Twitter is a security risk. This is a ubiquitous topic in the blogosphere. As a recent joiner of the Twitter community, I can see how a service which allows 140 character comments to instantaneously appear on a Twitter site or be delivered to numerous mobile devices might cause concern. However, Twitter is just another communication technology with which we have to contend. It, like Tumblr, Facebook, and other online social interaction services, is not going away.

The latest post I found on this topic is in the ZDNet blog, IT Project Failures. In the post, Michael Krigsman writes,

“As the expanding population of Twitter users makes the service increasingly ubiquitous among some communities, this security problem will become more serious over time. I blogged about this same issue over a year ago: ‘Twitter has the power to turn groups of innocent bystanders into instant analysts. Even seemingly innocuous comments, when put before a large group of people, can be analyzed more rapidly, and in more depth, than you might expect. This can easily cause ranges of unintended, highly negative, consequences.’”

To be fair, Krigsman invites comment via his Twitter…

As with all emerging technology, it is our responsibility as security professionals to understand the risks and deal with them. Decrying the use of new communications media, trying to force unreasonable compliance by demanding employees not use them, or simply ignoring them and hoping they’ll go away are not actions which serve to reduce business risk. What does reduce risk is a calm, measured response, including:

Continuing to vet potential hires. The hiring process related to employees who handle sensitive information should include inquiries into whether they exhibit responsible behavior.

Continuing to communicate what the organization considers acceptable behavior.
Be sure to address the use of social networking technology in the company’s acceptable use policy, a policy which should be reviewed with employees at least annually. Clearly state possible sanctions for violations. Take quick, decisive action when it is discovered an employee has posted information about the organization in violation of policy or government regulations (e.g., HIPAA).

Strict enforcement of the need-to-know principle. This extends beyond technical access controls to meeting, email, and distributed document content.

Assume information about the company will leak out. Manage what might leak and monitor for information about the organization (see Figures 1 and 2). Further, ensure you take into account the possibility of leaks about security controls before you rely on security through obscurity—never a good idea for highly sensitive data in the first place.

Technology continually changes. New ways to communicate with each other seem to emerge as the first applications to which emerging capabilities are applied. This is a fact of life we have to live with, and plan for, as we design business continuity and general security frameworks.

Figure 1: Google Alerts