Monday, 5 November 2012

Social Networking Security Management

Like it or loathe it, social networking is omnipresent.  From youthful party-picture posting to professional networking and virtual discussion boards, your online persona and the data you share can be both a powerful asset and an exploitable vulnerability.

The usefulness of many social networking sites increases with the amount of personal information you make available.  In recent years this has drawn criticism of the likes of Facebook and Google+ for how they manage and make use of your personally identifiable information (PII).  Whilst there are risks in publishing any personal data online, careful management and protection of that data makes social networking both less risky and more powerful than ever before.


Types of Personal Data

Nearly all social networking sites require a username, and many use your email address for this.  That is pretty much unavoidable.  All sites also require a password for authentication, and the basics of password management (a strong password that is unique to each site) go a long way towards providing a first line of defence for any online account.

Profile data is the next layer.  This varies from site to site, but generally includes first name, last name, perhaps a date of birth, address, telephone number and a personal photo.

Other data sources are more subtle.  They are generally built around your activity and history: personal posts, comments, tags and other data attributed to your connections that relates to you.  The popularity of location-tracking applications also exposes a wide range of personal information based on where you have been.  This can reveal habitual patterns such as gym attendance, local coffee shops, supermarkets, social outlets and so on.

Based on your connections and 'likes', it is also possible to build up quite a detailed understanding of a user's interests, political leanings, music and film tastes and so on.  This may be subtle, but it helps to build up a picture of an individual that can be used either for impersonation or during a social engineering attack.

Data to Restrict

Online data management is a tricky balancing act.  On one hand, the true power of social networking and the interaction graph is the data it contains; if that data is restricted too much, the networking component loses its power and convenience.  Too much data, however, and the benefits fall into the laps of the adversary rather than the data owner.
 
Of all the data potentially available online, date of birth is probably the most valuable.  It is asked for by nearly all government agencies, banks and electoral roll registers, and is therefore a high-value field for identity theft.  From a social networking perspective, what is the real value to your connections of knowing your date of birth?  OK, they will know when it's your birthday and send you a 'congratulations' or 'have a nice day' message on your wall.  Great.  But if the network is for your close friends, shouldn't they know this information anyway?  From a professional network perspective, I can't see the benefit of making this information available - unless it's for targeted advertising.

Address and location information is also quite powerful.  Whilst we've had yellow pages and telephone directories for decades, there was always the option to be 'ex-directory'.  Many in service-related roles such as police officers or health workers removed themselves from public address and telephone directories to reduce the risk of unwanted out-of-work attention.  Whilst it may be nice to show your connections that you have a classy Manhattan or Kensington postcode, the main beneficiaries will be attackers, not you.

Photo distribution is certainly one of the main pulling points of the social side of social networking.  Facebook, Twitter and Google+ all make photo distribution and 'tagging' easy, and enable it by default.  Everyone has heard the stories of bosses or work colleagues seeing embarrassing or derogatory photos of individuals falling out of taxis at 2am.  Whilst that can be career limiting, photo distribution has a security aspect as well.  Photos should avoid things like car number plates, house numbers, work-related security badges or uniforms.  All can easily creep into photos unnoticed, but in the wrong hands they provide valuable personal data.

Security Measures

Avoiding Online Accounts Is Not a Catch-All - Avoiding all contact with social networking sites isn't always a safe or practical option.  Even for the most internet-averse individual, creating a limited, locked-down profile has benefits.  If you don't exist at all, you create a security vacuum, and that vacuum can be filled by an attacker using basic impersonation techniques.  Like any other form of identity theft, online impersonation is difficult to undo once it has happened and is best managed through prevention.

Implementing Non-Public Access - All of your online accounts will have the ability to restrict public access.  Public simply means accessible to users who are not logged in or registered with that particular site, which usually also means indexable by the main search engines such as Google or Yahoo.  If the data is publicly available, automated bots or scripts can easily build out a profile of you without ever needing an account.  From a professional network perspective, restrict the public view so that it does not include current or past employer information.
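To make the "automated bots or scripts" point concrete, and to show how the activity and location data described under Types of Personal Data turns into habitual patterns, here is an added Python example.  It is not code from the original post: the site names (social-a, professional-b, photos-c), the usernames and every record are constructed sample data standing in for what a logged-out scrape of several sites might return.  The script links accounts that share an email address or username, records which site leaked each high-value field (date of birth, home number, employer, location), and picks out recurring weekly check-ins.

```python
# Added example (not from the original post): an offline sketch of the
# profile-building that automated scripts perform against public (logged-out)
# profile views.  Site names, usernames and records are constructed sample
# data, not scraped from any real service.
from collections import Counter, defaultdict
from datetime import datetime

# Fields the post singles out as most valuable to an attacker, roughly in
# order of importance (date of birth first).
HIGH_VALUE = ("dob", "address", "home_number", "phone", "employer", "location")

# Constructed: what three hypothetical sites expose without logging in.
PUBLIC_PROFILES = [
    {"site": "social-a", "username": "jsmith81", "email": "j.smith@example.com",
     "name": "Jane Smith", "dob": "1981-03-14", "location": "Kensington"},
    {"site": "professional-b", "username": "jane-smith",
     "email": "J.Smith@example.com", "employer": "Acme Bank", "location": "London"},
    {"site": "photos-c", "username": "jsmith81", "dob": "1981-03-14",
     "home_number": "42"},
    {"site": "social-a", "username": "bobk", "email": "bob@example.net",
     "name": "Bob K"},
]

# Constructed: public check-ins (user, venue, local ISO timestamp) from a
# hypothetical location-tracking app.  2012-10-01 is a Monday.
CHECKINS = [
    ("jsmith81", "Riverside Gym", "2012-10-01T07:05"),
    ("jsmith81", "Bean Coffee", "2012-10-01T08:02"),
    ("jsmith81", "Riverside Gym", "2012-10-03T07:10"),
    ("jsmith81", "Riverside Gym", "2012-10-08T07:00"),
    ("jsmith81", "Bean Coffee", "2012-10-08T08:05"),
    ("jsmith81", "Riverside Gym", "2012-10-10T07:12"),
    ("jsmith81", "Riverside Gym", "2012-10-15T07:03"),
    ("jsmith81", "Bean Coffee", "2012-10-15T07:58"),
    ("bobk", "Bean Coffee", "2012-10-15T12:00"),
]


def link_accounts(profiles):
    """Group profiles that share an email address or username (case-insensitive).

    Union-find: each shared identifier joins two profiles' groups, so a record
    linked only indirectly (photos-c via username, professional-b via email)
    still lands in the same dossier.
    """
    parent = list(range(len(profiles)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen = {}
    for idx, profile in enumerate(profiles):
        for field in ("email", "username"):
            value = profile.get(field)
            if not value:
                continue
            key = (field, value.lower())
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])
            else:
                first_seen[key] = idx

    groups = defaultdict(list)
    for idx, profile in enumerate(profiles):
        groups[find(idx)].append(profile)
    return list(groups.values())


def build_dossier(group):
    """Merge one linked group, recording which site leaked each high-value field."""
    exposed = defaultdict(set)
    for profile in group:
        for field in HIGH_VALUE:
            if field in profile:
                exposed[field].add(profile["site"])
    return {
        "sites": sorted({p["site"] for p in group}),
        "exposed": {field: sorted(sites) for field, sites in exposed.items()},
    }


def habitual_patterns(checkins, username, min_visits=3):
    """Return {(venue, weekday): count} for venues visited on the same weekday
    at least min_visits times: the 'habitual patterns' an attacker looks for."""
    counts = Counter()
    for user, venue, stamp in checkins:
        if user != username:
            continue
        weekday = datetime.strptime(stamp, "%Y-%m-%dT%H:%M").strftime("%A")
        counts[(venue, weekday)] += 1
    return {key: n for key, n in counts.items() if n >= min_visits}


if __name__ == "__main__":
    for group in link_accounts(PUBLIC_PROFILES):
        print(build_dossier(group))
    print(habitual_patterns(CHECKINS, "jsmith81"))
```

Run against the constructed data, the three Jane Smith records collapse into one dossier that exposes date of birth on two sites, employer on the professional site and a house number on the photo site, and the check-ins give away a Monday gym-then-coffee routine.  The same linking works on any public view you have not restricted, which is why the logged-out view of each account is the one worth auditing.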

Delete Non-Needed Accounts - Like any application, online service or account, social networking or otherwise, if you're not using it, have it removed, or at least disabled.  There are likely to be several accounts you signed up for in the past during an invite-only period, or on the promise of the next big thing.  Check your emails for previous log-in details and manage them accordingly.  If left, they are easy targets for takeover and impersonation.

Check Cross-Account Authentication and Authorisation - Existing online identity providers such as Twitter, Facebook and Google provide APIs that allow other web sites and mobile apps to authenticate you and to be granted access to your profile data.  Carefully maintain the list of sites and apps you have authorised in this way and revoke any that are no longer needed; a forgotten authorisation keeps whatever access to your data it was originally granted.

Connection Management - This may seem like an obvious one, but take a closer look at your connections.  It is always tempting to have a large pool for both your social and professional networks; it makes you look popular and well connected.  However, be sure you really are 'friends' with the individual, or have a legitimate professional relationship with them, before allowing them access to your personal data.