Is Banning Facebook or MySpace the Solution?

By: Chris Merritt

According to this post by Maryland-based blogger/attorney Judd Legum, the state Office of Legislative Information Services there banned access to Facebook and MySpace last week. And not for the usual time-wasting or inappropriate usage reasons. Nope, it was the “significant increase in viruses and malware … [which they] have determined … are originating from pages hosted on Facebook and MySpace.”

Apparently, Facebook was a popular medium of communication; over 40 state legislators have set up pages on the service. As the Baltimore Sun wrote, some of the pols were stunned, as were many others who follow the goings-on in their state capital. Some of them, interviewed in the Washington Post, said things like “It’s like blocking cellphones,” and “It puts the General Assembly in the Stone Age,” and “This is like China.” [Is this last one the newest corollary to Godwin’s Law?] And as a city legislator said to the Baltimore Sun, “I don’t know if they’ve also banned every porn site … Because there’s probably more chance of a virus there. Not that I’ve tried it. I’m just sayin’.” So, as one commentator noted, this leaves Twitter (ironically, as we remember the events of late-January) as the main / only way to stay in touch with constituents in real-time.

So, is this a reasonable move? Leaving aside the question of time-wasting or inappropriate usage, the issue of malware borne on social networks such as Facebook or MySpace has been on the minds of a lot of folks in the IT security arena for some time now. [Remember Koobface?] The problem is, of course, that there are plenty of other sites which might contain malware; the recently-released 2008 X-Force Trend and Risk report from IBM stated that:

… Websites have become the Achilles’ heel for corporate IT security. Attackers are intensely focused on attacking Web applications so they can infect end-user machines. Meanwhile, corporations are using off-the-shelf applications that are riddled with vulnerabilities or even worse, custom applications that can host numerous unknown vulnerabilities that can’t be patched. Last year more than half of all vulnerabilities disclosed were related to Web applications, and of these, more than 74 percent had no patch.

So, is the Maryland LIS office going to chase down and block all these potentially bad sites? Heckuva big job, and one, I’d suggest, that is doomed to failure. Rather than trying to ban these sites, they should embrace these new social tools (and the productivity they engender) but take some basic precautions, such as …

Up-to-Date Patching – Despite IBM’s dire warning, keep your browser (and plug-ins such as Java, Flash, etc.) patched. This will limit the amount of malware which can be downloaded from infected sites. After all, the Conficker (aka Downadup) infestation which has been in the news these past few weeks exploits a vulnerability for which a patch has existed since last October … however, due to slow patch implementation, it has gained a foothold in some places and then exploded.

Modern Application Controls – It’s no secret that traditional, reactive AV is running out of steam: rapidly morphing malware (some say an average of 22,000 new strains a DAY in 2008) is difficult to keep up with, let alone to scan against. Instead of trying to guard your network against all this malware, you should create a list of known *good* applications which you want to allow to run … since this is (presumably) a much shorter and more manageable list, you can then prevent anything else from executing, stopping malware cold in its tracks.
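To make the “known good list” idea concrete, here is an added example (not from the original post) of a default-deny allowlist keyed by SHA-256 file hashes: approved binaries are hashed once, and anything whose hash is not on the list is denied, so a morphed variant of a known-good file is blocked without any AV signature. File names and contents are constructed stand-ins, not real executables.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_paths):
    """Hash each approved binary once; this is the 'known good' list."""
    return {sha256_file(p): p.name for p in approved_paths}


def evaluate(path: Path, allowlist):
    """Default deny: a hash missing from the list means the file may not run."""
    digest = sha256_file(path)
    name = allowlist.get(digest)
    return ("ALLOW" if name else "DENY", digest, name)


def demo():
    """Constructed scenario: two approved files, a new dropper, and a morphed copy."""
    root = Path(tempfile.mkdtemp())
    (root / "notepad.exe").write_bytes(b"MZ constructed good binary v1")
    (root / "browser.exe").write_bytes(b"MZ constructed good binary v2")
    allowlist = build_allowlist([root / "notepad.exe", root / "browser.exe"])
    # Not on the list: an unknown payload and a one-byte variant of a good binary.
    (root / "dropper.exe").write_bytes(b"MZ constructed unknown payload")
    (root / "notepad_variant.exe").write_bytes(b"MZ constructed good binary v1!")
    decisions = {}
    for name in ["notepad.exe", "browser.exe", "dropper.exe", "notepad_variant.exe"]:
        decisions[name] = evaluate(root / name, allowlist)[0]
    return decisions


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{decision:5} {name}")
```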

Some other ideas, which I’ll explore at some later time: remove local admin rights (see James Gaskin’s rant on this topic here), disable autorun (see CERT’s how-to and commentary here), implement “strong” passwords (MS has a primer here), and (hope I’m not going too far here) use Firefox with the NoScript extension. Oh, and let’s not forget some simple (and on-going) end user training.

As I’ve discussed before, the consumerization of IT means that, unlike the days of yore when the best computing tools were at work, these days consumer applications are being brought into the workplace by folks wanting to be more productive, more connected, more effective. Taking these steps will allow you to open up your network to the legitimate tools that your users want / need to be productive, while safeguarding your network against the risks they bring. And that is, after all, the *real* holy grail: enabling your users with safe access to the best, most productive tools to get their jobs done effectively and efficiently.

What do you think?
