A Best Practices Guide for Mitigating Risk in the Use of Social Media

Upload: ernani-marques

Post on 06-Apr-2018


  • 8/3/2019 A Best Practices Guide for Mitigating Risk in the Use of Social Media

    1/36

    Strengthening Cybersecurity Series

    A Best Practices Guide for Mitigating Risk in the Use of Social Media

    Alan Oxley

    Universiti Teknologi PETRONAS

    Malaysia


    A Best Practices Guide for Mitigating Risk in the Use of Social Media

    Strengthening Cybersecurity Series 2011

    Alan Oxley

    Professor, Computer and Information Sciences Department

    Universiti Teknologi PETRONAS Malaysia


    TABLE OF CONTENTS

    Foreword
    Executive Summary
    Introduction
        Background
        How We Participate and Collaborate Online
        The Potential - and Potential Risk - of Social Media
        Relevant Security Threats
    Mitigating the Risk of Identity Theft
        Information Scraping
        Social Engineering
        Phishing
        Spoofing
    Mitigating the Risk of Malware
        E-mail Attachments
        Social Media Websites
        Unsecured Data Storage Devices
    References
    About the Author
    Key Contact Information


    FOREWORD

    On behalf of the IBM Center for The Business of Government, we are pleased to present this report, A Best Practices Guide for Mitigating Risk in the Use of Social Media, by Professor Alan Oxley.

    Social media continue to grow across the globe, and the United States federal government is no exception. The administration and Congress actively and increasingly use social media to communicate, to take information in, and to collaborate across boundaries. Yet the benefits of increased involvement through social media also raise new risks to the security of agency information.

    This guide was written to help government managers, IT staff, and end users understand the risks they face when turning to social media to accomplish agency missions, and to mitigate those risks. The guide follows the publication of several other recent IBM Center reports which examine the current and potential use of social media by government agencies, including:

    • Assessing Public Participation in an Open Government Era by Carolyn J. Lukensmeyer, Joseph P. Goldman, and David Stern (http://www.businessofgovernment.org/report/assessing-public-participation-open-government-era)

    • Using Wikis in Government: A Guide for Public Managers by Ines Mergel (http://www.businessofgovernment.org/report/using-wikis-government-guide-public-managers)

    • Using Online Tools to Engage - and be Engaged by - The Public by Matt Leighninger (http://www.businessofgovernment.org/report/using-online-tools-engage-public)

    This guide complements these reports, presenting a view of the cybersecurity risks intrinsic to social media use and, more important, how to mitigate them. We hope that its suggested risk mitigation activities inform government agencies on how best to leverage social media in accomplishing their missions more effectively and efficiently, and more securely.

    Jonathan D. Breul
    Executive Director
    IBM Center for The Business of Government
    jonathan.d.breul@us.ibm.com

    Dan Chenok
    Senior Fellow, IBM Center for The Business of Government
    IBM Global Business Services
    chenokd@us.ibm.com

    EXECUTIVE SUMMARY

    This guide explores how security controls can be used by government information technology staff, managers, and users to mitigate the risks intrinsic to social media. Specifically, this guide seeks to help readers understand the risks posed by many Web 2.0 applications and how best to mitigate those risks. Throughout the text, the term government refers to federal, state, and local government.

    Cybersecurity is a complex topic. Social media have vulnerabilities, as do all computer applications. Some of these are specific to certain websites or applications, while others are intrinsic to all social media. The goal of this guide is to suggest hardware and software controls and acceptable use policies (AUPs) that mitigate risk.

    The extent to which social media should be used in government depends on the likely benefits and potential risks, a determination that government managers must make. Government managers should place a high priority on the security of their digital assets, computer networks, staff, and constituents. They will have to decide whether or not there is a business case for the use of social media in their individual organizations. A risk assessment is inherent in the decision.

    This guide describes the security measures that can be applied in the context of Web 2.0 social media applications. The guide covers two topics: identity theft, which is a threat both to government employees and the constituents they serve, and malware, which is a threat to computers and computer networks.

    This guide presents risk mitigation activities for four identity theft threats: information scraping, social engineering, phishing, and spoofing. The guide also presents risk mitigation activities for three malware threats: e-mail attachments, spoofing, and unsecured data storage devices.


