7 Social Media Security Tips To Protect Your Business

Your employee’s online life could open your business to some serious dangers.

Many small businesses recognize the benefits of having a social media presence for customer service and long-term marketing purposes. However, many are slow to recognize social media’s security issues and how employees’ own social presence can add to the company’s security issues.

Some companies restrict internal access. Others may prevent employees from having any corporate association outside of work on their own social platforms. This is due to the fact that whatever an employee says outside of work publicly can have a significant impact on the organization.


Last year I presented a robbery response program to a credit union. My presentation came after a mock robbery was staged, using real cops acting as masked robbers with guns. The robbers came in, guns blazing and screaming profanities, and, quite frankly, were very disturbing in their delivery. Some tellers cried, others cowered. Pregnant women were not allowed to participate and for good reason: Cops make great robbers!

At the end of the robbery, we all circled and discussed what happened. The teller who received the robbery note read it aloud, stating: “Your husband works at the Main Street Garage. We intercepted him when he was opening this morning. He is in a trunk at an undisclosed location. If you hit the silent alarm and the police come, we will kill him.”

Turns out the robbers scanned the teller’s social media sites based on searching the name of the bank as employer. Once done, they looked up her spouse’s place of employment. They were able to learn what time he opened and closed the shop. Scary.

Follow these social media security tips for small business to prevent security issues just as scary:

Institute a policy. Social media policies must be in place to regulate employee access and establish guidelines for appropriate behavior. Policies must specifically state what can and cannot be said, referring to slang, abusive language, etc. Employers should train their employees on proper use, as well. At this point, many of the mistakes have already been made; a quick search for “social media policy” will return lots of great ideas.

Consider a no-employment disclosure. Request employees leave their employment status blank when setting up a social site profile. Employees represent their employer 24/7/365, so what an employee says on or off the job and online directly reflects on his or her employer and, as stated in my credit union story, can be used against the organization.

Limit access to social networks. There are numerous social networks serving different uses, from wine and recreation to music to movies, used for everything from friending to finding a job. Some are more or less appropriate, and others are less than secure. Employee association with a social network that is considered off-color in any way will come back and haunt the company.

Train IT personnel. Policies and procedures begin from the top down. Managers and IT personnel responsible for managing technology need to be fully up to speed with social media security risks and set leadership examples.

Maintain ongoing monitoring and security. Once a policy is in place, it needs to be updated and enforced, and employees’ online lives must constantly be scrutinized. Invest in consulting, hardware, software and anti-virus protection, and update critical security patches for your operating system to make sure your business network is up to date.

Lock down social settings. Require employees to learn about and incorporate maximum privacy settings. Most social networks have privacy settings that need to be administered to the highest level. Default settings generally leave the networks wide open for attack.

Don’t completely eliminate social media. Eliminating access to social media opens an organization up to other business security issues. Employees who want access will get it—and when this happens, they sometimes go around firewalls, making the network vulnerable.

How do you ensure social media security in your business? Share your experiences in the comments.

Robert Siciliano, CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker, is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock ’em dead in this identity theft prevention video.

The Definitive Guide to Facebook Security

Facebook Security

Social media is permeating every facet of our lives. It is extremely important to understand security and privacy settings with so much personal information becoming so accessible. Here is the definitive guide to security on Facebook:

Step One

Logging In

Social Authentication: Facebook uses social authentication to verify your account. This system asks you to identify your friends based on pictures. This is information that makes it incredibly hard for a hacker to hack and gain access to your account. It also helps you access your account more easily without having to remember yet another password.

ID Verification: Every new user must create a security question and answer for their account. For added security, users can add their mobile number to enable them to verify their identity through a text message.

One Time Passwords: You can opt to receive a one time password by sending a text to 22605.

Tip: Did you know that Facebook employs 300 full-time staff solely focused on security and safety?

Login Approvals: If a user logs onto your account using a new or unrecognized device, a required code will be sent to your mobile device. The user will then be prompted to verify the login on their next attempt.

Tip: Did you know that all logins on Facebook are done through a secure connection? You can enable HTTPS for your entire Facebook experience from the Account Settings page.

Session Classifier: This system uses location, device, and other account details to verify every login (e.g. a Wyoming user suddenly accessing their account from Jamaica).

Fun Fact: Facebook has dedicated millions of dollars to build a supreme security infrastructure.

Step Two

Online

User Action Classifier: The user action classifier identifies when users are acting maliciously or spammy.

Link Scanner: All links are compared against Facebook’s and other internet security companies’ databases of known spammy and malicious links. Facebook scans over 1 trillion links per day.

