Security at the Digital Cocktail Party. Social Networking meets IAM


Security at the Digital Cocktail Party Social Networking meets IAM

What I'm going to talk about
- Social Networking and its benefits
- Social Networking is an Identity Management System, but not always a very good one
- Key vulnerabilities
- Attacking the vulnerabilities at the root
- Stop Press: portable data, social networking sites as Identity Providers

Social Networking: the Digital Cocktail Party
- Define my profile (define myself online: interests, skills etc.)
- Define relations to other profiles (including some access control)
- Interact with my friends via IM, wall posts, blogs.

Social Networking Plus Points
- Social Capital has been shown to reduce crime
- More privacy than a blog: restrict your data within your network.
- SN is an IDM tool
- Discovery of like-minded individuals and business partners.

Social Networking Plus Points: business benefits
- Increase interactivity
- Exploit the value of relationships
- Publicise and test results in trusted circles
- Develop circles of competence

Identity Management System
- Storage of personal data
- Tools for managing personal data and how it's viewed
- Access control to personal data based on credentials
- Tools for finding out who has accessed personal data


Social Networking is an Identity Management System. LOTS of juicy personal data. Recognise these from somewhere?
- (a) Racial or ethnic origin
- (b) Political opinions
- (c) Religious beliefs
- (e) Physical or mental health or condition
- (f) Sex life
(EU Directive 95/46 definition of sensitive personal data)


Tools for Organising my personal data


Tools for managing access based on credentials


Social Networking is an Identity Management System. But not always a very good one

Inappropriate (and often Irreversible) Disclosure (Face obscured by me)

10 minutes' surfing of Myspace: example

Inappropriate Disclosure

Digital Cocktail Party

It's OK because only my network can see my profile data

Access Control Based on Credentials?

Low friending thresholds (poor authentication)

Only my friends can see my data? Most users don't realise the size of their audience.
- Only everyone in the London Network?
- Only everyone who pays for a LinkedIn Pro account?
- Only everyone in your email address book?
- Only Social Network employees?
- Only anyone who's willing to pay for behavioural advertising?
- Only plastic green frogs?
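To make the "size of the audience" point concrete, and to show what "access control to personal data based on credentials" from the IAM slides looks like in practice, here is an added toy model (not code from the talk or from any social network): a constructed friendship graph plus regional-network membership, a visibility policy per profile field, and a function that counts who the policy really admits. Names, levels and graph data are all assumptions constructed for the example.

```python
# Added example (not from the slides): a toy model of profile-field
# visibility as a credential-based access-control policy, used to count
# the real audience behind "only my network can see my data".
from collections import deque

# Constructed sample data: friendship edges and regional-network membership.
FRIENDS = {"alice": {"bob", "carol"}, "bob": {"alice", "dave"},
           "carol": {"alice", "erin"}, "dave": {"bob", "frank"},
           "erin": {"carol"}, "frank": {"dave"},
           "grace": set()}  # no friends at all, but in Alice's regional network
NETWORK = {"alice": "london", "bob": "london", "carol": "paris", "dave": "london",
           "erin": "london", "frank": "paris", "grace": "london"}
LEVELS = ("only_me", "friends", "friends_of_friends", "network", "everyone")


def degrees_away(owner, viewer, max_depth):
    # Breadth-first search over friendships; None if viewer is further than max_depth.
    seen, frontier = {owner}, deque([(owner, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if node == viewer:
            return depth
        if depth < max_depth:
            for nxt in FRIENDS.get(node, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    frontier.append((nxt, depth + 1))
    return None


def can_view(viewer, owner, level):
    # The "credential" is the viewer's relationship to the owner (or a shared network).
    if viewer == owner or level == "everyone":
        return True
    if level == "only_me":
        return False
    if level == "network":  # anyone in the same regional network, friend or not
        return NETWORK.get(viewer) == NETWORK.get(owner)
    return degrees_away(owner, viewer, 1 if level == "friends" else 2) is not None


def audience(owner, level):
    # Every account other than the owner that the policy lets see the field.
    return sorted(u for u in FRIENDS if u != owner and can_view(u, owner, level))


if __name__ == "__main__":
    for level in LEVELS:  # audience grows from [] to everyone on the site
        print(f"{level:>18}: {audience('alice', level)}")
```

Note that the "network" level admits grace, who has no friendship path to alice at all, while the user-facing policy says nothing about operator staff or advertisers, who sit outside it entirely.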

It's OK because I don't use my real name?

Data mining tools: the MyFaceID application will automatically process your photos, find all faces, help you tag them and let you search for similar people.

Which, fortunately, don't work very well.

It's OK because I can delete my embarrassing revelations?

Lock-in: the Hotel California effect. Social Networking is like the Hotel California. "You can check out, but you can never leave." Nipon Das to the New York Times.

- Caches
- Internet archives
- Deactivation of the account
- Delete comments from other people's walls?

It's OK because I use the privacy settings?

The usual suspects, exaggerated by Social Networking:
- SN-based spear phishing and corporate espionage
- Profile-squatting/theft
- Huge amounts of time wasted on corporate bills. Global Security Systems estimates that SN costs UK corporations 8 billion Euro every year in lost productivity (Infosec 2008)

The usual suspects:
- SN spam
- XSS, widgets and other bad-programming threats
- Extortion and bullying
- SN aggregators: one password unlocks all

The usual suspects: why they do more damage. The usual suspects (cross-site scripting, spam, social engineering etc.) do more damage because:
- SN gives away the relationships for free
- SN is highly viral

Why? The root cause. The value of the network (e.g. 15 billion US$ and counting) is:
- Its personal data
- Its ability to profile people for advertising
- Its ability to spread information virally
We need to break the lock-in effect.

Economic success is inversely proportional to strength of privacy settings. (Diagram: speed of spread => economic and social success, traded off against privacy.)

Attacking the root cause: take-home messages 1. Break data monopolies to improve privacy and security:
- Standardised portable networks (checking out of the Hotel California and going to another one) PLUS portable, standardised access control and security (with a secure briefcase).
- Privacy and anonymity tools for social networks.
- Better authentication and encryption.

Nice idea but where's the business model?

Stop press: new developments. The big players embrace data portability and portable authentication. Social Networking takes another step in the direction of IAM.

Based on open, IAM-compatible standards

Google Friend Connect
- Sign in with an existing Google, Yahoo, AIM, or OpenID account
- Invite and show activity to existing friends from social networks such as Facebook, Google Talk, hi5, orkut, Plaxo
- Browse member profiles across social networks

Social Networking takes another step in the direction of IAM?

Or does it?

Take home messages Social networking applications will soon be big players in the Identity Management Space

Take home messages. Create clear corporate policies on social network usage inside AND out of the office. E.g.:
- Clearly define which corporate data is not permitted on social networks.
- Recommend privacy settings to be used on networks.
- Conduct awareness-raising campaigns.
- Hours where SN usage is allowed, enforced by firewall.

Take home messages. Social Networking as a trust infrastructure: we can use the network to
- Authenticate people
- Provide testimonials and recommendations
- Provide a scalable trust architecture
Educating people on the risks is vital: in-context videos and quizzes.

QUESTIONS? More information: http://tinyurl.com/2h7s5e ( http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_social_networks.pdf)