    INTRODUCTION

    BACKGROUND

    In January 2009, President Barack Obama issued a memorandum on the subject of transparency and open government, calling for transparency, participation, and collaboration (Obama, January 2009). Technological advances, especially those related to social media, have the potential to bring about a greater engagement by the public in government. Government's interest in using social media is growing rapidly, encouraged by administrators, politicians, and the general public.

    Governments should implement strategies to motivate citizens to become active. Public involvement in society is desirable in democracies, and Web 2.0 is one way to achieve it. A main benefit of increased public involvement is increased public service efficiency with a consequent reduction in cost. A social network also has the potential value of building social capital.

    As far as formulating U.S. technology policy is concerned, a conference was held in 2008 (Computers, Freedom, and Privacy: Technology Policy '08) to discuss cybersecurity issues. Its organizers drew attention to the fact that "In the areas of privacy, intellectual property, cybersecurity, telecommunications, and freedom of speech, an increasing number of issues once confined to experts now penetrate public conversation" (Computers, Freedom, and Privacy Conference, 2008).

    This guide addresses the cybersecurity measures, tools, and approaches that can enhance national, agency, and individual security (Bertot et al., August 12, 2010). The issues to be discussed are fundamental to the successful adoption of social media by government.


    HOW WE PARTICIPATE AND COLLABORATE ONLINE

    Participation and collaboration are facets of self-governance, and the tools we use to participate and collaborate are shaped by (and in turn shape) the relationship between collaborating parties. The primary vehicle for participation and collaboration is sharing: information, perspectives, tasks, and even resources. In discussing social media, there are four broad ways in which sharing can take place (Drapeau & Wells II, April 2009):

    1. Inward sharing, or sharing information within agencies. This type of sharing is restricted to government officials and excludes the public. Proprietary software exists for this, such as SharePoint and the micro-blogging service Yammer.

    2. Outward sharing, or sharing information with entities beyond agency boundaries. Examples of this type of sharing are GovLoop and STAR-TIDES. GovLoop is a social network for the government community which is not run by the U.S. government. STAR-TIDES is an acronym for Sharing To Accelerate Research-Transformative Innovation for Development and Emergency Support, a DoD-sponsored knowledge-sharing research project that promotes sustainable support and humanitarian assistance to stressed populations across the world.

    3. Inbound sharing, also called crowdsourcing, allows government to obtain input from citizens and other persons outside the government more easily. One kind of crowdsourcing task is online voting, but there are several others. Two experiments in crowdsourcing are the Obama administration's SAVE awards, which requested ideas on how to streamline the U.S. government, and the House Republican website America Speaking Out, which requests ideas from Americans on how to balance the budget and reduce the deficit.

    4. Outbound sharing, whose purpose is to communicate with and/or empower people outside the government. This can be achieved by web conferencing. A control group experiment to evaluate the acceptability and effectiveness of holding online town hall meetings was conducted in 2009 (Lazer et al., 2009). One finding: Participants in the sessions were more likely to vote and were dramatically more likely to follow the election and to attempt to persuade other citizens how to vote.


    THE POTENTIAL - AND POTENTIAL RISK - OF SOCIAL MEDIA

    This guide provides advice on the security issues relating to the use of social media. Social media usage has the potential to enable U.S. citizens to participate more fully in government. It has already played a significant role in some of today's dramatic events.

    Throughout the world, the public can use social networking websites to voice objections about their governments' plans. At a more extreme level, social networks have played a role in organizing protests that have brought down national governments. In the January 2011 protests in Egypt, social networking was credited with being a key mobilizing force. Facebook, a social networking website central to Egyptian protestors, has also been reported as being instrumental in the February 2011 social unrest in Bahrain. At the end of April 2011, it was widely reported that a Facebook page entitled "Syrian Revolution 2011" called for mass demonstrations after Friday prayers. Also in late April 2011 in Vietnam, Nguyen Cong Chinh was arrested, allegedly due to his anti-government stance, partly expressed through web posts (Viet Nam News, April 29, 2011).

