SlideShare uma empresa Scribd logo

Social networking-website-security-mitigation

Transferir como DOC, PDF
B
bipinsunar
Tecnologia
1 de 4
Social Networking Website Security Mitigation The use of social networking site at CDC, such as Facebook and MySpace, increases risk to CDC systems and data via three main mechanisms: 1) Web mail communication, which by-passes enterprise mail filtering, and 2) public comments on blog posts, which are often vulnerable to cross-site scripting (XSS) or blog-phishing attacks, and 3) malicious ‘friends’, whereby those who are accepted as ‘friends’, may change their profiles after being approved to purposely include malicious code, spurious, offensive, inappropriate or political content. Social networking sites and other Web 2.0 technologies offer health communicators powerful new channels to deliver relevant and targeted health messages, often through trusted sources, when, where and how users want information. Since these technologies are newly emerging and are unfortunately prone to security vulnerabilities and attack vectors, mitigating these risks to protect the CDC network remains paramount to OCISO and the programs alike. This document aims to outline the steps of risk assessment for individual sites and recommendations for mitigating these known risks when they are present. OCISO makes two general recommendations1 regarding social networking sites and the first two main vulnerability classes: Do not use the Web mail portion of these sites. Disable comments on blogs and other public commenting sections. OCISO does not offer recommendations regarding the third vulnerability, malicious ‘friends’. Web Mail: Most functions of social networking sites are usually available even when Web mail is not used or blocked by Websense. When possible, this is the recommended route, not only in terms of security, but also convenience. If possible, have incoming mail automatically redirected to a specific, group CDC account, since it would allow the regular enterprise mail filters to scan the incoming mail traffic. If Web mail is required to effectively use the site, then a computer off the CDC network will have to be used to manage and maintain the site. This requires separate hardware and connection to the Internet. Public Comments: OCISO recommends that comments be disabled. Even moderated comments pose a risk to the CDC network, since each of the comments have to be opened and evaluated by someone on a CDC network computer. There is no way to moderate the comments without the moderator’s system being in jeopardy. However, not allowing comments on blog posts and other content not only is contrary to the very nature of these peer-to-peer communications platforms and thereby reducing the site’s effectiveness, often a
negative backlash is encountered, which undermines the effectiveness of our communications efforts. From a communications perspective, we recommend allowing comments, but having all comments moderated. A special computer off the CDC network will be required to manage and maintain the site. This necessitates the purchase of separate hardware and connection to the Internet. Malicious ‘Friends’: Once friends are approved on a social networking profile, vigilance is required to make sure that the friend’s profile hasn’t changed to include inappropriate content, an inappropriate profile image or malicious code. The simple act of reviewing proposed friends may make the administrator’s system vulnerable to attack. Although most users of such social networking site already understand this, disclaimers about friends and content on their profiles should be posted. Clear policies about accepting friends should be posted as well. Some sites such as MySpace allow you to control which friends get listed on your main profile page, whereas others such as Facebook randomly place any of your friends on the main page, in which case, care must be taken in approving friends. This vulnerability is the same as attacks whereby developers work to get a site high in Google or other search engine results, and then changing the content of their pages to purposely introduce attacks. Again, the main recommendation is to use computer resources off the CDC network to manage and maintain the profile. This requires separate hardware and connection to the Internet. Primary recommendations: Since most Web 2.0 technologies are still emerging and secure coding practices are not industry-wide, it is recommended to do a risk assessment for each social networking, Web 2.0 community you wish to use for official CDC communications to determine whether Web mail and public comments are allowed and are necessary. Most times they are either required or greatly preferred, and in those cases the only way to currently protect the CDC network is to manage and maintain these sites on hardware off the CDC network. Programs must work with OCISO to develop appropriate Rules of Behavior (ROB) for those who will use the special hardware to manage these profiles. These ROB will include provisions of not connecting the hardware to the CDC network, trying to reenable ports if OCISO has blocked them, or moving files from the system to the network directly in any way. Special connections to the Internet must be acquired, which is usually a wireless Internet card. If DSL, cable or T1 connections are required, then the program must also include ITSO in on the discussions at an early stage. Programs should develop a system to regularly and systematically review the URLs in any comment for XSS on the destination. Those who do the scanning and review should be trained on how to look for suspicious XSS type of code in a page. The use of automated tools are generally restricted by license agreements.
Programs should also develop a system to regularly and systematically review the profile pages of friends as well, to ensure that content has not changed since initial acceptance and that those profiles have not been compromised. Programs should also routinely scan the security environment and vulnerabilities databases to stay breast of the changing security landscape associated with these sites. System Definition and Boundaries: Until these sites can be made more secure across the board, it is not recommended at this time to treat the information published to these systems as information of record or official. Disclaimers should be made on the profiles of each of these sites to state that official CDC information can be found at CDC.gov and that in the case of any discrepancies that the content on CDC.gov be considered correct. Even though clear system boundaries are established, programs participating in the spaces must assume the risk that content may be subject to attack and change, since ITSO and OCISO do not maintain these systems. It is not recommended to use these social networks to gather personal information or to be used for private or secure communications. Social Networks Site Analyses: MySpace: Since this site relies on Web mail to solicit and accept friends and the blog moderating functions have been known to have XSS vulnerabilities in the past, it is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO. Facebook: Since this site allows blog posts and there is limited or no control over which of your friends appear on your home page, it is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO. Twitter: An interesting site in terms of social networking in that comments and posts are allowed, but are limited to 140 characters with no HTML or JS allowed. Hyperlinks are allowed and are automatically converted to the actual HTML code by the system. Eg – http://www.cdc.gov becomes <a href=http://www.cdc.gov>http://www.cdc.gov</a> automatically. Comments are designed to be sent by SMS messaging, which is text based. Requests for followers come through email and can be accepted without Web mail. Whereas it does seem to be secure against XSS exploits, the site does rely on AJAX technologies and can be used to post links to malicious sites. In order to vet these links, they must be followed, which would put the system at risk. It is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO. DailyStrength: This site relies on Web mail to solicit and accept friends, allows blog comments and has limited to no control over which of your friends show up on your main profile page. It is recommended that to use this site for CDC communications, it be
done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO. YouTube: This site allows comments on videos and has limited to no control over which of your friends show up on your main profile page. It is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO. Flickr: This site allows comments and has limited to no control over which of your friends show up on your main profile page. It is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO.

