
Posts tagged Facebook

Wednesday, August 11, 2010

Data breaches – the new daily reality

By Ben Rothke, Senior Security Consultant, BT Global Services

Two stories from July about data breaches should give everyone pause.

The WikiLeaks’ Afghan War Diary shows the staggering effect of a large-scale breach, even within a military organization with strong security controls.  And while not a breach in the classic sense, the issue of 100 million Facebook users’ data published online underscores the fact that many people are clueless and will eternally be clueless about how to share their personal data.

Many people still think they are required to enter their personal data on a warranty card for their new appliance.  Entering one’s birthday and other lifestyle data is used by the manufacturer’s marketing department, not quality control.  When these same people use social media, little do they know that every bit of data they post is essentially entered into the public domain.

While Facebook is constantly touting new security and privacy features, its responsibility to you, the end user, is quite limited.  Review Facebook’s Terms of Use, and it’s clear that from a security perspective, you get what you pay for.  Notice Facebook’s use of the term “you” (referring to the end-user), and how sparingly it uses the term “we” to refer to its security and privacy obligations.  I use Facebook only as an example here, given its size, yet the same holds true for nearly every other social media site.

Many organizations regard security awareness as the answer and panacea to preventing data breaches.  The mindset is that if you educate people regarding security and privacy, they will certainly come to practice safe computing practices.  But that’s not necessarily so.

By way of example — nearly 20 years of nutritional awareness via the food pyramid demonstrates that too many people simply don’t understand basic food guidelines.  The USDA can attempt to educate people, but education alone simply won’t and, in fact, doesn’t work.  Put it this way — in these recessionary times, if your job description has the word diabetes in it, you have job security.

As to data security and privacy, awareness alone does not cut it.  And security hardware and software alone won’t cut it, even if you use DLP.  The answer is that there is no answer and that data breaches are not only inevitable, they are inescapable.  Hence, the key is to manage these breaches via an incident management program and have a computer emergency response team (CERT) in place that can deal with the breaches.

The NIST Computer Security Incident Handling Guide is a great place to start on your journey to establish a CERT.  As stated in the guide, performing incident response effectively is a complex undertaking.  To establish a successful incident response capability requires substantial planning and resources.

But once you have an established incident response team, you’re in good shape, as long as you keep it current.  If you don’t have one, you certainly need to establish a CERT, and you need to do it yesterday.

Data breaches are the new daily reality.  Make sure your daily reality check includes a CERT.

Wednesday, March 3, 2010

Evil Memes: Toby Weir-Jones Guest Blogs for Jennifer Leggio’s ‘Social Business’

By Toby Weir-Jones, Vice President Product Management, Managed Security Solutions Group, BT Global Services

Internet memes are harmless, right?  Fun little things that make you giggle, right?  According to Toby Weir-Jones these innocent memes have a much darker side.  Today, as part of Jennifer Leggio’s RSA week guest blogger series, Toby explores the security implications of a business’s decision to enter the social media space as well as suggesting some social media-security best practices for those who have taken the plunge.

To read Toby’s post click below:

A few years ago, in 2006 – ancient history in social media – various researchers proposed methodologies to study how quickly a meme can spread.  Some tried to characterize based on qualitative attributes of the meme itself, such as how funny it was, or how socially relevant, while others avoided those grey areas and focused instead on the quantitative attributes of network owners who posted links or tracked referral URLs.  In both cases, the general conclusions were fairly predictable:  given a good story, it can go viral and appear everywhere within hours . . .

Thursday, February 18, 2010

Virtual Currencies – The changing world of online payments

By Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services, PCI QSA, CISSP, CISA, CISM, BS 7799 Lead Auditor

While our real economy still struggles, the virtual economy is flourishing.  In fact, some experts predict the virtual goods in the United States could be worth up to $5 billion in the next five years. 

Virtual currency is used for purchasing virtual goods.  However, the question is, will virtual currency go beyond the world of virtual goods and into the real world?  Providing the opportunity for people without bank accounts, which includes the majority of the world’s population, to buy virtual currency and then use it for online purchases is an interesting concept.

Virtual currency was recently recognized by the Korean courts, giving people the right to sell virtual currency for real money.  Venezuela is pushing the Sucre, which won’t be printed or coined.  Instead, it will be used solely as a virtual currency to manage debts between governments. 

Why virtual currencies?  Because the benefits are bountiful.  Consumers will be able to buy the virtual currency in stores or by using their credit card or bank account. 

Gaming companies, startups and social networking companies have all been clamoring to offer virtual currencies.  The company that becomes the standard de-facto web currency stands to make an enormous amount of money on enabling transactions globally and for micro-payments.  Virtual currency and virtual goods remain among the most interesting and potentially the highest growth sectors for 2010.

Facebook could take the lead — PayPal, which has aimed to be the abstraction layer between the payment process and the merchant, is the biggest online payment company.  However, the company is just beginning to move beyond the U.S. dollar.  Facebook, on the other hand, has been working on a payment service which would introduce Facebook credits that would act as a universal currency on its platform.  Facebook is currently working to create applications in which users pay for virtual goods in Facebook credits, enabling Facebook to charge a fee based on selling its virtual currency.

Sizing up the market — The virtual goods market in the United States is estimated anywhere between $1 and $2 billion for 2010.  In Asia, the virtual goods market has already hit $5 billion and is rapidly growing.  Virtual goods range from virtual gifts such as digital bottles of champagne that users can give online in Facebook to in-game weapons users can buy so they can inflict more damage on other gamers.

Gaming sites, such as the teen site, Neopets, are using this model to cater to minors who don’t have credit cards or bank accounts.

It may seem logical that with Facebook Connect, the social networking site could offer virtual currency to simplify micro-payments, eliminating the reliance on credit card transactions and reducing the per transaction cost.  The extension from being a currency for virtual goods to smart phone applications and other “real” goods is not a large leap. 

Since PayPal failed to create a virtual currency, it isn’t surprising to see eBay, which owns PayPal, introduce eBay bucks, enabling consumers to buy real goods.

Real need for global secure payment systems — As globalization becomes the reality of everyday life, there is no doubt that payment systems need to change.  Micro-payments and varying currencies have posed challenges in a world that is becoming increasingly cashless.  Since credit cards were created for face-to-face transactions, organizations have been struggling to make them secure for online transactions.  This is proof that there’s a real need for global secure payment systems with centralized access into an account. 

So, can virtual currency move past the virtual world and focus on providing a new payment system, one that is secure and enables micro-payments, global and mobile transactions?

I am interested in your thoughts.  Feel free to leave a comment below.

Thursday, January 28, 2010

The Year Ahead: Top Security Threats and Trends in 2010

By Jill Knesek, Chief Security Officer, BT Global Services

In the last few weeks, a number of security companies have released their year-end security intelligence threat reports that highlight the biggest vulnerabilities of 2009 and, in some cases, offer signposts for what are likely to be the top threats in 2010.

Based on what I’ve read in these reports, as well as what I see as head of BT’s global security team, these are my thoughts on what will give us headaches in the coming year:

  1. Social Media Security Breaches – This is clearly the hot topic for this year.  Now that it’s clear that social media can be monetized, and businesses are joining Facebook and Twitter in droves, it was only a matter of time before the opportunists, social engineers and hackers began to work out exploits from which they could profit – including shortened URL scams.  However, just because social media is ripe for exploitation doesn’t mean your company should abandon the space.  Instead, focus on at-work user education policies on how to spot fake URLs, as well as review policy on permissions.  Does everyone really need access to Facebook and YouTube at work — or should access be limited by job description or role?  With your IT team, make sure to review patching protocols to ensure your network is robust enough to survive common worms, such as Koobface.
  2. Botnets – A perennial favorite, botnets continue to make the top vulnerability lists because they continue to proliferate at an alarming rate due to the potential for economic gain.  With organized criminals firmly in control of a number of significant botnets, IT security professionals need to become more savvy — not just about detection, but also about knowing where their sensitive data is housed.  As we saw in the Heartland case, not knowing where your data is nor if it has been compromised can make the difference between a minor internal breach and a public relations nightmare. 
  3. Mobile Device Security – It doesn’t matter how smart phones are, people still leave them in a New York City cab, and hackers find ways to access data stored or exchanged on devices.  So, as phones become smarter, they introduce increasing risk into the IT equation.  The more capable these devices are to help employees access and manipulate data, the more capable they are to be used by hackers to do the same.  Unfortunately, far too many organizations fail to manage their mobile security risks, or the devices, for that matter.  The first step organizations need to make is to take control over the devices by providing staff with a uniform device or set of devices.  Just keep in mind that some devices are created for general consumers, while others have been developed for enterprises with security controls, such as requiring authorization and limiting apps.  
  4. Remote Access – It also doesn’t matter if employees are traveling to Cleveland or China, or working from home — remote access to networks and data is challenging and must be addressed.
  5. The Absent-Minded Employee – With the economy beginning to pick up, there is less likelihood that your company is dealing with a deliberately malicious employee bent on stealing data or disabling your network as he’s being given his pink slip.  However, with most companies still facing hiring and resource freezes, there’s ample opportunity for very costly mistakes to occur due to under-investments in user education and overburdened employees — from the improperly trained employees to the ones who have one too many tasks on their plates and forget to change a password — or worse still, write the password down next to their computer.  Now is the time to refresh or start up a Security Awareness and Training program with mandatory training requirements as well as communication of security messages that educate the employee base on current threats they are likely to encounter.  In addition, it is also a good time to review policy and procedures with all employees and to review core responsibilities with your IT Security team.
  6. Data Loss Prevention – As BT’s Ben Rothke has previously stated, the sound of confidential data escaping from enterprises can be deafening.  DLP is imperative for today’s mobile work environment, and of course, it is the very mobility of the workforce which has increased data leakage risk beyond imagination.  Organizations must educate employees on how to use mobile devices safely and securely as well as pay serious attention to how many communication channels the IT and security teams are able to fully support. 

So, will 2010 be filled with more surprises than 2009?  I’m confident that if you prepare for 2010 with a renewed focus on strategic security solutions and on employee education, you’ll have a successful and safe year.

Monday, November 16, 2009

Integrating Web 2.0 Tools Securely into the Business Environment

Pete Russo, Senior Marketing Manager, BT Global Services

How would you solve this problem?  As a network security expert, you understand that your company’s employees need to access Web 2.0 tools to build new business relationships, collaborate with partners and reach prospective customers.  But how do you ensure not only their online safety but the company’s overall network security?

Ray Stanton, Global Head of BT’s Business Continuity, Security, and Governance Practice, discusses BT’s approach in a recent Computerworld article (Computerworld, “BT’s Web 2.0 security strategy,” October 19, 2009).

BT was an early adopter of Web 2.0 tools and has a strong social media presence including:

Mr. Stanton identified data leakage as his number one concern when employees are allowed to access social media tools at work.  Data Leakage not only exposes the company to security risks, such as the inadvertent sharing of proprietary information, but it also can lead to an employee becoming a victim of personal crime.  In addition, companies should be mindful of these other top Web 2.0 threats:

  • Cross Site Request Forgery
  • Cross Site Scripting
  • Information Integrity Violations

BT uses a combination of policy and technology to ensure that employees and the company are secure online.  By setting acceptable use policies and conducting regular awareness training, users are knowledgeable about their responsibilities and the vulnerabilities their actions could introduce into the network.  Acceptable use policies are reinforced by software, hardware and managed solutions which, in addition to providing physical barriers to access, enable flexible access policies.  For example, BT works with BlueCoat, using their Proxy SG Appliance to categorize URLs of web pages.  Web sites can be identified by their purpose – e.g., “business productivity sites,” such as LinkedIn – or segmented by who needs to access a type of site – such as permitting the marketing department to have access to YouTube, but not the rest of the company.
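One way to express the category-plus-role access policy described above, shown here as an added example that is not BT’s or Blue Coat’s own code; the URL-to-category map, the department names and the allow-lists are constructed for illustration, and a real proxy would consult a categorization feed instead.

```python
# Added example: a minimal default-deny web access policy that first maps a
# URL's host to a category and then checks whether the requesting department
# is permitted that category. All data below is constructed for illustration.
from urllib.parse import urlsplit

# Constructed category map keyed by registrable domain (stand-in for a
# categorization feed such as the one a Blue Coat ProxySG would use).
CATEGORIES = {
    "linkedin.com": "business_productivity",
    "youtube.com": "video_sharing",
    "facebook.com": "social_networking",
}

# Constructed policy: categories everyone may reach, plus per-department extras
# (mirrors the "marketing may use YouTube, the rest of the company may not" case).
ALLOWED_FOR_ALL = {"business_productivity"}
DEPARTMENT_ALLOW = {
    "marketing": {"video_sharing", "social_networking"},
}


def hostname(url: str) -> str:
    """Lowercase hostname with any userinfo and port stripped; '' if none."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def categorize(url: str) -> str:
    """Category for the URL's host, matched on whole label boundaries.

    Walking parent domains lets www.youtube.com match youtube.com, while a
    lookalike such as youtube.com.example never matches (no substring check).
    """
    labels = hostname(url).split(".")
    for i in range(len(labels)):
        category = CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorized"


def is_allowed(url: str, department: str) -> bool:
    """Default deny: unknown categories and unlisted departments get no access."""
    category = categorize(url)
    if category == "uncategorized":
        return False
    permitted = ALLOWED_FOR_ALL | DEPARTMENT_ALLOW.get(department, set())
    return category in permitted
```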

While no single solution will provide absolute protection for the employee, the company or the network, taking a multi-pronged approach sets up checks and balances throughout the business environment.  Let us know what you think of this strategy in the comments or by sending us a tweet @SecureThinking.