    Leaving these sensational examples aside, social media can allow people to interact in a more prosaic way with their elected leaders and know that the leaders themselves are listening. For example, David Plouffe, senior advisor to the president, monitors social networking chatter for Barack Obama (Scherer, May 30, 2011), an activity termed sentiment analysis. Plouffe follows what is happening on Twitter and Facebook. On Twitter, the hashtags used to identify the topic of a tweet (for example, #immigration) allow all those who follow the specific topic to view the tweet.

    Social media, however, also present a variety of new threats posed by cybercriminals and foreign partners. For example, when people use a social media website, they do not know how vulnerable the website is to security breaches. Furthermore, there is the problem of social engineering, a term used when someone is trying to fraudulently acquire confidential personal information from a user. Another problem is that social media websites also allow users to run third-party applications such as games and provide tools to personalize their page, and these uses have vulnerabilities.


    RELEVANT SECURITY THREATS

    Government information systems are a constant target of attacks from malicious individuals. There are a variety of threats, but most that are perpetrated through social media fall into one of two types: identity theft and malware.

    Mitigating the Risk of Identity Theft

    Identity theft is a crime that may occur to individuals or groups as large as hundreds of thousands of people at a single time. The damage may be as little as the loss of a hundred dollars (usually borne by financial institutions, in the case of stolen credit or debit cards) or hundreds of thousands of dollars in the case of fraudulently opened bank, credit, or even mortgage accounts; resulting in more losses from the legal work that must be done by both financial institutions and individuals to achieve resolution and restitution. To mitigate this risk, it is essential to understand how identity theft is perpetrated. Identity theft can occur by information scraping via social media websites and social media applications; social engineering; phishing; and spoofing.

    Mitigating the Risk of Malware

    Malware is short for malicious software, and covers a range of threats, including viruses, worms, trojans, bots, and other harmful code. Hackers develop malware for a number of reasons, including the desire to cripple the government or simply the potential of personal gain. Some malware is designed to attack the system in which it is installed; other forms are intended to take over their host system to launch an attack on a third party; and yet other applications are written not to cause any damage to the system, but to enable the creators to steal data residing on that system.

    Whatever the goal of the malware, there are steps that end users, managers, and technical staff can take to mitigate the risk of malware. The point of attack determines the best countermeasures. The three most common sources for malware are e-mail attachments; websites, including social media websites; and unsecured data storage devices, such as thumb drives.


    MITIGATING THE RISK OF IDENTITY THEFT

    INFORMATION SCRAPING

    Understanding the Risk

    People put an astounding amount of personal information online: a phone number on one website, a picture on another, a birthdate on a third, an address on a fourth, and so on. What they fail to realize is that this information can be harvested or scraped from many websites and compiled into a single, comprehensive portrait of the user. This information can then be used by cybercriminals either to commit identity fraud or to sell to organizations who will commit identity fraud.

    Why Social Media are Vulnerable

    Social media websites are especially tempting targets for information scraping. There are two ways that this can happen. The first way is simply through accessing a person's information page. Often, people will divulge information through a social media website, and then relax their privacy controls. Thankfully, this is easy to correct.

    Social media websites also allow users to personalize their pages and to run third-party applications such as games. However, this grants the application access to all of a user's personal information, irrespective of any privacy setting made in the social media website (Thomas et al., 2010). The vast majority of these applications only need basic personal details of a user. Furthermore, anyone can write an application and so some applications will have no security controls. Worse still, an application could have been developed by a cybercriminal.

    Risk Mitigation Activities

    Both managers and end users can help mitigate the risk of information scraping by creating and then following prudent social media guidelines. Though the specifics will be different for each office, the guiding principle is the same: don't put any more personally identifiable information (PII) online than is strictly necessary.


    To protect citizens who are accessing government services or communicating with their government online, management and IT staff must work together to ask for the least amount of personally identifiable information possible from citizens, and either delete that information once it is no longer necessary or safeguard it against possible theft.

