Security Risks in Social Media Technologies: Safe Practices in Public Service Applications
Ebook, 322 pages


About this ebook

Security measures can be used by management, IT staff, and users in participatory/collaborative service provision within the public sector. Security Risks in Social Media Technologies explores this use. Topics are targeted, and issues raised and lessons learnt are analyzed. The book helps the reader understand the risks posed by relevant Web 2.0 applications and gives clear guidance on how to mitigate those risks. The body of the book is concerned with social media, the dominant Web 2.0 technology associated with security in the public sector, and is structured into eight chapters. The first chapter introduces the background for the work; the second covers uses of social media; the third covers relevant security threats; the fourth chapter concerns the security controls applied to the participation-collaboration pattern; the fifth chapter then considers acceptable use practices; the sixth chapter covers participation-collaboration in the context of schools; the seventh chapter shows an alternative way of classifying controls to that given in the fourth chapter; and the final chapter offers a conclusion.
  • Focuses on the security issues of social media, specifically in the public sector
  • Written by a leading researcher and practitioner
  • Shows best practices for mitigating risk in the use of social media
Language: English
Release date: Jul 31, 2013
ISBN: 9781780633800
Author

Alan Oxley

Alan Oxley is Professor of Computer and Information Sciences at Universiti Teknologi PETRONAS in Malaysia. Alan is an all-rounder in Computer Science and has written numerous academic articles and chapters. Recently he was awarded a research stipend by the IBM Center for the Business of Government. The research led to the publication of the report entitled A Best Practices Guide for Mitigating Risk in the Use of Social Media. A considerably more expansive exposition of the topic is presented in this book.


    Book preview

    Security Risks in Social Media Technologies - Alan Oxley

    CHANDOS PUBLISHING SOCIAL MEDIA SERIES

    Security Risks in Social Media Technologies

    Safe practices in public service applications

    Alan Oxley

    Table of Contents

    Cover image

    Title page

    Copyright

    List of figures and tables

    List of abbreviations

    Acknowledgements

    Preface

    About the author

    Introduction

    Chapter 1: Web 2.0 and social media

    Abstract:

    Background

    Web 2.0

    The future of the web

    The future of social media

    Chapter 2: Non-frivolous uses of social media in the public sector

    Abstract:

    The potential of Web 2.0

    The potential of social media

    The potential of wikis

    Example Web 2.0 applications

    Teaching and learning

    The use of social media in emergencies

    Sentiment analysis: finding out opinions

    Uses of Twitter in public service departments

    Discovering applications

    Chapter 3: Security threats to social media technologies

    Abstract:

    Security

    Threats to information systems in the public sector

    The impacts of social media malpractice

    Specific threats: examples and applications

    Chapter 4: Security controls applied to the participation-collaboration pattern

    Abstract:

    Types of security control

    Management security controls

    Technical controls

    Operational security controls

    Governance

    Deciding what security controls are appropriate

    Who is involved in security?

    Chapter 5: Acceptable use practices

    Abstract:

    Reasons for acceptable use policies

    The content of acceptable use policies

    Acceptable use policies for citizens

    Acceptable use policies for public service employees

    Advice for K-12 schools

    Chapter 6: Participation and collaboration in K-12 schools

    Abstract:

    Introduction

    Threats to participation–collaboration in K-12 schools

    Security controls for online media in schools

    Parental participation–collaboration in K-12 schools

    Past research and possible research

    Chapter 7: Mitigating the risks of identity theft and malware

    Abstract:

    Introduction

    Social media sites

    Unsolicited messages, files, and hyperlinks sent by email

    Other threats: thumb drives

    Chapter 8: Conclusion

    Abstract:

    References

    Further reading

    Appendix 1: SharePoint

    Appendix 2: Twitter application programming interfaces

    Appendix 3: Examples of general threats and a control

    Appendix 4: Examples of rogue unsolicited email messages

    Appendix 5: Key terms in secure computing

    Appendix 6: Acceptable use policies for citizens

    Appendix 7: Acceptable use policies for public service employees

    Appendix 8: Products to facilitate parental involvement and engagement in K-12 schools

