S 5.157 Secure use of social networks
Initiation responsibility: Head of IT, IT Security Officer, Supervisor
Implementation responsibility: User
Social networks are platforms made available on the Web, such as MySpace, LinkedIn, Facebook or Xing, which are conceptually similar but differ in their contents. The content is designed by the users themselves. For example, social networks are used to find old friends or work colleagues, to be found yourself, or to establish professional contacts. Besides creating a profile representing the online identity, the platforms serve to network the users with each other. This linking up results from the social interactions between the users and is stored in the platform's database using special platform functions.
Social networks are used by the users to communicate and to exchange data between themselves. Depending on the orientation of the platform, pictures or other information can also be uploaded in addition to personal data, and different applications can be used.
In order to become part of a social network, the user has to register with the respective platform. In addition to a user name and password, other personal information is often collected. What further personal or official business information is disclosed depends on the respective user and the purpose for which the network is used. The volume of information users publish about themselves is what makes them visible in the networks and able to participate in them. However, each user must be made aware of the fact that all information about users can be used as a basis for social engineering attacks (see also S 3.5 Training on security safeguards).
Using the background information, attackers may try to obtain the trust of their victims dishonestly and to persuade them to perform other actions, for example, to open specific files. Any information which a user makes available on the Internet about their own person should thus be carefully considered. Information, and this also includes pictures, videos and quotations, can be easily uploaded on the Internet, but may also be spread quickly by other people.
Because of this, each user of a social network should inform themselves about the service provider, especially about the contractual basis which must be accepted when using these services. For example, it should be checked
- what personal data must be entered when registering with the service provider,
- whether and how the service provider protects the user data against unauthorised access, e.g. whether the virtual identity is protected against being abused by third parties,
- how data transmission is protected, i.e. whether communication is encrypted generally or only partially (typically using SSL), and whether passwords and session cookies are only ever transmitted in encrypted form,
- whether the service provider creates user profiles and discloses and/or passes them on to third parties, e.g. to finance the platform using targeted advertising,
- whether the user data can be deleted at any time independently and completely.
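The transport-related items in the list above (is the service reached over an encrypted connection, are session cookies only ever sent encrypted) can be checked from the response headers of the provider's login page. The following is an added example, not part of this catalogue entry: it inspects a set of response headers that are constructed here for illustration (the URL, cookie names and values are hypothetical and not taken from any real provider) and reports which indicators are missing. It checks for HTTPS, the Strict-Transport-Security header and the Secure, HttpOnly and SameSite attributes on every cookie the server sets.

```python
"""Check a login endpoint's response headers for the transport-protection
indicators a user should look for before registering with a provider.

Added example; the URL and headers below are constructed, not captured
from any real social network.
"""

# Hypothetical login endpoint of a fictitious provider.
SAMPLE_URL = "https://login.social-network.invalid/session"

# Constructed response headers: one well-protected session cookie and one
# cookie that lacks every protective attribute.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "remember_me=1; Path=/; Max-Age=2592000"),
]


def parse_set_cookie(value):
    """Split a Set-Cookie header value into (cookie name, {attribute: value}).

    Attribute names are lower-cased so that 'Secure' and 'secure' compare equal;
    flag attributes without a value (Secure, HttpOnly) map to an empty string.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_transport_protection(url, headers):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    findings = []

    # Item 1: is the endpoint itself reached over an encrypted connection?
    if not url.lower().startswith("https://"):
        findings.append("endpoint is not served over HTTPS")

    lowered = [(k.lower(), v) for k, v in headers]

    # Item 2: without HSTS a browser may still follow a plain-HTTP link to the site.
    if not any(k == "strict-transport-security" for k, _ in lowered):
        findings.append("no Strict-Transport-Security header: browser may still use plain HTTP")

    # Item 3: every cookie the server sets must be confined to encrypted transport
    # (Secure), kept away from page scripts (HttpOnly) and not sent cross-site (SameSite).
    for k, v in lowered:
        if k != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if "secure" not in attrs:
            findings.append(f"cookie '{name}' lacks the Secure flag: it may be sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie '{name}' lacks the HttpOnly flag: readable by page scripts")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"cookie '{name}' has no SameSite=Lax/Strict attribute")
    return findings


if __name__ == "__main__":
    for finding in audit_transport_protection(SAMPLE_URL, SAMPLE_HEADERS):
        print("-", finding)
```

On the constructed sample the session cookie passes and the three findings all concern the remember_me cookie. For a real provider the headers would be taken from the browser's developer tools or a saved response; the function only evaluates what it is given and does not contact any server.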
Before registering with a social network, users should check how the platform handles data protection. If users are able to configure data protection options themselves, these should be set as restrictively as possible. Data shared with other users should likewise be handled restrictively; for example, a "public profile" should contain only the absolutely necessary information.
Users of social networks should examine closely which contacts they accept and what information they disclose and pass on to other users. In all cases, only information which is required for the interaction on the respective platforms should be entered. Information about third parties should only be forwarded upon consultation with them.
Handling social networks in a government agency and/or company should be regulated clearly. In this respect, there are several variants:
- Organisations can decide to ban the use of social networks generally. The employees must then, of course, be notified of this ban. In addition, the ban can be supported by technical means, e.g. web filters that block known providers. Be aware, however, that users can always find new ways to access such services.
- There are also organisations in which social networks are officially approved for business purposes, for example to obtain current information from interest groups and relevant bodies or to even actively market their own services or products using social networks.
A government agency or company should establish clear regulations describing
- if and how social networks are allowed to be used officially,
- under which general prevailing conditions they are allowed to be used for business purposes (e.g. for forwarding information, for protection against malicious software (malware), regarding the use of pseudonyms, etc.),
- what employees should observe when using social networks.
Users should not mix business and private use of social networks and be familiar with the rules applicable in their respective organisation.
Review questions:
- Has the use of social networks been regulated clearly in the organisation?
- Are the employees informed of the dangers when using social networks?