    By users

    • Set privacy settings to their maximum, so that only trusted sources have access to personally identifiable information.
    • Review all changes to the privacy policies of frequently visited websites, including social media websites.
    • Carefully review the permissions requested by social media applications, including games and other add-ons requested by friends.
    • Never divulge more personal information than absolutely necessary on any website. Personally identifiable information includes:
        • Tagged photos
        • A social security number (even a partial number)
        • Full name
        • Full date of birth
        • Schools attended
        • Work address (and phone number)
        • Family photos
        • The names of children and family members
        • Home address (and phone number)
        • Places regularly visited
        • Dates and details of future outings and vacations, and other times that the user will be away from home


    By management

    • Create an acceptable use policy (AUP) specifying the rules of behavior when using social media. Among other things, this should inform employees and the general public what information can and cannot be posted on the social media website.
    • Stay abreast of proposed configuration changes to social media websites.
    • Decide how long social media messages are to be retained.
    • Respect the privacy of users from the general public. This applies not just to government data, but to data hosted by the social media provider.
    • Periodically warn citizens of the threat of identity theft from information shared on social media websites. Additionally, managers should share the link to their official guidelines on what information should and should not be shared through social media.
    • Create a process to handle unauthorized or fraudulent postings.

    By IT staff

    • Ensure that all websites are compliant with management guidelines.
    • Update all security patches as required.
    • Research ways to serve constituents without requiring them to divulge personally identifiable information.


    SOCIAL ENGINEERING

    Understanding the Risk

    Social engineering is a method used by hackers to acquire confidential personal information through fraud. Sometimes the hacker will contact the victim directly and try to solicit personal information over the phone, through a web-based application like e-mail, or through a social media website. Another tactic is for a hacker to contact a third party, like an office administrator, executive assistant, or even IT staff. The hacker may ask for personally identifiable information such as birthdates, home or work addresses, or other data.

    Why Social Media are Vulnerable

    Managers, IT staff, and end users alike must recognize that connecting with people online poses privacy and security risks. One form of social engineering occurs when a cybercriminal on a social media website tries to befriend others. The intention is to build up trust so that confidential private information can be more easily extracted. The cybercriminal can create a fake Facebook profile or a bogus Twitter account.

    On social media websites there are difficulties in establishing the authenticity of a person's identity when communicating with them, and in determining the accuracy of posts. Social media providers may be ineffective at detecting compromised accounts and subsequently restoring them. Another cybercriminal ploy is to try to befriend someone by claiming to have something in common; the cybercriminal may then contact the person through e-mail, over a social media website, or even on the telephone.

    Risk Mitigation Activities

    Social engineering relies primarily on person-to-person contact, bypassing many technical security measures. Because of the focus on individuals, the precautions fall mainly to end users and management, though IT staff may play a supporting role for each.


    By users

    • Never reveal personally identifiable information (PII), whether through e-mail, a social media website, or even a phone conversation, unless certain of the recipient's credentials.
    • Review and follow management's guidelines for interactions with constituents and IT administrators to protect all parties' PII.

    By management

    • Create a set of guidelines for sharing PII that encourages users to:
        • Understand the kinds of information that may be shared, and whom it may be shared with. This includes personal information about individuals.
        • Be cautious divulging their private information.
        • Appreciate the risks and understand the methods of social engineering.
        • Realize the legal issues involved in social engineering.
        • Attend training programs at regular intervals.

    By IT staff

    • Conduct training sessions at regular intervals and perform spot-checks to ensure compliance with social engineering rules.
    • Ensure that systems are in place to help users guard against social engineering attacks.


    PHISHING

    Understanding the Risk

    When social engineering is done via e-mail or social media website, it is referred to as phishing. The messages could be sent indiscriminately, or target an individual or a specific group. In the latter case, the practice is referred to as spear phishing. When the individual or group is a powerful one, the term whaling is used.

    Phishing using social media messages raises additional security implications as these messages are not subjected to the checks performed by e-mail systems. Many web browsers do, however, have a phishing filter in them. The filter helps detect suspicious websites by comparing a website against a list of known rogue websites, and by checking to see whether a website fits the profile of a phishing website.

    Why Social Media are Vulnerable

    A message is more likely to be taken seriously if it contains information about the receiver. This information could be publicly available, as on a social media website, or it could be stolen.

