Security / Privacy Advice?
Posted by kdawson from the all-ears dept.
James-NSC writes "My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking. While I was putting it together, I ended up with some miscellaneous information that pertains to security/privacy in general, for example: the emerging ATM skimming (mainly for our European employees), a reminder that email is not private, malware/drive-by in popular search results, etc. Since these topics don't directly relate to the subject I've been asked to address, I've ended up with a section titled 'While I have you...' I'm going to have the mandatory attention of every employee and I thought it would be a great opportunity to give advice on security/privacy issues across the board. As it's an opportunity that one seldom gets, I certainly want to utilize it fully. If you had the attention of an entire company with employees in the US, UK, Asia, and Australia, what security / privacy advice would you give?"
Back it up with a little detail helps. (Score:5, Interesting)
Everyone knows you need a secure password. Now show them the log of the 3k connection attempts to the SSH port that occurred overnight.
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.46.49.199 : 2366 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 user=root : 364 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.116.236.46 user=root : 80 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 : 73 Time(s)
Maybe ask permission to do a live demonstration of a password cracking tool. See how many passwords you can get in 2 minutes. This may be dangerous, though: hide the results and just show the usernames; you don't want to find out who is using the CEO's wife's name as a password.
Really get their attention with some specifics like that.
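As an added example (not from the post above or its author), a small Python script that produces the kind of per-host tally quoted above from raw sshd/PAM auth.log lines: it counts "authentication failure" records by source host and username and renders them in the "N Time(s)" layout; the log lines are constructed samples.

```python
import re
from collections import Counter

# Constructed sample auth.log lines in sshd/PAM format (not from the original post).
SAMPLE_AUTH_LOG = """\
Mar  3 02:11:07 host sshd[4121]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=root
Mar  3 02:11:09 host sshd[4121]: Failed password for root from 203.0.113.5 port 51622 ssh2
Mar  3 02:11:12 host sshd[4125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5
Mar  3 02:11:15 host sshd[4130]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.77 user=root
Mar  3 02:11:20 host sshd[4133]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Mar  3 02:11:22 host sshd[4140]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=root
"""

# Match the PAM failure record; 'user=' is absent when the login name was invalid.
AUTH_FAIL_RE = re.compile(
    r"authentication failure;.*?\brhost=(?P<rhost>\S*)(?: user=(?P<user>\S+))?\s*$"
)

def summarize_auth_failures(log_text):
    """Count PAM 'authentication failure' lines per (rhost, user).

    Only the PAM line is counted, so sshd's matching 'Failed password' line
    is not double-counted. Result is ordered by descending count.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            counts[(m.group("rhost"), m.group("user"))] += 1
    return dict(counts.most_common())

def failures_per_host(log_text):
    """Total failures per source host, regardless of the username tried."""
    per_host = Counter()
    for (rhost, _user), n in summarize_auth_failures(log_text).items():
        per_host[rhost] += n
    return dict(per_host.most_common())

def format_logwatch_style(counts):
    """Render counts in the 'rhost=... user=... : N Time(s)' layout quoted above."""
    lines = []
    for (rhost, user), n in counts.items():
        user_part = f" user={user}" if user else ""
        lines.append(f"authentication failure; tty=ssh ruser= rhost={rhost}{user_part} : {n} Time(s)")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_logwatch_style(summarize_auth_failures(SAMPLE_AUTH_LOG)))
    print("total failed attempts:", sum(failures_per_host(SAMPLE_AUTH_LOG).values()))
```

Pointed at a real /var/log/auth.log, the per-host totals are the "3k attempts overnight" figure for the slide, without exposing any password material.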
Will you share a copy of the presentation? (Score:2, Interesting)
What's the change in policy? (Score:2, Interesting)
What's the actual change in policy that's the main target of your talk? If you're just going to tell them that "you can't hit Facebook from work anymore" or "If you ever blog about the company we'll fire you" then you will have lost your audience already. Anything else you tell them may even be counterproductive because it will be associated with the main negative message you just delivered.
In fact, along the same lines, if someone else decided this policy change (which I'm assuming is not "employee friendly") it may not be in your best interest to do the announcement. If it was a committee decision, then yes you should do it even if you don't agree with it. If it's the lawyers or the CEO or VP etc. cramming it down your throat, then consider, respectfully, asking him, her or them to do the announcement.
As to something you might say / do: consider suggesting that they get a nettop to use for personal business (if you allow such things on your network) and/or perhaps set up a secondary "guest" network that they might use for this purpose. Beyond that, the usual: use a non-IE browser.... make sure you run some sort of virus scanner at home, run Spybot S&D every once in a while... don't ignore https warnings... The ATM thing may be a bit outside the scope of the talk.
Will you tell them the truth? (Score:3, Interesting)
Will you tell them that although no one in IT has the time to monitor email, if an employee pisses off someone in management or HR enough that they become the target of an "investigation", then every stupid little email where an f-bomb was dropped between friends or the hot chicks ta-tas are discussed will suddenly be used as "evidence" of violation of corporate policy and they will be terminated?
Not that it's happened to me - I'm just sayin'...
Re:IT people get security wrong (Score:3, Interesting)
>>>The only thing IT did with their draconian password policy was make work harder for everybody, but there was no way to make them understand that.
Yeah there is.
- "Hello IT."
- "Yes I forgot my password." (i.e. lie)
- "Again? You forgot your password last week too!"
- "Yeah I know but I use three different servers, and your policy makes me have to reset my password about every 10 days. I can't possibly remember all of them when the word keeps changing all the time."
After a couple times of these calls, IT will eventually get the message that their password policy is ridiculous and unworkable for the average worker.
Advice (Score:5, Interesting)
I gave a similar presentation to a smaller group. My advice would be to do a live demonstration on the actual information that one can get from a social networking site. For example, I pulled someone's information from the social networking site, googled them using stuff I learned about them from Facebook, found their email address, home address, and phone number. Using this information I was able to find out friends and family members of theirs, including photos etc. I also found their MySpace page and looked up other social networking, dating, etc. sites. Off of other social networking sites, I started to build a profile in my talk about what type of person this was and also talked about additional things I might be able to gather, if I had malicious intent.
I used this talk as a means to introduce other security related issues such as email encryption, etc. I did not go into any details of those things, but I did introduce them and asked if they would be interested in learning a little more about those topics. People overwhelmingly asked me to do another series of small presentations on additional security topics, as many were shocked at how much information I was able to gather.
Don't put too much on your plate as it will be difficult to focus on your main task and it might not go over too well. Security is a huge issue and every topic cannot be done justice in one presentation. However, if you do your main presentation right, you can get people interested in how it really impacts them.
I hope this helps out a little. Good luck!
None And Then Some (Score:3, Interesting)
"If you had the attention of an entire company...."
I'd tell them I have put together a collection of security/privacy related issues that may or may not relate to things at work but definitely relate to their personal life computer use. But rather than take up more of their time by covering it here and now, I'm going to offer to send it to anyone who wants it. They can request a copy by emailing me at username at domain dot top. Thank you, and have a nice period of planetary rotation.
The bosses will be impressed with the extra work you did and with the fact you let them all get back to work as soon as possible. Everybody will be happy you let them go rather than keep them in the meeting longer. That will improve the probabilities that they'll (1) ask for the supplement and (2) use it, plus (3) remember and use the stuff the company wanted put together. That'll get you a reputation as the IT guy that's tech smart as well as management smart, something that could go a long way towards improving your 'situation'. At least it could go this way, and knowing that before the fact you could use it to your advantage. For instance: convert the supplementary material to a slide show presentation; tell the bosses now that you have put together and are going to offer the extra material, but only as a freebie sent out upon request rather than take up more of the company's valuable time; and just generally present yourself as confident in your technical and managerial skills, both of which you apply for the good of the company, etc., etc.
In other words, don't just give it, use it.
Briefly... (Score:3, Interesting)
Put nothing on-line you wouldn't yell on a street corner.
Re:Mandatory? (Score:2, Interesting)
This is the worst possible advice. It's a presentation, not a seminar. There's nothing more annoying than some blowhard trying desperately to get the audience involved. Present what needs to be presented and be receptive to questions if, when, and as they come. But don't block by trying to dig for responses.
Re:Using social networks in the job? (Score:3, Interesting)
I agree with you to some extent. The place I work is small (somewhere in the 80-100 desktop/laptop range) and did not have any security/internet policies in place whatsoever. We are a subsidiary of a much larger foreign company and they asked us to draft something up. The job fell to me. I considered internet filtering and decided that we should block sites that could possibly cause liability issues for the company. My list? Porn sites, for a few reasons. I figure if someone sees it, there is the possibility of harassment charges. I figure if someone is into kiddie porn there is the potential for all types of problems. A lot of porn sites are malware havens. Hate/Racism/Homophobic sites. Again, as there are people of different ethnic backgrounds at the company and if people are browsing these sites they may feel that the workplace is hostile, possibility of investigations if the person is coordinating the crime at the workplace or something. That is about it. I did cut off streaming video for a while because it was being used a lot and a T1 line for 90 people isn't a heck of a lot of bandwidth, especially when we have guys from offsite transferring files to our network and stuff.
Blocking anything that can be considered non-work related is obnoxious, but there are some things that I feel the company is better off without in the workplace.