Trouble in the Blogosphere
Web logs—blogs—are the current darlings of the online world. In these online journals, which cover every imaginable subject from law to technology to humor to hacking, bloggers link to articles they find interesting and post their opinion. However, the free-flowing nature of blogs encourages users to let down their guard, and that creates a risk for businesses.
The problem is that employees may end up saying something they wouldn’t generally say in print or in public. That means blogs may end up containing information that a business would rather not see publicly discussed, either because it is proprietary or because it shows the company in a negative light.
How should companies deal with employees who blog about company matters? Dennis Kennedy, a computer lawyer who runs his own blog, says that companies need to be sure they have a clear policy that deals with how employees communicate with the outside world, whether through email, phone calls from reporters, blogs, or other Internet discussion forums.
These policies are often missing, Kennedy says. The policies should make employees aware of the need to protect proprietary information and the company’s reputation. The policy should let staff know precisely who is authorized to speak on the company’s behalf and what types of information are not meant to be disclosed to anyone outside the organization.
It should also lay out exactly what the consequences of violating these rules would be. Some companies have fired employees who have put negative comments about the company or its management on blogs.
Having the policy is only the first step, however. Many companies that have policies haven’t done a good job of communicating them to employees. “It’s one thing to say you shouldn’t release trade secrets or disclose information before an IPO in violation of securities laws,” Kennedy says. But staff must know that’s the policy.
Another concern is that blogs may offer hackers a new vector for spreading malicious code. The issue here is how the blogs are set up.
Blogs are easy, and often free, for anyone to set up and run, which accounts in part for their astonishing popularity. But of the scores of hosting companies vying for new blogs, not all are taking the right steps toward ensuring information security.
Dan Hubbard, senior director of security and technology research for Websense, Inc., says that researchers in the company’s labs have discovered hundreds of instances of blogs involved in the storage and delivery of harmful code.
Hackers are looking to blogs, says Hubbard, in part because “blogs are in most cases on decent hardware, in an infrastructure that is good, unlike using a ‘Trojaned’ PC or a zombie machine from a zombie network,” both of which are less reliable.
Additionally, blogs on these sites are often set up anonymously, and many blog hosts don’t check the types of files that are being uploaded onto their servers. “They shouldn’t allow executables to be uploaded onto the site,” Hubbard says.
Unwitting users are tricked into letting a Trojan horse program be placed on their computer through an e-mail, for example. The Trojan is designed to reach out to the executable file on the blog site where it is hosted, and then begins another round of exploitation, Hubbard says.
This type of attack defeats many firewalls and antivirus solutions because port 80, through which Web traffic flows, is typically open, and much of the malicious code is new, so no antivirus signatures exist.
Hubbard says that some companies are rolling out gateway-based Web-filtering products that augment antivirus programs to offer greater protection against these types of threats. But, he adds, companies that host blogs need to take steps to prevent executable files from being stored as well.
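The kind of hosting-side check Hubbard is calling for, as an added example that is not code from the article or from Websense: it inspects the leading bytes of an upload so that an executable renamed to look like an image is still refused, and only then falls back to an extension blocklist. The function names, the magic-byte table and the sample uploads are all constructed for this illustration.

```python
from __future__ import annotations

# Leading bytes of common native executable formats (content check, not name check).
_EXEC_MAGIC = {
    b"MZ": "Windows PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary or Java class",
    b"#!": "script with interpreter line",
}

# Extensions the host refuses even when the content check finds nothing.
_BLOCKED_EXT = {"exe", "dll", "scr", "com", "bat", "cmd", "pif", "msi", "jar"}


def detect_executable(data: bytes) -> str | None:
    """Return a description if the file header matches a known executable format."""
    head = data[:8]
    for magic, desc in _EXEC_MAGIC.items():
        if head.startswith(magic):
            return desc
    return None


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether the host should store this upload; returns (accepted, reason)."""
    # Content inspection runs first so a misleading extension cannot bypass the check.
    desc = detect_executable(data)
    if desc is not None:
        return False, f"rejected: content is {desc}"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in _BLOCKED_EXT:
        return False, f"rejected: .{ext} files are not allowed"
    return True, "accepted"


# Constructed sample uploads (not real files); photo.jpg is a renamed PE binary.
SAMPLES = {
    "avatar.png": b"\x89PNG\r\n\x1a\n" + bytes(16),
    "notes.txt": b"just some text\n",
    "update.exe": b"MZ\x90\x00" + bytes(60),
    "photo.jpg": b"MZ\x90\x00" + bytes(60),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, *check_upload(name, blob))
```

A production filter would also cap file size and verify that accepted images actually decode, but the ordering shown here is the point: judge the bytes before trusting the name.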
Dennis Kennedy’s blog frequently covers the legal issues relating to blogs and bloggers. Visit it on SM Online at www.securitymanagement.com.