Security Risks in Social Media Technologies: Safe Practices in Public Service Applications
By Alan Oxley
About this ebook
- Focuses on the security issues of social media, specifically in the public sector
- Written by a leading researcher and practitioner
- Shows best practices for mitigating risk in the use of social media
Alan Oxley
Alan Oxley is Professor of Computer and Information Sciences at Universiti Teknologi PETRONAS in Malaysia. Alan is an all-rounder in Computer Science and has written numerous academic articles and chapters. Recently he was awarded a research stipend by the IBM Center for the Business of Government. The research led to the publication of the report entitled A Best Practices Guide for Mitigating Risk in the Use of Social Media. A considerably more expansive exposition of the topic is presented in this book.
Security Risks in Social Media Technologies - Alan Oxley
CHANDOS PUBLISHING SOCIAL MEDIA SERIES
Security Risks in Social Media Technologies
Safe practices in public service applications
Alan Oxley
Table of Contents
Cover image
Title page
Copyright
List of figures and tables
List of abbreviations
Acknowledgements
Preface
About the author
Introduction
Chapter 1: Web 2.0 and social media
Abstract:
Background
Web 2.0
The future of the web
The future of social media
Chapter 2: Non-frivolous uses of social media in the public sector
Abstract:
The potential of Web 2.0
The potential of social media
The potential of wikis
Example Web 2.0 applications
Teaching and learning
The use of social media in emergencies
Sentiment analysis: finding out opinions
Uses of Twitter in public service departments
Discovering applications
Chapter 3: Security threats to social media technologies
Abstract:
Security
Threats to information systems in the public sector
The impacts of social media malpractice
Specific threats: examples and applications
Chapter 4: Security controls applied to the participation-collaboration pattern
Abstract:
Types of security control
Management security controls
Technical controls
Operational security controls
Governance
Deciding what security controls are appropriate
Who is involved in security?
Chapter 5: Acceptable use practices
Abstract:
Reasons for acceptable use policies
The content of acceptable use policies
Acceptable use policies for citizens
Acceptable use policies for public service employees
Advice for K-12 schools
Chapter 6: Participation and collaboration in K-12 schools
Abstract:
Introduction
Threats to participation–collaboration in K-12 schools
Security controls for online media in schools
Parental participation–collaboration in K-12 schools
Past research and possible research
Chapter 7: Mitigating the risks of identity theft and malware
Abstract:
Introduction
Social media sites
Unsolicited messages, files, and hyperlinks sent by email
Other threats: thumb drives
Chapter 8: Conclusion
Abstract:
References
Further reading
Appendix 1: SharePoint
Appendix 2: Twitter application programming interfaces
Appendix 3: Examples of general threats and a control
Appendix 4: Examples of rogue unsolicited email messages
Appendix 5: Key terms in secure computing
Appendix 6: Acceptable use policies for citizens
Appendix 7: Acceptable use policies for public service employees
Appendix 8: Products to facilitate parental involvement and engagement in K-12 schools
Index
Copyright
Chandos Publishing
Hexagon House Avenue 4 Station Lane Witney Oxford OX28 4BN UK
Tel: + 44 (0) 1993 848726 Fax: + 44 (0) 1865 884448
Email: info@chandospublishing.com
www.chandospublishing.com
www.chandospublishingonline.com
Chandos Publishing is an imprint of Woodhead Publishing Limited
Woodhead Publishing Limited 80 High Street Sawston Cambridge CB22 3HJ UK
Tel: + 44 (0) 1223 499140 Fax: + 44 (0) 1223 832819
www.woodheadpublishing.com
First published in Great Britain in 2013
ISBN: 978-1-84334-714-9 (print)
ISBN: 978-1-78063-380-0 (online)
Chandos Social Media Series ISSN: 2050–6813 (print) and ISSN: 2050–6821 (online)
Library of Congress Control Number: 2013939101
© A. Oxley, 2013
British Library Cataloguing-in-Publication Data.
A catalogue record for this book is available from the British Library.
All rights reserved. No part of this publication may be reproduced, stored in or introduced into a retrieval system, or transmitted, in any form, or by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written permission of the Publishers. This publication may not be lent, resold, hired out or otherwise disposed of by way of trade in any form of binding or cover other than that in which it is published without the prior consent of the Publishers. Any person who does any unauthorised act in relation to this publication may be liable to criminal prosecution and civil claims for damages.
The Publishers make no representation, express or implied, with regard to the accuracy of the information contained in this publication and cannot accept any legal responsibility or liability for any errors or omissions.
The material contained in this publication constitutes general guidelines only and does not represent to be advice on any particular matter. No reader or purchaser should act on the basis of material contained in this publication without first taking professional advice appropriate to their particular circumstances. All screenshots in this publication are the copyright of the website owner(s), unless indicated otherwise.
Typeset by Domex e-Data Pvt. Ltd., India
Printed in the UK and USA.
