Most enterprises don’t think small when it comes to cybersecurity. Bigger is better — bigger budgets, bigger reach, bigger payoff, right? However, at Facebook’s recent F8 conference, Chief Executive Officer Mark Zuckerberg touched on “small” security tactics the site uses to avoid larger issues down the line. Can enterprises benefit from this kind of scaled-down security thinking?

Fast and Stable

While most F8 attendees got what they were hoping for — more about new developer initiatives such as the Messenger Platform and the evolving Facebook Login app — Zuckerberg also made it clear that he is committed to improving security. According to a recent Motley Fool article, safety is vital for users’ ability to trust a social platform.

“We need to put people first by keeping them safe and giving them more control of their experiences,” Zuckerberg said.

Meanwhile, Fortune noted that Zuckerberg had taken to repeating a slightly altered version of a Silicon Valley mantra: “Move fast and break things.” His version? “Move fast and with stable infra.”

So how is Facebook thinking small but getting big results? It starts with events such as Hacktober, which sees the company’s internal security experts trying to dupe other employees into falling for security scams such as phishing attacks and other socially engineered threats. Additionally, the company scatters USB sticks and other devices marked “confidential” around its headquarters and satellite offices and then tracks their use to see which employees take the bait. On the surface, this seems like small potatoes; tricks and traps are hardly enterprise-grade security measures. However, according to Facebook security engineer Ted Reed, the idea here is to create a company culture that is naturally resistant to security threats, which helps limit the chance of a large-scale breach.

Curated Security Tactics

Meanwhile, social sharing site Twitter just debuted a new feature that aims to filter out offensive tweets and notifications. As reported by Naked Security, this “quality filtering” will remove any content that contains “threats, offensive or abusive language, duplicate content” or anything sent from suspicious accounts. The new feature is currently only available to verified Twitter users and those running iOS, but if the service proves to be popular and effective, expect to see this roll out across devices and even to unverified users.

The small lessons here? First is the concept of starting small and only expanding security services as necessary. Spending big on company-wide rollouts does no good if security measures can’t keep up or don’t have their intended effect. Twitter’s effort also speaks to the opposite side of the security coin: While Facebook looks to create a culture of security among its employees, Twitter wants to do the same among users. Not only does this help them feel safe — and more likely to use the sharing app — but it also makes it more likely they will report emerging security issues.

Evolving Information

Professional sharing site LinkedIn is also taking small steps to shore up its security tactics. According to its official blog, the company has launched a new security site to “help our members and the businesses that use LinkedIn better understand our security practices.” The site includes a safety center with tips to protect user information, a list of LinkedIn security practices and a security blog to offer more direct insight into the company’s efforts to keep users safe. The takeaway for enterprises? Information matters. Easy-to-find best practices and usage expectations, combined with transparency about existing security measures, go a long way toward bolstering large-scale security efforts. When employees and users feel like they are in the loop, security becomes more than just a buzzword.

For social media sites such as Facebook, Twitter and LinkedIn, the mandate is clear: Smaller security tactics make a world of difference. The same holds true for enterprises. By getting employees involved, curating user content and providing easy ways to access pertinent security data, it’s possible to think small, spend less and sidestep bigger security issues.