    Index

    copyright

    Chandos Publishing

    Hexagon House Avenue 4 Station Lane Witney Oxford OX28 4BN UK

    Tel: + 44 (0) 1993 848726 Fax: + 44 (0) 1865 884448

    Email: info@chandospublishing.com

    www.chandospublishing.com

    www.chandospublishingonline.com

    Chandos Publishing is an imprint of Woodhead Publishing Limited

    Woodhead Publishing Limited 80 High Street Sawston Cambridge CB22 3HJ UK

    Tel: + 44 (0) 1223 499140 Fax: + 44 (0) 1223 832819

    www.woodheadpublishing.com

    First published in Great Britain in 2013

    ISBN: 978-1-84334-714-9 (print)

    ISBN: 978-1-78063-380-0 (online)

    Chandos Social Media Series ISSN: 2050–6813 (print) and ISSN: 2050–6821 (online)

    Library of Congress Control Number: 2013939101

    © A. Oxley, 2013

    British Library Cataloguing-in-Publication Data.

    A catalogue record for this book is available from the British Library.

    All rights reserved. No part of this publication may be reproduced, stored in or introduced into a retrieval system, or transmitted, in any form, or by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written permission of the Publishers. This publication may not be lent, resold, hired out or otherwise disposed of by way of trade in any form of binding or cover other than that in which it is published without the prior consent of the Publishers. Any person who does any unauthorised act in relation to this publication may be liable to criminal prosecution and civil claims for damages.

    The Publishers make no representation, express or implied, with regard to the accuracy of the information contained in this publication and cannot accept any legal responsibility or liability for any errors or omissions.

    The material contained in this publication constitutes general guidelines only and does not represent to be advice on any particular matter. No reader or purchaser should act on the basis of material contained in this publication without first taking professional advice appropriate to their particular circumstances. All screenshots in this publication are the copyright of the website owner(s), unless indicated otherwise.

    Typeset by Domex e-Data Pvt. Ltd., India

    Printed in the UK and USA.

    List of figures and tables

    List of abbreviations

    Acknowledgements

    The author wishes to thank the IBM Center for the Business of Government for providing funding for a project directly related to Security Risks in Social Media Technologies.

    Preface

    Security measures can be used by management, IT staff, and users in participatory or collaborative service provision within the public sector. Security Risks in Social Media Technologies explores this issue. Topics are targeted, and issues raised and lessons learned are analyzed. This book helps readers understand the risks posed by Web 2.0 applications and gives clear guidance on how to mitigate those risks. The body of the book is concerned with social media, the dominant Web 2.0 technology associated with security in the public sector. The scope, however, includes more than social networking. Among other things there are wikis, and these are being used in the public service. As an example, the military use wikis. The body of the book comprises three topics, each of which is presented from an international perspective. In particular, reference is made to activities in the USA, Australia, and the UK, where Web 2.0 adoption in public services is receiving a great deal of attention. The first one concerns security controls. The second topic concerns acceptable use policies (AUPs). The third topic concerns the use of social media in schools, where parents are liaising with the school, for example. This book:

    • focuses on the security issues of social media, specifically in the public sector

    • shows the best practices for mitigating risk in the use of social media.

    At the time of writing (early 2013), the author is not aware of any book that focuses on the security issues of social media usage in the public sector.

    Security Risks in Social Media Technologies is written for all those interested in social media technologies, especially in public service applications, including those who are managers, IT staff, social media users, or e-government researchers. The major benefit of these groups reading it is as follows:

    • managers – the explanation of the security issues relevant to usage of social media

    • IT staff – the advice given on how to mitigate risk

    • social media users – the explanation of steps to take to stay safe online

    • e-government researchers – the demonstration with numerous references of current best practice.

    Industry sectors for which Security Risks in Social Media Technologies is intended include government, administrative public sector bodies, schools, and universities.