Recomendados

Social networks security risks
Social networks security risksSocial networks security risks
Social networks security risks
osuhaibany
 
Toward Spam 2.0: An Evaluation of Web 2.0 Anti-Spam Methods
Toward Spam 2.0: An Evaluation of Web 2.0 Anti-Spam MethodsToward Spam 2.0: An Evaluation of Web 2.0 Anti-Spam Methods
Toward Spam 2.0: An Evaluation of Web 2.0 Anti-Spam Methods
Pedram Hayati
 
Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks Malware
Aditya K Sood
 
2011 Social Media Malware Trends
2011 Social Media Malware Trends2011 Social Media Malware Trends
2011 Social Media Malware Trends
Lumension
 
Understanding SaaS Concepts
Understanding SaaS ConceptsUnderstanding SaaS Concepts
Understanding SaaS Concepts
guest0e7119
 
Facebook and Security Settings Report
Facebook and Security Settings ReportFacebook and Security Settings Report
Facebook and Security Settings Report
Abhishek Gupta
 
Facebook and security settings settings
Facebook and security settings settingsFacebook and security settings settings
Facebook and security settings settings
Abhishek Gupta
 
social-networking sites
social-networking sites social-networking sites
social-networking sites
puffyarson5604
 

Recomendados

Social networks security risks
Social networks security risksSocial networks security risks
Social networks security risks
osuhaibany
 
Toward Spam 2.0: An Evaluation of Web 2.0 Anti-Spam Methods
Toward Spam 2.0: An Evaluation of Web 2.0 Anti-Spam MethodsToward Spam 2.0: An Evaluation of Web 2.0 Anti-Spam Methods
Toward Spam 2.0: An Evaluation of Web 2.0 Anti-Spam Methods
Pedram Hayati
 
Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks Malware
Aditya K Sood
 
2011 Social Media Malware Trends
2011 Social Media Malware Trends2011 Social Media Malware Trends
2011 Social Media Malware Trends
Lumension
 
