Posts Tagged ‘social networking’


How to be worth more than 89p on Facebook

December 18, 2008

According to Trend Micro, an email address, date of birth and full name taken from a Facebook account are worth 89p (NZ$2.33) to a cybercrook.

To avoid having your identity stolen, Trend say you should look for the padlock, use social networking privacy settings and protection software, and vary your passwords. The advice is good and just what you would expect from a commercial operation that makes its money by convincing people that they will be secure if they just rely on the right technology (theirs, of course) and set it up properly. Even the password comment suggests the technology will save you here. There’s no suggestion that your new password needs to be a good one that is hard to guess, just different from last week’s, last month’s, last year’s or the one you use on another website.

Perhaps what they’re suggesting is that if it’s going to cost more than 89p (NZ$2.33) worth of time and effort for a cybercriminal to get your details, then maybe they will move on. This tactic resembles one I used as a student, when I went door to door selling invisible markers that came with bright stickers. The line went something like this: “If you’ve got a sticker and the neighbour hasn’t, guess where the burglar is going to go?”

Of course there were multiple reasons why this might not be the case, but it made me a lot of commission. For example, if you have a sticker but leave your front door open and your stickerless neighbour keeps theirs closed, who’s going to get home and find their brand new double cassette ghetto blaster missing? (Yes, it’s a while since I was a student.) Likewise, even if you both lock your doors and windows, if your ghetto blaster is proudly displayed in the front window, you’ll probably have to go next door to listen to your Def Leppard tracks for a while.

So where does the analogy fit in, or is this just pointless reminiscing about the ’80s?

Well, think of the open window. Even with a password, good privacy settings and anti-malware on your machine, if you join networks or groups on social sites, anyone else in those groups can usually see your pages. And usually anyone can join those groups. For example, if you join the New Zealand network on Facebook, then potentially anyone in the New Zealand network can see everything you post. This includes your date of birth, full name and email address if you were foolish enough to post these.
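To make the open-window point concrete, here is an added example (not from the original post, and not Facebook’s real privacy model or API) that models profile-field visibility as a small access-control check. The audience levels, the default of “networks and friends”, and the sample accounts are all assumptions constructed for illustration. It shows that a stranger who merely shares a network with you can collect the whole 89p bundle, and that tightening the field settings closes that window without leaving the network.

```python
# Added example: a toy model of profile-field visibility on a social
# network, used to show why a privacy setting and network membership are
# separate controls. The audience levels and rules below are assumptions
# for illustration, not Facebook's real privacy model or API.
from dataclasses import dataclass

# Assumed audience levels, from widest to narrowest.
EVERYONE = "everyone"
NETWORKS_AND_FRIENDS = "networks_and_friends"
FRIENDS_ONLY = "friends_only"

# The three fields the post says are worth 89p as a bundle.
IDENTITY_BUNDLE = ("full_name", "date_of_birth", "email")


@dataclass
class Profile:
    owner: str
    networks: frozenset   # networks the owner has joined
    friends: frozenset    # confirmed friends (by name)
    visibility: dict      # field name -> audience level


@dataclass
class Viewer:
    name: str
    networks: frozenset


def can_view(profile: Profile, viewer: Viewer, field_name: str) -> bool:
    """Decide whether viewer may read one field under the assumed rules.

    A field missing from the visibility map is treated as FRIENDS_ONLY so
    that a forgotten setting fails closed rather than open.
    """
    level = profile.visibility.get(field_name, FRIENDS_ONLY)
    if level == EVERYONE:
        return True
    if viewer.name in profile.friends:
        return True
    if level == NETWORKS_AND_FRIENDS:
        # The "open window": sharing any network with the owner is enough.
        return bool(profile.networks & viewer.networks)
    return False


def exposed_bundle(profile: Profile, viewer: Viewer) -> list:
    """Which of the 89p fields this viewer can collect from the profile."""
    return [f for f in IDENTITY_BUNDLE if can_view(profile, viewer, f)]


def lock_down(profile: Profile) -> Profile:
    """Return a copy with every identity field restricted to friends.

    Network membership is left alone: the owner keeps the social benefit,
    but a fellow network member no longer sees the bundle.
    """
    tightened = dict(profile.visibility)
    for f in IDENTITY_BUNDLE:
        tightened[f] = FRIENDS_ONLY
    return Profile(profile.owner, profile.networks, profile.friends, tightened)


# Constructed sample data (not real accounts). Alice joined the New Zealand
# network and left the identity fields at the assumed default of
# "networks and friends".
ALICE = Profile(
    owner="alice",
    networks=frozenset({"New Zealand"}),
    friends=frozenset({"bob"}),
    visibility={f: NETWORKS_AND_FRIENDS for f in IDENTITY_BUNDLE},
)
BOB = Viewer("bob", frozenset())                             # a friend, no networks
NZ_STRANGER = Viewer("mallory", frozenset({"New Zealand"}))  # same network, not a friend
AU_STRANGER = Viewer("trudy", frozenset({"Australia"}))      # neither


def audit(profile: Profile) -> dict:
    """Map each sample viewer to the identity fields they can collect."""
    return {v.name: exposed_bundle(profile, v)
            for v in (BOB, NZ_STRANGER, AU_STRANGER)}


if __name__ == "__main__":
    print("before:", audit(ALICE))
    print("after: ", audit(lock_down(ALICE)))
```

Before `lock_down`, the NZ stranger collects all three fields just by being in the same network; afterwards only the friend does, and Alice is still a member of the New Zealand network. Note also that the default for an unlisted field is the narrowest audience, which is the fail-closed choice a real system should make too.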

So Trend should also say ‘Don’t join any networks’ (which kind of makes social networking a whole lot less fun).

They should also warn you to restrict the amount of personal identification you post (don’t display your wares in the front window) and to think very carefully before responding to messages or opening unexpected attachments, lest you fall victim to social engineering or malware such as Koobface.

Just because you have a sticker on your letter box doesn’t mean you shouldn’t lock your door.


Reframing – taking the risk out of information security

December 15, 2008

David Sherry’s article about creating a security policy which accounts for social networks is thought provoking and presents some excellent advice. While it attempts to provide a positive and proactive approach to securing company assets in a web 2.0 environment, the following quote demonstrates that the article itself relies on the traditional tactic of  focussing on the risks.

While there are numerous benefits to social network solutions, including reducing costs and increasing collaboration, we’ll focus on addressing the risks.

This is a common approach in the information security field. Time and again we hear “this new technology is great, but let’s focus on the risks”. This sort of statement is all very well in a room full of security professionals, but starting by telling Jo User that we’re going to have a discussion about risk is going to turn Jo off or put them to sleep, whichever comes first. When I read the above quote even I instantly thought “Oh no, so much for the positive side; from here on it’s going to be the same old, same old about all the risks”.

As businesses realise that there are benefits in allowing users the freedom to use their favourite web 2.0 tools, we in the security profession need to be helping them to allow this, if they so wish, in the safest way possible. After all, it is not the CISO who decides what tools can and can’t be run; that is a decision for other management areas, albeit supported by the CISO’s expert advice. If Widgets Inc decides they want to allow Facebook use on the company desktops, the CISO has to help Widgets Inc do this while protecting the company’s interests. Standing in front of a security awareness workshop spouting “It’s great, BUT LOOK AT THE RISKS!” is a sure-fire way to turn half the people off and scare the other half into not using the very app the board is trying to support.

Presenting a negative argument also allows for the counter “it will never happen to me”, so how do we embed security in what users do?

I would suggest we borrow a technique from the world of NLP (neuro-linguistic programming). ‘Reframing’ involves letting go of a belief which may limit one’s view of the world. In our case this belief is that security and social networking are mutually exclusive (or pretty close to it). Now there is some truth in that, so we don’t want to let go of that thought altogether, but how do we reframe it?

How about changing “There are many benefits of social networking, but there are risks” to “There are many benefits to operating social networks securely”? Here we have taken the word ‘risk’ out, thereby removing the instant sedative for Gen Y, and replaced it with ‘securely’, which is our goal.

But have we also introduced the concept that Widgets Inc should be utilising social networks, which may or may not be the company line? Actually this is irrelevant because at the point where we are educating the users, management must have already conceded that social networking has a place at Widgets Inc.

It’s too late to pre-empt the masses’ involvement in social networks, but not too late to help them see how they can do it securely, without being negative.

Once we have ‘reframed’ the issue, we can then start introducing the appropriate measures to manage it, hopefully with greater buy-in.
