Site Review – LinkedIn
Who doesn’t know about LinkedIn by now? This business-focused social networking site has been around seemingly forever (2003 is forever ago, right?). There are even blogs dedicated to helping you maximize your use of LinkedIn. Really, what more can I add?
You probably already know the basics. If you have an account on LinkedIn, you can add all the business associates you know to your account. This gives you a sort of online Rolodex that you can access from anywhere. Digging deeper, you can use groups to find the contact info for people you know, but perhaps not well. You can ask and answer questions and try to use the network to find contacts deeper within an organization.
It’s very useful for sales people and job hunters… and since everyone will likely be one or the other at some point in their career, most people are on it.
However, like all systems, there is a dark side. Many security practitioners constantly caution against putting personal information online. This information can be used in social engineering attacks against a business or to engage in identity theft. If someone manages to get your LinkedIn credentials, they also get access to all of your contacts. For a sales person, this can result in loss of competitive advantage. Moreover, if someone untrustworthy manages to link into your network, they can see everyone you know. This information can be used to target existing clients or uncover information about the structure of your company and related companies. On the other hand, this same design allows legitimate people in your network to leverage your extremely valuable connections, which can strengthen your relationships with all parties involved.
This is a fairly typical risk management problem. If you put data into the system, you run the risk of its being misused. But if you do not, your competitors can leverage their networks better than you. What can you do?
The solution that most people take is to simply ignore the risk. They assume that everyone is who they claim to be and will link willy-nilly to all and sundry. Some of them even claim to be LIONs (LinkedIn Open Networkers) and will link to anyone who expresses an interest, often attempting to link to complete strangers. (In the physical world, we use a different word to describe this behavior, but that veers from the topic at hand.)
Another solution is to ignore the site altogether. If your data isn’t online it can’t be compromised. Many in the security community approach it this way. It is the most secure solution, but you also lose all the benefits.
Of course, there is a middle ground. By using out-of-band techniques, you can have reasonable assurance of a person’s identity. For example, if you receive a LinkedIn invitation, you should first check out the sender’s profile and make sure that it matches what you expect. Then, you should send them an email or give them a call outside of the LinkedIn system and make sure that they intended to send you the request. If they say “yes”, then you know that they are legitimate, and you can add them to your network if you know them to be trustworthy. This doesn’t address all of the risks, but it does hit the major ones while still allowing you to use the system to your advantage.