Making Sense of the Marines' Social Net Ban
Defense and intelligence agencies must remain vigilant about the targeting of personnel who use social networking services. Social nets simply make it easier to identify and target people with access to information that adversaries want. Many users of these services may inadvertently disclose their affiliations to sensitive government programs or activities, and without realizing it, make themselves attractive targets for exploitation.
For example, if I wanted to develop information on military troop movements, I could identify and develop contacts with social net users who openly affiliate themselves with the U.S. military. If I can identify military personnel who are deployed, I could further craft an exploit that allows me to use the social net to gain a foothold on a military network that is being used by personnel overseas. The potential for disrupting, monitoring and interfering with military communications - even those that are unclassified - understandably presented too great a risk for the Marine Corps.
Social nets themselves don't present a level of risk that we haven't seen before.
The other issue referenced in the Marine Corps ban was the potential to use social nets to distribute malware. Exploits that use social networks are not entirely new concepts. Just like the first network-aware viruses that used email contact lists to propagate through the Internet, the social net viruses are able to exploit the inherent transitive trust between members of online social groups to infect new computers. Transitive trust describes the shared confidence, quality and security of communications among groups of users on sites like MySpace, Twitter and Facebook. When communicating with peers on social networking sites, there is a level of assurance that communications from within a social circle are authentic, secure messages. Many exploits are able to use this trust to socially engineer attacks against users who know better than to click on links sent from unknown persons.
For non-defense networks, the takeaway here is that social nets themselves don't present a level of risk that we haven't seen before. Sure, social nets can host and transmit malicious code, but so can a website or e-mail system. If your organization is not concerned about the targeting of personnel who deal with sensitive military or intelligence data, there's little reason to follow the Marine Corps' example and implement a ban on social network sites. Social net risks can be managed using the same processes and techniques used to secure web access and email communications.
Eric M. Fiterman is a former FBI special agent and founder of Methodvue, a consultancy that provides cybersecurity and computer forensics services to the federal government and private businesses.