On 12 April 2009, the social networking service Twitter reported that a series of malware attacks had compromised some user accounts. The malware is reportedly similar to the Samy worm, which struck another networking service in 2007. Twitter reported that approximately 190 user accounts were compromised before the attack was contained.
Twitter's recent security issues follow the same arc that many other consumer-grade services have experienced. An innovative idea is quickly turned into a cool Web site that attracts lots of consumer use. Security is, however, not typically part of the cool site's business model. Hype about the potential businesses use of the new technology quickly leads to malware attacks. After a successful attack, security measures that were not built in are "sprinkled on."
This pattern will not change anytime soon. There will always be real reliability and security differences between consumer- and business-grade technologies. But there will also be real business benefits to using consumer-grade technologies before they are "business-strength." Enterprises must consider the cost of integrating or adding security controls to contain the risks of using these technologies before they reach security maturity. Trying to ignore or block them simply will not work (see
"Optimal Security Approaches for the Secure Use of Consumer IT"
Ensure that everyone who accesses enterprise systems is aware of the risks of using consumer-grade technologies such as Twitter.
Update Web security gateways and network intrusion prevention systems to block transmission of the malware used in the Twitter attacks.
Require malware blocking and data loss prevention capabilities in any business plans using Twitter or other consumer-grade technologies.
"Optimal Security Approaches for the Secure Use of Consumer IT”
— Mapping the business gain against potential risks will enable enterprises to determine the most effective constraints and security controls for consumer-grade technologies.
By John Pescatore and Mark Nicolett
"A Buyer's Guide to Secure Web Gateways”
— No single secure Web Gateway vendor leads in all functional areas, so buyers need to prioritize their requirements to address the needs of their specific business, technical and regulatory environments.
By Peter Firstbrook and Lawrence Orans
(You may need to sign in or be a Gartner client to access the documents referenced in this First Take.)