List of figures and tables
List of abbreviations
Acknowledgements
The author wishes to thank the IBM Center for the Business of Government for providing funding for a project directly related to Security Risks in Social Media Technologies.
Preface
Security measures can be used by management, IT staff, and users in participatory or collaborative service provision within the public sector. Security Risks in Social Media Technologies explores this issue. Topics are targeted, and the issues raised and lessons learned are analyzed. This book helps readers understand the risks posed by Web 2.0 applications and gives clear guidance on how to mitigate those risks. The body of the book is concerned with social media, the dominant Web 2.0 technology associated with security in the public sector. The scope, however, includes more than social networking. Among other things there are wikis, and these are being used in the public service. As an example, the military use wikis. The body of the book comprises three topics, each of which is presented from an international perspective. In particular, reference is made to activities in the USA, Australia, and the UK, where Web 2.0 adoption in public services is receiving a great deal of attention. The first topic concerns security controls. The second topic concerns acceptable use policies (AUPs). The third topic concerns the use of social media in schools, where parents are liaising with the school, for example. This book:
focuses on the security issues of social media, specifically in the public sector
shows the best practices for mitigating risk in the use of social media.
At the time of writing (early 2013), the author is not aware of any book that focuses on the security issues of social media usage in the public sector.
Security Risks in Social Media Technologies is written for all those interested in social media technologies, especially in public service applications, including managers, IT staff, social media users, and e-government researchers. The major benefit for each of these groups is as follows:
managers – the explanation of the security issues relevant to usage of social media
IT staff – the advice given on how to mitigate risk
social media users – the explanation of steps to take to stay safe online
e-government researchers – the demonstration with numerous references of current best practice.
Industry sectors for which Security Risks in Social Media Technologies is intended include government, administrative public sector bodies, schools, and universities.
The first half of the book explains what Web 2.0 is and how social media can be used for non-frivolous activities in the public sector. The introduction gives a brief description of the background against which the book is set. There has been a call by Barack Obama and leaders of other countries for more transparent participatory public services. This is followed in Chapter 1, Web 2.0 and social media, by a comprehensive discussion of Web 2.0, for which there is no simple definition. A number of architectural patterns have been identified as making up Web 2.0; a key one in the context of this book is the participation–collaboration pattern or harnessing collective intelligence.
Social media is a part of Web 2.0 and the various topics that constitute social media are described in turn, including:
self-organizing communities of people or social networks
wikis, which have much potential; they may be accessible to all or be restricted to certain groups, such as the military
file-sharing, such as the sharing of videos on YouTube
peer-to-peer architecture, in which a network of home users is formed for copying files.
After summarizing the meaning and extent of social media, the book then turns to the potential for use of social media in public service applications, giving numerous examples of how social networking can be applied.
Public sector computer systems are in a constant state of attack, and the second half of the book describes security issues, starting with Chapter 3, Relevant security threats.
It looks at a number of issues, including:
how secure social media sites are – ordinary users may have difficulty in knowing how vulnerable a particular site is to security breaches
social engineering, when an attempt is made to acquire personal information from users fraudulently; making users aware of social engineering is of key importance to maintaining a secure environment
the problems and potential dangers of receiving unsolicited messages by email or via a social media site, as they might have the purpose of phishing, or might have a hyperlink or a file attached to them that, if opened and clicked, could cause a malicious web page to be displayed, which may install malware
befriending people online – making new friends online increases privacy and security risks
problems associated with web applications within social media sites – third-party applications, which include games or tools to provide additional functionality to personalize one’s page.
Chapter 4 is on security controls. Social media usage may have preceded any risk assessment process as it requires no new technology. The chapter looks at the security controls to be used within an organization, a topic sometimes referred to as operations security.
It begins by looking at types of controls, following one standard US classification of controls. The main categories are management controls, technical controls, and operational controls. An example sub-category of management controls is risk assessment, where the risks in using social media are analyzed. Another sub-category is planning. A fundamental requirement of planning is to have a plan that documents the security controls, and to review this plan regularly. The technical controls for social media usage build on those that the public service department already has in place for online usage, to combat malicious email and rogue websites. Example sub-categories of technical controls are system and communications protection, access control, identification and authentication, and audit and accountability. An example sub-category of operational controls is awareness and training. Following this listing of controls, the chapter describes the stages that a public service department should take in prioritizing security controls. Finally the chapter lists some of the main government departments, organizations, bodies, and legal instruments responsible for giving advice, setting guidelines, formulating legislation, and so on. It is not feasible to have a listing for each country, worldwide. Instead a few countries, such as the USA and Australia, have been selected as examples.
Chapter 5, Acceptable use practices, starts by looking at the reasons for having acceptable use policies (AUPs) for social media usage. Next follows a description of the topics that should be covered in an AUP, including the choice of a social media site, account settings, personal information, building up a relationship, passwords, hyperlinks, web applications within social media sites, opening received files, and screen names. There are two audiences for AUPs in public service applications – citizens and public service employees. Example policies are shown for each audience, coming from a small number of countries, including Australia, the USA, and Canada.