Understanding SaaS Concepts
Understanding SaaS ConceptsUnderstanding SaaS Concepts
Understanding SaaS Concepts
guest0e7119
 
Facebook and Security Settings Report
Facebook and Security Settings ReportFacebook and Security Settings Report
Facebook and Security Settings Report
Abhishek Gupta
 
Facebook and security settings settings
Facebook and security settings settingsFacebook and security settings settings
Facebook and security settings settings
Abhishek Gupta
 
social-networking sites
social-networking sites social-networking sites
social-networking sites
puffyarson5604
 
Facebook Security
Facebook SecurityFacebook Security
Facebook Security
thaash95
 
Social Media Safety
Social Media SafetySocial Media Safety
Social Media Safety
Joint Base Myer-Henderson Hall
 
social-networking sites
social-networking sites social-networking sites
social-networking sites
offbeatnominee633
 
Impact on social networks
Impact on social networksImpact on social networks
Impact on social networks
Bhargava Ganti
 
Mark Rogers' Social Network Presentation
Mark Rogers' Social Network PresentationMark Rogers' Social Network Presentation
Mark Rogers' Social Network Presentation
Mark Rogers
 
Web Spam Techniques
Web Spam TechniquesWeb Spam Techniques
Web Spam Techniques
Tin180 VietNam
 
CSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using MiddlewareCSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using Middleware
ijtsrd
 
Capilano University Personal Branding Online
Capilano University Personal Branding OnlineCapilano University Personal Branding Online
Capilano University Personal Branding Online
Mhairi Petrovic
 
facebook secrets by SHASHI
facebook secrets by SHASHIfacebook secrets by SHASHI
facebook secrets by SHASHI
shashi patel
 
Google plus 10 mar15
Google plus 10 mar15Google plus 10 mar15
Google plus 10 mar15
Naval OPSEC
 
Social Media Education Workshop for the Plus Southwest Chapter
Social Media Education Workshop for the Plus Southwest ChapterSocial Media Education Workshop for the Plus Southwest Chapter
Social Media Education Workshop for the Plus Southwest Chapter
Sandra Masters
 
Facebook
FacebookFacebook
Facebook
STOBARTEVANS
 
Social networks threats
Social networks threatsSocial networks threats
Social networks threats
Catalin Cosoi
 
Social Networks - Threats and Trends - #bchh10 & #bcvie
Social Networks - Threats and Trends - #bchh10 & #bcvieSocial Networks - Threats and Trends - #bchh10 & #bcvie
Social Networks - Threats and Trends - #bchh10 & #bcvie
BitDefender GmbH
 
Academic calendar 2012
Academic calendar 2012Academic calendar 2012
Academic calendar 2012
rohitsinsan
 
โพรโตคอลกิจกรรมการเรียนการสอน
โพรโตคอลกิจกรรมการเรียนการสอนโพรโตคอลกิจกรรมการเรียนการสอน
โพรโตคอลกิจกรรมการเรียนการสอน
Piyatida Prayoonprom
 
ครูผู้ช่วย
ครูผู้ช่วยครูผู้ช่วย
ครูผู้ช่วย
Piyatida Prayoonprom
 
La contribució de les tic a l’ensenyament i
La contribució de les tic a l’ensenyament iLa contribució de les tic a l’ensenyament i
La contribució de les tic a l’ensenyament i
magdalena serra
 
презентация Fly cam Semey
презентация Fly cam Semeyпрезентация Fly cam Semey
презентация Fly cam Semey
Ravil LogOff
 
Academic calendar 2012
Academic calendar 2012Academic calendar 2012
Academic calendar 2012
rohitsinsan
 
Attitude
AttitudeAttitude
Attitude
rohitsinsan
 
Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...
Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...
Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...
Net and Zelda:Internet Stories and Video Games
 

Mais conteúdo relacionado

Mais procurados

Facebook Security
Facebook SecurityFacebook Security
Facebook Security
thaash95
 
Impact on social networks
Impact on social networksImpact on social networks
Impact on social networks
Bhargava Ganti
 
Mark Rogers' Social Network Presentation
Mark Rogers' Social Network PresentationMark Rogers' Social Network Presentation
Mark Rogers' Social Network Presentation
Mark Rogers
 
CSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using MiddlewareCSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using Middleware
ijtsrd
 
Social networks threats
Social networks threatsSocial networks threats
Social networks threats
Catalin Cosoi
 

Mais procurados (14)

Facebook Security
Facebook SecurityFacebook Security
Facebook Security
 
Social Media Safety
Social Media SafetySocial Media Safety
Social Media Safety
 
social-networking sites
social-networking sites social-networking sites
social-networking sites
 
Impact on social networks
Impact on social networksImpact on social networks
Impact on social networks
 
Mark Rogers' Social Network Presentation
Mark Rogers' Social Network PresentationMark Rogers' Social Network Presentation
Mark Rogers' Social Network Presentation
 
Web Spam Techniques
Web Spam TechniquesWeb Spam Techniques
Web Spam Techniques
 
CSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using MiddlewareCSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using Middleware
 
Capilano University Personal Branding Online
Capilano University Personal Branding OnlineCapilano University Personal Branding Online
Capilano University Personal Branding Online
 
facebook secrets by SHASHI
facebook secrets by SHASHIfacebook secrets by SHASHI
facebook secrets by SHASHI
 
Google plus 10 mar15
Google plus 10 mar15Google plus 10 mar15
Google plus 10 mar15
 
Social Media Education Workshop for the Plus Southwest Chapter
Social Media Education Workshop for the Plus Southwest ChapterSocial Media Education Workshop for the Plus Southwest Chapter
Social Media Education Workshop for the Plus Southwest Chapter
 
Facebook
FacebookFacebook
Facebook
 
Social networks threats
Social networks threatsSocial networks threats
Social networks threats
 
Social Networks - Threats and Trends - #bchh10 & #bcvie
Social Networks - Threats and Trends - #bchh10 & #bcvieSocial Networks - Threats and Trends - #bchh10 & #bcvie
Social Networks - Threats and Trends - #bchh10 & #bcvie
 

Destaque

Academic calendar 2012
Academic calendar 2012Academic calendar 2012
Academic calendar 2012
rohitsinsan
 
โพรโตคอลกิจกรรมการเรียนการสอน
โพรโตคอลกิจกรรมการเรียนการสอนโพรโตคอลกิจกรรมการเรียนการสอน
โพรโตคอลกิจกรรมการเรียนการสอน
Piyatida Prayoonprom
 
презентация Fly cam Semey
презентация Fly cam Semeyпрезентация Fly cam Semey
презентация Fly cam Semey
Ravil LogOff
 
Academic calendar 2012
Academic calendar 2012Academic calendar 2012
Academic calendar 2012
rohitsinsan
 
Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...
Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...
Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...
Net and Zelda:Internet Stories and Video Games
 
Zelda- Net Art: Από τους ευφυείς ερασιτέχνες στη διεθνή καθιέρωση, Χριστοφή Μ...
Zelda- Net Art: Από τους ευφυείς ερασιτέχνες στη διεθνή καθιέρωση, Χριστοφή Μ...Zelda- Net Art: Από τους ευφυείς ερασιτέχνες στη διεθνή καθιέρωση, Χριστοφή Μ...
Zelda- Net Art: Από τους ευφυείς ερασιτέχνες στη διεθνή καθιέρωση, Χριστοφή Μ...
Net and Zelda:Internet Stories and Video Games
 
Zelda : Προς μια κριτική προσέγγιση των MMORPGs: Δομή ή δράση; Ελίνα Ροϊνιώτη
Zelda : Προς μια κριτική προσέγγιση των MMORPGs: Δομή ή δράση; Ελίνα ΡοϊνιώτηZelda : Προς μια κριτική προσέγγιση των MMORPGs: Δομή ή δράση; Ελίνα Ροϊνιώτη
Zelda : Προς μια κριτική προσέγγιση των MMORPGs: Δομή ή δράση; Ελίνα Ροϊνιώτη
Net and Zelda:Internet Stories and Video Games
 
Net: Θεωρητικές και Μεθοδολογικές Εξελίξεις στο Web 2.0
Net: Θεωρητικές και Μεθοδολογικές Εξελίξεις στο Web 2.0Net: Θεωρητικές και Μεθοδολογικές Εξελίξεις στο Web 2.0
Net: Θεωρητικές και Μεθοδολογικές Εξελίξεις στο Web 2.0
Net and Zelda:Internet Stories and Video Games
 