    The first half of the book explains what Web 2.0 is and how social media can be used for non-frivolous activities in the public sector. The introduction gives a brief description of the background against which the book is set. There has been a call by Barack Obama and leaders of other countries for more transparent participatory public services. This is followed in Chapter 1, Web 2.0 and social media, by a comprehensive discussion of Web 2.0, for which there is no simple definition. A number of architectural patterns have been identified as making up Web 2.0; a key one in the context of this book is the participation–collaboration pattern or harnessing collective intelligence. Social media is a part of Web 2.0 and the various topics that constitute social media are described in turn, including:

    • self-organizing communities of people or social networks

    • wikis, which have much potential; they may be accessible to all or be restricted to certain groups, such as the military

    • file-sharing, such as the sharing of videos on YouTube

    • peer-to-peer architecture, in which a network of home users is formed for copying files.

    After summarizing the meaning and extent of social media, the book then turns to the potential for use of social media in public service applications, giving numerous examples of how social networking can be applied.

    Public sector computer systems are in a constant state of attack, and the second half of the book describes security issues, starting with Chapter 3, Relevant security threats. It looks at a number of issues, including:

    • how secure social media sites are – ordinary users may have difficulty in knowing how vulnerable a particular site is to security breaches

    • social engineering, when an attempt is made to acquire personal information from users fraudulently; making users aware of social engineering is of key importance to maintaining a secure environment

    • the problems and potential dangers of receiving unsolicited messages by email or via a social media site as they might have the purpose of phishing, or might have a hyperlink or a file attached to them that if opened and clicked could cause a malicious web page to be displayed, which may install malware

    • befriending people online – making new friends online increases privacy and security risks

    • problems associated with web applications within social media sites – third-party applications, which include games or tools to provide additional functionality to personalize one’s page.

    Chapter 4 is on security controls. Social media usage may have preceded any risk assessment process as it requires no new technology. The chapter looks at the security controls to be used within an organization, a topic sometimes referred to as operations security. It begins by looking at types of controls, following one standard US classification of controls. The main categories are management controls, technical controls, and operational controls. An example sub-category of management controls is risk assessment, where the risks in using social media are analyzed. Another sub-category is planning. A fundamental requirement of planning is to have a plan that documents the security controls, and to review this plan regularly. The technical controls for social media usage build on those that the public service department already has in place for online usage, to combat malicious email and rogue websites. Example sub-categories of technical controls are system and communications protection, access control, identification and authentication, and audit and accountability. An example sub-category of operational controls is awareness and training. Following this listing of controls, the chapter describes the stages that a public service department should take in prioritizing security controls. Finally the chapter lists some of the main government departments, organizations, bodies, and legal instruments responsible for giving advice, setting guidelines, formulating legislation, and so on. It is not feasible to have a listing for each country, worldwide. Instead a few countries, such as the USA and Australia, have been selected as examples.

    Chapter 5, Acceptable use practices, starts by looking at the reasons for having acceptable use policies (AUPs) for social media usage. Next follows a description of the topics that should be covered in an AUP, including the choice of a social media site, account settings, personal information, building up a relationship, passwords, hyperlinks, web applications within social media sites, opening received files, and screen names. There are two audiences for AUPs in public service applications – citizens and public service employees. Example policies are shown for each audience, coming from a small number of countries, including Australia, the USA, and Canada.

    Chapter 6, Participation–collaboration in K-12 schools, looks at an example public service application – how parents, teachers, and students interact online in K-12 schools. This demonstrates the security issues which teachers and students must contend with, building on the education topics mentioned earlier in the book (for example, threats that are particularly pertinent to schools are described in Chapter 3, Relevant security threats). Many commercial products exist for this example application. Some of those available in the USA and elsewhere are listed. Then there is a discussion of whether or not adequate security controls of these products are in place, or are claimed to be in place.

    Finally, Chapter 7, Mitigating the risks of identity theft and malware, provides an alternative classification of security controls to that given in Chapter 4. In that chapter, the controls are broken down into management, technical, and operational controls; Chapter 7 specifies each threat and then describes the controls applicable to them.