    The more the message is tailored to the receiver, the easier it is to pass through systems that filter out spam and messages with virus links or attachments, as the messages do not fit the pattern of typical rogue communication. There are also many scams, such as an e-mail asking for money because the presumed sender (a trusted person whose e-mail has been hacked) is stranded somewhere.

    It is also conceivable that phishers could try to use a government agency as a cover for their scam, forging a .gov domain for their e-mail. Thus, in addition to guarding against internal employees falling prey to a phishing attack, government managers should be vigilant against fraudulent use of their agency domain.


    Risk Mitigation Activities

    Phishing can be countered both through technological and behavioral approaches.

    By users

    Social Media Websites

    • Join only those social media websites with explicit and strong privacy policies. Not all social media websites' privacy policies fully protect users' personally identifiable information. Several social networking websites allow non-registered individuals to view a profile, and others share users' e-mail addresses and preference information with third parties.

    Account Settings

    • Frequently check the available privacy options to ensure that personal information is private.
    • Use the "How others see you" tool on the ReclaimPrivacy.org website to check that the privacy settings are functioning as expected. (ReclaimPrivacy.org provides a tool that can be used to inspect a user's Facebook privacy settings, and give warnings about settings which make the user's information public.)
    • When available, configure privacy settings so that only trusted individuals have access to posted information. Restrict the number of people who can post information on a personal page.
    • Have a setting that will limit access to account data to protect it from an undesirable audience, as well as limiting access to your profile to family members, friends, teammates, or personal acquaintances.

    Personal Information

    • Publish only the information necessary to maintain communication with other social media users.
    • Ask "what personal information about me do I wish to be available online?" (Once information is online, it is no longer private. Individually, personal facts can seem to not pose a security risk; collectively, these personal facts constitute an individual profile.)
    • Consider the type of information to be posted. For example, do not publish credit card numbers, financial account numbers, or confidential workplace information. Even birthdate information, coupled with a zip code, is often enough to identify someone.

    http://www.reclaimprivacy.org/

    • Remember the importance of personal privacy, either while creating profile information or posting information on a social networking website.
    • Use only private messages (if available) to send personal or sensitive data to responsible persons. Sending sensitive data through social networking websites is not advisable, however, as it is not possible to be sure of the security protection on these websites.
    • Post only general information that you are comfortable sharing with any social networking website member.
    • Do not divulge certain information pertaining to plans, hopes, and goals. This information is often used by social engineering schemes.
    • When uploading a photo, remember to take advantage of security measures that prevent others from copying and making use of the photo. (Before downloading a picture, a user should have concern for the owner of the picture and seek permission to download it, where necessary.)
    • Do not publish private information about other people or the workplace.
    • Divide friends into different lists, such as Family, Friends Outside of Work, Colleagues, etc. (A different level of access can be given to each list.)

    Building up a Relationship

    • Exercise caution when adding a previously unknown friend or joining a new group or page. Before admitting a new person behind a privacy wall, whether a friend-of-a-friend or someone suggested by the social media website, attempt to confirm details about this new person. Find out their relationship to another trusted friend, perform a web search for the person, or use some other way of finding out more about the person.
    • Be conscious of behavior while on a social networking website. Remember to go through the above steps in order to avoid any unpleasantness. (Getting to know people in a virtual environment has many hazards. Although it can be rewarding, such interaction also carries significant risk. The above steps only suggest ways of countering some threats and do not necessarily prevent threats from materializing.)


    Screen Names

    • Choose a screen name (identifying online pseudonym) that does not reveal too much personal information.

    By management

    • Prepare a guideline and training sessions for end users and technology staff on the dangers of phishing and how to handle suspicious e-mails.
    • Develop a section of the agency's website, with a single point of contact, to help citizens verify that an e-mail purportedly sent by your agency is not the product of a phisher.
    • Send information to the general public at regular intervals, reminding them of the existence of individuals who are trying to fraudulently acquire information, and the guidelines on what information should and should not be posted using social media.

    By IT staff

    • Use tools to monitor user behavior so that a check can be made on whether policy is being adhered to.
    • Request the social media website owner to remove certain fields from a government user's page so that the user cannot give out personal information, such as a resume, through the page.
    • Make users aware of the risks involved and give them examples of the types of attack.
    • Make users aware of the acceptable use policy (AUP).
    • Train users in the safe usage of social media websites.
    • Make users aware of what information can be shared and with whom. This includes personal information about individuals.
    • Caution users about divulging private information.
    • Inform users about social engineering.
    • Make users aware of the legal issues.
    • Repeat awareness development and training at regular intervals.