Zelda: Παιχνίδια σοβαρού σκοπού για κοινωνικά και μαθησιακά προβλήματα στο σχ...
Zelda: Παιχνίδια σοβαρού σκοπού για κοινωνικά και μαθησιακά προβλήματα στο σχ...Zelda: Παιχνίδια σοβαρού σκοπού για κοινωνικά και μαθησιακά προβλήματα στο σχ...
Zelda: Παιχνίδια σοβαρού σκοπού για κοινωνικά και μαθησιακά προβλήματα στο σχ...
Net and Zelda:Internet Stories and Video Games
 
Zelda: Τα δομικά στοιχεία ενός video game, Γιώργος Χιώτης
Zelda: Τα δομικά στοιχεία ενός video game, Γιώργος ΧιώτηςZelda: Τα δομικά στοιχεία ενός video game, Γιώργος Χιώτης
Zelda: Τα δομικά στοιχεία ενός video game, Γιώργος Χιώτης
Net and Zelda:Internet Stories and Video Games
 
Zelda: Η κατάσταση του game industry στην Ελλάδα σήμερα,HGDA, Γιώργος Καζαμίας
Zelda: Η κατάσταση του game industry στην Ελλάδα σήμερα,HGDA, Γιώργος ΚαζαμίαςZelda: Η κατάσταση του game industry στην Ελλάδα σήμερα,HGDA, Γιώργος Καζαμίας
Zelda: Η κατάσταση του game industry στην Ελλάδα σήμερα,HGDA, Γιώργος Καζαμίας
Net and Zelda:Internet Stories and Video Games
 
Net: Ψηφιακός Ακτιβισμός: Οι νέες τεχνολογίες στην υπηρεσία των ανθρωπίνων δι...
Net: Ψηφιακός Ακτιβισμός: Οι νέες τεχνολογίες στην υπηρεσία των ανθρωπίνων δι...Net: Ψηφιακός Ακτιβισμός: Οι νέες τεχνολογίες στην υπηρεσία των ανθρωπίνων δι...
Net: Ψηφιακός Ακτιβισμός: Οι νέες τεχνολογίες στην υπηρεσία των ανθρωπίνων δι...
Net and Zelda:Internet Stories and Video Games
 

Destaque (16)

Academic calendar 2012
Academic calendar 2012Academic calendar 2012
Academic calendar 2012
 
โพรโตคอลกิจกรรมการเรียนการสอน
โพรโตคอลกิจกรรมการเรียนการสอนโพรโตคอลกิจกรรมการเรียนการสอน
โพรโตคอลกิจกรรมการเรียนการสอน
 
ครูผู้ช่วย
ครูผู้ช่วยครูผู้ช่วย
ครูผู้ช่วย
 
La contribució de les tic a l’ensenyament i
La contribució de les tic a l’ensenyament iLa contribució de les tic a l’ensenyament i
La contribució de les tic a l’ensenyament i
 
презентация Fly cam Semey
презентация Fly cam Semeyпрезентация Fly cam Semey
презентация Fly cam Semey
 
Academic calendar 2012
Academic calendar 2012Academic calendar 2012
Academic calendar 2012
 
Attitude
AttitudeAttitude
Attitude
 
Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...
Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...
Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...
 
Zelda- Net Art: Από τους ευφυείς ερασιτέχνες στη διεθνή καθιέρωση, Χριστοφή Μ...
Zelda- Net Art: Από τους ευφυείς ερασιτέχνες στη διεθνή καθιέρωση, Χριστοφή Μ...Zelda- Net Art: Από τους ευφυείς ερασιτέχνες στη διεθνή καθιέρωση, Χριστοφή Μ...
Zelda- Net Art: Από τους ευφυείς ερασιτέχνες στη διεθνή καθιέρωση, Χριστοφή Μ...
 
