Social Networks: Minimizing The Risks Of The New Frontier
Venkatasubrahmanyam Krishnapur
Senior Director Engineering, Consumer
McAfee India Pvt. Ltd.
July 21, 2015
Contents
• Social networks – interesting stats and facts
• Social networks – why the craze – a member's view
• Social networks – philosophy, motivation and where privacy is headed – a site creator's or owner's perspective
• Social networks – the risks – identity and reputation – social engineering
• Social networks – the different attack vectors – malware, XSS, CSRF
• Social networks – how do you minimise the risks?
July 21, 2015
Confidential McAfee Internal Use Only
Social networks … some interesting facts and stats
“MySpace is a place for friends.”
“MySpace is Your Space.”
“MySpace keeps you connected.”
“Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick frequent answers to one simple question: What are you doing?”
“Delicious is a Social Bookmarking service, which means you can save all your bookmarks online, share them with other people, and see what other people are bookmarking.”
“Your professional network of trusted contacts gives you an advantage in your career, and is one of your most valuable assets. LinkedIn exists to help you make better use of your professional network and help the people you trust in return.”
“Giving people the power to share and make the world more open and connected.”
Social Networking facts – Believe it or not!
• 2.5 BILLION photos are uploaded to Facebook every month = 1000 per SECOND!
• By 2014 social networking services will replace e-mail as the primary vehicle for interpersonal communications for 20 percent of business users
• 2/3rd of US households use social networks, twice as many as a year ago
• Facebook has over 500 MILLION “active” users, surpassing Google today
• People spend over 700 BILLION minutes per month on Facebook
• The number of e-mails sent since 2006 – 90 TRILLION
• There are more than 75 million professionals on LinkedIn and over 1 million companies
• 10 BILLION+ Tweets sent on Twitter since 2006
• There are 126 Million blogs on the internet
• 2 BILLION videos are streamed each day on YouTube
Social networking – why the craze??
Why Use Social Media?
• It’s where the Friends are
• Allows you to be part of a network with common interests, bonds, affiliations
• Provides a sense of community
• Seen as a forum to postulate views
• Fun way to stay connected with old friends or make new friends
• Forum for communication (individual/group/mass) and collaboration
• Allows for self-expression and self-representation
• “Democratizing innovation”
• “Crowdsourcing”
• Job hunting
Social Networks – Their Philosophy and motivation.
Privacy – ha! ha! ha!
Privacy Policy Protection? LOL
Social Network “A”
“Additionally, you grant Social Network “A” a nonexclusive, irrevocable, worldwide, perpetual, unlimited, assignable, sublicenseable, fully paid up and royalty-free right to us to copy, prepare derivative works of, improve, distribute, publish, remove, retain, add, process, analyze, use and commercialize, in any way now known or in the future discovered, any information you provide, directly or indirectly to Social Network “A”, including but not limited to any user generated content, ideas, concepts, techniques or data to the services, you submit to Social Network “A”, without any further consent, notice and/or compensation to you or to any third parties. Any information you submit to us is at your own risk of loss.”
Social Network “B”
“You hereby grant Social Network “B” an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Social Network “B” Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with Social Network “B” Service or the promotion thereof. You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.”
The Evolution of Network “A” “Privacy” (diagram; blue = default availability of your personal data)
A Friend of Mine Is A Friend of Yours
Social networking – The Risks….
Information People Post in On-line Social Networks for Others to View – Identity loss
• Name
• Geography
• Status
• Sex
• Year
• Concentration
• Residence
• Birthday
• Hometown
• State
• Zip
• High School
• Email
• Preferred Email
• Screen Name
• Cell Phone
• Address
• Other Phone
• Website
• Sexual Preference
• Relationship Interest
• Relationship Status
• Political Views
• Interest
• Clubs
• Favorite Movies
• Favorite TV Shows
• Favorite Books
• Favorite Quotes
• About Me
• Job Type
• Company Job Title
• Job Description
• Work History
• Pictures
All or a combination of these can be used to construct a profile of yourself that can be used for nefarious activities by criminals!!
• Phishing attacks
• Picture stealing for porn sites
• Location tracking
• Financial fraud
• Reputation analysis (HR)
• Reputation damage
• Password stealing
• Predators in the guise of friends
• Government Agencies (Tax evasion)
• Literally anyone interested
What Are The Security Risks?
What is a Network?
(Diagram: a set of interconnected nodes.)
Web Definition: A set of nodes, points, or locations connected by means of data, voice, and video communications for the purpose of exchange.
(Diagram: who views a profile and why. Viewer categories: Friends, Unaffiliated user, Predators. Labelled motives: looking for personal information, keeping in touch, looking at new pictures, attempting to locate old friends, staying up to date, sexual assault, just to say hi, encouragement, harassment, leaving messages, sending invitations, keeping tabs on individual or group, adding to social group, stalking, selling divulged information.)
Exposure possible due to:
- a ‘friend’s’ account being compromised – now controlled by an impersonator
- inadvertently adding someone as a friend – but not someone you know
- breach of trust by real friend(s)
- poor identity management (privacy controls)
Dangers and Misuse of On-line Social Networks
Profile content and information could be gathered and used for the following:
• Stalking
• Arming Predators
• Harassment
• Sexual Assault
• Slander
Internet connectivity and a trusting attitude toward this technology can facilitate:
• IP Tracking
• Dangerous links
• Spyware threats
• ID Theft
• Information sold to third party
What Are The Security Risks?
• Malware distribution
• Cyber-bullying (“trolling,” emotional abuse)
• “Shelf-life” of information (lives forever in cyberspace)
• Privacy concerns
– Information about you that you post
– Information about you that others post
– Information about you the social networking sites collect and share with others
Who’s peeking?
• Friends\family
• Friends of friends\family
• Parents
• Employers and co-workers
– Dec 2009 study commissioned by Microsoft said 79% of recruiters & hiring mgrs researched applicants online
– CareerBuilder.com study – 45% of employers use social networks to screen job candidates
• Customers
• Universities
• Marketing companies\vendors
• Criminals\hackers
• Government agencies (IRS, SRS!)
• EVERYONE ELSE
Take my stuff, please!
Law of Unintended Consequences
Legal Issues
• Copyright violations
• COPPA (Children’s Online Privacy Protection Act) covers sites
directed to children under age 13 or general audience sites that know
they’re dealing with kids younger than 13.
• Cyberbullying\stalking laws (recent)
Oh no! URL Shorteners
• bit.ly, TinyUrl, ReadThisURL, NotLong
• Hides the true destination URL – no way to tell where you’re going until you click!
http://www.hacker.com/badsite?%20infect-your-pc.html
is now
http://bit.ly/aaI9KV
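One way to act on the “preview before you click” advice is to walk a short link's redirect chain with HEAD requests and never load the final page. The following Python is an added example, not part of the deck or any McAfee product; the shortener host list, the example.invalid hops used in testing and the injectable fetch function are assumptions for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Hosts of the shorteners named on the slide (assumed list; extend as needed).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com"}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so that every hop is visible to the caller."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_hop(url):
    """One HEAD request; returns (status, Location header or None).
    Needs network access; tests inject a constructed lookup table instead."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx lands here because we did not follow it
        return err.code, err.headers.get("Location")


def is_shortener(url):
    """True when the link's host is a known shortener, i.e. the visible URL says nothing."""
    return (urlparse(url).hostname or "").lower() in SHORTENER_HOSTS


def expand_short_url(url, fetch=head_hop, max_hops=5):
    """Resolve a short link hop by hop without fetching any destination body.
    Returns (final_url, hops_visited); raises on loops or overly long chains."""
    hops = []
    current = url
    for _ in range(max_hops):
        hops.append(current)
        status, location = fetch(current)
        if status not in (301, 302, 303, 307, 308) or not location:
            return current, hops
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in hops:
            raise ValueError("redirect loop: " + " -> ".join(hops + [nxt]))
        current = nxt
    raise ValueError("gave up after %d redirects" % max_hops)
```

The returned hop list is what you inspect before deciding whether to open the destination at all.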
Malware Distribution
• Similar to other threats that can lead to downloading/installing malware
– Malicious ads
– Clickjacking (aka “likejacking”)
– Wall posts, inbox or chat messages with malicious links from “Friends” (hijacked user account)
– “My wallet was stolen and I’m stuck in Rome. Send me cash now.”
– Spam email pretending to be from Facebook admins
Malware Distribution
• Koobface is a well known malware targeting the biggest social network; continues to evolve and infect today
• Suspicious friend or follow request, or link
• Bogus FB groups/Pages/profiles to entice you
• Suspicious/malicious application
mashable.com/2010/05/29/xxxxx-hilarious-video/
XSS, CSRF Attacks – Inheritance of all the Web 2.0 vulnerabilities
• Web 2.0 increased the power of dynamic and shareable content, taking the internet to a different level.
• However, the flat serial structure of HTML documents that included scripting amongst formatting and content introduced many risks.
• Poor programming of Web 2.0 applications without proper validation can result in attack vectors like:
– Cross-site scripting attacks and cross-site request forgery attacks are serious concerns
– These are attacks that exploit the trust the user has for a given site (XSS) or the trust the site has in a user’s browser (CSRF)
– SQL injection at the database layer
• Hackers use a combination of social engineering and slick scripting to fool victims into running malicious code in their browsers.
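To make the two trust relationships concrete, here is an added Python example (not from the deck or any McAfee product): a wall-post renderer that concatenates user text into HTML beside its escaped form, and a synchronizer-token check that rejects a state-changing request a foreign page forged. The SAMPLE_POST text and the session/form dictionaries are constructed for illustration.

```python
import hmac
import html
import secrets

# Constructed sample wall post containing markup; the point is only that it is
# user-supplied text that the site will show to other users.
SAMPLE_POST = 'Great party! <script>alert("xss")</script>'


def render_post_vulnerable(text):
    """'Poor programming without proper validation': user text is concatenated
    straight into the page, so the script runs in every viewer's browser with
    the trust the viewer places in the site (stored XSS)."""
    return '<div class="post">' + text + '</div>'


def render_post_safe(text):
    """Hardened form: escape at output time so the browser renders the text as
    text and never as markup."""
    return '<div class="post">' + html.escape(text, quote=True) + '</div>'


def issue_csrf_token(session):
    """Synchronizer token: a random value bound to the server-side session and
    embedded in the site's own form. A page on another origin cannot read it,
    so a forged cross-site submission cannot supply it."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def handle_post_request(session, form):
    """State-changing handler. The browser's cookie only proves who the user
    is; the token proves the request came from our own page, not a forged one."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return "403 Forbidden: missing or invalid CSRF token"
    return render_post_safe(form.get("text", ""))
```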
3rd Party Applications
• Games, quizzes, cutesy stuff
• Untested by the Social Networks – anyone can write one
• No Terms and Conditions – you either allow or you don’t
• Installation gives the developers rights to look at your profile and override your privacy settings!
Social networking sites … Risk mitigation
How technology helps (SMB / Enterprises)
• Application control:
– Granular application control, based upon the business and regulatory requirements of the
organization, gives organizations the ability to create access policies specific to user identities,
and to reduce risks for some employees without restricting participation for others.
• Next-generation firewalls:
– Many firewalls today don’t provide effective protection for Web 2.0 technologies. Organizations
should consider next-generation firewalls that provide more sophisticated discovery, control, and
visualization of applications, along with predictive threat protection for network infrastructures.
• Endpoint protection:
– The shared and highly participatory nature of Web 2.0 requires that businesses protect their
endpoints against multiple threats, including spam, viruses, malicious software, spyware,
rootkits, and hacker attacks. Endpoint protection remains a critical piece of information
assurance and security in organizations.
• Data loss protection:
– Data exfiltration is a continuing challenge of organizations participating in the Web 2.0
environment. Protecting the integrity and confidentiality of organizational information from theft
and inadvertent loss is a key issue today. Data loss protection guards private, sensitive, and
confidential information and data from accidental or malicious loss.
How technology helps (SMB / Enterprises)
• Encryption:
– Important data should be encrypted, as should communication channels, with keying material kept separate from the encrypted material. Compromise or loss of endpoints should not automatically give access to sensitive information.
• Authentication:
– Strong, non-password based authentication should be deployed and used for access to sensitive information and resources. Web 2.0 applications usually employ weak authentication, and are targets for a chain of penetration and social engineering attacks that can compromise valuable resources. Requiring appropriate token-based or biometric authentication at key points can help to prevent incidents.
• Integrity Monitoring and Whitelisting:
– Many current attacks against Web 2.0-enabled hosts involve the installation or modification of code to enable access, or to install malware. Traditional anti-malware technologies are not sufficient to prevent these threats, so additional methods that use configuration integrity monitoring or application whitelisting should be considered. Solutions that monitor and control patching and upgrades should also be considered.
• Gateway Anti-malware:
– Proactive scanning of code in web pages for malicious intent. By analyzing the code at the web gateway (a gateway located physically in the enterprise or in the cloud as a hosted service), malware can be detected and blocked before it reaches the endpoint or other network assets.
Tips for Safer Social Networking (Consumers)
• Use a strong, unique password
• Provide as little personal information as possible – avoid revealing exact birth date, address – in general information that can be used to determine your identity.
• Understand and customize the privacy settings in all of your social networking accounts
• Use extreme care with 3rd party applications that access your information and change settings
• Be careful about what you post
– Photos of self or others
– Opinions on controversial topics
– Don’t rip classmates, professors, coworkers, employers … – it WILL come back to haunt you
• Do not post anything related to your employer (unless you’re authorized)
• Segregate your network – friends, colleagues, family
• Supervise your kids’ use of social networking sites
• Be a ‘friend’ of your kid
• Use Family Protection Software.
Tips for Safer Social Networking (Consumers)
• Be suspicious of friend/follow requests, ads, 3rd party applications, chat messages, etc.
• Minimize exploration – don’t carelessly click on lots of ads, videos, games, etc.
• Use built-in and add-on features in web browsers to warn you of malicious sites
– Anti-phishing filters in IE and Firefox
– Web of Trust
– NoScript
– Adblock Plus
– Preview features of bit.ly, TinyURL
• Use Web reputation software with real time analysis and remediation capability
• Visit websites that have been scanned and certified
• Google for your name frequently and look for privacy violations
Conclusion
• In conclusion, the value of social networking far outweighs the risks.
• Use social networking effectively and positively to establish new relationships, strengthen existing ones, innovate, learn, collaborate, and have fun.
• But beware of the risks so you can do your best to steer clear of them
– Some of the dangers can easily be mitigated through common sense and discipline on the internet.
– Use software products that rate and certify links and applications
And importantly
– think before you post and
– think before you click!!