    About the author

    Alan Oxley is a Professor of Computer and Information Sciences at Universiti Teknologi PETRONAS in Malaysia. Alan is an all-rounder in computer science and has written numerous academic articles and chapters. He has expertise in understanding the risks associated with the use of social media and in formulating guidelines to mitigate them. Recently he was awarded a research stipend by the IBM Center for the Business of Government. (The basis for all of the work undertaken by the IBM Center for the Business of Government is to improve the effectiveness of government work. Their reports draw attention to current research and practice and make it generally available. The Center has a Social Media Director, who is currently Gadi Ben-Yehuda.) The author’s research led to the publication of the report A Best Practices Guide for Mitigating Risk in the Use of Social Media (Oxley, 2011). Readers have found the guidelines to be extremely valuable and have incorporated much of the advice into their literature on IT security, including confidentiality. The guidelines have been cited, and Alan’s role as the sole author has been acknowledged. Hyperlinks point to the guidelines and a web page describing his work. Because of his leadership role in the development of guidelines detailing social media risks and controls to mitigate them Alan is well placed to act in the role of advisor on these matters. A considerably more expansive exposition of the topic is presented in Security Risks in Social Media Technologies. Alan currently supervises two PhD students researching into Web 2.0 – one on mash-ups and one on social networking.

    Universiti Teknologi PETRONAS’ Computer and Information Sciences Department has been conducting research into e-government for the last few years. The topics covered include government website quality, measuring e-government service quality, knowledge management in government, and the secure use of social media for citizen participation. The Computer and Information Sciences Department has several staff and graduate students undertaking research in e-government, and Alan supervises a number of graduate students. Alan is a chartered member of the British Computer Society. He has written a number of articles for the society’s publications.

    Alan received his Ph.D. in Engineering (thesis title: Computer Assisted Learning of Structural Analysis) from Lancaster University, UK. He has recently taught courses on computer vision and image processing, software agents, and software architecture and patterns. He recently revamped the software architecture course to make it more relevant to Web 2.0. Alan produced the acceptable use policy for the previous university at which he was employed (Oxley, 2005). He has obtained grant funds for computer science research.

    Alan has a number of research interests, a key one of which is IT service management. He has written articles and conducted presentations on a variety of topics.

    The author can be contacted at:

    Dr. Alan Oxley, MBCS, CITP, CEng

    Professor

    Computer and Information Sciences Department

    Universiti Teknologi PETRONAS

    Bandar Seri Iskandar

    31750 Tronoh

    Perak Darul Ridzuan

    Malaysia

    605–368 7517

    email: alanoxley@petronas.com.my

    Universiti Teknologi PETRONAS website: http://www.utp.edu.my/

    Author’s website: http://www.utp.edu.my/staff/ex.php?mod=ex&sn=132723

    Introduction

    The increased pervasiveness of information and communications technology in our lives has led to a fundamental transformation of how people communicate, and the popularity of social media platforms has contributed to this phenomenon significantly.

    Security Risks in Social Media Technologies explores how security controls (or security measures) can be used by information technology service managers and users in participatory or collaborative service provision within the public sector. A small number of topics are discussed and the issues raised and lessons learned are analyzed. The book describes the risks posed by certain Web 2.0 applications and gives clear guidance on how to mitigate them.

    The term government is used to describe central, state, and local government. The public sector includes government as well as other bodies.

    Several Web 2.0 architectural patterns have been described, for example by Governor, Hinchcliffe, and Nickull (2009). One of them is participation–collaboration or harnessing collective intelligence, which is concerned with self-organizing communities of people and social interactions. It should be noted that the participation–collaboration pattern is not restricted to social media; for example, wikis make use of this pattern. (It is worth pointing out that it is possible to restrict access to a wiki to a certain group of individuals.)

    Many of the web applications that characterize Web 2.0 use this pattern, among others. The online encyclopedia Wikipedia and the video-sharing website YouTube are examples. An alternative title for this book might have been Securing the Participation–Collaboration Pattern in Web 2.0 Public Service Applications.

    The use of social media