Zelda: Το Παιχνίδι και ο Παίκτης: Ελεύθερη βούληση και αναδυόμενες συμπεριφορ...
Zelda: Το Παιχνίδι και ο Παίκτης: Ελεύθερη βούληση και αναδυόμενες συμπεριφορ...Zelda: Το Παιχνίδι και ο Παίκτης: Ελεύθερη βούληση και αναδυόμενες συμπεριφορ...
Zelda: Το Παιχνίδι και ο Παίκτης: Ελεύθερη βούληση και αναδυόμενες συμπεριφορ...
 
Zelda : Προς μια κριτική προσέγγιση των MMORPGs: Δομή ή δράση; Ελίνα Ροϊνιώτη
Zelda : Προς μια κριτική προσέγγιση των MMORPGs: Δομή ή δράση; Ελίνα ΡοϊνιώτηZelda : Προς μια κριτική προσέγγιση των MMORPGs: Δομή ή δράση; Ελίνα Ροϊνιώτη
Zelda : Προς μια κριτική προσέγγιση των MMORPGs: Δομή ή δράση; Ελίνα Ροϊνιώτη
 
Net: Θεωρητικές και Μεθοδολογικές Εξελίξεις στο Web 2.0
Net: Θεωρητικές και Μεθοδολογικές Εξελίξεις στο Web 2.0Net: Θεωρητικές και Μεθοδολογικές Εξελίξεις στο Web 2.0
Net: Θεωρητικές και Μεθοδολογικές Εξελίξεις στο Web 2.0
 
Zelda: Παιχνίδια σοβαρού σκοπού για κοινωνικά και μαθησιακά προβλήματα στο σχ...
Zelda: Παιχνίδια σοβαρού σκοπού για κοινωνικά και μαθησιακά προβλήματα στο σχ...Zelda: Παιχνίδια σοβαρού σκοπού για κοινωνικά και μαθησιακά προβλήματα στο σχ...
Zelda: Παιχνίδια σοβαρού σκοπού για κοινωνικά και μαθησιακά προβλήματα στο σχ...
 
Zelda: Τα δομικά στοιχεία ενός video game, Γιώργος Χιώτης
Zelda: Τα δομικά στοιχεία ενός video game, Γιώργος ΧιώτηςZelda: Τα δομικά στοιχεία ενός video game, Γιώργος Χιώτης
Zelda: Τα δομικά στοιχεία ενός video game, Γιώργος Χιώτης
 
Zelda: Η κατάσταση του game industry στην Ελλάδα σήμερα,HGDA, Γιώργος Καζαμίας
Zelda: Η κατάσταση του game industry στην Ελλάδα σήμερα,HGDA, Γιώργος ΚαζαμίαςZelda: Η κατάσταση του game industry στην Ελλάδα σήμερα,HGDA, Γιώργος Καζαμίας
Zelda: Η κατάσταση του game industry στην Ελλάδα σήμερα,HGDA, Γιώργος Καζαμίας
 
Net: Ψηφιακός Ακτιβισμός: Οι νέες τεχνολογίες στην υπηρεσία των ανθρωπίνων δι...
Net: Ψηφιακός Ακτιβισμός: Οι νέες τεχνολογίες στην υπηρεσία των ανθρωπίνων δι...Net: Ψηφιακός Ακτιβισμός: Οι νέες τεχνολογίες στην υπηρεσία των ανθρωπίνων δι...
Net: Ψηφιακός Ακτιβισμός: Οι νέες τεχνολογίες στην υπηρεσία των ανθρωπίνων δι...
 

Semelhante a Social networking-website-security-mitigation

State of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLsState of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLs
IOSRjournaljce
 
How to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security ChecklistHow to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security Checklist
Pixel Crayons
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Nelsan Ellis
 
PriGuard: A Semantic Approach to Detect Privacy Violation in Online Social Ne...
PriGuard: A Semantic Approach to Detect Privacy Violation in Online Social Ne...PriGuard: A Semantic Approach to Detect Privacy Violation in Online Social Ne...
PriGuard: A Semantic Approach to Detect Privacy Violation in Online Social Ne...
IJARIIT
 
Web Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebWeb Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The Web
Zero Science Lab
 

Semelhante a Social networking-website-security-mitigation (20)

Insecure trends in web technologies 2009
Insecure trends in web technologies 2009Insecure trends in web technologies 2009
Insecure trends in web technologies 2009
 