    SPOOFING

    Understanding the Risk

    The term spoofing refers to the practice of developing a website that mirrors a trusted website, but can be used either for identity theft (typically by asking users to send login information for the duplicated website) or to install malware onto the user's computer. Spoofing can be accomplished in two ways: first, by sending a link in an e-mail or social media message; second, by hacking a trusted website, changing its behavior in a way that most users would not notice.

    E-mail spoofing. Clicking a link in a message could cause a malicious webpage that installs malware to be displayed. The webpage sends malicious script to the user's browser. When this happens it is referred to as a drive-by download. It is possible to get a rough idea of where the link is taking a user by looking at the URL. Note that the link that you see does not necessarily take you to that address. To see where the link is taking you, you have to position the mouse cursor over the link. Furthermore, there are services which will take a URL and rename it. This is particularly useful in Twitter posts where the number of characters is limited. TinyURL and bit.ly are examples of URL shortening services. Developed to replace long URLs with short ones, they can also be used by malicious individuals to obscure the actual URL.

    Website spoofing, including social media websites. Even if the website is a legitimate one, it may have been compromised with malicious scripts that will be downloaded to the user's browser when the webpage is displayed.

    Two examples are cross-site scripting (XSS) and cross-site request forgery. Cross-site request forgery is similar in operation to XSS, but allows a hacker to send unauthorized messages to the genuine website accessed by the victim.


    MITIGATING THE RISK OF MALWARE

    E-MAIL ATTACHMENTS

    Understanding the Risks

    Files can be attached to an e-mail message. Similarly, files can be attached to social media messages, such as in Facebook. Attached files could be malware. Once again, the receiver is more likely to open the file if the filename is relevant to the receiver. For example, if an employee of the IBM Center for The Business of Government receives a message with an attachment that looks as though it has come from a co-worker, then the employee is more likely to open it.

    Why Social Media are Vulnerable

    A social media message can have a file attached to it and this could be infected.

    Risk Mitigation Activities

    Because many offices use e-mail to send files, it may not be feasible simply to ban the practice. Short of that fail-safe method to counter this threat, there are measures that end users, managers, and IT staff can take to mitigate this risk.

    By users

    Watch out for messages which require guesswork by the user to determine the subject and sender of the e-mail.

    Exercise caution in opening files attached to e-mails and social media messages.

    By management

    Make a plan documenting security controls and review this plan at regular intervals.

    Decide on the process for handling security issues raised by the general public.


    By IT staff

    Continue with the controls that the government organization already has in place to combat malicious e-mail.

    Connect to the Internet via a Trusted Internet Connection. The U.S. federal government has a Trusted Internet Connection program. These connections offer increased levels of security.

    Take measures to protect the actual PCs used by users.

    Use tools to monitor user behavior so that a check can be made on whether policy is being observed.

    Install the latest web browsers on PCs; they are likely to have better security controls than older browsers.

    Consider storing all communication, if it is technically feasible.

    Make users aware of the risks involved and give them examples of the types of attack.

    Make users aware of the organization's AUP.

    Make users aware of the legal issues.

    Repeat awareness development and training at regular intervals.


    SOCIAL MEDIA WEBSITES

    Understanding the Risk

    With the advent of interactive websites, hackers gained a way to install malware on a user's computer through seemingly innocuous means, sometimes without the user even being aware that their machine was being infected at all. Using any one of a number of technologies (AJAX, Java, and DirectX are examples) and in combination with spoofing or social engineering, hackers can bypass security software and introduce malware.

    Why Social Media are Vulnerable

    Visitors to social media websites do not always know how vulnerable the website is to security breaches. Although a security standard has recently been developed for web application developers to adhere to, it is difficult to know if a particular website is adhering to it or not. The standard is the Application Security Verification Standard, developed by the Open Web Application Security Project. It specifies four levels of security control provision.

