Monday, 27 April 2009

Should companies block Twitter?

Recently I have heard several security professionals say Twitter is a source for corporate information leakage, and therefore must be blocked by businesses using web filtering.

Should companies block Twitter? In my view the question is wrong, as I don’t think blocking access to Twitter on corporate networks will do much to prevent business information leakage. The question should be, how do businesses better educate their employees in the usage of social networks such as Twitter, educating instead of blocking will surely do a better job of mitigating the risks of information leakage and company reputation damage. The latter being the most likely outcome of unchecked employee social network website usage.

Twitter allows a person to make a 140 character statement to the entire world, so in terms of information leakage it’s not about controlling data files leaving an organisation, the most someone can do is to send an Internet link along with some text, all be it the text element could be company sensitive or damaging information. However blocking Twitter usage with corporate network web filtering will not prevent employee using of Twitter, as staff can simply tweet updates using their mobile phones, or just wait until they get home, or even find a free WiFi connection when on the road. So my conclusion is blocking will do little to mitigate risk. The answer is to educate employees and provide them with rules (a policy). Everyone in the business should be clearly made aware of what is acceptable and not acceptable to say about their company, their job role, work colleagues, managers and customers publicly (on the Internet), whether it is on Twitter, Facebook, company Emails, on web forum postings or even down the pub with in conversations with their friends.

Business Directors and Senior Managers argue Twitter and other social networking websites should be blocked in the name of productivity, which is a fare and valid point, but then the question is not about managing risk at all, but about business productively, which is a business and possibly HR question. Using “Security” to drive and hide the productivity reason to block social networking is wrong and sends out the wrong message to the user base. In my view, Security Managers need to be encouraging company staff to be onside with the security programme, not getting staff "backs up" and pitting them against the security programme, as ultimately business security always comes down to the individual business employees, who should be and need to be supportive of the security programme, and coached to be security proactive and aware, it's these individuals which can have the biggest impact in mitigating information leakage risk.

Finally, in recent times more and more people are being sacked for Twittering including recently a magistrate and perspective Cisco employee So understanding the acceptable social network boundaries is not just in the interest of the company, but in the interest of each business employee, who needs to be told and understand the social networking line which shouldn’t be crossed. I think many companies today are not doing a great job in clearly explaining those boundaries to their employees.

Wednesday, 8 April 2009

Big EU is Watching You

As of last Monday all Internet Service Providers (ISPs) in the European Union (EU) are required to store the details of every email and every internet phone call placed by anyone, for at least one year. Principally this European law is in the name of protecting us all from terrorism. Let me make it crystal clear, this law is not about collecting and storing Email and internet phone call content, just tracking the “when”, “the sender” and “the recipient”, think of the information listed on your telephone bill, which is already legally required to be stored by telecoms companies.

Most ISPs in Europe already store this type of information, with the Email information used to help fight Spam for instance. Despite this most ISPs were dead against the law due to the hassle factor, but in the UK, ISPs have been “talked round” thanks to the UK government offering to reimburse ISPs the cost of storing and maintaining the data.

So why the law? Well I think one of the key reasons is to allow EU governments “easier” and direct access to the information on mass, so bypassing the legal system (no court orders), wait a minute, isn’t the legal system in place to protect individuals from governments? I think we can assume this information will be used for data mining, as well as the specific investigations of individual suspects. By data mining, I mean the scanning of these vast amounts of electronic communications data for patterns which match terrorism activity, whereby the system analyzes the data and then spits out the names of who it deems are terrorist suspects.

It’s not about the “Chatter”
In the Second World War before the German Enigma machine encryption was cracked, the UK intelligence would look for “chatter”, which is the tracking of the number of encryption communications being sent, with spikes in encrypted communications usually meant a german attack was being organised and therefore about to occur. The germans counteracted this by having all enigma operators send random messages periodically, so the spikes were not so obvious, in fact this counter activism actually helped with the breaking of the enigma code.
Anyway my point is looking for “chatter” in high volume Email and Internet telephone calls to predict a terrorist attack is about to occur is not likely to work, as unlike the mobilising of large military forces to carry out an attack, terrorist groups are very small and very insular in nature, generally very careful with their communications, which is why they aren’t discovered in the first place. Given the vast amount of daily communications taking place over EU part of the Internet, I just can’t see how it is possible to see terrorism communication chatter spikes, so this law cannot be about using chatter to help prevent or prepare against a terrorist act, not that anyone has said this publically, but it’s worth pointing out.

If anyone knows how the data mining of millions of the daily EU electronic communications is going to protect us from terrorism attacks, I’d love to know. In my view, surely it is much better to target our anti-terrorism resources with good old fashion "police work" approaches, and so investigate individual suspects, infiltrate suspect groups, rather than assume everyone is a suspect. Good luck if this big brother system decides you are a terrorist suspect, as ironically you will be the last person to find out if it does.