Managing Social Media Risk – LinkedIn Edition
By now everyone has heard about the breach at LinkedIn, where 6.5 million email password hashes were leaked (over half of which have been cracked, or converted into plain text). Those who read this blog regularly know how I feel about social media in general:
“So managing social media risk boils down to this: You must be able to justify your decision (both to engage and to not engage) strategically, but to do so requires an accurate cost/benefit analysis. Both costs (reputation, and other residual risks) and benefits (strategic and financial) are extremely difficult to quantify, which means that in the end you are accepting an unknown level of risk, to achieve an uncertain amount of benefit.”
This is not to say that social media can never be properly risk managed, only that the decision to engage (or not) must be analyzed the same way you analyze any other business decision. And this is a challenge because social media does not easily lend itself to traditional risk management techniques, and this incident is a good case in point.
So once again, let’s use this latest breach as yet another incident training exercise. In your initial risk assessment, chances are you classified the site as low risk. There is no NPI/PII stored there, and it doesn’t offer transactional services beyond account upgrades. Additionally, regarding the breach itself, only about 5% of all user password hashes were disclosed, and as I said previously, about half of those were converted into the underlying plain text password. And what exactly is your risk exposure if your password was one that was stolen and cracked? First of all, they would also need your login name to go with the password. But if they were able to somehow put the two together, they might change your employment or background information, or post something that could portray you or your company in a negative light. So there are certainly some risks, but they come with lots of “ifs”. So low probability + low impact = low risk…change your password and move on, right?
Well maybe, depending on how you answer this question: Is your LinkedIn password being used anywhere else? If you have a “go-to” password that you use frequently (and most people do) you should assume that it’s out there in the wild, and you can also assume it is now being used in dictionary attacks. So yes, if you are an individual user, change your LinkedIn password, but also change all other occurrences of that password.
But back to our training exercise…if you are an institution with an official (or unofficial) LinkedIn presence through one or more employees, even if they’ve changed their password(s), you may still be at risk. If the employee uses the same password to access your Facebook or Google+ page, or remotely authenticate to your email system, or access anything else that is connected to you, your response procedures should require (and validate) that all affected passwords have been changed. In fact, since you have no way of knowing if your employee has a personal LinkedIn (or Facebook, etc.) presence, it might be good practice to have your network administrator force all passwords to change just to be safe. You may also want to change your policy to state that internal (or corporate) passwords should never be duplicated or re-used on external or personal sites (although enforcing that may be a challenge).
As far as what you can do to reduce the chance of this type of incident happening again, there isn’t much. You have to rely on your service providers to properly manage their own security. You do this in part by obtaining and reviewing third-party reviews (like the SOC reports) if they exist, but also by reviewing the vendor’s own privacy and security policy. For example, LinkedIn’s privacy policy says this about the data it collects from you:
- Security
- Personal information you provide will be secured in accordance with industry standards and technology. Since the internet is not a 100% secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, copied, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. (Bold is mine)
- You are responsible for maintaining the secrecy of your unique password and account information, and for controlling access to your email communications at all times.
Even though they have made public statements that they have taken steps to address the root cause of the breach, given the above policy there is no indication that LinkedIn feels it necessary to obtain a third-party review to validate its enhanced privacy and security measures. Granted, given the nature of the information they collect and store they may not feel compelled to do so, and you may not require it, but at the very least you should expect the passwords to be secure.
The first step in managing risk is to identify it. In this case because of the breach, the unanswered questions*, the lack of a third-party review, and their privacy policy, you are accepting a higher level of residual risk with them than you would normally find acceptable in another vendor. You can still rationalize your decision strategically, but you must quantify the expected return and then document that the return justifies the increased risk. And then do the same for your other social media efforts!
*Indeed there are several issues raised by this breach that are yet to be answered: How did it occur? Could the breach be worse than disclosed? Why did they hash the passwords using the older SHA1 algorithm? Why did they not salt the hashes? Why didn’t they have a CIO? Did they truly use industry standards to secure your information? If they did, those standards are clearly inadequate, so will they now exceed industry standards?
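The two questions above about SHA1 and salting are worth seeing in working code, because they are exactly what made the leaked hashes so quick to crack. The example below is added here and is not code from the original post or from LinkedIn; the three users and their passwords are constructed, and PBKDF2-HMAC-SHA256 is used as an assumed illustration of a stronger scheme (the post names no replacement). It shows that with bare, unsalted SHA1 two users who share a “go-to” password produce identical stored hashes, and a single precomputed table over a wordlist matches every account at once, whereas a per-user random salt plus an iterated KDF hides shared passwords and forces the work to be repeated per account.

```python
import hashlib
import hmac
import os

# Constructed sample: three users, two of whom reuse the same "go-to" password.
USERS = {
    "alice": "Summer2012",
    "bob": "Summer2012",
    "carol": "correct horse battery staple",
}

def sha1_unsalted(password: str) -> str:
    """The weak scheme: one bare SHA1 over the password, no salt, no work factor."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def pbkdf2_salted(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Assumed stronger scheme: per-user random salt plus iterated PBKDF2-HMAC-SHA256."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return dk.hex()

def make_salted_record(password: str) -> dict:
    """Store salt, iteration count and digest together so verification can be repeated."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "iterations": 200_000, "hash": pbkdf2_salted(password, salt)}

def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = pbkdf2_salted(password, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])

def shared_password_visible(table: dict) -> bool:
    """True if any two users have identical stored hashes (only happens without a salt)."""
    hashes = list(table.values())
    return len(hashes) != len(set(hashes))

def precomputed_hits(table: dict, wordlist: list) -> int:
    """Count stored hashes matched by ONE SHA1 pass over the wordlist, reused for every user."""
    lookup = {sha1_unsalted(w): w for w in wordlist}
    return sum(1 for h in table.values() if h in lookup)

def demo() -> dict:
    unsalted = {u: sha1_unsalted(p) for u, p in USERS.items()}
    salted = {u: make_salted_record(p) for u, p in USERS.items()}
    wordlist = ["password", "Summer2012", "linkedin"]  # constructed mini dictionary
    return {
        "unsalted_reveals_shared": shared_password_visible(unsalted),
        "salted_reveals_shared": shared_password_visible({u: r["hash"] for u, r in salted.items()}),
        "unsalted_precomputed_hits": precomputed_hits(unsalted, wordlist),
        "salted_verifies": all(verify_salted(USERS[u], r) for u, r in salted.items()),
        "salted_rejects_wrong": not verify_salted("Summer2013", salted["alice"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints that the unsalted table exposes the shared password and that both reused accounts fall to a single precomputed lookup, while the salted records verify correctly, reject a wrong guess, and reveal nothing about which users share a password. The iteration count is a placeholder; in practice it should be tuned to the server’s hardware, and a purpose-built password hash such as bcrypt or scrypt is the usual choice over raw PBKDF2.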
4 comments
June 13, 2012
So if you can not control or stop an employee from using social media personally, and one of the two biggest risks of an employee using it personally is a “shared password”, wouldn’t implementing a token or biometric authentication system to your LAN solve one of the major issues?
The second issue could be partially mitigated by training on acceptable personal use of social media and taking action against those that break it?
June 13, 2012
Good point. Tokens would definitely eliminate the risk of re-using internal passwords externally, not sure about biometrics though. Even so (and to your second point) the cost of the control should be proportional to the risk, and not all FI’s will see the residual risk high enough to justify the time and expense of implementing tokens enterprise-wide. Additional training is a given though!
June 13, 2012
Interesting post! Security breaches are good opportunities to re-evaluate strategies and standards. Also, beneficial detail for the ISO to include as part of a table top incident response testing exercise. Also, creates an opportunity to update your social media risk assessment and host an information security education session with employees.
June 13, 2012
Training has always been required for information security and disaster recovery (and suggested for merchants engaged in e-banking), but largely overlooked for incident response. Periodic table-top testing is highly recommended. There is certainly no shortage of real-world examples to choose from!