conference socialmedia

Exploring policy, privacy and compliance issues when using social media: an IT perspective

Mark Monroe, from UMSL, started with a discussion of what social media is. He started with Tufts University using YouTube videos as a replacement for application essays – the dean of undergrad admissions didn’t realize how public and widely followed these applications would be. He talked about other social media missteps, then went into the terms of service (TOS) of Facebook and Twitter. He then talked about FB’s ownership grab of user photos over Valentine’s Day 2009.
He discussed the idea of cyber-bullying and policies – his school has no specific policies, but the activities are covered by code-of-conduct policies.
Much of the discussion was very educational institution oriented, so I’m skipping a lot…
The upshot of the discussion was that teachers are asking students to post homework assignments on Facebook and this is probably a bad idea. I’m in agreement, but not for the same reasons – Mark said that students uploading writing or photos to FB as part of an assignment are giving up their copyrights to that work. This is not exactly true – but they are putting that stuff up in a much more public place than their teacher’s desk, so there may be issues with privacy that are more pressing than IP issues, really. There were several questions from the crowd about impersonation accounts, but not a lot of advice – FB is notoriously bad about getting back to folks about issues, though they are getting better at getting rid of accounts that impersonate someone.

conference Training

Connections — Keynote – securing the human

The Connections conference started with a keynote from SANS about securing the human part of your network. Lance started by talking about his background in info security, honeypots and work with Sun Microsystems (starting originally with work in tanks in the military). “The simplest way to steal your password is to ask for it – the simplest way to infect your computer is to ask you to do it.” Technology has been very well secured – it’s MUCH easier to get the human users to do the work for the bad guys. The change began in August 2004, when Service Pack 2 was released for XP with the firewall turned on by default. This started the drop in technology-based hacking and began the era of human hacking. The human OS – you have Windows, Linux and human OSes in your network. We’ve done nothing to secure that human OS (my note: this is why training is so very important – it’s updating and patching the human OS in your network).
90% of malware requires human interaction (Symantec)
100% of successful APT attacks compromised the human (Mandiant)
Humans have to click a link, install a program, insert a USB stick or interact in some way to make the malware work.
Humans are bad at judging risk – we overestimate visual risks (lions and tigers, as opposed to something we can’t see) and overestimate risks when we aren’t in control (flying as opposed to driving).
“If it’s on the news, it’s probably really safe, because it almost never happens – or else it wouldn’t be news”
Social engineering – we surf and feel like we are in control (and the hack is silent and not visual at all), we underestimate the risks of getting hacked because of those two factors. You check into your hotel room, get a call from front desk to clarify a problem with your card, you give them your card number, they’ve hacked you. (real problem at Disney World resorts)
Some worms now check keyboard settings before they send out their phishy emails so that they can send a virus email to your friends in the language that you usually use (if your keyboard is set to Spanish, they send the Spanish version of the bad email to your contacts, in order to increase the likelihood that your friends will click on the link in the email).
Many trojans disguise themselves as anti-virus programs so that you not only infect yourself, but you pay $100 or so for the privilege of doing so.
Twitter and Facebook make malicious social engineering attacks easy – Twitter bots search for keywords and respond to any tweet using that keyword with a “discount” link for that particular item.
Goals of Awareness training – compliance and changing behavior. Lance concentrates on changing behavior (more powerful than mindless compliance).
The Plan: who, what and how? Who do you target for training? (Employees, admin staff especially, management, and IT staff, who have privileged access to lots of resources – make sure they don’t post router configs, for example, on public listservs, or use the same password for servers that they use for their Facebook account.) What do you train about? (You are the target, social engineering, email and IM, browsers, etc.) Teach people that it’s not all just about protecting the organization, it’s about protecting the employee. How to train? Use imagery, videos, newsletters – make it as fun as marketing is these days. He showed an example video that promotes security awareness (social engineering, specifically).
SANS has a video awareness library – info in handouts. Newsletters are like patches – they have to be done regularly or people forget.
Inoculation – used to measure end-user awareness, to get their attention and to reinforce training. Launch a phishing email of your own (benign, of course) and see who clicked and how many were fooled. Keep doing it as your awareness campaign continues and see how the numbers go down. Start with basic email and work up to targeted emails to test users.
Presentation and newsletters that can be redistributed are available on Lance’s blog.
