Social Networking Security
How to Manage the Information Security Risks of Facebook, Linked In and Other Web Marketing Tools
by
Scott Wright
The Streetwise Security Coach
June 19, 2009
Ottawa Carleton Research and Innovation
“Don’t Leave the Keys to the Kingdom Under the Door Mat”
What Kind Of Day Would It Be For You?
Social Networking Security Agenda
When you let another entity control your data
Important Risks and Tips for users
Insider Risks to Organizations
A New Approach to Security Awareness
Summary
Questions and Answers
When You Are Not In Control Of Your Data
Prevention of risks is not always possible
Reaction is the other alternative
Planned reactions are best!
REPUTATION
ALWAYS KNOW YOUR ASSETS!
Risk #1 - Bogus Profiles
Over 40% of new Facebook profiles are fake
To initiate ID Theft and Phishing attacks
Accepting invitations allows more access to info
Tip 1: #Strangers – Don’t accept invitations from strangers
Hard to prevent in Twitter unless you block followers (not considered sociable)
Don’t feel obligated to reciprocate with strangers
Risk #2 - Too Much Info
The SN value proposition is information sharing
“Linked In” - defaults for outsider access are not bad
“Facebook” - defaults very open
Twitter - no expectation of privacy anyway
Try this: go to your Facebook account and search for <any company name in your city or area> and “Software” or “Technology”. From the list of results, click until you find one that has all their profile information visible... there are usually many!
Can lead to guessed passwords or recovery questions
Sarah’s Hacker: Just a heartbeat away…
“…it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!) the second was somewhat harder, the question was “where did you meet your spouse?”
Security Tip #2 - #Settings and #Sensitivity
#Settings – Check your profile’s privacy settings
Facebook – “Friends Only” in “Settings”
Free guide to privacy settings
Linked In – check the defaults (Account & Settings)
#Sensitivity – Remember, Mom may be watching!
Risk #3: Deception
Identity Thieves, Hackers, Corporate Spies
Which site is likely to be least dangerous?
1. http://contest.microsoft.com.cn/windows7.html
2. http://tinyurl.com/windowscontest
3. http://www.2months-interestfree.com
They can ALL be dangerous!
Malware spreads 10 times faster on Social Networks!
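To show why none of the three quiz links above can be trusted on sight, here is an added example (not from the original slides) that classifies a link the way a cautious user should: the suffix list, shortener list and brand-domain table are deliberately tiny, constructed stand-ins for the Public Suffix List and real reference data.

```python
from urllib.parse import urlsplit

# Constructed, deliberately short lists for this example. Real tooling should
# use the Public Suffix List and a maintained shortener list instead.
MULTI_LABEL_SUFFIXES = {"com.cn", "co.uk", "com.au"}
URL_SHORTENERS = {"tinyurl.com", "bit.ly"}
# Hypothetical table of which registrable domains a brand is known to use.
KNOWN_BRAND_DOMAINS = {"microsoft": {"microsoft.com"}}


def registrable_domain(host):
    """contest.microsoft.com.cn -> microsoft.com.cn; www.example.com -> example.com."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def assess_link(url):
    """Return (verdict, reason). Only a 'known' verdict gives any assurance at all."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if not host:
        return "unknown", "no host name in the link"
    domain = registrable_domain(host)
    if domain in URL_SHORTENERS:
        return "hidden", f"{domain} is a shortener; the real destination is not visible"
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if domain in domains:
            return "known", f"{domain} is a known {brand} domain"
        if brand in host:
            # The brand name appears somewhere in the host, but the part that is
            # actually registered (and controlled) is a different domain.
            return "brand-mismatch", f"mentions {brand} but is registered as {domain}"
    return "unknown", f"{domain} is not a domain you have a reason to trust"


# The three links from the slide's quiz: none of them comes back as "known".
SLIDE_LINKS = [
    "http://contest.microsoft.com.cn/windows7.html",
    "http://tinyurl.com/windowscontest",
    "http://www.2months-interestfree.com",
]

if __name__ == "__main__":
    for link in SLIDE_LINKS:
        verdict, reason = assess_link(link)
        print(f"{verdict:15} {link}  ({reason})")
```

Each link fails a different check (brand-mismatch, hidden, unknown), which is the slide's point: the URL alone never proves a link is safe.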
The Honey Stick Project
Simulating a potentially dangerous risk decision
E.g. Conficker worm
Over 60% made the wrong risk decision
Over 80% of data breaches have internal causes
- Ponemon Institute
Security Tip #3 - #Suspicion
#Suspicion – Be suspicious of unexpected messages and unknown links (or devices!)
Unexpected changes in patterns, wordings
Single sources of info
Get help from security tools: firewalls, antivirus
Risk #4 - Account Hijacking / ID Theft
Poor password practices
Weak passwords, used everywhere
“Blending” of business/personal
Most common passwords (2006, from Bruce Schneier):
password1
abc123
myspace1
password
Blink182
qwerty1
The more information you have in one account, or protected by the same password, the greater the risk!
Best password?
“dokitty17darling7g7darling7”
Security Tip #4 - #Separate Accounts
#Separate accounts for business and personal use
Different passwords across accounts
Special characters in the middle of words
Password Management Programs
Keepass (www.keepass.info)
1Password (agilewebsolutions.com)
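As an added example (not part of the original slides) of Risk #4 and Tip #4 together: the checker below flags the common passwords listed on the slide and the "special character only at the ends" pattern, and the reuse report shows the blast radius of one shared password across business and personal accounts. The account inventory is constructed for the example; a real password manager never stores passwords like this.

```python
import re

# The most-common-passwords list quoted on the slide (2006, via Bruce Schneier).
COMMON_PASSWORDS = {"password1", "abc123", "myspace1", "password", "blink182", "qwerty1"}


def password_findings(pw):
    """Return a list of problems with a candidate password (empty list = no findings)."""
    findings = []
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("on the common-password list")
    # Tip #4: special characters belong in the middle of words, not only at the ends.
    if not re.search(r"[^A-Za-z0-9]", pw[1:-1]):
        findings.append("no special character in the middle")
    return findings


def reuse_report(accounts):
    """accounts: {account_name: (category, password)}.

    Returns {password: {"accounts": [...], "mixed": bool}} for every password used
    by more than one account; "mixed" is True when business and personal blend.
    """
    by_password = {}
    for name, (category, pw) in accounts.items():
        by_password.setdefault(pw, []).append((name, category))
    report = {}
    for pw, users in by_password.items():
        if len(users) > 1:
            categories = {category for _, category in users}
            report[pw] = {"accounts": sorted(name for name, _ in users),
                          "mixed": len(categories) > 1}
    return report


# Constructed sample inventory: one password is shared by a work and a personal account.
SAMPLE_ACCOUNTS = {
    "work-email": ("business", "password1"),
    "facebook": ("personal", "password1"),
    "linkedin": ("business", "dokitty17darling7g7darling7"),
    "bank": ("personal", "Tr0ub@dor"),
}

if __name__ == "__main__":
    for name, (category, pw) in SAMPLE_ACCOUNTS.items():
        print(f"{name:12} {category:9} findings: {password_findings(pw)}")
    for pw, info in reuse_report(SAMPLE_ACCOUNTS).items():
        print(f"reused: {info['accounts']} mixed business/personal: {info['mixed']}")
```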
Risk #5 - Insider Threats
HR issues – absence, harassment, hiring
Abuse of computers and networks for personal use
Theft of data for “insurance against layoffs”
Oh yeah? Prove it…
Niresh = HR, Kyle = Absentee
Censored
Security Tip #5 - #Security Standards
Have #Security standards, policies or rules
Acceptable use, absenteeism, harassment, recruitment screening, risk management
“Stupidity is not protected Information”
- Melanie Polowin (Gowlings)
Communication between execs and IT managers
e.g. Cisco posting policy
http://blogs.cisco.com/news/comments/ciscos_internet_postings_policy/
An Alternative Security Awareness Approach
For Business Managers
Leveraging the Internet With Acceptable Risk
For IT Managers
Workflow-based Risk Assessment Process
Beyond lectures
Interactive workshops engage people!
Streetwise Security Awareness means using collaborative techniques to complement a top-down IT security program
For More Help
Streetwise Security Zone Collaborative Community
http://www.streetwise-security-zone.com
Scott is “@streetsec” on Twitter: twitter.com/streetsec
Email [email protected] 613-693-0997
Dalian Enterprises for Security Products and Services (Matt Gervais)
Email [email protected] 613-234-1995 x390
Social Networking Security Summary
Don’t accept invitations from #Strangers
Check privacy #Settings and #Sensitivity
Be #Suspicious of messages and links
Use #Separate Accounts for business and personal, with multiple passwords
Have #Security Standards Policies or Rules on use of Internet
Think #Risk Management by “#Workflow”
The Security Awareness Revolution
Human risk decisions are becoming much more important
Technology will lag and leave vulnerabilities
We must educate the people we care about to consider the risks, before they have a breach!
Don’t Leave the Keys to the Kingdom Under the Door Mat!