    Risk Mitigation Activities

    Threats from websites are emerging all the time, and it can be difficult for end users to keep abreast of all the dangerous websites. Even well-known websites can fall victim to hackers; in fact, the most popular websites are also the most tempting targets due to their large audience. Still, end users, managers, and IT staff all can play a part in reducing this risk.

    By users

    Use a password that is at least 10 characters long and has a mixture of letters, numbers, and symbols. Use a different password for each website, so that if a cybercriminal discovers one password, the user's identity at only one website is compromised.


    Before creating a password, ask "what personal information is available about me online?" (The new password should not contain any of this information. When setting up a password, a website often asks the user to specify security questions and the answers to them. Do not select questions or answers containing personal information available online.)

    Exercise caution when using third-party applications within social media websites.

    By management

    Make a plan that documents the security controls and review this plan at regular intervals.

    Decide on the process for handling security issues raised by the general public.

    Perform a risk assessment. Making use of social media may expose a government organization to new security risks. A risk assessment can analyze these new risks. Consider asking an independent party to give a risk assessment.

    Put all social media products in one of four categories: can be used at work or at home; can only be used at work, i.e., from behind the office firewall; can be used only on certain office PCs, either those that have better security or those that are isolated from the bulk of the office network; or cannot be used anyplace.

    Consider only social media websites that have a responsible attitude toward security. Consider the purpose given for using social media and look into the specifics of the particular website(s) that have been recommended.

    Make a plan to review the security controls implemented by the social media provider.

    Develop an AUP specifying the rules of behavior when using social media. Among other things, this should inform employees and the general public of what information can and cannot be posted on the social media website.

    The Security Operations Center (SOC) of the government organization needs to interact with the security experts of the social media provider. Make the roles and responsibilities of both parties clear. The SOC should ensure that the social media provider is adhering to government policy.

    Ask the social media website provider to make the government organization aware of proposed configuration changes.


    By IT staff

    Continue with the online usage controls that the government organization already has in place to combat rogue websites.

    Connect to the Internet via a Trusted Internet Connection. The U.S. federal government has a Trusted Internet Connection program. These connections offer increased levels of security.

    Take measures to protect the actual user PCs.

    Use tools to monitor user behavior so that a check can be made on whether policy is being adhered to.

    Install the latest web browsers on PCs; they are likely to have better security controls than older browsers.

    Consider storing all communication, if it is technically feasible.

    Decide which websites, or content, users are prohibited from viewing and filter websites accordingly. Many filters on the market have advanced features that can grant different levels of permissions for different users, based on their roles and social media needs.

    Consider using a sandbox, a digital virtual environment, to test new social media websites and applications.

    Consider separating the network used for social media access from the one used for general office use, so as to isolate any security breaches should they occur.

    Consider reaching out to the administrators of social media websites frequented by users in your office, and coordinate with them to encourage strong authentication mechanisms.

    If the government has negotiated a security contract with the social media website owners, then the government organization's SOC should monitor adherence of the website owners to the contract. This includes logging incidents and the speed with which they are addressed.

    Make users aware of the risks involved and give them examples of the types of attack.

    Make users aware of the organization's AUP.

    Make users aware of the legal issues.

    Train users in the safe usage of social media websites.

    Repeat awareness development and training at regular intervals.


    UNSECURED DATA STORAGE DEVICES

    Understanding the Risk

    Even computers and networks that are not connected to the Internet are in danger of being infected by malware through the unwitting use of portable data storage devices, such as the ubiquitous thumb drives. In the most high-profile case, a worm called Stuxnet was transmitted into a closed computer network when someone used an infected thumb drive on an otherwise secure computer. The result was a severely compromised network.

    Why Social Media are Vulnerable

    The availability of small portable data storage devices, such as thumb drives, allows data intended for uploading to social media to be introduced behind the government department's firewall. Further, the drives themselves are often used by more than one person, increasing the likelihood of malware infection and exposing all users to the risks engendered by the least careful.

    Risk Mitigation Activities

    Because of the straightforward nature of the attack, this is as easy to prevent as it is to occur. Through end user behavior or technical activity, data storage devices should simply not be used on computers connected to secured networks.

    By users

    Adhere to the AUP.

