I am not advocating disallowance of these tools and services, rather I recommend management take the time and care to diligently understand the risks and decide what will be allowable within their environment. Employees, shareholders, governments, and customers rightfully hold management to making those decisions and ultimately hold them responsible for adverse effects.

Visit the Intel Communities thread for more of this discussion. http://communities.intel.com/openport/blogs/it/2007/09/26/social-applications-friend-or-foe-on-the-corporate-network#cf

Believe me, there’s usually too many fires to put out to worry about how any individual is spending his or her time, let alone tens of thousands of employees.

However, if these users run this software and is causes a security compromise, regardless of who was still getting their project timelines in on time - there’s something afoot and the secops team or whatever needs to address that.

As far as that goes, I’d say Facebook (similar to Plaxo) offers some concerns, the default signup process encourages people to enter in credentials for various -other- sites so they can pull from you address books, buddy lists, etc. and for lack of a better term, spam them with invites. I had several friends who were outright offended when they got these. It’s basically the internet equivalent of “get a low low discount if you give us the # of five of your friends!” It’s pretty scuzzy, absolutely has privacy and security concerns, and that’s just the initial signup process.

Getting all up in arms about a risk assessment is acting like chicken little really - an assessment should be just that and isn’t an immediate denial, nor is it carte blanche - after an assessment and review is made, then decisions happen, so stop putting the cart ahead of the horse.

Lastly, I’d say as a devil’s advocate - who cares if work blocks everything anyway, even cell phones have good browsers, ssh clients, and fast network connections (evdo, hdspa and such) - use that, and don’t worry about the corporate policy! In turn, they won’t worry about whether your cell phone/personal laptop gets compromised.

There’s something to be said about keeping work and personal life separate. I demand that work provides me a good laptop and highspeed network access so that I can VPN in from anywhere and do my job 24×7. But if I want to have fun, I do it from a personal machine.

These days, Virtual Machines can make such separations even easier to do _potentially_ but again, as an information security professional, separate physical access will always trump separate VM’s.

The new security paradigms are based on complexity science including crossover metaphors from epidemiology research.

I think the answer to some of these questions lies in this new science paradigm.

So to continue this, I’m curious what people think about dealing with the security issues that something like facebook raises. Assume the risks are information leakage (ie, contacts, etc) and client side attacks (ie, some app on facebook owns your brower and then your system which leads to slurping your data or making your system do something bad; send spam, DOS Estonia). So what do you all think the solution should be? How do we make this a safe technology for people to use?

I’m curious about this from a few different perspectives. What do you do to protect yourself (your kids, your friends, etc) at home? What do you do as an employee of a company with assets and business to protect (is your behavior different from that at home)? If you’re the company what do you do to protect your business?

So to provide some starts: I’m inclined to focus more on user awareness and education along with aggressive patching of user systems. I’d Follow this with aggressive monitoring of the corporate network, ie, look for bad things. This only works when a machine is severely compromised;(IE becomes virus swamped, turns into a zombie and starts spamming, or shows evidence of being controlled remotely by bad guys. We could try to detect when the entire internal corporate address book (or a confidential strategic doc on a CIO admin workstation) is slurped up by a facebook application. I know this is all doom and gloom stuff and I don’t want to focus on the details of those specific issues. Perhaps you can think of different or even more malicious scenarios. I’m more interested in what should we be considering when want to address the general risks within a corporate environment.

Inherent to the process of understanding new technology is the fact that we, as security professionals, are in forced to understand the constant state of change and evolution. We need to keep up with evolving technology, its uses and users. Social network based systems and the automation surrounding it is the current wave of technology that a lot of us are still trying to wrap our heads around. I’m finding that we do need to move fast to comprehend the risks and explain them to not just the users of the tools and tech but also management.

Ultimately, our job is not to ban but to capture and document the danger to the corporation and allow the managers to either accept that risk or allow us to figure out what to do about it (if anything). Doing something about of course can include things like educate how people should follow policy in using these new tools and not just wholesale bans.