2013 09 liberteks monthly security tips newsletter 518-452-0550
2013 09 liberteks monthly security tips newsletter 518-452-05502013 09 liberteks monthly security tips newsletter 518-452-0550
2013 09 liberteks monthly security tips newsletter 518-452-0550
 
How to Secure your ecommerce website-Threats and tips
How to Secure your ecommerce website-Threats and tipsHow to Secure your ecommerce website-Threats and tips
How to Secure your ecommerce website-Threats and tips
 
Applying web 20 to public health practice
Applying web 20 to public health practiceApplying web 20 to public health practice
Applying web 20 to public health practice
 
Browser Security ppt.pptx
Browser Security ppt.pptxBrowser Security ppt.pptx
Browser Security ppt.pptx
 
State of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLsState of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLs
 
IRJET - Detecting Spiteful Accounts in Social Network
IRJET - Detecting Spiteful Accounts in Social NetworkIRJET - Detecting Spiteful Accounts in Social Network
IRJET - Detecting Spiteful Accounts in Social Network
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
Website Security: A Guide to Defending Your Website
Website Security: A Guide to Defending Your WebsiteWebsite Security: A Guide to Defending Your Website
Website Security: A Guide to Defending Your Website
 
How to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security ChecklistHow to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security Checklist
 
web security
web securityweb security
web security
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
PriGuard: A Semantic Approach to Detect Privacy Violation in Online Social Ne...
PriGuard: A Semantic Approach to Detect Privacy Violation in Online Social Ne...PriGuard: A Semantic Approach to Detect Privacy Violation in Online Social Ne...
PriGuard: A Semantic Approach to Detect Privacy Violation in Online Social Ne...
 
F018123136
F018123136F018123136
F018123136
 
Web 2 0
Web 2 0Web 2 0
Web 2 0
 
Tips for web security
Tips for web securityTips for web security
Tips for web security
 
Tips for web security
Tips for web securityTips for web security
Tips for web security
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Web Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebWeb Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The Web
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?
 

Último

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Último (20)

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Social networking-website-security-mitigation