Photo DNA: Facebook maintains a blacklist database from federal, state and international law enforcement agencies of explicative images. Each one of the 300 million photos uploaded to the site each day is checked against this list.

Clickjacking Domain Reputation System: You see a link to an “outrageous video” off-site, but once you click it, it automatically publishes the fake link to your wall. This behavior is a result of a browser bug, but Facebook is doing more to prevent this from occurring by taking steps to verify suspected bad links before they’re posted.

Application Classifier: The application classifier analyzes application behavior and tries to decide if they are acting maliciously.

Step Three

Log Out

Suspected Hacking: Users can manually shut down Facebook sessions and reset their passwords if an unauthorized login is detected.

Remote Logout: Users who have forgotten to log out can check their login status and log themselves out remotely.

Guardian Angels: If you lose access to your account or have problems logging in, a code can be sent to your friends to help you get back into your account. You can pre-select these friends from the account settings page.

Login Notifications: Users get to approve the devices from which they log in. As an added measure of security a notification can be sent if they have logged in from an unapproved device.

Roadblock: If your account is compromised by malicious software, Facebook will temporarily lock your profile and scan it with security software until your account is certified to be clean.

Some important things to know:

  • 89% of email is spam and less than 4% of content shared on Facebook is spam.
  • Only .06% of over 1 billion logins per day are compromised.
  • Less than .5% of Facebook users experience spam on any given day.
  • People spend over 700 billion minutes per month on Facebook.
  • The average user has 130 friends.

Sources: Facebook.com

7 Small Business Social Media Risks

Many executives are concerned about social media related risks (e.g., data security and ID theft), but far fewer actually have any social media training.

A recent survey of executives puts the concerns into four categories: disclosure of confidential information; damaged brand reputation; ID theft; and legal and compliance violations.

Another feature that the survey unveiled was that 71 percent of the participants believed that their company was worried about potential risks, but they also thought these risks could be avoided or resolved.

Over half the respondents said that their company lacked any social media risk assessment strategy.

Here’s another striking finding: 33 percent of businesses had a social media policy; 27 percent of participants reported no such policy; and the remaining 40 percent consisted of an even split: those who said their company was planning on creating such a policy, and those who said their organization had some other related policy.

Solutions

While social media can bring benefits to businesses, namely in the realm of marketing exposure, they can also bring in lots of trouble as far as security issues.

How can companies find the right balance between the two extremes of banning social media altogether and allowing free rein of social media? Below are some solutions.

#1. Ban the ban. First of all, don’t outright ban access to social media. Otherwise, this can lead to other security issues. Furthermore, an employee who really wants to gain access to social media will dodge security, making the organization more susceptible.

#2. Execute policies. Do implement some kind of structure that regulates employee activity regarding social media. Employees need guidelines for proper use, which would also include what not to do.

#3. Social networks should be limited. There are hundreds of social networks—many uses are served, ranging from movies to music. But there are other uses that are not so innocent and less secure. Learn about these and make sure employees know not to go near them.

#4. No default settings. Default settings typically leave networks very vulnerable to attack. Settings should be locked down; most social networks do provide privacy settings and these must be managed at the highest level.

#5. URL lengthening service. Employees should never click on a shortened URL without first decoding it to see where it leads. Shortened URLs can be pasted into a URL lengthening service.

#6. Train IT personnel. Don’t effectuate policies from the bottom up, but rather, from the top on down. Those in charge of managing technology need to be fully geared up with the risks of social media.

#7. Keep security updated. A business network always needs to be up to date with its security.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock ’em dead in this identity theft prevention video. Disclosures.

IT Guys Get Duped by Pretty Girl on Social Media

Defenses of a U.S. government agency were duped by an experimental scam created by security experts.

The “scam” involved Emily Williams, a fictitious attractive woman with a credible online identity (including a real photo used with the permission of a real woman), posing as a new hire at the targeted agency.

Within 15 hours, the fake Emily had 55 LinkedIn connections and 60 for Facebook, with the targeted agency’s employees and contractors. Job offers came, along with offers from men at the agency to assist her with her new job.

Around Christmastime the security experts placed a link on Emily’s social media profiles linking to a Christmas card site they created.

Visitations to this site led to a chain of events culminating in the security team stealing highly sensitive information from the agency. Partner companies with the agency were also compromised.

The experimenters got what they sought within one week. The penetration scam was then done on credit card companies, banks and healthcare organizations with very similar results.

An authentic attacker could have easily compromised any of the partner companies, then attacked the agency through them, making the assault more difficult to detect.

