This document is just an introduction to the subject, and therefore it is in a “bullet list” format, with a main issue introducing each bullet list.
It was presented on 2008-09-28 (WGAW Registered) as a concept proposal for a chapter on “social networking: security issues”, as part of a wider book on “network security”, but eventually I had to withdraw my concept from consideration.
My original material is published here, with some limited changes, due to the evolution of the subject and to make this posting as self-contained as possible.
A more structured discussion will eventually be available but, due also to the subject (security and securing social networking activities), it is still a work in progress as to what to disclose online in a public forum.
As I already discussed in this blog, my standard approach when publishing potentially contentious material for public consumption online is to discuss with people who can advise what to publish and what not to publish.
Table of contents
1. Introduction: social networking online
issue: the democratization of communication technologies
- Since the late 1980s, interactive communication technologies have become both affordable and easier to use.
- This resulted in a steep increase in the penetration of these technologies beyond the corporate market and across the social and demographic spectrum.
- All the new technologies share a common factor: the skills required to use them can be learned in minutes.
- Be it a mobile phone, an instant messaging tool, a chat or a social networking website, people as young as elementary school children can easily participate.
- Moreover, the language used is streamlined, and this helps equalize differences in education, social standing, or language and communication skills.
- Finally, while previous technologies assumed that users were mainly “consumers” of information provided by communication experts, users are now producing and spreading information that is immediately shared within their own social network.
- Nowadays, social networking is usually associated with online social networks: Facebook, MySpace and others.
- We will adopt a wider perspective, considering any technological communication tool, from mobiles to online websites to instant messaging to information-sharing sites.
- Therefore, we will focus on the security issues related to being part of a social networking environment, whatever medium or tool is used to communicate with the other members of the social network.
- Before analyzing the security issues, a primer on communication channels involved in social
2. Security in a social networking environment
issue: securing a technology
- The normal approach to securing a networking technology is to identify the specific weaknesses and the business purposes the technology will be used for.
- Then it is possible to define rules for accessing and using it, and to monitor that they are followed.
- Further technology and human resources can then be used to enforce these rules, monitor actual use, and audit potential threats, so that improvements can be made to both the technology and its uses.
- All these choices are built around a trade-off between greater security and a reasonable cost and impact on ease of use.
- It is an approach that is sometimes challenging to enforce even in the corporate sector.
- Moreover, it assumes operating in a controlled and controllable, pre-defined environment, on a single communication channel.
- Social networking creates unique challenges on all these elements, as the examples in the next section will show.
issue: why social networking online is different
- outline a typical communication in a social networking context, involving multiple channels without a single, unique centre of control, hence removing the possibility of using the traditional access control approach to security
- summarize the new risks related to the addition of new members to each person’s network, from privacy to identity theft to the unintentional divulging of corporate information; Twitter and Google Maps examples, e.g. in some online social networks, friend or not, you can actually see a Google Map of all the people inside that social network who shared their address online
- highlight how the cost and impact of protection, monitoring, auditing and damage control is greater than the cost of producing the attack, intentional or unintentional; e.g. the mistaken re-run of the United Airlines bankruptcy article, which generated a stock-price dive when a single article was by mistake automatically lifted and re-posted by a major news agency.
issue: technology leaders or technology followers?
- In the 1990s, Lotus Notes, CompuServe and e-mail were among the tools used to build social networking in a corporate environment, creating discussion groups and document-sharing environments; eventually all migrated to the Internet.
- Before MySpace, Twitter and the others, personal social networking online started by expanding the use of e-mail and these communication tools, adding groups to share anything from cooking recipes to book reviews; in Europe, GSM mobiles in the mid-1990s allowed the first multichannel integration, via text messages.
- Users of social networking technologies mix personal and business uses: while this was difficult to control within a common corporate environment, using public communication channels removes any possibility of using the old controlling approaches.
- With users available online most of the time, the priority shifts to the private uses of communication tools.
- Moreover, the longer social networking activities are carried out, the more the communication patterns of their users are influenced: changes in language, attention span, respect for the format and rules appropriate to each communication channel.
As is customary in this blog, here is an example from my personal business experience.
I started delivering the first ICT training to senior non-specialists in mid-1986, while in the Army.
At the time, I could talk, talk, talk for 5-7 minutes or more before I lost a sizeable chunk of people. That was the “attention span” (how long people will listen before they start thinking about something else).
