Facebook's Ongoing Security Challenges Are a Cautionary Statement for All Companies

Posted on by Tony Kontzer

For a company that actively sought the more than 2 billion people who use its platform, Facebook sure is having a hard time staying on top of all of that personal data.

With the company still reeling from the Cambridge Analytica fiasco that brought attention to just how little regard it had for its users' data privacy, Facebook's data security practices—or lack of them—have continued to find the headlines. And make no mistake, its security headaches could be anyone's in this data-intensive age.

Here's the thing: none of the recent reports have had anything to do with being attacked or facing an immediate threat. Rather, the news has highlighted how Facebook's security practices have languished for years, and are now creating mounting issues for the company.

Let's start with a biggie: Australian cybersecurity firm UpGuard recently discovered more than 540 million Facebook user records that had been exposed for years on two unprotected Amazon Web Services S3 "buckets," which store data files.

One of those buckets contained data held by a Facebook-integrated matchmaking app called "At the Pool" that ceased operations five years ago. The other bucket was operated by Cultura Colectiva, a Mexican digital media publisher.

While the direct responsibility for the data clearly lies with the two companies that were storing it, the discovery raises questions about Facebook's diligence on the security front. So long as the social media giant continues to provide app makers and other partners with access to its users' data, it would behoove the company to be aware of partners who either don't apply sufficient security measures or have ceased operations and may have left that data publicly exposed.

As if that sloppiness wasn't enough, cybersecurity watchdog Brian Krebs also recently reported that as many as 600 million Facebook users' login info had been stored for years as plain text on internal servers, to which more than 20,000 Facebook employees had searchable access. Clearly this is a case in which Facebook has nowhere to point except at itself.

Meanwhile, even as Facebook has been in damage control mode and shoring up the security of its users' data, it also has been contending with the use of its platform as an enabler of the hacker community.

Most recently, Cisco Talos found that 74 groups had been formed on Facebook specifically to offer tools and services for hackers, some with group names as obvious as "Spammer & Hacker Professional," an indication of the ease with which hackers have been able to conduct business in the open on Facebook.

After Cisco Talos alerted Facebook, all 74 groups were shut down, but Talos noted that new groups began appearing immediately, highlighting the need for Facebook to be aggressive on this front.

In a bit of deliciously ironic timing, Facebook rival Google, which had to shutter its Google+ service after exposing the data of 52 million users, just launched a product designed to help companies better protect their customers' data.

Chronicle, a startup born out of Google's "moon shot" unit, X, has introduced its first product, called "Backstory," a cloud-based platform on which companies can store their network intelligence data indefinitely, enabling the service to provide constant analysis and history-backed insight to help prevent cyber security incidents.

Perhaps Facebook should consider pursuing a similar path and start developing security tools tailor-made for safeguarding social media platforms?

Given the company's long string of slip-ups, it should come as no surprise that there are growing numbers of people who aren't too happy with Facebook founder and CEO Mark Zuckerberg. And this has led the company to bolster another kind of security: Zuckerberg's. Because of the microscope all of these incidents have put on him, Zuckerberg's security costs rose precipitously to more than $22 million last year, according to an SEC filing last week.

That's more than 10 times what securing other under-the-microscope tech CEOs like Amazon's Jeff Bezos and Uber's Dara Khosrowshahi is costing.

There's a moral there for CEOs of large companies in this age of cyber security breaches: at some point, your security lapses might come home to roost squarely on your shoulders.

There's another message, too, for everyone from CEOs and CISOs down to the security workers in the trenches: just because you're not being breached doesn't mean your security is in good shape. Whether your customers' and employees' data resides on your own servers, is in the hands of a cloud provider, has been taken home on an employee laptop, or has been handed off to a far-flung business partner, protecting it is your responsibility.

Tony Kontzer, RSA Conference
