slidecast ppt

Post on 25-May-2015

Category:

Technology

TRANSCRIPT

1. Web 2.0/Social Networks and Security
By: Sherry Gu
For: ACC626

2. Agenda
Definition of Web 2.0
Magnitude on use of Web 2.0/social networking applications
Impacts of Web 2.0/social networks have on security and security risks
Types of security attacks
Triggers/motivations behind security attacks
Remedies/solutions to security vulnerabilities
Implications for accountants
3. What is Web 2.0?
Web 2.0 Conference
Network as platform: Web 2.0 means managing, understanding and responding to massive amounts of user-generated data in real time
4. Magnitude of Use
For Businesses:
2008 Survey:
18% of companies use blogs
32% of companies use wikis
23% of companies use RSS-feeds
Forrester Research:
Spending on Web 2.0 application: $4.6 billion in 2013
5. Impacts on Security Risks
Control/Detection Risk
Add complexity to the current system (multiple platforms, multiple sources)
Inherent Risk
Interactive nature
Increase in likelihood of leaking confidential data
Statistics:
40% of users attacked by malware and phishing from social networking sites
Ranked as the most serious risk to information security in 2010 by SMBs
60% of companies believed that employee behaviour on social networks could endanger network security
6. XSS Attack
Injecting malicious code into otherwise trusted websites
Gives hackers access to information in the victim's browser
E.g. Samy attack on MySpace
Added Samy as a friend
Added "Samy is my hero" to profile pages
One million friend requests
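The defence against the stored XSS described on this slide is output encoding: user-generated content is escaped at render time so the browser shows it as text rather than running it. The following Node.js example is added here and is not part of the slide deck; the profile fields, the two render functions and the sample payload are all constructed for illustration.

```javascript
// Added example (not from the slides): stored XSS in a profile page and the
// output-encoding defence. All names and data below are constructed.

// Escape the five characters that let user text break out of an HTML text context.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);

// Vulnerable rendering: the user-supplied "about" field is concatenated raw into the page,
// so anything stored there (including a <script> element) is interpreted by visitors' browsers.
function renderProfileVulnerable(profile) {
  return `<h1>${profile.name}</h1><div class="about">${profile.about}</div>`;
}

// Hardened rendering: every untrusted field is HTML-escaped at output time.
// The stored payload is still in the database, but it is displayed as inert text.
function renderProfileSafe(profile) {
  return `<h1>${escapeHtml(profile.name)}</h1><div class="about">${escapeHtml(profile.about)}</div>`;
}

// Crude check used to compare the two renderings: does the HTML contain a script element?
function containsScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample profiles: a benign one and one whose "about" text carries a script tag.
const benign = { name: "Alice", about: "I like audits & controls" };
const hostile = { name: "Mallory", about: "hi <script>alert(1)</script>" };

console.log("vulnerable:", renderProfileVulnerable(hostile)); // script survives
console.log("safe:      ", renderProfileSafe(hostile));       // script shown as text
```

Escaping at output time, in the context where the data is inserted, is what stops the worm-style propagation: the same profile text is stored in both cases, and only the rendering decides whether the browser treats it as markup.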
7. CSRF Attack
Lures users into opening/loading malicious links
Gives the hacker access to applications the user is already authenticated to
Hacker makes undesirable modifications/changes/extractions to those applications
E.g. Gmail
Malicious code created email filters that forward emails to another account
8. Malware/Spyware/Adware
Malware: worms, viruses, Trojans
Examples:
Koobface family malware on YouTube and Facebook
Bebloh Trojan: man-in-the-browser attack
9. Spear Phishing
Targets specific organizations
Seeks unauthorized access to confidential data
Appearance of the sender: a more direct relationship with the victim
Social networks help hackers build a more complete profile of the sender
10. Identity Theft
Researchers from Eurecom
Profile cloning
Cross-site cloning
Authentication problems
11. Triggers/Motivations
Technical nature:
Largely dependent on source code, e.g. AJAX
Open source
Complex scripts and dynamic technology: difficult for protection software to identify malware signatures
12. Triggers/Motivations
Financial Gain
Hack into bank accounts
Sell to buyers in the large underground market
Organized crime/bot recruitment
Web 2.0 applications are: public, open, scalable, anonymous
13. Remedies/Solutions
Employee use policies and education
(balance between flexibility and security)
Strengthen monitoring and reviewing activities: extensive logs and audit trails
Encryption of user data using public and private keys
14. Implications for Accountants
Auditors:
Assess need for risk assessment
Social network/Web 2.0 strategy, policies, and regulatory compliance requirements
Risk assessment
Identify types of risk
Analyze threat potential
Validate risk ratings
Hire IT specialist
ISACA: social media assurance/audit program
15. Conclusion
Heightened security risks
Risk assessment is critical
Policies and procedures