Last Updated: 2007-10-30 13:28:17 UTC
by Johannes Ullrich (Version: 1)
Yesterday we talked about the "insider threat". Blogging and social networking can be seen as a variation of this issue. But unlike the clandestine (and intentional) activities performed by a malicious insider, the threatening actions from blogging and social networking are usually unintentional and frequently well intended.
So how do you (or your organization) deal with this threat? Do you review your employees' blogs for proprietary information? This may be an area where user education will actually work. However, it is also an area where the lines between a person's professional and personal life blur. What about the reputation of a company? Would it be affected by a well-known employee of the company voicing radical political views in his personal blog?
The threat from social networking is similar. By mixing personal and professional contacts in your social network, you allow for "data leaks". Another issue is that with social networking, terminated employees retain access to customer and collaborator contact information.
As always: contact us with your tips on how to mitigate this threat.
Johannes B. Ullrich, Ph.D. SANS Institute.