Recap: The scam began from the ground up, inflating Emily’s social network till it enabled the attack team to suck in security personnel and executives. Most of the people who assisted Emily were men. A similar experiment using a fake male profile had no success.

Preventing getting suckered into Social Media Scams

  • For agencies and other organizations, social engineering awareness training is crucial, and must be done constantly, not just annually as is typical.
  • Suspicious behavior should always be questioned.
  • Suspicious behavior should be reported to the human relations department instead of shared on social networks.
  • Work devices should not be used for personal activities.
  • Access to various types of data should be protected with separate and strong passwords.
  • The network should be segmented to guard against scammers infiltrating a network segment simply because an employee with access to another segment was compromised.
  • Learn from this. Reverse engineer this same scenario in your own life or organization to see how this might happen to you.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook, text SECURE Your@emailaddress to 411247. Disclosures.

7 Tips to avoid ‘deadly’ social media

The vacant 5,000 square foot house next door to this kicking victim was on sale, and he had agreed with the realtor to keep an eye on it. Some kids got wind of this vacancy and put out a Facebook invitation to a Halloween rave party there.

He called 9-1-1 and the police broke up the party. However, kids kept arriving because the Facebook notice was still up. A mob of perhaps 60 kids was brewing at the end of the street.

The victim-to-be began chatting with the realtor’s partner—in front of the rave house. The realtor then approached a kid and was assaulted. Our victim intervened without much thought, got blindsided by one thug, then kicked by several kids to the ground.

Hindsight is 20/20

The victim, only after the beating, realized that he should have:

  • Fled to his house and called the police.
  • Remained outside and called the police (not as safe as above, but a lot better than jumping into a fight)

However, these weren’t the best options. The best option would have been this victim calling the police to come back when the mob was forming.

  • The victim could have taken pictures of these kids (with his Nokia 1020) before any of the rumbling began.

Conclusion

  1. Avoid mobs at all costs.
  2. If someone is attacked, call the police and take pictures.
  3. Do not jump in to break up a fight. Three scrawny but very angry punks can take down a much bigger well-meaning solitary person.
  4. If you do get attacked, go ballistic—and target the gang’s leader.
  5. Sprint to safety first chance you get.
  6. Warn your kids about the dangers of raves.
  7. Check out the “crime radar” of your neighborhood with this new tool.

 

Robert Siciliano, personal and home security specialist to BestHomeSecurityCompanys.com, discussing burglar proofing your home on Fox Boston. Disclosures.

Americans Waking Up to Social Media Privacy

There have been thousands of privacy related news reports over the past year depicting social networks, Google, marketers and advertisers as evil privacy violators who are slowly sucking dry whatever privacy we have left. Facebook has been raked over the coals by advocates and watchdogs who say their tactics violate their own policies. In response, numerous lawsuits have been filed and government agencies have put the pressure on everyone involved to come up with a serious solution.

It is evident that without some type of government oversight, the “self policing” done by all those who stand to gain financially by selling our data will continue to spin out of control to the point where privacy will be something of the past.

My stance as a security professional has always been on the “privacy is dead, get over it” side of the fence. I’ve always been of the belief that the data out there is a result of the public’s own doing and if they don’t want the world to know their private thoughts they shouldn’t post them. As they say, “the cat is out of the bag.”

However, my concern is not that self-exposed private data being out for the world to see is a violation of a person’s privacy, but what can be done with the data to affect one’s security position.

Now as a result of all this attention to privacy, in a recent study published in the Wall Street Journal, about 36% of American adults said they were “very concerned” about their privacy on social-networking sites in 2010, compared with 30% who felt that way last year. The shift was particularly noticeable among people over age 44; 50% of people age 54 to 64 described themselves as “very concerned,” compared with 32% who said that in 2009.

In response, the WSJ further reports that the Obama administration is preparing a stepped-up approach to policing Internet privacy that calls for new laws and the creation of a new position to oversee the effort, according to people familiar with the situation.

This is definitely a good thing as the US significantly lags behind Canada and Europe among others in regards to privacy.

Certainly I care about privacy and wish there was more. But the fact remains that the fundamental issue that affects one’s well-being is security. Too much information leaked may damage one’s social standing in some ways, and if you don’t want it out there then don’t put it out there. And considering marketers and advertisers have taken it up a notch, they definitely need to be watched by the watchdogs. But in the end, what’s most important is how that data can be used to hurt or harm you.

Home Security Source

Robert Siciliano, personal security expert to Home Security Source, discussing Facebook Apps leaking data on Fox News.