    By management

    Make a plan documenting security controls and review this plan at regular intervals.

    Decide on the process for handling security issues raised by the general public.

    Decide on the mobile devices that will be allowed access to PCs.


    ABOUT THE AUTHOR

    Dr. Alan Oxley is a Professor in the Computer and Information Sciences Department (CIS) at Universiti Teknologi PETRONAS. CIS has several staff and graduate students undertaking research in e-government. At the university, Dr. Oxley supervises a number of graduate students, two of whom are conducting research on Web 2.0: one on mash-ups and one on social networking. Oxley is a chartered member of the British Computer Society. He has been an active member, writing a number of articles for the society's publications.

    Dr. Oxley received his Ph.D. in Engineering (thesis title: Computer Assisted Learning of Structural Analysis) from Lancaster University, United Kingdom. He teaches courses on software agents and software architecture and patterns. He recently revamped the software architecture course to make it more relevant to Web 2.0. Dr. Oxley produced the acceptable use policy for the previous university at which he was employed; see the article published in Educause Quarterly 2005, "Formulating a Policy on IT Provision." He has obtained grant funds for computer science research.

    Dr. Oxley has a number of research interests, a key one of which is IT service management. He has written articles and conducted presentations on a variety of topics. Dr. Oxley is currently at work preparing for his role in a 2012 conference.

    Acknowledgment

    The author wishes to thank Rabiu Ibrahim, a graduate research assistant from the Computer and Information Sciences Department at Universiti Teknologi PETRONAS, for his contributions to this report.


    KEY CONTACT INFORMATION

    To contact the author:

    Dr. Alan Oxley, MBCS, CITP, CEng
    Professor
    Computer and Information Sciences Department
    Universiti Teknologi PETRONAS (UTP)
    Bandar Seri Iskandar
    31750 Tronoh
    Perak Darul Ridzuan
    Malaysia
    605-368 7517

    e-mail: alanoxley @ petronas.com.my
    UTP website: www.utp.edu.my/
    Oxley's website: www.utp.edu.my/staff/ex.php?mod=ex&sn=132723


    REPORTS from The IBM Center for The Business of Government

    Assessing the Recovery Act

    Managing Recovery: An Insider's View by G. Edward DeSeve

    Virginia's Implementation of the American Recovery and Reinvestment Act: Forging a New Intergovernmental Partnership by Anne Khademian and Sang Choi

    Collaborating Across Boundaries

    Environmental Collaboration: Lessons Learned About Cross-Boundary Collaborations by Kathryn Bryk Friedman and Kathryn A. Foster

    Managing Innovation Prizes in Government by Luciano Kay

    Conserving Energy and the Environment

    Implementing Sustainability in Federal Agencies: An Early Assessment of President Obama's Executive Order 13514 by Daniel J. Fiorino

    Breaking New Ground: Promoting Environmental and Energy Programs in Local Government by James H. Svara, Anna Read, and Evelina Moulder

    Fostering Transparency and Democracy

    Assessing Public Participation in an Open Government Era: A Review of Federal Agency Plans by Carolyn J. Lukensmeyer, Joe Goldman, and David Stern

    Using Geographic Information Systems to Increase Citizen Engagement by Sukumar Ganapati


    About the IBM Center for The Business of Government

    Through research stipends and events, the IBM Center for The Business of Government stimulates research and facilitates discussion of new approaches to improving the effectiveness of government at the federal, state, local, and international levels.

    About IBM Global Business Services

    With consultants and professional staff in more than 160 countries globally, IBM Global Business Services is the world's largest consulting services organization. IBM Global Business Services provides clients with business process and industry expertise, a deep understanding of technology solutions that address specific industry issues, and the ability to design, build, and run those solutions in a way that delivers bottom-line value. To learn more visit: ibm.com

    For more information:

    Jonathan D. Breul
    Executive Director
    IBM Center for The Business of Government
    600 14th Street NW
    Second Floor
    Washington, DC 20005

    202-551-9342
    website: www.businessofgovernment.org
    e-mail: businessofgovernment@us.ibm.com

    Stay connected with the IBM Center on:

    or send us your name and e-mail to receive our newsletters
