This keynote was presented by Scott Wright on June 19, 2009 to the Ottawa Centre for Research and Innovation. It provides a quick view of some of the major risks from using Social Networking Tools, and some tips for how to reduce those risks through security awareness.

1. Social Networking Security
How to Manage the Information Security Risks of
Facebook, Linked In and Other Web Marketing Tools
“Don’t Leave the Keys to the Kingdom Under the Door Mat”
by
Scott Wright
The Streetwise Security Coach
June 19, 2009
Ottawa Carleton Research and Innovation
1

2. What Kind Of Day Would It Be For You?
2

3. Social Networking Security Agenda
 When you let another entity control your data
 Important Risks and Tips for users
 Insider Risks to Organizations
 A New Approach to Security Awareness
 Summary
 Questions and Answers
3

4. When You Are Not In Control Of Your Data
 Prevention of risks is not always possible
 Reaction is the other alternative
 Planned reactions are best!
ALWAYS KNOW YOUR ASSETS!
REPUTATION
4

5. Risk #1 - Bogus Profiles
 Over 40% of new Facebook profiles are fake
 To initiate ID Theft and Phishing attacks
 Accepting invitations allows more access to info
 Tip 1: #Strangers –
 Don’t accept invitations from strangers
 Hard to prevent in Twitter unless you block followers (not considered
sociable)
 Don’t feel obligated to reciprocate with strangers
5

6. Risk #2 - Too Much Info
 The SN value proposition is information sharing
 “Linked In” - defaults for outsider access is not bad
 “Facebook” - defaults very open
 Twitter - no expectation of privacy anyway
 Try this: go to your Facebook account and search
for:
 <any company name in your city or area> and
“Software” or “Technology”
 From the list of results click until you find one that has
all their profile information visible... there are usually
many!
 Can lead to guessed passwords or recovery questions
6

7. Sarah’s Hacker: Just a heartbeat away…
“…it took seriously 45 mins on wikipedia and google to find the info,
Birthday? 15 seconds on wikipedia, zip code? well she had always
been from wasilla, and it only has 2 zip codes (thanks online postal
service!) the second was somewhat harder, the question was “where
did you meet your spouse?”
7

8. Security Tip #2 - #Settings and
#Sensitivity
 #Settings –
 Check your profile’s privacy settings
 Facebook – “Friends Only” in “Settings”
 Free guide to privacy settings
 Linked In – check the defaults (Account & Settings)
 #Sensitivity – Remember, Mom may be watching!
8

9. Risk #3: Deception
 Identity Thieves, Hackers, Corporate Spies
 Which site is likely to be least dangerous?
 http://contest.microsoft.com.cn/windows7.html
 http://tinyurl.com/windowscontest
 http://www.2months-interestfree.com
They can ALL be dangerous!
Malware spreads 10 times faster on Social Networks!
9

10. The Honey Stick Project
 Simulating a
potentially dangerous
risk decision
 E.g. Conficker worm
 Over 60% made the
wrong risk decision
 Over 80% of data
breaches have
internal causes
- Ponemon Institute
10

11. Security Tip #3 - #Suspicion
 #Suspicion
 Be suspicious of unexpected messages and
unknown links (or devices!)
 Unexpected changes in patterns, wordings
 Single sources of info
 Get help from security tools: firewalls, antivirus
11

12. Risk #4 - Account Hijacking / ID Theft
 Poor password practices
 Weak passwords, used everywhere
 “Blending” of business/personal
Most common passwords (2006 from
Bruce Schneier):
Best password?
password1
abc123 “dokitty17darling7g7darling7”
myspace1
password
Blink182
qwerty1
The more information you have in one account,
or protected by the same password, the greater the risk!
12

13. Security Tip #4 - #Separate Accounts
 #Separate accounts for business and personal
use
 Different passwords for across accounts
 Special characters in the middle of words
Password Management Programs
Keepass (www.keepass.info)
Onepassword (agilewebsolutions.com)
13

14. Risk #5 - Insider Threats
 HR issues – absence, harassment, hiring
 Abuse of computers and networks for personal use
 Theft of data for “insurance against layoffs”
14

15. Oh yeah? Prove it…
Niresh = HR Kyle = Absentee
15

16. Security Tip #5 - #Security Standards
 Have #Security standards, policies or rules
 Acceptable use, absenteeism, harrassment,
recruitment screening, risk management
 “Stupidity is not protected Information”
- Melanie Polowin (Gowlings)
 Communication between execs and IT
managers
e.g. Cisco posting policy
http://blogs.cisco.com/news/comments/ciscos_internet_postings_policy/
16

17. An Alternative Security Awareness Approach
 For Business Managers
 Leveraging the Internet With Acceptable Risk
 For IT Managers
 Workflow-based Risk Assessment Process
 Beyond lectures
 Interactive workshops engage people!
Streetwise Security Awareness means using
collaborative techniques to complement a top-
down IT security program
17

18. For More Help
 Streetwise Security Zone Collaborative Community
 http://www.streetwise-security-zone.com
 Scott is “@streetsec” on Twitter:
twitter.com/streetsec
 Email scott@streetwise-security-zone.com
 Phone 613-693-0997
 Dalian Enterprises for Security Products and
Services (Matt Gervais)
 Email mattg@dalian.ca
 Phone 613-234-1995 x390
18

19. Social Networking Security Summary
 Don’t accept invitations from #Strangers
 Check privacy #Settings and #Sensitivity
 Be #Suspicious of messages and links
 Use #Separate Accounts for business and
personal, with multiple passwords
 Have #Security Standards Policies or Rules on
use of Internet
 Think #Risk Management by “#Workflow”
19

20. The Security Awareness Revolution
 Human risk decisions are becoming much more
important
 Technology will lag and leave vulnerabilities
 We must educate the people we care about to
consider the risks, before they have a breach!
Don’t Leave the Keys to the Kingdom
Under the Door Mat!
20