Keeping Your Secrets Safe in a World Gone Social
Oct 28, 2009 4:00 AM PT
Social networking continues to play an important part in our cultural growth, offering an accessible outlet for expression and a means to explore greater social interactions within a broader community.
These platforms allow both anonymous and open communications with the world, giving us a voice and a forum to share our thoughts publicly and privately. However, with the growing threat of identity theft and other cybercrimes, social networks also present a new set of risks.
Social networks are not inherently evil. On the contrary, most social networks -- Facebook and LinkedIn, for example -- are conscious of both privacy and security. However, they are a community; like all communities, they have varied populations, including some who would prey on the weak.
Some of these opportunists are benign, such as the growing community of corporate marketers who have made a valiant attempt to commercialize this new medium. Some are not.
Making sure that the networks themselves are safe requires the use of various monitoring and management solutions, and a fairly competent IS staff -- nothing new here, and some of the larger providers actually have above-average security operations.
Still, keeping the end-users of social networking services safe depends on something much more difficult to control: the end-users' behavior.
Digital Global Village
Since 1997, when social networks started gaining traction on the Web, the total population of Internet users has grown from around 70 million to more than 1.5 billion. Almost one quarter of the world's 7 billion people are in some form or another "connected" to what Marshall McLuhan originally termed the "global village."
All too often, what many users living in this village forget is that with the loss of anonymity comes a certain level of risk -- and that just because they now have the ability to share information with the world does not necessarily mean that they should.
Who in her right mind would stroll into a dark alley sporting a diamond necklace while singing "We're in the Money"? While perhaps not as unrealistic as that example, social networking users are making many foolish decisions online with respect to disclosure of both personal and professional data.
With little more than your name, an identity thief can get to work. Often, there's a lot more information made freely available to whoever comes looking for it.
Searching on one site might identify a married woman living alone in Los Angeles. She might willingly accept a request to "connect" from a complete stranger who claims to have attended the same high school. Based on this user's demographic (Beverly Hills), she's an immediate financial target. Additional details about her community interests can help a cybercriminal determine how valuable this target could prove to be: either as a direct victim or as a valuable pawn in a malicious sphere of social connectedness.
Friends of this user would likely be of a similar stature financially and might be commensurately careless with their personal identities online, especially once the cybercriminal gains the misplaced trust of the first victim. When the poser learns that one of the members of the newly accessed online social community is enjoying a much deserved vacation in the Bahamas -- perhaps via a real-time Twitter update -- the stage is set for an old-fashioned home break-in, with a pretty good chance that the home is vacant while the owners are relaxing poolside, drinking daiquiris.
More-aggressive criminals might lure unsuspecting victims from within their community of "trusted" acquaintances to a Web site laden with malware. This is hacker territory, and once the personal computer of the target is compromised, the full measure of identity theft is realized. In hacker jargon, the target's been pwned.
Don't Be Naive
While it's easy to forget, the scope of your potential audience is far broader than your inner circle of family and friends. Don't post anything online that you wouldn't feel comfortable shouting in public. Change names or use nicknames when posting about yourself and your friends to a public forum, and if you need to share meeting times and places with a friend or colleague, remember that most social networking sites offer a private messaging facility. Use it rather than a public message board or forum.
This sounds simple enough, but you'd be amazed how often the following details can come up in a private conversation: your mother's name, your first pet's name, your favorite color. These are often the answers to "security verification" questions used by real online retailers and banks. They're designed to prove that you're who you claim to be if your identity is ever challenged, making these facts as precious as your social security number or your ATM card PIN.
Don't Be Too Friendly
Many sites separate your public profile, which is appropriately vague, from a more intimate profile that is meant to be shared with family and friends. However, many users are overly promiscuous when it comes to social networking, inviting total strangers to join their online communities -- and thereby providing them easy access to private information and correspondence.
If you were at a party, would you share everything with everyone in the room? It's more likely that you would keep your more intimate conversations private, either whispered in a corner or -- even better -- unsaid. The social network service that you're using should provide a degree of privacy, but security best practices start with you.
Stake Your Claim
If you have any reason to keep a profile on a social networking site, do it. Even if you never update your profile, you'll be preventing someone else from claiming your own virtual identity.
A stranger who builds a profile in your name immediately gains that "one degree of separation" that can build trust among your friends and family.
Use Your Tools
This is appropriate for both social networking users and for social network providers. There's technology out there to help keep the contents of your digital lifestyle secure. For end-users, protect yourself against malware and viruses, and maintain a firewall.
For providers, enforce the privacy of your users' profiles by monitoring network access using an intrusion-prevention system; monitoring application access using a database- or application-monitoring system; and by using the plethora of security management, log analysis and security information management tools that are available to ensure that if you are compromised, you can address the problem as quickly as possible.
But Don't Rely on Them
The moral of this story is "don't be naive," and being lulled into complacency because of the assumption that you're adequately protected is a clear violation of that primary rule.
If you're uncertain, assume the worst. Stay secretive when you're strolling through the global village, and you'll stay safe.
Michael Leland is the CTO of NitroSecurity, a provider of security information and compliance management solutions.