Sunday, August 15, 2010

Social Networking Website Security Mitigation


The use of social networking sites at CDC, such as Facebook and MySpace, increases risk to CDC systems and data via three main mechanisms: 1) Web mail communication, which bypasses enterprise mail filtering; 2) public comments on blog posts, which are often vulnerable to cross-site scripting (XSS) or blog-phishing attacks; and 3) malicious ‘friends’, whereby users who have been accepted as ‘friends’ may later change their profiles to deliberately include malicious code or spurious, offensive, inappropriate or political content.

Social networking sites and other Web 2.0 technologies offer health communicators powerful new channels to deliver relevant and targeted health messages, often through trusted sources, when, where and how users want information. Because these technologies are newly emerging and prone to security vulnerabilities and new attack vectors, mitigating these risks to protect the CDC network remains paramount to OCISO and the programs alike.

This document outlines the steps for assessing the risk of individual sites and gives recommendations for mitigating these known risks where they are present.

OCISO makes two general recommendations regarding social networking sites, addressing the first two vulnerability classes:

Do not use the Web mail portion of these sites.
Disable comments on blogs and other public commenting sections.

OCISO does not offer recommendations regarding the third vulnerability class, malicious ‘friends’.