Chapter 6, Participation–collaboration in K-12 schools, looks at an example public service application – how parents, teachers, and students interact online in K-12 schools. This demonstrates the security issues which teachers and students must contend with, building on the education topics mentioned earlier in the book (for example, threats that are particularly pertinent to schools are described in Chapter 3, Relevant security threats). Many commercial products exist for this example application. Some of those available in the USA and elsewhere are listed. Then there is a discussion of whether or not adequate security controls for these products are in place, or are claimed to be in place.
Finally, Chapter 7, Mitigating the risks of identity theft and malware, provides an alternative classification of security controls to that given in Chapter 4. In that chapter, the controls are broken down into management, technical, and operational controls; Chapter 7 specifies each threat and then describes the controls applicable to it.
About the author
Alan Oxley is a Professor of Computer and Information Sciences at Universiti Teknologi PETRONAS in Malaysia. Alan is an all-rounder in computer science and has written numerous academic articles and chapters. He has expertise in understanding the risks associated with the use of social media and in formulating guidelines to mitigate them. Recently he was awarded a research stipend by the IBM Center for the Business of Government. (The basis for all of the work undertaken by the IBM Center for the Business of Government is to improve the effectiveness of government work. Their reports draw attention to current research and practice and make it generally available. The Center has a Social Media Director, who is currently Gadi Ben-Yehuda.) The author’s research led to the publication of the report A Best Practices Guide for Mitigating Risk in the Use of Social Media (Oxley, 2011). Readers have found the guidelines to be extremely valuable and have incorporated much of the advice into their literature on IT security, including confidentiality. The guidelines have been cited, and Alan’s role as the sole author has been acknowledged. Hyperlinks point to the guidelines and a web page describing his work. Because of his leadership role in the development of guidelines detailing social media risks and controls to mitigate them Alan is well placed to act in the role of advisor on these matters. A considerably more expansive exposition of the topic is presented in Security Risks in Social Media Technologies. Alan currently supervises two PhD students researching into Web 2.0 – one on mash-ups and one on social networking.
Universiti Teknologi PETRONAS’ Computer and Information Sciences Department has been conducting research into e-government for the last few years. The topics covered include government website quality, measuring e-government service quality, knowledge management in government, and the secure use of social media for citizen participation. The Computer and Information Sciences Department has several staff and graduate students undertaking research in e-government, and Alan supervises a number of graduate students. Alan is a chartered member of the British Computer Society. He has written a number of articles for the society’s publications.
Alan received his Ph.D. in Engineering (thesis title: Computer Assisted Learning of Structural Analysis) from Lancaster University, UK. He has recently taught courses on computer vision and image processing, software agents, and software architecture and patterns. He recently revamped the software architecture course to make it more relevant to Web 2.0. Alan produced the acceptable use policy for the previous university at which he was employed (Oxley, 2005). He has obtained grant funds for computer science research.
Alan has a number of research interests, a key one of which is IT service management. He has written articles and conducted presentations on a variety of topics.
The author can be contacted at:
Dr. Alan Oxley, MBCS, CITP, CEng
Professor
Computer and Information Sciences Department
Universiti Teknologi PETRONAS
Bandar Seri Iskandar
31750 Tronoh
Perak Darul Ridzuan
Malaysia
605–368 7517
email: alanoxley@petronas.com.my
Universiti Teknologi PETRONAS website: http://www.utp.edu.my/
Author’s website: http://www.utp.edu.my/staff/ex.php?mod=ex&sn=132723
Introduction
The increased pervasiveness of information and communications technology in our lives has led to a fundamental transformation of how people communicate, and the popularity of social media platforms has contributed to this phenomenon significantly.
Security Risks in Social Media Technologies explores how security controls (or security measures) can be used by information technology service managers and users in participatory or collaborative service provision within the public sector. A small number of topics are discussed and the issues raised and lessons learned are analyzed. The book describes the risks posed by certain Web 2.0 applications and gives clear guidance on how to mitigate them.
The term government is used to describe central, state, and local government. The public sector includes government as well as other bodies.
Several Web 2.0 architectural patterns have been described, for example by Governor, Hinchcliffe, and Nickull (2009). One of them is participation–collaboration or harnessing collective intelligence, which is concerned with self-organizing communities of people and social interactions. It should be noted that the participation–collaboration pattern is not restricted to social media; for example, wikis make use of this pattern. (It is worth pointing out that it is possible to restrict access to a wiki to a certain group of individuals.)
Many of the web applications that characterize Web 2.0 use this pattern, among others. The online encyclopedia Wikipedia and the video-sharing website YouTube are examples. An alternative title for this book might have been Securing the Participation–Collaboration Pattern in Web 2.0 Public Service Applications.
The use of social media