Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009


This keynote was presented by Scott Wright on June 19, 2009 to the Ottawa Centre for Research and Innovation. It provides a quick view of some of the major risks from using Social Networking Tools, and some tips for how to reduce those risks through security awareness.

Published in: Technology, News & Politics
Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009

  1. Social Networking Security
     How to Manage the Information Security Risks of Facebook, Linked In and Other Web Marketing Tools
     “Don’t Leave the Keys to the Kingdom Under the Door Mat”
     by Scott Wright, The Streetwise Security Coach, June 19, 2009, Ottawa Carleton Research and Innovation

  2. What Kind Of Day Would It Be For You?

  3. Social Networking Security Agenda
     - When you let another entity control your data
     - Important Risks and Tips for users
     - Insider Risks to Organizations
     - A New Approach to Security Awareness
     - Summary
     - Questions and Answers

  4. When You Are Not In Control Of Your Data
     - Prevention of risks is not always possible
     - Reaction is the other alternative
     - Planned reactions are best!
     ALWAYS KNOW YOUR ASSETS! REPUTATION

  5. Risk #1 - Bogus Profiles
     - Over 40% of new Facebook profiles are fake
       - To initiate ID Theft and Phishing attacks
       - Accepting invitations allows more access to info
     - Tip 1: #Strangers –
       - Don’t accept invitations from strangers
       - Hard to prevent in Twitter unless you block followers (not considered sociable)
       - Don’t feel obligated to reciprocate with strangers

  6. Risk #2 - Too Much Info
     - The SN value proposition is information sharing
       - “Linked In” - defaults for outsider access are not bad
       - “Facebook” - defaults very open
       - Twitter - no expectation of privacy anyway
     - Try this: go to your Facebook account and search for <any company name in your city or area> and “Software” or “Technology”. From the list of results click until you find one that has all their profile information visible... there are usually many!
     - Can lead to guessed passwords or recovery questions

  7. Sarah’s Hacker: Just a heartbeat away…
     “…it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!) the second was somewhat harder, the question was “where did you meet your spouse?”

  8. Security Tip #2 - #Settings and #Sensitivity
     - #Settings – Check your profile’s privacy settings
       - Facebook – “Friends Only” in “Settings” (free guide to privacy settings)
       - Linked In – check the defaults (Account & Settings)
     - #Sensitivity – Remember, Mom may be watching!

  9. Risk #3: Deception
     - Identity Thieves, Hackers, Corporate Spies
     - Which site is likely to be least dangerous?
       - http://contest.microsoft.com.cn/windows7.html
       - http://tinyurl.com/windowscontest
       - http://www.2months-interestfree.com
     They can ALL be dangerous! Malware spreads 10 times faster on Social Networks!

  10. The Honey Stick Project
     - Simulating a potentially dangerous risk decision, e.g. Conficker worm
     - Over 60% made the wrong risk decision
     - Over 80% of data breaches have internal causes - Ponemon Institute

  11. Security Tip #3 - #Suspicion
     - Be suspicious of unexpected messages and unknown links (or devices!)
       - Unexpected changes in patterns, wordings
       - Single sources of info
     - Get help from security tools: firewalls, antivirus
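Slide 9 asks which of three links is least dangerous and slide 11 says to be suspicious of unknown links. The Python link-triage function below is an added example, not part of Scott Wright's deck: it parses a URL, collapses the host to its registrable domain, and lists the reasons a reader should inspect the link before trusting it. The suffix list, shortener list, brand allowlist and lure words are small constructed stand-ins (a real tool would use the Public Suffix List and a maintained allowlist of brand domains), and a flagged link is one to check, not one proven malicious.

```python
from urllib.parse import urlsplit

# All four lists are small constructed stand-ins for this example. A real link-triage
# tool would use the Public Suffix List for registrable domains and a maintained
# allowlist of brand domains.
MULTI_LABEL_SUFFIXES = {"com.cn", "co.uk", "com.au"}
KNOWN_SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}}
LURE_WORDS = ("contest", "free", "prize")

# The three links from slide 9.
SLIDE_URLS = [
    "http://contest.microsoft.com.cn/windows7.html",
    "http://tinyurl.com/windowscontest",
    "http://www.2months-interestfree.com",
]


def registrable_domain(host):
    """Collapse a hostname to the part its owner actually registered.

    'contest.microsoft.com.cn' -> 'microsoft.com.cn'; 'www.example.com' -> 'example.com'.
    """
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def triage_link(url):
    """Return (registrable_domain, findings) for a URL.

    Each finding is a reason to inspect the link before trusting it. An empty
    list means none of these checks fired, not that the link is safe.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host) if host else ""
    findings = []
    if parts.scheme != "https":
        findings.append("not HTTPS")
    if domain in KNOWN_SHORTENERS:
        findings.append("URL shortener hides the real destination")
    for brand, real_domains in BRAND_DOMAINS.items():
        # A brand name inside the hostname is not evidence of ownership: only the
        # registrable domain says who controls the site.
        if brand in host and domain not in real_domains:
            findings.append(
                f"'{brand}' in hostname but registered domain {domain} is not on the {brand} allowlist"
            )
    text = f"{host}{parts.path}?{parts.query}".lower()
    hits = [w for w in LURE_WORDS if w in text]
    if hits:
        findings.append("lure wording: " + ", ".join(hits))
    return domain, findings


if __name__ == "__main__":
    for url in SLIDE_URLS:
        domain, findings = triage_link(url)
        print(url, "->", domain)
        for finding in findings:
            print("   ", finding)
```

Run against the three slide URLs, every one of them produces at least one finding, which is the slide's own answer: they can all be dangerous. The allowlist finding only means the name could not be confirmed from this example's list, so an organisation's real allowlist must include every domain a brand legitimately uses, or the check will flag legitimate regional sites along with lookalikes.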
  12. Risk #4 - Account Hijacking / ID Theft
     - Poor password practices
       - Weak passwords, used everywhere
       - “Blending” of business/personal
     Most common passwords (2006, from Bruce Schneier): password1, abc123, myspace1, password, Blink182, qwerty1
     Best password? “dokitty17darling7g7darling7”
     The more information you have in one account, or protected by the same password, the greater the risk!

  13. Security Tip #4 - #Separate Accounts
     - #Separate accounts for business and personal use
     - Different passwords across accounts
     - Special characters in the middle of words
     Password Management Programs: KeePass (www.keepass.info), 1Password (agilewebsolutions.com)
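Slides 12 and 13 list the most common passwords, show one good one, and recommend separate accounts with different passwords. The Python below is an added example, not from the deck, that turns those tips into two audit checks: `assess_password` tests a candidate against the slide's common-password list, a length floor (12 characters, an assumed value the slides do not state) and the "special characters in the middle of words" advice, and `find_shared_passwords` takes a password-manager export (constructed here) and reports passwords reused across the business/personal boundary.

```python
import hashlib
import string

# Constructed from slide 12's list of most common passwords (2006, from Bruce Schneier).
# A real audit would check against a much larger breached-password corpus.
COMMON_PASSWORDS = {"password1", "abc123", "myspace1", "password", "blink182", "qwerty1"}
MIN_LENGTH = 12  # assumed floor for this example; the slides give no number
SPECIALS = set(string.punctuation)


def assess_password(pw):
    """Return the list of problems found with a candidate password.

    An empty list means it passed these three checks, not that it is strong.
    """
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Slide 13: put special characters (or digits) in the middle of words, not
    # only tacked on at the start or end where guessing tools expect them.
    inner = pw[1:-1]
    if not any(c in SPECIALS or c.isdigit() for c in inner):
        problems.append("no digit or special character inside the word")
    return problems


def find_shared_passwords(accounts):
    """Find passwords reused across the business/personal boundary.

    accounts maps account name -> (category, password), the shape of a password
    manager export. Entries are grouped by SHA-256 digest so the report itself
    never needs to carry the plaintext. Returns a sorted list of account-name
    groups that share one password across more than one category.
    """
    by_digest = {}
    for name, (category, pw) in accounts.items():
        digest = hashlib.sha256(pw.encode("utf-8")).hexdigest()
        by_digest.setdefault(digest, []).append((name, category))
    hits = []
    for entries in by_digest.values():
        if len({category for _, category in entries}) > 1:
            hits.append(sorted(name for name, _ in entries))
    return sorted(hits)


# Constructed sample export; every value here is made up for the example.
SAMPLE_ACCOUNTS = {
    "work-linkedin": ("business", "password1"),
    "work-email": ("business", "dokitty17darling7g7darling7"),
    "facebook": ("personal", "password1"),
    "personal-email": ("personal", "Blink182"),
}

if __name__ == "__main__":
    for name, (category, pw) in SAMPLE_ACCOUNTS.items():
        print(name, category, assess_password(pw) or "ok")
    print("reused across categories:", find_shared_passwords(SAMPLE_ACCOUNTS))
```

On the sample export the slide's "best password" passes all three checks, the two common passwords fail, and the reuse check reports the one password shared between a business and a personal account, which is exactly the blending slide 12 warns about.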
  14. Risk #5 - Insider Threats
     - HR issues – absence, harassment, hiring
     - Abuse of computers and networks for personal use
     - Theft of data for “insurance against layoffs”

  15. Oh yeah? Prove it…
     Niresh = HR   Kyle = Absentee

  16. Security Tip #5 - #Security Standards
     - Have #Security standards, policies or rules: acceptable use, absenteeism, harassment, recruitment screening, risk management
     - “Stupidity is not protected Information” - Melanie Polowin (Gowlings)
     - Communication between execs and IT managers, e.g. Cisco posting policy: http://blogs.cisco.com/news/comments/ciscos_internet_postings_policy/

  17. An Alternative Security Awareness Approach
     - For Business Managers: Leveraging the Internet With Acceptable Risk
     - For IT Managers: Workflow-based Risk Assessment Process
     - Beyond lectures: Interactive workshops engage people!
     Streetwise Security Awareness means using collaborative techniques to complement a top-down IT security program

  18. For More Help
     - Streetwise Security Zone Collaborative Community: http://www.streetwise-security-zone.com
       - Scott is “@streetsec” on Twitter: twitter.com/streetsec
       - Email scott@streetwise-security-zone.com
       - Phone 613-693-0997
     - Dalian Enterprises for Security Products and Services (Matt Gervais)
       - Email mattg@dalian.ca
       - Phone 613-234-1995 x390

  19. Social Networking Security Summary
     - Don’t accept invitations from #Strangers
     - Check privacy #Settings and #Sensitivity
     - Be #Suspicious of messages and links
     - Use #Separate Accounts for business and personal, with multiple passwords
     - Have #Security Standards, Policies or Rules on use of the Internet
     - Think #Risk Management by “#Workflow”

  20. The Security Awareness Revolution
     - Human risk decisions are becoming much more important
     - Technology will lag and leave vulnerabilities
     - We must educate the people we care about to consider the risks, before they have a breach!
     Don’t Leave the Keys to the Kingdom Under the Door Mat!