Solution? Whenever I had to deliver a longer argument, I used the blackboard, walking and talking and eliciting interaction from class members, so that the audience kept listening (ok, I used to go to the movies often: this is a reference to the THX sound system commercial :D)
But it was a time when, in Italy, private TV had not yet reached its full, soap-opera-based potential.
When, in the early 1990s, I was delivering training on methodology and associated processes, I saw that a 5-minute attention span was starting to be a stretch, and I had to devise other “tricks of the trade” to keep the audience focused.
But it was still before the videogame and instant-messaging audience really joined the workforce (remember: GSM really started in Italy only in 1995).
Fast forward to mid-2000s: MSN, text messaging, “pinging” on mobile or PCs, Internet, e-mailing, videogames.
A brave new world: with an attention span of 30 seconds.
A not-so-simple issue: if you try to use my old tricks with that attention span, you will probably end up in a straitjacket, or get sued for causing RSI (repetitive strain injury) in the necks of your audience… from following you up and down.
Solution: build a multi-layered argument delivery system.
In English: do not convert your main argument into 30 second bites.
Instead, keep it as the backbone, and build “spots” of 10-20 seconds that reinforce the message.
Because your audience is used to being interrupted every 10-20 seconds.
And even when they are not (e.g. nobody is “pinging” them on Facebook, MSN, or whatever they are using)… they stop to check whether they got a message but simply did not hear the “ping”.
3. Managing security in the XXI Century
issue: a new framework of reference
- People born in the 1980s and after (the so-called “Generation Y”) are used to having communication technology as part of their day-to-day life.
- Until recently, this was true only in developed countries, but it is now spreading worldwide, thanks to mobile communication devices and the Internet.
- Also people who are not used to “pervasive computing” (see chapter XXX) are starting to mimic the approach to technology adopted by younger users.
- The XXI century social networking technologies:
  - are so easy to use and affordable that even children are using them
  - give users the freedom to choose the device or means to communicate with members of their own social network
  - usually the social network is expanded online with unknown people, sometimes only because they are already in somebody else’s social network
  - over time, personal and business social network memberships mix, also in supposedly dedicated social networks (e.g. LinkedIn)
- Overall, there are minimal differences between the technologies used for corporate and private purposes.
- Nonetheless, managing security in communication technologies is usually considered mainly a technological issue, as if employees and other stakeholders had no alternative communication channel.
- Since the “democratization” of technologies in the 1990s, in corporate and institutional environments, whenever the old security approach became a burden, users felt authorized to take the risk and bypass security using private communication technologies.
- Moreover, there are overlapping international regulations and trends (privacy, intellectual property protection, etc.) that create challenges for the online presence of both individuals and corporations.
issue: moving forward – or: making it happen
- If you work in highly specialized and secure environments, you are used to receiving training and common-sense rules before being issued technology.
- But even in those environments, the rules usually struggle to keep pace with technological developments.
- As an example, across Europe few companies have rules on instant messaging; in most cases, the rule is simple: instant messaging is disabled.
- Seemingly a solution, this ignores the availability of instant messaging on mobile phones, smartphones, and other tools.
- The generally suggested approach is to:
  - acknowledge that new technologies and channels will appear constantly; creating personal and corporate rules for social networking can work only if you define general principles
  - consider that anything distributed via social networking, once written, has a life of its own, and quite often cannot be removed from all the channels that could have re-used the material
  - both for personal and corporate uses, choose the channels where you want to be present, and refer to those channels whenever you intervene in other channels that are open to the public (e.g. online social networks, wikis, blogs); it is important that you keep the chosen channels updated
  - depending on your requirements, identify which channels are more critical, and monitor periodically whether information about you is posted on those channels; this can be done now in corporate environments using automated software agents, but in the future these will be available online following a Lego ™ brick approach, becoming usable and affordable
  - assume that any information provided by these channels has to be cross-checked with multiple sources before being used (see Section B for further implications in a corporate environment)
- Social networking is not simply another tool: it is the integration of easy-to-use technologies into everyday life.
- Thanks to the technological advances of the last 20 years, anybody has access to the communication channels.
- The pervasive distribution of these technologies will severely affect the viability of security policies based on the distinction between personal and corporate uses.
- Soon, easy-to-use technologies will allow connecting information across multiple channels (“semantic”).
- A minimal unintended exposure of information will immediately give access to resources that, under the old security policies, would have been controlled and filtered.
- Therefore, securing social networking requires a re-thinking of the traditional approaches.