This slidecast provides information on the interrelationships between Web 2.0/social network applications and security. It explores the impacts that Web 2.0/social network applications have on security, provides examples of such security attacks, and offers potential solutions.

WEB 2.0/SOCIAL NETWORKS AND SECURITY
By: Sherry Gu
For: ACC626
AGENDA
- Definition of Web 2.0
- Magnitude of use of Web 2.0/social networking applications
- Impacts of Web 2.0/social networks on security and security risks
- Types of security attacks
- Triggers/motivations behind security attacks
- Remedies/solutions to security vulnerabilities
- Implications for accountants
WHAT IS WEB 2.0?
- Web 2.0 Conference: “Network as Platform”
- Web 2.0: “managing, understanding, responding…” “…to massive amount of user generated data…” “…in real time”
MAGNITUDE OF USE
For businesses (2008 survey):
- 18% of companies use blogs
- 32% of companies use wikis
- 23% of companies use RSS feeds
Forrester Research: spending on Web 2.0 applications of $4.6 billion in 2013
IMPACTS ON SECURITY RISKS
Control/detection risk:
- Adds complexity to the current system (multiple platforms, multiple sources)
Inherent risk:
- Interactive nature
- Increase in the likelihood of leaking confidential data
Statistics:
- 40% of users attacked by malware and phishing from social networking sites
- Ranked as the “most serious risk to information security” in 2010 by SMBs
- 60% of companies believed that employee behaviour on social networks could endanger network security
XSS ATTACK
- Injecting malicious code into otherwise trusted websites
- Gives hackers access to information in the browser
- E.g. the “Samy” attack on MySpace:
  - Added Samy as a friend
  - Added “Samy is my hero” to profile pages
  - One million friend requests
CSRF ATTACK
- Lures users to open/load malicious links
- Gives the hacker access to already-authenticated applications
- The hacker makes undesirable modifications/changes/extractions to applications
- E.g. Gmail: malicious code creates email filters that forward emails to another account
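To make the Gmail filter scenario concrete from the defender's side, here is an added example (not part of the original slides) that simulates a "create forwarding filter" request handler with and without CSRF protection. The session, request and origin values are constructed for the demonstration; the protected handler requires a POST, an Origin header matching the site, and a session-bound CSRF token.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SITE_ORIGIN = "https://mail.example"  # assumed origin of the webmail application


@dataclass
class Session:
    """Authenticated session; the browser sends its cookie with any request."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    filters: List[str] = field(default_factory=list)


@dataclass
class Request:
    method: str
    origin: Optional[str]      # Origin header as sent by the browser (may be absent)
    form: Dict[str, str]
    session: Session           # resolved from the cookie, regardless of who made the request


def create_filter_vulnerable(req: Request) -> int:
    # Only checks that a session exists: a form auto-submitted from a malicious
    # page carries the victim's cookie, so the forwarding filter gets created.
    req.session.filters.append(req.form["forward_to"])
    return 200


def create_filter_protected(req: Request) -> int:
    # State changes only via POST, so a plain link or image load cannot trigger it.
    if req.method != "POST":
        return 405
    # Reject requests whose Origin header names another site.
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return 403
    # Synchronizer token: an attacker's page cannot read the victim's token,
    # so a cross-site form cannot supply the right value. Constant-time compare.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return 403
    req.session.filters.append(req.form["forward_to"])
    return 200
```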
MALWARE/SPYWARE/ADWARE
- Malware: worms, viruses, trojans
- Examples:
  - Koobface family malware on YouTube and Facebook
  - Bebloh Trojan: “man-in-the-browser” attack
SPEAR PHISHING
- Targets specific organizations
- Seeks unauthorized access to confidential data
- Appearance of the sender: a more direct relationship with the victim
- Social networks help hackers build a more complete profile about the sender
IDENTITY THEFT
- Researchers from Eurecom:
  - Profile cloning
  - Cross-site cloning
- Authentication problems
TRIGGERS/MOTIVATIONS
Technical nature:
- Largely dependent on source code, e.g. AJAX
- Open source
- Complex scripts and dynamic technology: difficult for protection software to identify malware signatures
TRIGGERS/MOTIVATIONS
Financial gain:
- Hack into bank accounts
- Sell to buyers in the large underground market
Organized crime/bot recruitment:
- Web 2.0 applications are public, open, scalable and anonymous
REMEDIES/SOLUTIONS
- Employee use policies and education (balance between flexibility and security)
- Strengthen monitoring and reviewing activities: extensive logs and audit trails
- Encryption of user data using public and private keys
IMPLICATIONS FOR ACCOUNTANTS
Auditors: assess the need for risk assessment
- Social network/Web 2.0 strategy, policies, and regulatory compliance requirements
- Risk assessment:
  - Identify types of risk
  - Analyze threat potential
  - Validate risk ratings
  - Hire an IT specialist
- ISACA: social media assurance/audit program
CONCLUSION
- Heightened security risks
- Risk assessment is critical
- Policies and procedures