Social Networking and Balancing It To Network Security Objectives

With the explosion of social networking, interaction and collaboration, email has lost its position as the primary Internet-based communication tool. In fact, a report I read recently stated that there were more social networking accounts than webmail accounts in 2009.

Today, users rely more on blogs, tweets, social networking posts and  even video clip communications to enrich both personal and professional information exchange. Even businesses are leveraging social networking to communicate with customers, employees and partners.

While these sites and services offer tremendous business benefits, they also present serious risks that have to be managed. For instance, they are often the target of malicious attacks because of their popularity. Video sites like YouTube consume tremendous amounts of bandwidth if they are not properly managed on the corporate network. And employees may intentionally or accidentally leak sensitive company data onto a social networking site, breaches that can result in lost competitive information, public relations headaches, fines, legal action and more.

The good news is, with the right security approach, these consequences can be successfully avoided.

In addition to addressing technology gaps, you also have to educate users about social networking security problems that stem from simple human error. And while the end user will likely remain the number one security risk for any organization, dramatic results can be achieved with just general security training.

Education should begin with the basics, but these can be placed in the context of social networking to make them fresh and interesting. For example, good login and password practices are a common problem within social networking. Routinely changing login credentials and protecting the confidentiality of passwords are basic security requirements – or should be. While this may sound like common sense, a recent fiasco may have been caused by one scientist who actually included his password in his email signature. So even highly educated users need to be reminded about basic security measures. Cybercriminals also know that many users use the same login ID and password on multiple sites, which enables attackers to easily gain access to social networking accounts. In one instance, many Twitter accounts were hacked when users were tricked into creating an account on a fake torrent site.

Other examples that are much less dramatic, but occur much more frequently, take place when users try to share something with a select group in an appropriate way, but do not realize that the way they shared it made it available to a broader group. Some applications may be popular enough to justify in-depth application training for users. A great example of an easily avoidable issue occurred recently when over 100 million Facebook pages were compromised simply because most users did not understand some of the security settings available to them.

It may be worthwhile to start surveying users to identify their needs, applications of choice and perhaps even their own list of concerns. Then prepare a plan to ensure users are aware of how to use those applications safely.

Also, users need to be reminded that there are no safe zones on the web – including social networking sites. Assume that everything revealed on a social networking site will be visible on the Internet forever. Once it has been searched, indexed and cached, it may later turn up online no matter what steps are taken to delete it.

Finally, most users are no different from IT – no one reads the manual. So many users won’t really understand security guidelines until they have violated them once or twice. “Coaching screens” are informational pop-ups or browser redirects that appear the instant a violation occurs, telling the user that they have violated a policy, that someone else knows about it, and how to prevent it from happening again. From a product standpoint, IT should look for solutions that not only provide security, but can also support education efforts.

Conclusion
Social networking has achieved a level of popularity that requires reasonable access at work, and it is also sufficiently mature to bring value to many businesses. But safe social networking requires an aggressive and layered security strategy at the web gateway, as well as the definition of new usage policies and priorities from management and IT. Better end-user education will also be required to ensure workers use social networking applications safely and appropriately.

The combination of layered security and education can help organizations dramatically reduce the risks from malware, phishing, data loss and bandwidth abuse.

Why is all this necessary? Cybercriminals are taking advantage of social networking’s fundamental model of familiarity, trust, sharing and open communications to dupe users and steal valuable data.

To close these security gaps, IT and business leaders must ensure they have the right security strategies in place to identify and protect against the rapid evolution of social networking threats.

Don’t you know that computer viruses can….

  • make your computer behave abnormally?
  • make your computer run slower?
  • rename your files?
  • or in worst cases, delete your files?
  • fight for its survival?
  • steal your files?
  • steal confidential information?
  • slow down the network?
  • disconnect your computer from the network?
  • make your hard disk full?
  • destroy your RAM?
  • or in worst cases, destroy your computer’s CMOS?
  • evade detection?
  • cause your anti-virus software to stop? 
  • disable your computer’s DOS prompt?
  • disable your computer’s registry editor?
  • attach itself to all files? even pictures, movies and music?
  • be acquired from a website?   
  • be transferred from a USB flash disk?
  • be transferred within the network?
  • be transferred via e-mail?
  • lie there inside your computer for years? and is triggered to run in a specific date and time?
  • not just be removed by a simple scan and clean?
  • now be found in mobile phones?
  • destroy programs? which makes it easier to replicate during program execution?
  • delete everything in your hard disk?   
  • crash your computer?
  • bring down your network?
  • make your computer useless?
  • even exist in servers?
  • even exist on Android, Symbian, macOS and Linux?
  • destroy your privacy?
  • destroy your schedules?
  • drive you crazy?     
  • make you sick too?
  • ruin your life?

Our prognosis? Do not use your computer. Or if you cannot avoid it, see to it that your anti-virus program is updated regularly. Observe vigilance. Be proactive.

And yes, BACKUP AS OFTEN AS YOU CAN.

Imagine life…

..if there is no Internet:

  • then all the mails will be sent via snail mail or courier. We will all die of suspense while waiting for some important document via mail.
  • we will always hear the phrase “Can I request for a fax tone?” or “Fax tone please..”
  • private and public libraries will be full.     
  • we will pay for every research material that we need.
  • long distance phone bills would make us drop our jaws.
  • the only means of socialization would be like reunions, bars, singles clubs, club meetings, etc. (what? no Facebook or Twitter?)
  • books, magazines and newspapers will still be in, contributing to the cutting of trees.
  • the only security that we need can either be: hiring of security guards, bodyguards, bank deposit safe boxes or personal safe vaults.
  • people would only be drinking coffee, socialize or eating something in Starbucks.
..if there are no cellphones

  • then those red public phone booths will still be popular. then Superman can have lots of options on where to change.   
  • it would be easier for us to disappear. vacations would be more enjoyable.
  • people will not drool over your newer model cellphone.
..if there are no computers

  • then upon entering an office, that clicking sound of a typewriter will welcome you. (oh, I miss this sound.)
  • calculators and adding machines will still be expensive.
  • bank teller queues will still be that long. (oh well, it is still long now, isn’t it?)
  • offices would be bigger, for they need additional floor space for those storage cabinets to keep the files and records.
  • people would patronize the movie houses.
  • people would be carrying large stacks of CDs or even tapes while listening to music using their Walkmans or CD players (right… no MP3s.)
  • we need to have a stockbroker.
  • we need to go to the bank to transact.
  • preparation of our monthly reports would be very tedious. Imagine yourself trying to complete a 24 column accounting worksheet by hand.
  • you would need a bigger table. this is also related to my item above, where offices need bigger floor spaces.
  • carbon papers will still be in use.
  • car repairs would still be a hit and miss thing.
  • everything will still be paid in cash (yehey!)
  • keeping inventories would really be a chore.
  • no expensive IT projects to be competitive.
  • on the brighter side of it… MORE JOBS!
  • I could have been a doctor or a pilot…

Life was way simpler then…

Just reminiscing those good old days.

Managing Cloud Computing Security Risks

Cloud Computing is all the rage these days. CIOs seem to be diving into cloud-based solutions with reckless abandon despite the fact that a mistake in planning or execution can have career-limiting effects. So, let’s take a moment to balance the benefits against the potential security pitfalls that lie in the clouds.

The really important question is: how safe is your business in the clouds? After all, cloud vendors all aim to put your stuff onto cloud servers, and in most cases these systems sit outside of your data center and outside of your direct control.

While this may buy you some cost reductions, it carries significant risks. Let’s consider the classic triad of information security: confidentiality, integrity and availability.

There’s no getting around that putting data onto an external server carries confidentiality risks. No matter what your cloud vendor may promise contractually or in its service-level agreement, if its security gets breached, so may yours.

How do you counter that risk? You can encrypt sensitive data, or you can keep the real sensitive stuff off the server. Encryption can be a viable path for some stuff like off-site backups. Being particularly careful about what goes on the server can help as well, so long as you maintain some level of oversight and control over the day-to-day decisions. That is, if you give your users the ability to store stuff on a cloud server, they’re liable to store all sorts of stuff there, blissfully unaware of the security risks.

As to integrity, the risks in cloud computing are relatively small, unless your cloud service provider’s security gets breached anyway. If an attacker breaches its defenses and tampers with your business data, then integrity can become vitally important all of a sudden, depending on the nature of the data.
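The two defences above (encrypt sensitive data before it leaves your data center, and detect tampering when it comes back) carried through in code. This is an added example, not code from the original post; it assumes the backup is a byte blob and a 32-byte AES key obtained from a KMS or a KDF, and the Vault type, names and sample values are constructed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Vault wraps AES-256-GCM: backups are encrypted and authenticated before upload.
type Vault struct{ aead cipher.AEAD }

// NewVault takes a 32-byte key; in practice fetch it from a KMS or derive it
// with a KDF, and never store it beside the blob on the cloud server.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // rejects any key that is not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal returns nonce || ciphertext || tag. The archive name is bound in as
// additional authenticated data, so a blob swapped or renamed on the
// provider's side fails to open even though it was sealed under the same key.
func (v *Vault) Seal(plaintext []byte, name string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open checks the tag before decrypting: any change to ciphertext, nonce or
// name is rejected, which is the integrity check the provider cannot bypass.
func (v *Vault) Open(blob []byte, name string) ([]byte, error) {
	ns := v.aead.NonceSize()
	if len(blob) < ns { // truncated download, not even a full nonce
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return v.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}
```

A tampered, renamed or truncated blob comes back as an error from Open rather than as silently corrupted data, which is the difference between noticing a breach at the provider and discovering it months later.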

And then there’s availability. You’re gambling that your data will be available when you need it when you put it in the cloud, betting that the availability won’t be eroded by network outages, data center outages and other single points of failure. You can hedge your bet a bit by going with an industrial-strength cloud provider, but you’ll pay more. If availability of data is important to your business, then you can’t blithely go with the lowest bidder. You need to do appropriate due diligence and find out everything you can about your vendors’ availability, disaster recovery and business continuity plans. “Trust but verify” should be your mantra.

Much of this sounds like Information Security 101. To be sure, there’s a lot of plain old common sense that should be applied when considering cloud solutions.

At my company, we do use some cloud services and get gobs of value from them. For example, we are fans of Google Docs. It helps us keep our documents synchronized across my various computing devices. But I’m also careful about the data I put there. I keep business-sensitive information on my local hard drives, and generally encrypted.

I’ve also found great value in using cloud services as part of my disaster recovery.

But the bottom line is that it is about balancing risks and benefits.

That’s how we should view cloud services in general. It’s important to make informed decisions before diving into the latest trend. There is value to be found in cloud computing. But rely too heavily on it, or place your deepest darkest secrets on it, and you’re likely to be disappointed.

-viz-