attacker has access to a user’s computer that is left unguarded, they could install malware or steal sensitive data. Users should also be wary of shoulder surfing.
2.2.2. Password Security
The password security section should set forth the minimum password requirements of the organization and emphasize selection of strong passwords. Additionally, password security is a crucial concern. Sharing passwords as well as leaving them out where others could discover them should be strongly discouraged.
2.2.3. Phishing
Phishing attacks are very common and, unfortunately, often very effective. Security awareness training should provide examples of phishing attacks and emphasize proper precautions (e.g. disregard and delete suspicious electronic messages and avoid clicking on links provided in e-mail and other communications). Brodie suggests having users take a phishing IQ test, and having security administrators report phishing attempts to phishing web sites such as PhishTank and The Anti-Abuse Project.
2.2.4. Malware
Brodie recommends that the different malware categories such as viruses, worms, Trojans, spyware, and adware should be defined and then safeguards explained for each. The training in this area should emphasize prevention, identification, containment, and eradication of malware and a malware infection. For example, employees should ensure up-to-date antivirus and antispyware software are installed on all computers they use and understand the importance of performing regular scans not only of their computers, but also of any file they download from a web site, e-mail, or flash drive.
2.2.5. Internet Privacy
A major concern to many organizations is sharing of confidential or sensitive information by officers or employees on the Internet. The SANS Institute’s suggested Acceptable Use Policy for computer end-users states that ‘Employees are prohibited from revealing any <Company> confidential or proprietary information, trade secrets or any other material covered by <Company>’s Confidential Information policy when engaged in blogging.’ (SANS, 2006).
3.0 Security and Privacy Solutions
3.1. Modification of Password Classification Algorithm
This model proposes that passwords should be classified according to their various levels of security using more declarative terms such as 'very unsafe', 'unsafe', 'not secure', 'a little secure', 'secure' and 'very secure'. This can be done by ensuring that passwords created by users consist of combinations of uppercase letters, lowercase letters, numbers and at least two special characters. Furthermore, this new security feature will display an instant message to the user using one of the aforementioned declarative terms, based on the character combinations selected (Vijaya et al., 2009).
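The model above names the six labels and the four ingredients (uppercase, lowercase, digits, at least two special characters) but does not state how a given combination maps to a label. The following is an added example written for this review, not code from Vijaya et al. or any social media platform: it assumes one mapping (each ingredient present moves the password up one label, very short passwords are 'very unsafe' regardless, and all four ingredients earn 'very secure' only from 12 characters upward) and produces the instant message the user would see. The function names classify and feedback are constructed for illustration.

```python
from typing import List, Tuple

# The six declarative labels from the model, weakest to strongest.
LABELS = ["very unsafe", "unsafe", "not secure", "a little secure", "secure", "very secure"]


def character_classes(password: str) -> Tuple[bool, bool, bool, bool]:
    """Which of the four required ingredients the password contains: an uppercase
    letter, a lowercase letter, a digit, and at least two special characters
    (anything non-alphanumeric counts as special here, spaces included)."""
    upper = any(c.isupper() for c in password)
    lower = any(c.islower() for c in password)
    digit = any(c.isdigit() for c in password)
    specials = sum(1 for c in password if not c.isalnum())
    return upper, lower, digit, specials >= 2


def classify(password: str) -> str:
    """Assumed mapping from ingredients present to a label (the thresholds are
    this example's choice, not stated by the cited model)."""
    if len(password) < 6:
        return LABELS[0]
    score = sum(character_classes(password))
    if score <= 1:
        return LABELS[1]
    if score == 2:
        return LABELS[2]
    if score == 3:
        return LABELS[3]
    return LABELS[5] if len(password) >= 12 else LABELS[4]


def feedback(password: str) -> Tuple[str, List[str]]:
    """The instant message shown while the user types: the label plus a list
    of the ingredients that are still missing."""
    upper, lower, digit, two_specials = character_classes(password)
    checks = (
        (upper, "an uppercase letter"),
        (lower, "a lowercase letter"),
        (digit, "a digit"),
        (two_specials, "at least two special characters"),
    )
    missing = [name for ok, name in checks if not ok]
    return classify(password), missing


if __name__ == "__main__":
    # Constructed sample inputs, from weakest to strongest.
    for pw in ["abc", "password", "Password", "Password1", "Pass1!?", "Passw0rd!?xyz"]:
        label, missing = feedback(pw)
        print(f"{pw!r:18} -> {label:16} missing: {', '.join(missing) or 'nothing'}")
```

Composition rules of this kind are a floor, not a strength estimate: a long password made of common words can satisfy every class and still be guessable, which is why a deployment would combine this meter with a check against breached-password lists.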
3.2. Embedding Unique Usernames on Profile Pages
This security feature is proposed to solve the problem of profile cloning within the site. Many social networking sites display only the first names and surnames of users on their profile pages, which opens up certain security vulnerabilities when more than one user coincidentally shares the same first name and surname. The vulnerabilities involved may allow a malicious user to extort money or commit an online crime under the guise of the victim, which could take time to detect. In addition, embedding unique usernames on profile pages within the site will make it very difficult for a malicious user to steal the identity of a genuine user and act on their behalf (Chen et al., 2009).
3.3. Re-authenticating Registered Users During Activation
This method ensures that social media accounts must be activated before full access is granted. The approach is applied by generating a 25-character code for each user; the system sends the code to their email address to confirm ownership of the email used for registration. When users attempt to activate the account by clicking the activation link sent to their email address, they are redirected to another page and are required to provide the 25-character code, the username and the password before full activation is complete. This security mechanism helps prevent web robots from undermining the validation method of the social network. Furthermore, it will increase security consciousness in every user subscribing to the service and protect a user whose email address has been compromised (Fu, 2006).
3.4. Email Based Two Factor Authentication
The technique used to implement two-factor authentication in this model is an email-based approach. When a user initiates a login session and passes the first stage of authentication (the traditional username/email and password), the system sends a randomly generated one-time password token to the user's email address and redirects the user to another page within the site which requires the one-time password (Ikhalia & Imafidon, 2013). The user must navigate to the email containing the randomly generated password token and supply it before access to the system is granted. This security model is now in huge demand in the industry, and implementing an email-based two-factor authentication method is feasible and cost-effective compared with the SMS approach. This new security enhancement will reduce the security vulnerabilities faced by social media victims of spear phishing, session hijacking, and identity and data theft (Yee, 2004).
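Sections 3.3 and 3.4 both rest on the same mechanism: the site generates a random code, sends it to the address on file, and later accepts it only from a user who also proves something else (the password at activation, a fresh password login before the OTP). The following is an added example written for this review, not code from Fu (2006), Ikhalia & Imafidon (2013) or any platform; it covers both sections in one small in-memory store. The 25-character activation code length comes from section 3.3; the 8-character OTP length, the ten-minute expiry, the single-use rule, and all function and class names (EmailChallengeStore, register, activate, login_step1, login_step2) are this example's assumptions. The outbox list stands in for the mail server.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Tuple

CODE_ALPHABET = string.ascii_uppercase + string.digits
ACTIVATION_CODE_LENGTH = 25   # stated by the model in section 3.3
OTP_LENGTH = 8                # assumed; the model does not fix the OTP length


def _hash(value: str, salt: bytes = b"") -> str:
    """Slow hash so neither stored passwords nor stored codes are usable if the
    database leaks (codes are random and short-lived, so a fixed salt suffices)."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000).hex()


@dataclass
class Challenge:
    code_hash: str      # only a hash of the emailed code is kept server-side
    expires_at: float


@dataclass
class Account:
    email: str
    salt: bytes
    password_hash: str
    active: bool = False


class EmailChallengeStore:
    """Issues single-use, expiring codes delivered by email and redeemed in-site."""

    def __init__(self, ttl_seconds: float) -> None:
        self.ttl = ttl_seconds
        self._pending: Dict[Tuple[str, str], Challenge] = {}
        self.outbox: List[Tuple[str, str, str]] = []   # (email, purpose, code)

    def issue(self, username: str, email: str, purpose: str, length: int, now: float) -> None:
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        self._pending[(username, purpose)] = Challenge(_hash(code), now + self.ttl)
        self.outbox.append((email, purpose, code))   # "send" the email

    def redeem(self, username: str, purpose: str, code: str, now: float) -> bool:
        ch = self._pending.get((username, purpose))
        if ch is None or now > ch.expires_at:
            return False
        if not hmac.compare_digest(ch.code_hash, _hash(code)):
            return False
        del self._pending[(username, purpose)]        # single use
        return True


def _password_ok(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.password_hash, _hash(password, acct.salt))


def register(users: Dict[str, Account], store: EmailChallengeStore,
             username: str, email: str, password: str, now: float) -> None:
    """3.3, step 1: create the account inactive and email the 25-character code."""
    salt = secrets.token_bytes(16)
    users[username] = Account(email, salt, _hash(password, salt))
    store.issue(username, email, "activation", ACTIVATION_CODE_LENGTH, now)


def activate(users: Dict[str, Account], store: EmailChallengeStore,
             username: str, password: str, code: str, now: float) -> bool:
    """3.3, step 2: the activation page requires code, username and password."""
    acct = users.get(username)
    if acct is None or not _password_ok(acct, password):
        return False
    if not store.redeem(username, "activation", code, now):
        return False
    acct.active = True
    return True


def login_step1(users: Dict[str, Account], store: EmailChallengeStore,
                username: str, password: str, now: float) -> bool:
    """3.4, first factor: password check on an activated account, then email an OTP."""
    acct = users.get(username)
    if acct is None or not acct.active or not _password_ok(acct, password):
        return False
    store.issue(username, acct.email, "login", OTP_LENGTH, now)
    return True


def login_step2(users: Dict[str, Account], store: EmailChallengeStore,
                username: str, otp: str, now: float) -> bool:
    """3.4, second factor: the emailed OTP must be supplied before access is granted."""
    return username in users and store.redeem(username, "login", otp, now)
```

Two details carry most of the security value: the server stores only a hash of each code, so a database read does not yield usable codes, and a redeemed or expired code is never accepted again, which bounds what an attacker who reads the user's mailbox later can do with it.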
3.5. Make Private Message Notification ‘Private’
The importance of this security functionality is to protect the confidentiality of a user whose email address has been compromised. Under this model, when a private message is sent to a user within the social networking site, only a notification that a message has arrived is sent to the user's email, never the message itself. In other words, the user must navigate to their private message inbox within the site to read the content of their messages. The necessity of this is to protect users whose emails have been compromised and users who have lost their email accounts (Joshi & Kuo, 2011).
3.6. Restrict Unauthorized Access To User’s Profile Information
One of the phrases used to define social media by Dabner (2012) is 'A web-based service that allows individuals to construct a public or semi-public profile within a bounded system'; therefore, only registered users should have access to the information shared within the site. The new security enhancement proposed here will prevent external users from viewing the profile information of registered users within the site (Ijeh, Preston & Imafidon, 2009).
3.7. Prevent Multiple Login Session
The system prevents users from creating multiple sessions at the same time. The implementation of this security mechanism ensures that users have control over their accounts. This enhancement will also let users know when a cyber intruder is accessing their accounts, because a message is shown to the user if a session has already been established on the account (Choti et al., 2012).
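The single-session rule in section 3.7 has two parts: refuse a second concurrent login, and tell the account owner that one was attempted. The following is an added example written for this review, not code from Choti et al. or any platform; the class name SingleSessionManager, the device labels and the notification wording are constructed for illustration, and the notifications list stands in for whatever channel the site would use to show the message.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ActiveSession:
    token: str
    device: str
    started_at: float


class SingleSessionManager:
    """One live session per account. While a session exists, a second login is
    refused and the account owner is told about the attempt, so an intruder's
    login never coexists silently with the owner's own session."""

    def __init__(self) -> None:
        self._sessions: Dict[str, ActiveSession] = {}
        self.notifications: List[str] = []

    def login(self, username: str, device: str, now: float) -> Optional[str]:
        """Return a session token, or None when a session is already active
        (the caller has already verified the user's credentials)."""
        current = self._sessions.get(username)
        if current is not None:
            self.notifications.append(
                f"{username}: login from '{device}' refused at t={now}; "
                f"a session from '{current.device}' started at t={current.started_at} is active"
            )
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[username] = ActiveSession(token, device, now)
        return token

    def is_valid(self, username: str, token: str) -> bool:
        current = self._sessions.get(username)
        return current is not None and secrets.compare_digest(current.token, token)

    def logout(self, username: str, token: str) -> bool:
        """Only the holder of the live token can end the session."""
        if not self.is_valid(username, token):
            return False
        del self._sessions[username]
        return True


if __name__ == "__main__":
    mgr = SingleSessionManager()
    first = mgr.login("alice", "laptop", 100.0)
    second = mgr.login("alice", "unknown phone", 105.0)   # refused
    print("first login ok:", first is not None, "| second login ok:", second is not None)
    for note in mgr.notifications:
        print("notify:", note)
```

A deployment also needs an idle timeout on the stored session and a way for the owner to end a session they did not start; without those, a session an intruder did establish first would lock the owner out instead of protecting them.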
Despite their advantages to workers and business processes, many organizations are reluctant to adopt social media technologies because of security concerns. Over half of organizations worldwide prohibit the use of social media in the office. But increasingly, workers are demanding to be allowed to use these technologies to conduct business and collaborate with coworkers. When organizational policies prohibit the use of these technologies, workers simply circumvent the policies. Organizations feel powerless to prevent this behavior. Moreover, companies cannot continue to ignore the clear benefits that social media provide in productivity and worker morale, particularly as more of their competitors start adopting social media in their business processes.
Social media's lack of security is one of the biggest limitations on the full potential and benefits of the service it provides. Many platform providers are preoccupied with functionality and ignore serious security loopholes that can be exploited through the exponential growth of social engineering and other attacks. Hence, platform providers often leave the security of the system to users' discretion, making it vulnerable to even the weakest threats. We have shown that social media can increase in both privacy and security if the new security model proposed in this research work is implemented and tested with the right programming logic.
A comprehensive security program should be adopted by companies to deal with the introduction of Web 2.0 technologies into a corporate environment. As a first step, a Web 2.0 policy should be formulated and implemented, and compliance with the policy should be monitored. The policy should be easy to understand, implement and monitor, yet detailed enough to be enforceable and to be used to hold users accountable. Users should be trained in acceptable Web 2.0 practices and security features.
Besides that, the company should adopt concrete IT policies to allow the safe inclusion of Web 2.0 technologies in the enterprise environment. A security solution that provides complete content protection, including application detection, monitoring and control, is needed to discover threats embedded in Internet-based application traffic, and also to protect against data loss resulting from inappropriate use of social media applications. In addition, content-based security enforcement is essential to mitigate these threats when they are discovered and to provide complete protection and threat elimination. Finally, other IT initiatives can be adopted, such as highly customized browser settings, installation of anti-malware software, adoption of strong authentication mechanisms and establishment of a data loss protection solution.
Further research should include a non-modular implementation of each component of our proposed model (SMSM). It could also point towards evaluating and testing the application of popular programming languages in implementing these proposed security solutions to reduce social media vulnerabilities.