This keynote was presented by Scott Wright on June 19, 2009 to the Ottawa Centre for Research and Innovation. It provides a quick view of some of the major risks from using Social Networking Tools, and some tips for how to reduce those risks through security awareness.
Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009
1. Social Networking Security
How to Manage the Information Security Risks of Facebook, LinkedIn and Other Web Marketing Tools
“Don’t Leave the Keys to the Kingdom Under the Door Mat”
by Scott Wright, The Streetwise Security Coach
June 19, 2009
Ottawa Carleton Research and Innovation
3. Social Networking Security Agenda
When you let another entity control your data
Important Risks and Tips for users
Insider Risks to Organizations
A New Approach to Security Awareness
Summary
Questions and Answers
4. When You Are Not In Control Of Your Data
Prevention of risks is not always possible
Reaction is the other alternative
Planned reactions are best!
ALWAYS KNOW YOUR ASSETS!
REPUTATION
5. Risk #1 - Bogus Profiles
Over 40% of new Facebook profiles are fake
To initiate ID Theft and Phishing attacks
Accepting invitations allows more access to info
Tip 1: #Strangers – Don’t accept invitations from strangers
Hard to prevent in Twitter unless you block followers (not considered sociable)
Don’t feel obligated to reciprocate with strangers
6. Risk #2 - Too Much Info
The SN value proposition is information sharing
“LinkedIn” - defaults for outsider access are not bad
“Facebook” - defaults very open
Twitter - no expectation of privacy anyway
Try this: go to your Facebook account and search for: <any company name in your city or area> and “Software” or “Technology”
From the list of results click until you find one that has all their profile information visible... there are usually many!
Can lead to guessed passwords or recovery questions
7. Sarah’s Hacker: Just a heartbeat away…
“…it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!) the second was somewhat harder, the question was “where did you meet your spouse?”
8. Security Tip #2 - #Settings and #Sensitivity
#Settings –
Check your profile’s privacy settings
Facebook – “Friends Only” in “Settings”
Free guide to privacy settings
LinkedIn – check the defaults (Account & Settings)
#Sensitivity – Remember, Mom may be watching!
9. Risk #3: Deception
Identity Thieves, Hackers, Corporate Spies
Which site is likely to be least dangerous?
http://contest.microsoft.com.cn/windows7.html
http://tinyurl.com/windowscontest
http://www.2months-interestfree.com
They can ALL be dangerous!
Malware spreads 10 times faster on Social Networks!
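An added example (not from the slides) of the checks a reader can apply to the three links above before clicking. It parses each URL, separates the registered domain from the rest of the hostname, and flags what the slide warns about: a shortener that hides the destination, a brand name sitting in a hostname whose registered domain is not one of that brand's own, an unfamiliar domain, and a plain-HTTP link. The brand list, shortener list, trusted-site list and the small public-suffix set are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# All lists below are constructed for this example and are assumptions, not
# content from the slides: a few domains the reader has verified as belonging to
# a brand, public URL shorteners that hide the real destination, and the sites
# the reader already uses and trusts.
KNOWN_BRAND_DOMAINS = {"microsoft": {"microsoft.com"}}
URL_SHORTENERS = {"tinyurl.com", "bit.ly"}
TRUSTED_DOMAINS = {"microsoft.com", "facebook.com", "linkedin.com"}

# Two-label public suffixes, so "microsoft.com.cn" counts as one registrable
# domain. A real tool would load the full Public Suffix List; this small set is
# an assumption that covers the slide's URLs.
TWO_LABEL_SUFFIXES = {"com.cn", "co.uk", "com.au"}

# The three links from the slide, used as sample input.
SLIDE_URLS = [
    "http://contest.microsoft.com.cn/windows7.html",
    "http://tinyurl.com/windowscontest",
    "http://www.2months-interestfree.com",
]


def registrable_domain(host):
    """Return the part of a hostname that somebody actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_url(url):
    """Return the reasons a link deserves suspicion before it is clicked.

    An empty list does not mean the link is safe; it only means none of these
    simple checks fired. The slide's point stands: verify before trusting.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname could be parsed"]
    domain = registrable_domain(host)
    reasons = []

    if domain in URL_SHORTENERS:
        reasons.append("URL shortener: the real destination is hidden until you click")

    # A brand name inside the hostname proves nothing; only the registrable
    # domain says who controls the site. "contest.microsoft.com.cn" is
    # controlled by whoever registered microsoft.com.cn, not by microsoft.com.
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in host and domain not in domains:
            reasons.append(
                f"'{brand}' appears in the hostname but the registered domain is "
                f"{domain}, not one of {sorted(domains)}"
            )

    if domain not in TRUSTED_DOMAINS and domain not in URL_SHORTENERS:
        reasons.append(f"unfamiliar domain {domain}: confirm it through a channel you already trust")

    if parts.scheme != "https":
        reasons.append("not HTTPS: the page can be read or altered in transit")

    return reasons


def audit(urls):
    """Map each URL to its list of reasons; every slide link gets at least one."""
    return {url: inspect_url(url) for url in urls}


if __name__ == "__main__":
    for url, reasons in audit(SLIDE_URLS).items():
        print(url)
        for reason in reasons:
            print("  -", reason)
```

Running it lists at least one reason for each of the slide's three links, which is the slide's answer: none of them can be judged safe from the URL alone.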
10. The Honey Stick Project
Simulating a potentially dangerous risk decision
E.g. Conficker worm
Over 60% made the wrong risk decision
Over 80% of data breaches have internal causes - Ponemon Institute
11. Security Tip #3 - #Suspicion
#Suspicion
Be suspicious of unexpected messages and unknown links (or devices!)
Unexpected changes in patterns, wordings
Single sources of info
Get help from security tools: firewalls, antivirus
12. Risk #4 - Account Hijacking / ID Theft
Poor password practices
Weak passwords, used everywhere
“Blending” of business/personal
Most common passwords (2006, from Bruce Schneier): password1, abc123, myspace1, password, Blink182, qwerty1
Best password? “dokitty17darling7g7darling7”
The more information you have in one account, or protected by the same password, the greater the risk!
13. Security Tip #4 - #Separate Accounts
#Separate accounts for business and personal use
Different passwords across accounts
Special characters in the middle of words
Password Management Programs
Keepass (www.keepass.info)
Onepassword (agilewebsolutions.com)
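An added example (not from the slides, and not code from either password manager named above) of the kind of audit a password manager runs over a stored vault. It finds passwords reused across accounts, notes when the reuse spans business and personal accounts, computes the blast radius of one leaked password (the slide's "protected by the same password" risk made concrete), and checks the two password tips above: not on the common-password list, and a special character inside the word rather than only at the ends. The vault contents are constructed sample data.

```python
from collections import defaultdict

# A constructed vault for this example (not data from the slides). A real
# password manager keeps these entries encrypted; they are plaintext here only
# so the audit logic is visible.
SAMPLE_VAULT = [
    {"account": "corp-email", "kind": "business", "password": "Blink182"},
    {"account": "crm",        "kind": "business", "password": "T3rrace!river"},
    {"account": "facebook",   "kind": "personal", "password": "Blink182"},
    {"account": "twitter",    "kind": "personal", "password": "myspace1"},
    {"account": "bank",       "kind": "personal", "password": "gr@nite-heron-47"},
]

# The most common passwords listed on the slide (Bruce Schneier, 2006).
COMMON_PASSWORDS = {"password1", "abc123", "myspace1", "password", "Blink182", "qwerty1"}


def reuse_groups(vault):
    """Map each password used more than once to the accounts that share it."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["account"])
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


def blast_radius(vault, account):
    """Accounts that fall together with `account` if its password leaks.

    This is the slide's point in concrete form: the more accounts one
    password protects, the more a single breach exposes.
    """
    pw = next(e["password"] for e in vault if e["account"] == account)
    return sorted(e["account"] for e in vault if e["password"] == pw)


def has_internal_special(password):
    """True if a non-alphanumeric character sits inside the word, not only at the ends."""
    return any(not ch.isalnum() for ch in password[1:-1])


def audit(vault):
    """Return sorted findings. Passwords themselves are never included in the output."""
    findings = []
    for accts in reuse_groups(vault).values():
        kinds = {e["kind"] for e in vault if e["account"] in accts}
        note = "reused across " + ", ".join(sorted(accts))
        if len(kinds) > 1:
            note += " (mixes business and personal: one breach crosses that line)"
        findings.append(note)
    for e in vault:
        if e["password"] in COMMON_PASSWORDS:
            findings.append(f"{e['account']}: password is on the common-password list")
        elif not has_internal_special(e["password"]):
            findings.append(f"{e['account']}: no special character inside the word")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_VAULT):
        print(finding)
```

On the sample vault the audit reports that one password is shared by a business mailbox and a personal Facebook account, and that three entries use passwords from the slide's common list; blast_radius shows that losing the corp-email password also loses Facebook, while the bank account stands alone.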
14. Risk #5 - Insider Threats
HR issues – absence, harassment, hiring
Abuse of computers and networks for personal use
Theft of data for “insurance against layoffs”
16. Security Tip #5 - #Security Standards
Have #Security standards, policies or rules
Acceptable use, absenteeism, harassment, recruitment screening, risk management
“Stupidity is not protected Information”
- Melanie Polowin (Gowlings)
Communication between execs and IT managers
e.g. Cisco posting policy
http://blogs.cisco.com/news/comments/ciscos_internet_postings_policy/
17. An Alternative Security Awareness Approach
For Business Managers
Leveraging the Internet With Acceptable Risk
For IT Managers
Workflow-based Risk Assessment Process
Beyond lectures
Interactive workshops engage people!
Streetwise Security Awareness means using collaborative techniques to complement a top-down IT security program
18. For More Help
Streetwise Security Zone Collaborative Community
http://www.streetwise-security-zone.com
Scott is “@streetsec” on Twitter:
twitter.com/streetsec
Email scott@streetwise-security-zone.com
Phone 613-693-0997
Dalian Enterprises for Security Products and Services (Matt Gervais)
Email mattg@dalian.ca
Phone 613-234-1995 x390
19. Social Networking Security Summary
Don’t accept invitations from #Strangers
Check privacy #Settings and #Sensitivity
Be #Suspicious of messages and links
Use #Separate Accounts for business and personal, with multiple passwords
Have #Security Standards Policies or Rules on use of Internet
Think #Risk Management by “#Workflow”
20. The Security Awareness Revolution
Human risk decisions are becoming much more important
Technology will lag and leave vulnerabilities
We must educate the people we care about to consider the risks, before they have a breach!
Don’t Leave the Keys to the Kingdom Under the Door Mat!