Lecture 9 11/21/2012 Security in Social Media Dr. Barbara Endicott-Popovsky Ilanko Subramaniam IMT551
Week 9 Security in Social Media – MSIM group
• Students Assemble at Portal 5:30-5:40
• Lecture: Security in Social Media 5:40-6:10, Barbara Endicott-Popovsky
• Mentor Briefing 6:10-6:15
• Group Activity: Cybersecurity Challenge 6:15-6:35. Students led by Stylianos or Cooper, respectively. Cooper will be the floating Mentor, available to assist should the need arise.
• Regroup 6:35–6:45. Final return to plaza for dismissal by Barbara. Students are instructed to log off the island and encouraged to return at a later date for independent exploration.
Week 9 Security in Social Media – PCE Group
• Students Assemble at Portal 6:00-6:10
• Lecture: Security in Social Media 6:10-6:40, Barbara Endicott-Popovsky
• Mentor Briefing 6:40-6:45
• Group Activity: Cybersecurity Challenge 6:45-7:15. Break students into two groups, led by Stylianos or Cooper, respectively. Cooper will be the floating Mentor, available to assist should the need arise.
• Regroup 7:15–7:25. Final return to plaza for dismissal by Barbara. Students are instructed to log off the island and encouraged to return at a later date for independent exploration.
IT'S TIME FOR ANOTHER AGORA
• WHEN: MEETING Friday, December 7, 2012, 8:30 AM to 12:30 PM
• WHERE: WE ARE MEETING ON THE UW SEATTLE CAMPUS (different location than last time!): Husky Union Building (HUB) South Ballroom, just re-opened after a lengthy remodel. UW Campus, Seattle, Washington. www.washington.edu/home/maps/
• CONTACT: Kirk Bailey - email@example.com; Ann Nagel - firstname.lastname@example.org; Daniel Schwalbe - email@example.com
• TIMELY TOPICS, PROFESSIONAL NETWORKING, FREE PASTRIES AND HOT COFFEE. What more could you want on a Friday morning? We need to be working together and sharing information about our common challenges. In the Pacific Northwest, the Agora has a long history of being one of the best opportunities for professional networking for folks working in the cyber-security field. There are plenty of reasons to take some of your valuable time to attend the meeting. It's happening on a beautiful university campus in a comfortable venue. There will be a few hundred fun people, interesting presentations, free coffee and goodies, and timely conversations with all manner of security and privacy experts.
• AGENDA
• 9:00am - WELCOME AND ANNOUNCEMENTS
• 9:15am - "CYBER-THREAT BRIEFING: IRAN"
• PRESENTATION BY: KIRK BAILEY. It's a very small world. Despite how difficult it may be, assessing and understanding the current cyber-based threats posed by various nations' political, economic, and strategic interests is an evolving responsibility for security professionals. Planned and targeted attacks against both public and private sector organizations around the world are now part of the daily grind. Based on open source information, conversations with professionals across the country, and UW's operational experience, Mr. Bailey has developed a briefing about Iran's interests on our networks.
• Bio: Since 2005, Kirk Bailey has been the University of Washington's CISO.
Prior to his current position, he was the first CISO for the City of Seattle and held similar positions in the healthcare and financial sectors. Kirk is a strong advocate for re-thinking the industry's current practices and approach to cyber-security. With the founding and sustainment of the Agora since 1995, he has demonstrated his ongoing belief in trusted information sharing as a cornerstone for shaping the appropriate protection strategies for network-accessible assets and critical services.
• 10:15am - "ANATOMY OF AN ATTACK - AGORA EDITION"
• PRESENTATION BY: CHESTER WISNIEWSKI. Chester Wisniewski will explain his expert views regarding "the who, what, why and how" of cybercrime. Mr. Wisniewski has consolidated the lessons learned by Sophos researchers from around the globe into an entertaining and informative presentation highlighting the changing threat landscape and the methods utilized to thwart our defenses.
• Bio: Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He has over 15 years of experience designing, implementing and consulting on network security and related technologies. Since joining Sophos in 2003, Chester has worked exclusively in security-related engineering work. He works closely with SophosLabs to study threats in depth and provide timely information on how best to secure networks and data against evolving threats.
Cont'd.
• 11:15am - "CATCHING AND PROSECUTING THE BAD ACTORS"
• PRESENTATION BY: KATHRYN WARMA, DAVID DUNN, AND CHRIS HANSEN. AUSA Warma, Detective Dunn and Detective Hansen will describe the chronology of the investigation, arrest and prosecution of three defendants recently sentenced in Seattle, Washington for their participation in a complex network intrusion, fraud and identity theft scheme. This scheme involved a variety of tactics, from primitive burglaries to innovative "war-driving" seeking vulnerable networks. The theme of this discussion is the importance of victim reporting and of building working trust relationships with law enforcement to identify, track, and apprehend targets.
• Bio: Assistant United States Attorney Kathryn Warma is a "CHIP" (Computer Hacking and Intellectual Property) prosecutor for the U.S. Attorney's Office in the Western District of Washington. During her past decade as a CHIP, Ms. Warma has prosecuted cases involving Internet fraud, Internet threats and stalking, theft of computer code, sales of counterfeit software, P2P-based fraud, botnets, criminal spamming, and assorted flavors of hacking.
• Bio: David Dunn is a 12-year veteran of the Seattle Police Department and has been assigned to the U.S. Secret Service Electronic Crimes Task Force for the past six years. During this time he has investigated numerous online and financial crimes. His investigations have focused on international cyber criminals and have included all forms of network intrusion, abuse and fraud cases.
• Bio: In six years as a Fraud Detective for the Seattle Police Department, Chris Hansen has investigated criminal activity ranging in complexity from check forgery, credit card fraud and embezzlement to identity theft, insurance fraud, securities fraud and mortgage fraud. As a member of the E-Crimes Task Force, Mr. Hansen investigates skimming cases, identity theft, network intrusion and POS hacking cases. Additionally, Mr. Hansen provides digital forensic support to the Seattle Police Department and other agencies participating in the E-Crimes Task Force.
• The 2013 AGORA Meeting Dates - Mark Your Calendars! March 29th, 2013; June 28th, 2013; September 6th, 2013; December 6th, 2013
• You are receiving this email through the AGORA email list. If you do not wish to receive future AGORA announcements, please send email to firstname.lastname@example.org requesting removal.
• Please do not distribute this announcement or post online without express permission from one of the Agora contacts listed above.
IA Reporting: throughout the process (spans Modules 1 through 5)
IA Reporting
• Corporate Reporting
  – Audience
    • External entities and government and regulatory bodies
    • Executive Management
    • Key stakeholders and employees
  – Type of reporting
    • Policy compliance
    • Risk management
    • Incident management
    • Health index
• Self Reporting
• System Reporting
Types of Reports: You need a plan
• General corporate
• Compliance
• Incidents, flaws, malicious activities
• Explore the Office of the CISO website to get a sense of how UW organizes its reporting function: http://ciso.washington.edu/
SECURITY IN SOCIAL MEDIA: A generational problem?
Employer's View: Pluses and Minuses of Social Media (…read Facebook)
Pluses
• Marketing reach
• Opinion making
• Human resource research
• Intelligence gathering
• Situational awareness
• Collaboration
• A plus for Gen Y workers
Minuses
• Information breach, data release
• Employee rants, liability issues?
• Data management for litigation
• Control?
• How? Mobile devices
• Lose Gen Y workers
• Kids
Controls
• Employee Orientation
• Pervasive awareness training
  • Culture of online safety
  • Example: Boeing online awareness program
• Policy
  • Leverage awareness
  • Example: City of Seattle's Social Media Policy site: http://www.seattle.gov/pan/SocialMediaPolicy.htm
What about the kids?
• 'Every pedophile has a Facebook account' – CISO, corrections systems, SecureWorld 2011
• Resources for parents/teachers:
  • Safe and Secure Online – https://cyberexchange.isc2.org/safe-secure.aspx
  • Stay Safe Online – http://www.staysafeonline.org/
  • Internet Crimes Against Children Task Force – https://www.thecjportal.org/ICAC/Pages/Resources.aspx
  • Look Both Ways Online Safety – http://look-both-ways.org/
What is at risk for you, personally?
• Time and effort
  • repair damage
  • deal with consequences
  • prevent re-occurrence
• Computing resources
  • bandwidth
  • CPU
  • storage
• In-game and real-world resources
  • money
  • sensitive data
  • identity
• Things more sinister?
Set Your "Evil Bit"* to 1
Would you have thought of these attacks?
• Facebook "Error check system"
• Facebook "get rich quick" scams – only $1 down – how can you lose?
• Clickjacking (invisible objects)
• Would you like Bots with that?
*See RFC 3514 – The Security Flag in the IPv4 Header
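Clickjacking works by loading a target page inside an invisible frame so the victim's clicks land on controls they cannot see; the page-side defence is to tell the browser the page may not be framed, via the `Content-Security-Policy: frame-ancestors` directive or the older `X-Frame-Options` header. The following Python is an added illustration (not from the lecture slides): a small checker that reads a response's headers, as a site owner or auditor would when reviewing their own application, and reports whether framing by other origins is actually blocked. It assumes headers are supplied as a plain dictionary; the sample responses at the bottom are constructed.

```python
"""Check an HTTP response's headers for clickjacking (framing) protection.

Added example; header names and precedence follow the CSP Level 2 and
X-Frame-Options specifications (frame-ancestors wins when both are present).
"""


def parse_csp(value):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def framing_protection(headers):
    """Return (protected, reason) for a dict of response headers.

    'protected' is True only when the browser is told to refuse framing by
    arbitrary origins; the reason string explains which header decided it.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors takes precedence over X-Frame-Options in browsers
    # that support it, so check it first.
    csp = lower.get("content-security-policy")
    if csp:
        sources = parse_csp(csp).get("frame-ancestors")
        if sources is not None:
            bare = [s.strip("'").lower() for s in sources]
            if "*" in bare:
                return False, "CSP frame-ancestors * allows any origin to frame the page"
            return True, "CSP frame-ancestors " + " ".join(sources)

    xfo = lower.get("x-frame-options")
    if xfo:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return True, "X-Frame-Options " + value
        if value.startswith("ALLOW-FROM"):
            # ALLOW-FROM is ignored by current browsers, leaving the page frameable.
            return False, "X-Frame-Options ALLOW-FROM is unsupported; use CSP frame-ancestors"
        return False, "unrecognized X-Frame-Options value " + repr(xfo)

    return False, "no framing restriction; page can be embedded in an invisible iframe"


# Constructed sample responses: one weak, one hardened.
WEAK_RESPONSE = {"Content-Type": "text/html", "Set-Cookie": "session=abc; HttpOnly"}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        ok, why = framing_protection(resp)
        print(f"{name}: {'protected' if ok else 'EXPOSED'} ({why})")
```

Run it as a script to see the weak response flagged and the hardened one accepted; in practice the same function can be pointed at headers captured from a site's own responses.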
Security and Trust in Virtual Worlds
• Some ways to attempt to maintain trust
  – eBay ratings
  – Craigslist community flagging
  – Second Life Abuse
• Some ideas to manage identity in VWs
  • VW user agreement
  • VW side channels
  • VW security zones
  • Certification/verification of avatars
User Agreements
• End User License Agreements (EULAs)
  – What are they?
  – Who reads them anyway?
• Types of Virtual World EULAs?
  • VW alternatives to the EULA scheme
  • Degrees of protection
Side Channels
• Processes outside of the virtual world that can be used to help achieve authentication goals
• Side channels could provide a "trusted path" to exchange information.
• Two main types:
  • Prior to Virtual World interaction
  • During Virtual World interaction
Security Zones
• Segregated areas within the VW
  • Corporate clients
    » Example: Training/Education, highly valued services
  • Second Life – Private Regions
    – $1,000 purchase, $295/mo maintenance
    – Secure intranet space
    – Restricted or open
• Cost to clients and VW vendors
Virtual World Authentication
• 'SSL-like' authentication for the Avatar
• Accreditation handled by the requesting agency
• Questions:
  • How does the VW display the accreditation flag?
  • Potential pitfalls?
Remember not to trust anyone? What starts off in the VW can have significant consequences in the real world.
http://website-tools.net/google-keyword/site/oddorama.com/
Final Projects
• Presentations Nov 28
  • # of minutes dependent on # of teams (quick count—help me here!)
  • Faculty presiding
    » MGH 271 Board of Directors, Board Chairman Ginger Armbruster
    » PCE: Ilanko, Board of Directors
  • Industry audience members
• Reports Dec 5
NEXT WEEK - MSIM PRESENTATION OF FINAL PROJECTS, 11/28
GUEST APPEARANCE: A CISO's Top Concerns. Kirk Bailey, CISO, University of Washington; Board Leader of Agora; Cybersecurity pioneer.
LAB (MSIM): Final Presentations to Board of Directors. Tracy Kosa, Sr. Strategist, Privacy and Online Safety; Trustworthy Computing, Microsoft Corporation; Doctoral Candidate, Computer Science, Faculty of Science, University of Ontario Institute of Technology.
-------------------------------------------------------------------
GUEST LECTURE VIDEO: Information Security Challenges of the 21st Century. Ming-Yuh Huang, Technical Fellow, The Boeing Company and Program Director, Boeing IA ks R&D. http://www.engr.washington.edu/edge/aut06/lis498L4.asx
This week's guest lecturer addresses the trends in IA into the 21st Century based on his experience at a large manufacturing company. Pop the URL in your browser and watch at your convenience.
DUE: Final Project Presentations and Reports
NEXT WEEK - PCE PRESENTATION OF FINAL PROJECTS, 11/28. Reading: Mather, et al. 10, Chapter 9-10.
GUEST APPEARANCE: A CISO's Top Concerns. Herb Canfield, Security, The Boeing Company.
LAB (Ilanko): Final Presentations
-------------------------------------------------------------------
GUEST LECTURE VIDEO: Information Security Challenges of the 21st Century. Ming-Yuh Huang, Technical Fellow, The Boeing Company and Program Director, Boeing IA ks R&D. http://www.engr.washington.edu/edge/aut06/lis498L4.asx
This week's guest lecturer addresses the trends in IA into the 21st Century based on his experience at a large manufacturing company. Pop the URL in your browser and watch at your convenience.
DUE: Final Project Presentations and Reports