  • 1. Social Networking Website Security Mitigation The use of social networking site at CDC, such as Facebook and MySpace, increases risk to CDC systems and data via three main mechanisms: 1) Web mail communication, which by-passes enterprise mail filtering, and 2) public comments on blog posts, which are often vulnerable to cross-site scripting (XSS) or blog-phishing attacks, and 3) malicious ‘friends’, whereby those who are accepted as ‘friends’, may change their profiles after being approved to purposely include malicious code, spurious, offensive, inappropriate or political content. Social networking sites and other Web 2.0 technologies offer health communicators powerful new channels to deliver relevant and targeted health messages, often through trusted sources, when, where and how users want information. Since these technologies are newly emerging and are unfortunately prone to security vulnerabilities and attack vectors, mitigating these risks to protect the CDC network remains paramount to OCISO and the programs alike. This document aims to outline the steps of risk assessment for individual sites and recommendations for mitigating these known risks when they are present. OCISO makes two general recommendations1 regarding social networking sites and the first two main vulnerability classes: Do not use the Web mail portion of these sites. Disable comments on blogs and other public commenting sections. OCISO does not offer recommendations regarding the third vulnerability, malicious ‘friends’. Web Mail: Most functions of social networking sites are usually available even when Web mail is not used or blocked by Websense. When possible, this is the recommended route, not only in terms of security, but also convenience. If possible, have incoming mail automatically redirected to a specific, group CDC account, since it would allow the regular enterprise mail filters to scan the incoming mail traffic. If Web mail is required to effectively use the site, then a computer off the CDC network will have to be used to manage and maintain the site. This requires separate hardware and connection to the Internet. Public Comments: OCISO recommends that comments be disabled. Even moderated comments pose a risk to the CDC network, since each of the comments have to be opened and evaluated by someone on a CDC network computer. There is no way to moderate the comments without the moderator’s system being in jeopardy. However, not allowing comments on blog posts and other content not only is contrary to the very nature of these peer-to-peer communications platforms and thereby reducing the site’s effectiveness, often a
  • 2. negative backlash is encountered, which undermines the effectiveness of our communications efforts. From a communications perspective, we recommend allowing comments, but having all comments moderated. A special computer off the CDC network will be required to manage and maintain the site. This necessitates the purchase of separate hardware and connection to the Internet. Malicious ‘Friends’: Once friends are approved on a social networking profile, vigilance is required to make sure that the friend’s profile hasn’t changed to include inappropriate content, an inappropriate profile image or malicious code. The simple act of reviewing proposed friends may make the administrator’s system vulnerable to attack. Although most users of such social networking site already understand this, disclaimers about friends and content on their profiles should be posted. Clear policies about accepting friends should be posted as well. Some sites such as MySpace allow you to control which friends get listed on your main profile page, whereas others such as Facebook randomly place any of your friends on the main page, in which case, care must be taken in approving friends. This vulnerability is the same as attacks whereby developers work to get a site high in Google or other search engine results, and then changing the content of their pages to purposely introduce attacks. Again, the main recommendation is to use computer resources off the CDC network to manage and maintain the profile. This requires separate hardware and connection to the Internet. Primary recommendations: Since most Web 2.0 technologies are still emerging and secure coding practices are not industry-wide, it is recommended to do a risk assessment for each social networking, Web 2.0 community you wish to use for official CDC communications to determine whether Web mail and public comments are allowed and are necessary. Most times they are either required or greatly preferred, and in those cases the only way to currently protect the CDC network is to manage and maintain these sites on hardware off the CDC network. Programs must work with OCISO to develop appropriate Rules of Behavior (ROB) for those who will use the special hardware to manage these profiles. These ROB will include provisions of not connecting the hardware to the CDC network, trying to reenable ports if OCISO has blocked them, or moving files from the system to the network directly in any way. Special connections to the Internet must be acquired, which is usually a wireless Internet card. If DSL, cable or T1 connections are required, then the program must also include ITSO in on the discussions at an early stage. Programs should develop a system to regularly and systematically review the URLs in any comment for XSS on the destination. Those who do the scanning and review should be trained on how to look for suspicious XSS type of code in a page. The use of automated tools are generally restricted by license agreements.
  • 3. Programs should also develop a system to regularly and systematically review the profile pages of friends as well, to ensure that content has not changed since initial acceptance and that those profiles have not been compromised. Programs should also routinely scan the security environment and vulnerabilities databases to stay breast of the changing security landscape associated with these sites. System Definition and Boundaries: Until these sites can be made more secure across the board, it is not recommended at this time to treat the information published to these systems as information of record or official. Disclaimers should be made on the profiles of each of these sites to state that official CDC information can be found at CDC.gov and that in the case of any discrepancies that the content on CDC.gov be considered correct. Even though clear system boundaries are established, programs participating in the spaces must assume the risk that content may be subject to attack and change, since ITSO and OCISO do not maintain these systems. It is not recommended to use these social networks to gather personal information or to be used for private or secure communications. Social Networks Site Analyses: MySpace: Since this site relies on Web mail to solicit and accept friends and the blog moderating functions have been known to have XSS vulnerabilities in the past, it is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO. Facebook: Since this site allows blog posts and there is limited or no control over which of your friends appear on your home page, it is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO. Twitter: An interesting site in terms of social networking in that comments and posts are allowed, but are limited to 140 characters with no HTML or JS allowed. Hyperlinks are allowed and are automatically converted to the actual HTML code by the system. Eg – http://www.cdc.gov becomes <a href=http://www.cdc.gov>http://www.cdc.gov</a> automatically. Comments are designed to be sent by SMS messaging, which is text based. Requests for followers come through email and can be accepted without Web mail. Whereas it does seem to be secure against XSS exploits, the site does rely on AJAX technologies and can be used to post links to malicious sites. In order to vet these links, they must be followed, which would put the system at risk. It is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO. DailyStrength: This site relies on Web mail to solicit and accept friends, allows blog comments and has limited to no control over which of your friends show up on your main profile page. It is recommended that to use this site for CDC communications, it be
  • 4. done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO. YouTube: This site allows comments on videos and has limited to no control over which of your friends show up on your main profile page. It is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO. Flickr: This site allows comments and has limited to no control over which of your friends show up on your main profile page. It is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO.