Twitter is a security risk… yes, and?

Feb 17, 2009 (3 min read)
Business Continuity

Twitter is a security risk.  This is a ubiquitous topic in the blogosphere.  As a recent joiner of the Twitter community, I can see how a service that allows 140-character comments to appear instantaneously on a Twitter page, or to be delivered to numerous mobile devices, might cause concern.  However, Twitter is just another communication technology with which we have to contend.  It, like Tumblr, Facebook, and other online social interaction services, is not going away.

The latest post I found on this topic is in the ZDNet blog IT Project Failures.  In the post, Michael Krigsman writes,

As the expanding population of Twitter users makes the service increasingly ubiquitous among some communities, this security problem will become more serious over time. I blogged about this same issue over a year ago:

Twitter has the power to turn groups of innocent bystanders into instant analysts. Even seemingly innocuous comments, when put before a large group of people, can be analyzed more rapidly, and in more depth, than you might expect. This can easily cause ranges of unintended, highly negative, consequences.

To be fair, Krigsman invites comment via his Twitter…

As with all emerging technology, it is our responsibility as security professionals to understand the risks and deal with them.  Decrying the use of new communications media, trying to force unreasonable compliance by demanding that employees not use them, or simply ignoring them and hoping they will go away are not actions that reduce business risk.  What does reduce risk is a calm, measured response, including:

  • Continuing to vet potential hires.  The hiring process for employees who will handle sensitive information should include inquiries into whether they exhibit responsible behavior.
  • Continuing to communicate what the organization considers acceptable behavior.  Be sure to address the use of social networking technology in the company’s acceptable use policy, a policy which should be reviewed with employees at least annually.  Clearly state the possible sanctions for violations.
  • Taking quick, decisive action when it is discovered that an employee has posted information about the organization in violation of policy or government regulations (e.g., HIPAA).
  • Strictly enforcing the need-to-know principle.  This extends beyond technical access controls to the content of meetings, email, and distributed documents.
  • Assuming information about the company will leak out.  Manage what might leak and monitor for information about the organization (see Figures 1 and 2).  Further, take into account the possibility of leaks about security controls before you rely on security through obscurity—never a good idea for highly sensitive data in the first place.
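The last item above, monitoring for information about the organization, is what the Google Alerts figure illustrates with a hosted service.  The script below is an added example, not code from the post or from any tool it mentions: it runs the same idea against a handful of constructed social posts, matching them against a hypothetical watch list of terms the organization does not expect to see in public (a made-up product codename, a made-up internal hostname, the company name, a sensitive topic) and raising an alert with the highest severity among the terms that hit.  All names, hostnames, and posts are invented for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical watch list (constructed for this example): term -> severity.
# In practice this would be the terms a leak-monitoring program cares about.
WATCHLIST = {
    "project bluefin": "high",       # hypothetical unreleased product codename
    "intranet.example.com": "high",  # hypothetical internal hostname
    "layoff": "medium",              # sensitive internal topic
    "acme corp": "low",              # hypothetical company name; any mention is worth a look
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample posts standing in for a public feed.
SAMPLE_POSTS = [
    {"id": "p1", "author": "@dev_jane",
     "text": "Late night at Acme Corp again, Project Bluefin demo tomorrow!"},
    {"id": "p2", "author": "@sportsfan",
     "text": "Watching the playoffs tonight, who else?"},
    {"id": "p3", "author": "@roadwarrior",
     "text": "Can't reach intranet.example.com from the coffee shop, VPN down again?"},
    {"id": "p4", "author": "@anon_worker",
     "text": "Heard the layoff rumors at lunch today..."},
    {"id": "p5", "author": "@weather",
     "text": "Great weather this afternoon."},
]


@dataclass
class Alert:
    post_id: str
    author: str
    terms: list      # watch-list terms found in the post, in watch-list order
    severity: str    # highest severity among the matched terms


def compile_watchlist(watchlist):
    """One case-insensitive pattern per term.  The lookarounds require a
    non-word character (or start/end of text) on both sides, so 'layoff'
    does not fire on 'playoffs' and hostnames with dots still match."""
    return {
        term: re.compile(r"(?<!\w)" + re.escape(term) + r"(?!\w)", re.IGNORECASE)
        for term in watchlist
    }


def scan_posts(posts, watchlist=WATCHLIST):
    """Return one Alert per post that mentions at least one watch-list term."""
    patterns = compile_watchlist(watchlist)
    alerts = []
    for post in posts:
        hits = [term for term, pat in patterns.items() if pat.search(post["text"])]
        if not hits:
            continue
        worst = max(hits, key=lambda t: SEVERITY_RANK[watchlist[t]])
        alerts.append(Alert(post["id"], post["author"], hits, watchlist[worst]))
    return alerts


if __name__ == "__main__":
    for alert in scan_posts(SAMPLE_POSTS):
        print(f"[{alert.severity.upper()}] {alert.post_id} by {alert.author}: "
              f"matched {', '.join(alert.terms)}")
```

The boundary lookarounds are the part worth keeping when adapting this: a plain substring match on "layoff" would flag every post about the playoffs, and an alerting feed that cries wolf is soon ignored.  Severity comes from the watch list rather than from the post, which keeps the triage rule in one reviewable place.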

Technology continually changes.  New ways to communicate with each other seem to emerge as the first applications to which emerging capabilities are applied.  This is a fact of life we have to live with, and plan for, as we design business continuity and general security frameworks.

Figure 1: Google Alerts


Tom Olzak is an information security researcher and an IT professional with more than 34 years of experience in programming, network engineering and security. He has an MBA and a CISSP certification. He is an online instructor for the University of Phoenix, facilitating 400-level security classes.

Tom has held positions as an IS director, director of infrastructure engineering, director of information security and programming manager at a variety of manufacturing, healthcare and distribution companies. Before entering the private sector, he served 10 years in the U.S. Army Military Police, with four years as a military police investigator.

Tom has written three books: Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide. He is also the author of various papers on security management and has been a blogger for TechRepublic and Tom Olzak on Security.

The opinions expressed in this blog are those of Tom Olzak and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.