Security / Privacy Advice?
James-NSC writes "My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking. While I was putting it together, I ended up with some miscellaneous information that pertains to security/privacy in general, for example: the emerging ATM skimming (mainly for our European employees), a reminder that email is not private, malware/drive-by in popular search results, etc. Since these topics don't directly relate to the subject I've been asked to address, I've ended up with a section titled 'While I have you...' I'm going to have the mandatory attention of every employee and I thought it would be a great opportunity to give advice on security/privacy issues across the board. As it's an opportunity that one seldom gets, I certainly want to utilize it fully. If you had the attention of an entire company with employees in the US, UK, Asia, and Australia, what security / privacy advice would you give?"
Closing the basement shades will do wonders on the privacy front.
No, you're going to have the mandatory presence of every employee. And unless you make the talk riveting, every second of unnecessary content will make them despise you more.
You don't have to be a comedian, you just need to make sure that your audience is attentive and taking in what you are saying - so - make it funny and have the jokes the things you want people to remember.
that and tell them to be paranoid "if it seems dodgy, it probably is!"
A Tale of 2 idle hands
Well, for one thing, that Nigerian Prince who emailed you really isn't sending you any money.
Too busy leaking private info on my crackberry.
When you have a captive audience, the temptation is nearly irresistible to force-feed them something they wouldn't willingly listen to. Put yourself in their place. Don't say anything that you would resent being forced to sit through. Keep it short and jargon-free, and lighten up if possible.
And only Clippy.
Secure the PC & software you're going to use in the presentation, just to keep pranksters or jealous peers from having fun at your expense. Terribly embarrassing to give a talk on security while boobies are flashing on the screen behind you.
I'm not really a web designer, I just play one on the Internet.
"I'm going to have the mandatory attention of every employee and ..."
Wrong. You are going to have the mandatory presence of every employee, but their attention is something you will have to earn.
"If you wouldn't expose your wang to your co-workers at the water cooler, don't do it online"
Monstar L
on the security and privacy concerns relating to social networking
I'm a little confused here: are the employees of your company using social networks at work? If so, why on earth don't you block access to these sites? /. at work
Note to myself: don't use
Slashdot is no longer what it was!
Educating your users is useful. You'll probably do a good job. Tell them not to download and install anything "fun" for Windows.
I find that IT people get security wrong far more often than users, though I'm used to working with sophisticated users. IT people set up security that's needlessly inconvenient. The users then spend their time circumventing that security to get their work done. Users do things like writing their password down on a post-it, using Skype, setting up logmein.com on their PC, or posting a document on a public site. They do this because IT forces elaborate password schemes and won't support remote logins or other external communications.
IT needs to be responsive to user needs for security to work right in an organization.
explain to them that's MY FREAKIN BACON SANDWICH in the fridge! I had my NAME ON IT!!
Farkin' lunch thieves...
Tell them how to look out for individuals within the company that may be involved in corporate espionage and point out key characteristics of suspects:
Unexplained Affluence - they have more money than you would expect from their job/life.
Undue Interest - they show up in your department asking questions but have no work-related purpose.
Affiliation - they express low affiliation with the company, or high affiliation with other interests.
Work Issues - they are not happy with their work or feel that they have not been treated fairly.
Questionable Contacts - they associate with or are in contact with persons of competing firms or interests.
Note that depending on your specific industry and company, security discussion of this level may require more than a few minutes.
My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking.
Correct me if I'm wrong but that just sounds to me like your employer is going to start blocking Facebook, Myspace, Youtube, private email, and possibly everything else your filtering software classifies as social networking. Or at least a prelude to this.
If I'm right, the only opportunity you're being given here is to become the public face of a very unpopular move. Adding a lecture on security to this will only irritate people who'll be thinking "Well it's not going to matter anyway once it's blocked". It's going to be very difficult to come across as anything but condescending. People are quite likely to associate the decision with you personally. Your aim should be to stay brief and informative, not to "utilize" the opportunity, because it's an opportunity for social suicide. Ideally this should have been undertaken by email, been short and been to the point.
These posts express my own personal views, not those of my employer
I'd go with a reminder that nothing you do at work is private, rather than just e-mail.
or at least mind-numbing forgetfulness.
It should generally be remembered that use of the Internet is nonsecure and suspect.
Lots of people will forget, because they are tired, pushed, harangued, or pissed off at their boss or coworkers.
Trying to instill constant vigilant attitudes will be REAL tough.
Maybe Browser pop-ups reminding employees of the latest intrusion or hazard of the day is not so bad as a reminder. (Please no bricks) If I was to design a popup, it would be a one liner with a link for more info. and the popup would disappear after 5 seconds on its own.
Everyone knows you need a secure password. Now show them the log of the 3k connection attempts to the SSH port that occurred overnight.
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.46.49.199 : 2366 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 user=root : 364 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.116.236.46 user=root : 80 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 : 73 Time(s)
Maybe ask permission to do a live demonstration of a password cracking tool. See how many passwords you can get in 2 minutes. This may be dangerous though, hide the results, just show the usernames, you don't want to find out who is using the CEO's wife's name as a password.
Really get their attention with some specifics like that.
The previous comments are only true, if no-one says they're wrong.
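The "show them the log" idea above works better if the numbers come from something repeatable. The following is an added example, not code from the poster: a small Python script that parses logwatch-style PAM summary lines of the form shown in the post (the four lines above plus a constructed low-count line from a hypothetical internal host, 10.0.0.7 / alice, so the difference between an attack and normal noise is visible), merges the per-host counts, and flags the sources that exceed a threshold. The threshold value of 50 is an assumption for the demo, not a recommendation.

```python
import re
from collections import defaultdict

# Constructed sample: the four summary lines quoted in the post above, the
# "Unknown Entries:" header, and one extra line (10.0.0.7 / alice) invented
# here to represent ordinary typo-level noise from an internal host.
SAMPLE_LOG = """\
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.46.49.199 : 2366 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 user=root : 364 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.116.236.46 user=root : 80 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 : 73 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7 user=alice : 3 Time(s)
"""

# One summary line: "... rhost=<ip> [user=<name>] : <n> Time(s)".  The user=
# field is absent when PAM could not map the attempted login to a local account.
LINE_RE = re.compile(
    r"authentication failure;.*?rhost=(?P<host>\S+)"
    r"(?:\s+user=(?P<user>\S+))?\s*:\s*(?P<count>\d+)\s+Time\(s\)"
)


def parse_summary(text):
    """Return one dict per matching line; headers and unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        records.append({
            "host": m.group("host"),
            "user": m.group("user"),        # None when there was no user= field
            "count": int(m.group("count")),
        })
    return records


def failures_per_host(records):
    """Sum attempts per source address, merging the with- and without-user lines."""
    totals = defaultdict(int)
    for r in records:
        totals[r["host"]] += r["count"]
    return dict(totals)


def attempts_on_user(records, user):
    """Total attempts that targeted one specific account (e.g. root)."""
    return sum(r["count"] for r in records if r["user"] == user)


def flag_brute_force(records, threshold=50):
    """Hosts whose failure count exceeds the threshold, worst offender first."""
    totals = failures_per_host(records)
    flagged = [(h, n) for h, n in totals.items() if n > threshold]
    return sorted(flagged, key=lambda hn: hn[1], reverse=True)


def report(text, threshold=50):
    """The three numbers a slide needs: total attempts, root-targeted attempts, top offenders."""
    records = parse_summary(text)
    return {
        "total_attempts": sum(r["count"] for r in records),
        "root_attempts": attempts_on_user(records, "root"),
        "flagged_hosts": flag_brute_force(records, threshold),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the one internal host stays below the threshold while the three external addresses are ranked by volume; the same script run over a real nightly logwatch mail gives you the slide without hand-editing anything.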
If you are going to cover Ass To Mouth, why bother skimming it?
With Closed Source software, it has been shown time and again that you don't always know what it will do beyond its stated and obvious functions. Windows Genuine Advantage, for example, has been shown to store and send out more information than Microsoft has stated. Other closed source software has been shown to do similar things as well. Ultimately, the software for which source code is not openly available (and which is often encrypted to avoid disassembly or other analysis) simply cannot be checked or verified the way Open Source software can. And while the vast majority of apps do actually behave, you still have to understand that each program is a "black box" and you simply have to "trust" it. With Open Source software, this is much less the case.
The lesson here isn't necessarily that everyone should use only Open Source software either. The lesson is that adequate suspicion and caution should be exercised when installing software onto a computer keeping in mind various factors. Such factors might include how much it is needed versus how good its reputation may be. People tend to put more trust into strange software than they would a stranger asking to have access into their computer system and this is rather strange. When installing strange software into a computer system, it is actually worse in many ways to having someone personally and directly have free access into your computer system. It is important to remind everyone what it is they are granting access to when they install strange software that is, in the end, "a black box."
Like the animal kingdom, if it looks interesting and has lots of bright colors, it is probably deadly. Stay away.
Don't post anything online that you wouldn't want your grandmother, pastor and organized criminals to see. Or, don't post anything that shows anything you wouldn't want your pre-teen daughter to be doing.
Terms of service change on a whim. There is no such thing as online privacy. The internet never forgets. Don't trust the delete key. Don't say in e-mail what you wouldn't be willing to say to someone's face -- in public.
Learn what BCC is in e-mail. Never use multiple TO or CC to anyone outside the company, as it can expose a great deal of internal e-mail addresses.
Learning HOW to think is more important than learning WHAT to think.
And where that trails off and the gray area begins, go back to that same rules and regulations compendium and glean appropriate behavior and confidentiality employee agreements to remind people what is acceptable and what is not.
It's a rare situation that has employees actively working and conducting business in various locations and stages of production where they are exempt from the rules and regulations that govern safety, access and distribution of proprietary information, asset security and liability. When in doubt, employees are encouraged to seek out their immediate supervisor or manager and share case-by case situations that fall outside of established guidelines.
While this puts more burden on the rules to list what is appropriate and what isn't, the "employee handbook" can become a living document that grows as procedures change and situations require amended courses of action.
I'd also suggest incorporating a policy revision or review process, where the common employee can affect change through communication to an individual or department that can highlight a policy or procedure that is incomplete or inaccurate.
In the end, the Company is seen as less infallible and more adaptive, the management that executive or owners rely on to get things done are better empowered to merge effort with Company expectations.
If your company has branches in all of those regions, chances are there are quite a few people in the crowds that feel their time is worth far more than yours. I would create a supplemental handout / electronic document rather than discussing points that aren't in the exact scope of what you've been asked to discuss. Speak specifically about social networks. Provide literature about your other concerns.
Keep it short, keep it simple. And don't stray off the topic. And you might want to have a handout of the key points.
Nothing says Commitment to Quality like deciding that 40 minutes is the right length of time for an important lesson, then assigning someone else to creating the lesson content.
As others have noted, people are already going to be surly about a mandatory meeting. For those people who actually use social networks, they're going to be surly about whatever restrictions your company has decided on. You can buy a bit of forgiveness by letting them out early. It might seem like you're passing on a golden opportunity, but trying to cram in additional content is doomed. They start surly. You'll be 30 minutes in and they'll be zoning out. It's a hostile audience, and little, if anything, you say will stick with them. If it's obvious you've jumped to seemingly optional topics, (which is what "While I have you" says), you'll lose the rest.
You've been ordered to push a boulder half-way up a hill. It's doomed to roll back down the moment you're done. Don't make extra work for yourself by uselessly pushing it all the way to the top.
If you do it naked no matter how dull the content it will be an event they shall all long remember!
Quack, quack.
It would save some of us the trouble of putting similar material together if you could post the presentation somewhere.
One thing that a lot of people don't think about when discussing privacy, especially in social networking, is the topic of who the customer truly is. With free services online, the true customer is almost always the advertisers, and the product being sold is usually user information. http://www.weourfamily.com/blog/who_is_the_customer.jsp
What's the actual change in policy that's the main target of your talk ? If you're just going to tell them that "you can't hit Facebook from work anymore" or "If you ever blog about the company we'll fire you" then you will have lost your audience already. Anything else you tell them may even be counter productive because it will be associated with the main negative message you just delivered.
In fact, along the same lines, if someone else decided this policy change (which i'm assuming is not "employee friendly") it may not be in your best interest to do the announcement. If it was a committee decision, then yes you should do it even if you don't agree with it. If it's the lawyers or the CEO or VP etc. cramming it down your throat, then consider, respectfully, asking him, her or them to do the announcement.
As to something you might say / do: consider suggesting that they get a nettop to use for personal business (if you allow such things on your network) and/or perhaps set up a secondary "guest" network that they might use for this purpose. Beyond that, the usual: use a non-IE browser.... make sure you run some sort of virus scanner at home, run Spybot S&D every once in a while... don't ignore https warnings... The ATM thing may be a bit outside the scope of the talk.
Are you part of the security team? If not, perhaps this is more the domain of your security guys than yourself. I'd also get the buy in of HR. As with most policy changes (especially ones with a reprimand) you gotta make sure HR is on side. Legal for good measure too - ie are you asking something which is illegal of the employee? I know its a stretch, but CYA.
Will you tell them that although no one in IT has the time to monitor email, if an employee pisses off someone in management or HR enough that they become the target of an "investigation", then every stupid little email where an f-bomb was dropped between friends or the hot chicks ta-tas are discussed will suddenly be used as "evidence" of violation of corporate policy and they will be terminated?
Not that it's happened to me - I'm just sayin'...
see subject
This is an excellent time - since I have your captive attention - to point out that you were asked to present on a specific topic. What you are proposing is that you will provide a rose garden when all you were asked to deliver was a shrubbery. Don't make the mistake of thinking that these other topics, no matter how tertiarily related, will endear you to your audience or your manager. That said, I would find ways of incorporating some of them in the "effect of..." being a victim of social networking scams, schemes, malware, etc., etc. Much better than dropping more info in their laps at the end, when they probably won't be able to put two and two together and see how they are related. By the way, once you learn to deliver what has been asked for, not only your manager but you will be much happier. Find other ways to get what you want. It's a skill; so learn it. See what I did and didn't do there?
I always tell our new starters not to share or write down passwords. Of course some of them will - generally the higher paid ones. At least this way we have tried and they can't claim that they didn't know because nobody ever reads the policy documents!
I'll see your Constitution and raise you a Queen.
There is some free security awareness content available at http://go.microsoft.com/?linkid=9685199 that includes a complete presentation you could use.
I'm curious to know more:
Are your employers interested in changing/developing a policy for use of social network sites whilst at work, or are they interested in developing a policy regarding use of social network sites to discuss any matters related to the company?
I find it a terribly disappointing trend that companies are leaning more towards controlling their employees both inside and outside of the workplace. If it's the latter, surely it amounts to censorship and is very disturbing.
I would hope that your company is an excellent place to work and are confident enough to allow their employees to sound off about any practices. I would hope that there are enough effective avenues within the company to allow employees to be able to point out issues and to have them resolved such that if an employee does sound off on a social network then others will be able to point out in public that the individual is wrong.
I would hope that your company and all companies realise that their best asset and advertisement is the employees that work there. If they are happy, people will want to work there or buy their products.
If not then surely the company is (a) cutting its own throat (b) deserves the public ridicule.
I gave a similar presentation to a smaller group. My advice would be to do a live demonstration on the actual information that one can get from a social networking site. For example, I pulled someone's information from the social networking site, googled them using stuff I learned about them from Facebook, found their email address, home address, and phone number. Using this information I was able to find out friends and family members of theirs, including photos etc. I also found their MySpace page and looked up other social networking, dating, etc. sites. Off of other social networking sites, I started to build a profile in my talk about what type of person this was and also talked about additional things I might be able to gather, if I had malicious intent.
I used this talk as a means to introduce other security related issues such as email encryption, etc. I did not go into any details of those things, but I did introduce them and asked if they would be interested in learning a little more about those topics. People overwhelmingly asked me to do another series of small presentations on additional security topics, as many were shocked at how much information I was able to gather.
Don't put too much on your plate as it will be difficult to focus on your main task and it might not go over too well. Security is a huge issue and every topic cannot be done justice in one presentation. However, if you do your main presentation right, you can get people interested in how it really impacts them.
I hope this helps out a little. Good luck!
"If you had the attention of an entire company...."
I'd tell them I have put together a collection of security/privacy related issues that may or may not relate to things at work but definitely relate to their personal life computer use. But rather than take up more of their time by covering it here and now, I'm going to offer to send it to anyone who wants it. They can request a copy by emailing me at username at domain dot top. Thank you, and have a nice period of planetary rotation.
The bosses will be impressed with the extra work you did and with the fact you let them all get back to work as soon as possible. Everybody will be happy you let them go rather than keep them in the meeting longer. That will improve the probabilities that they'll (1) ask for the supplement and (2) use it, plus (3) remember and use the stuff the company wanted put together. That'll get you a reputation as the IT guy that's tech smart as well as management smart, something that could go a long way towards improving your 'situation'. At least it could go this way, and knowing that before the fact you could use it to your advantage. For instance: convert the supplementary material to a slide show presentation; tell the bosses now that you have put together and are going to offer the extra material, but only as a freebie sent out upon request rather than take up more of the company's valuable time; and just generally present yourself as confident in your technical and managerial skills, both of which you apply for the good of the company, etc., etc.
In other words, don't just give it, use it.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
ccleaner is pretty 31337 for clearing up. Oh and do not forget the option to wipe free space.
All cows eat grass!
People tend not to listen to things that they're not interested in, so you need to make them interested. Come up with a real world example of how a normal person (like them) fell into one of the many traps on the internet (malware, phishing, you name it), got their info stolen, and wound up with a nightmare on their hands. You don't want to make it too intimidating, but give them a sense that it *CAN* happen to them. That way, they'll be interested in what you have to say, for their own good, as well as that of the company.
Resist the temptation. It's always a bad idea. That's why you seldom get the opportunity.
Put a lot of stuff from failblog on there. It keeps the attention of the idiots.
Do not do that. Stay on topic.
You are supposed to cover a topic. Cover it. If you have a hobby horse to ride, you should give a good presentation on what you've been asked to present on, and nothing else. If the issues you want to ride come up in Q/A, you can address them very briefly, but stay on topic.
If you ever want to get asked to talk in depth about your hobby horse(s), you will do a good job on the topic you have been told to present on, and not look like some schmuck who can't keep on point in presentations by having the thing wander all over the map.
Also, anything you add at the end will tend to push the information you were intended to communicate out of their heads entirely, and trivialize it for your audience, so you should think twice about that. If your management is there (you said everyone would be), it will do the same for them, and they aren't going to think you've covered what they told you to at all well, and that your whole talk wandered, even if it only wandered at the end.
-- Terry
I have given this some thought. I would tell your employees to have a wonderful social life. Engage in Twitter, TPB, politics. Normal slander rules apply such as in Germany, England or wherever you are located.
HR should be don't ask, don't tell policy. If they do porn at night and end up on CNN, that could happen to anyone, its not a companies business other than normal company-image / chance-for-promotion type stuff.
The internet is just a bigger megaphone, not a new type of megaphone...
One thing about security is that people always take shortcuts, and one of the main outcomes of this is that data gets lost when it should never have been copied in the first place. A key example of this is when consultants take a copy of a database so that they can create a program to access the data. They don't need the data, they just need the schema. Get this into people's heads (think 'least necessary information' rather than 'easiest command') and it wouldn't matter how poorly your consultant handles your data, because they can't lose any of it.
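What "give them the schema, not the data" looks like in practice, as an added example that is not the poster's code: a Python script (standard library only, using SQLite) that builds a small constructed source database with hypothetical customer rows, then produces a copy that carries every table, index, view and trigger definition from sqlite_master but not a single row. The table and column names are invented for the demo; the same idea with a server database is the vendor's schema-only dump option.

```python
import os
import sqlite3
import tempfile


def build_sample_db(path):
    """Create a constructed 'production' database: schema plus a few sensitive rows.
    The data here is invented for the example."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE customers (
            id    INTEGER PRIMARY KEY,
            email TEXT NOT NULL UNIQUE,
            ssn   TEXT
        );
        CREATE INDEX idx_customers_email ON customers(email);
        CREATE VIEW customer_emails AS SELECT id, email FROM customers;
        INSERT INTO customers(email, ssn) VALUES ('ann@example.com', '000-00-0001');
        INSERT INTO customers(email, ssn) VALUES ('bob@example.com', '000-00-0002');
    """)
    conn.commit()
    conn.close()


def schema_only_copy(src_path, dst_path):
    """Replay the DDL of every user object into a fresh database; no INSERTs ever run.
    sqlite_master is read in creation (rowid) order so views follow their tables.
    Returns the number of DDL statements replayed."""
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(dst_path)
    ddl_rows = src.execute(
        "SELECT sql FROM sqlite_master "
        "WHERE sql IS NOT NULL AND name NOT LIKE 'sqlite_%' "
        "ORDER BY rowid"
    ).fetchall()
    for (ddl,) in ddl_rows:
        dst.execute(ddl)
    dst.commit()
    src.close()
    dst.close()
    return len(ddl_rows)


def row_counts(path):
    """Row count per user table, used to prove the copy is empty."""
    conn = sqlite3.connect(path)
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"
    )]
    counts = {t: conn.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
              for t in tables}
    conn.close()
    return counts


def object_names(path):
    """Names of all user-defined tables, indexes, views and triggers."""
    conn = sqlite3.connect(path)
    names = {r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type IN ('table', 'index', 'view', 'trigger') "
        "AND name NOT LIKE 'sqlite_%'"
    )}
    conn.close()
    return names


def demo():
    """Build the source, make the consultant copy, and report what each contains."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "prod.db")
        dst = os.path.join(workdir, "for_consultant.db")
        build_sample_db(src)
        ddl_count = schema_only_copy(src, dst)
        return {
            "ddl_statements": ddl_count,
            "source_rows": row_counts(src),
            "copy_rows": row_counts(dst),
            "copy_objects": object_names(dst),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The consultant's copy has the same tables, indexes and views to develop against, and if that file is lost on a laptop or a USB stick nothing of value leaves with it.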
Sounds like they are going for a more nuanced approach (and should be applauded for doing so). If they were going to cut it off a simple email would be explanation enough.
I used to work for a Fortune 10 company. They did surveys to see where we could improve internally. When the results were released, management would create (or pay to have made) an 8 hour training session. At the end, they would explain what happened. We complained, and were punished. They would report the training was a success and that if we complained again next year, we'd take the *same* course. Another 8 hours of mandatory non-work.
They would solicit for people to help drive the training sessions because they "had to be at an off site meeting", no doubt a golf course or Hooters or something.
Management got off free, and got bonuses for having the training handled, the employees were beaten into not complaining again.
My mom says I'm cool.
Focus on your assignment. The Security department can use the other material for newsletters.
You'll ... never ... have ... me!
(a la Lost Highway when the blonde version of Patricia Arquette enters the mysterious man's shack after it imploded back to a standing structure)
Many free websites, including social networking websites, use Ruby On Rails as a backend, which has been shown to facilitate the spread of viruses.
According to Symantec, there have been skyrocketing rates of virus infections ever since websites like MySpace became popular.
Other than that? Well, tell lots of good stories.
If it's not *specific* company policy, then don't say a word.
1. Because no good deed goes unpunished.
2. Humans are incredibly stubborn. Informing them of risks with almost no career consequences AND they'll probably do anyway will be mostly wasted breath.
3. Sharing remotely related information is not the purpose of the meeting. I have an idea, have the meeting finish on time or early. Incredible, right? It's amazing what happens when people respect the boundaries established by the meeting time.
I would take the advice and put it on paper, (no corporate letterhead) and call it 'helpful information.' End the meeting by announcing it as a 'bonus gift!' Interested people will take one. Publish a PDF for the international people.
Put nothing on-line you wouldn't yell on a street corner.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Never write anything on any media. Ever.
Keep it short and simple, something like "You are going to get denied. If you find you are able to circumvent our security or see a problem with our security, let us know, otherwise, we'll eventually find out what's going on and you'll be held responsible."
Namaste
Yes, I'm serious.. you forgot the biggest one.. the whole "porn name" meme.
You know these ones - they're very popular on social sites.. they ask you to post your mother's maiden name with the street you lived on, or your favourite pet with your first crush's last name, etc..
Think about the "lost password" questions most websites use... what do they ask?
Social networks are dangerous to secure organizations because they facilitate the very old and effective practice of social engineering. For example, one could use social networking sites to identify a person who works for a target organization, and then case or befriend that person to manipulate them, steal their identity, access rights, or even their entire computer. The most effective security is when people can't ascertain your employee's professional and personal associations. A skilled social engineer can do significant damage with basic information found on twitter, facebook, etc. Also, in my experience, low-tech threats like physical access, dumpster diving, bugging, and social engineering are far more effective and damaging than purely software and network-related security problems. Imagine how much trouble a disgruntled employee could cause with a bug in the boardroom.
Don't post anything on the internet anywhere on the internet if you think it is a risk to you or if you don't want anyone to see it.
Just because you are wrong and I called you out on it doesn't mean I am a Troll.
Most people will remember only the first 2-3 minutes and the last 2-3 minutes. The 35 minutes in the middle will become a muddled blur. So make sure you put your most important tips at either end.
Come to the dark side -- we have chocolate chip.
Build a bunker, surround it with honeypots, behind a firewall, in a demilitarized zone, using duct tape to keep it all together.
There's two kinds of people in the world: Carnies and Rubes. Carnies are the people that are skeptical and always looking for the angle. The rubes are the people who see everything at face value.
Privacy and security really aren't a lot more than trying to not be a rube. The carnies try to trick the rubes into giving away information, or taking over their computer by installing some piece of software. We all know about the "virus scanner" sites that pop up now and again. Trickier are the "open the file in this email and follow instructions" emails.
Sadly, people aren't trained much beyond the level of "don't click on the wrong link!!" form of security. You're never going to be able to tell people all the latest scams, since there's a new one every day. The best you can do is try to get them to look for the angle. People will respond to this because they can relate to it (a friend of mine calls it "the down home cynicism").
Learn what BCC is in e-mail. Never use multiple TO or CC to anyone outside the company, as it can expose a great deal of internal e-mail addresses.
I can't count the number of people in or out of work that I've told to use BCC. They just don't get the concept, even after explaining it. If you have more than, let's say, about 5 addresses on an email, they really should all go in the BCC field. (Many emails with more than 2 should BCC as well. Depends on context.) If you put more than one address in the "To" field, you should stop and consider for a brief moment.
Sorry. End rant. (preaching... choir... yup...)
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
I like the idea of a general education on security. I'm not sure what the motivation was for your corporate overlords, but educating users for their own sake is more likely to get them to be compliant at the workplace. Showing them how easy it is to get bugs from social networking sites and how to avoid them is a great idea. It lets them know how to develop good habits at home and thus they are better behaved at work, making your life easier.
prohibits asking advice about social networks, security and privacy on slashdot.
An all-too-quick 40 minutes? At a user/usage level? There's a LOT to choose from, but as a great start, try RFC2504. http://www.ietf.org/rfc/rfc2504.txt?number=2504 Pick and choose as appropriate to your needs. We tried to make it very useful as a reference for the generic user. You can even hand out copies if you like. For a bit more detail, and as a good read in case you get asked some lower-level questions, try RFC 2196, more specifically targeted for IT folks, and "Middle Managers" who have to at least be exposed to the concepts. http://www.ietf.org/rfc/rfc2196.txt?number=2196 Cheers, Steve PS(don't let the fact that these are TEN years old fool you, most of these concerns are still quite current, most companies (read: those of popular OSes) don't exactly *want* people to understand the why's because they start to question the why-not (yet)s. If you found any of this useful, or not, just reply here, Most if not all those email addresses are defunct at this point -- we've moved onto and into other things).
"The wall between art and engineering exists only in our minds." -- Theo Jansen
"Use Condoms....seriously."
Motorcycles, Robots, Space Gossip and More!
"My employer is changing its policy towards employee use of social networks."
Spreading company fears of social networking makes you a tool and passing it off as "security awareness" is a joke. Social engineering is a real security threat. Social networking is not.
And stick to the topic! If you can present the company material in 30 min be a hero and give your coworkers their 10 minutes back. Wasting 10 minutes on another topic will make your coworkers resent you and the company wonder why you didn't use the full time to discuss the topic they are paying everyone to hear and paying you to present. It is a no-win scenario.
Many free websites, including social networking websites, use Ruby On Rails as a backend, which has been shown to facilitate the spread of viruses.
Link please. (not that I use Ruby)
If true, people deserve to know. If you're just spouting off libel (as AC), stop now. There is no true anonymity online. You'll run out of it sooner or later.
In other words: put up, or shut up.
According to Symantec, there have been skyrocketing rates of virus infections ever since websites like MySpace became popular.
This I'll believe (due to cross site scripting, etc). Many sites are guilty of such, but was this meant as a non-sequitur attack on Rails? (It sounds like it... despicable.)
"Are the employees of your company using social networks at work? If so, why on earth don't you block access to these sites?"
You can't block access to these sites for employees that work out of the office.
If the wifi signal from the coffeehouse next door is leaking through your walls, you can't even block access to employees in the office, unless you firewall inside every box, lock down every box, and forbid employees from using their own gear on the premises. Good luck with that.
Unless mind-control techniques have improved significantly, there is no firewall that will prevent people from carrying information out of the building inside their own heads, to be later uploaded using equipment totally beyond your control.
I'm afraid you are describing an ideal world.
I'm a TA at a University and I think all teachers and trainers worldwide would drool at the possibility of entering their class just to tell them: "Hi, I have prepared a presentation of today's lesson, anyone interested ask me for it by email, now go play soccer!".
If security is really critical to your situation you have to a) evaluate whether they grasped the concepts b) establish a punishment mechanism for the 'bad' employees c) establish a rewarding mechanism for the 'good' employees. I know this looks like fascism or military training, but if your company wants to survive, it will have to take such drastic measures.
If your company just wants to scare them, even a 'three strike' policy is not enough - Facebook is more potent than heroin.
Humanity has always spent decades teaching citizens what is good and what is evil, but still a significant percentage of them will commit a felony or even a crime if the motive is good enough.
Hello,
In the United Kingdom, the Cabinet Office published a short strategy paper on using Twitter. I found it to be quite good, and while it obviously is Twitter-centric, the ideas are applicable to other social networking sites. The document can be downloaded from http://blogs.cabinetoffice.gov.uk/digitalengagement/post/2009/07/21/Template-Twitter-strategy-for-Government-Departments.aspx
Regards,
Aryeh Goretsky
Dexter is a good dog.
I'm studying IT Security at University and what the author is describing is practically the same as one of the topics you can choose to do for your assignment.... the same assignment which is due in 3 days.
When talking about privacy, you should probably be aware that very many people can now connect your IRL identity with your online identity. There aren't that many companies where somebody's holding a presentation about social networking security. Speaking about social networking, you seem to have a MySpace page.
The main reason people do blatantly stupid things online is because their desire for their privacy has been eroded by both governments (terrorist! look out! be scared! Don't think about us filling our pockets and let economies crash!) and online merchants that mine your data, like Google. On top of that, the consequences have been played down - find a good story of someone who had their identity stolen and their life ruined.
It is clearly illustrated by the volume of people that think the Swiss are too uptight asking Google to do what it promised or face being taken to court - 10 years ago Google would not find it possible to make it possible to zoom in on someone's window from across the planet without getting shot by Data Protection people (in that context I find it intriguing that all the "other" EU Data Protection people have been silent - are Switzerland and Japan the last places on earth where privacy counts?).
Oh, note to idiots: before you start talking about "nazi gold" and "tax evaders" I suggest you do some research.
You could also highlight the Google Terms of Service, clause 11: it more or less states that they can take the pictures of your kids and use them, for free, anywhere, forever, and altered in whatever form they see fit. Think about that one.
People's time is very, very expensive - just because you've been allotted 40 minutes doesn't mean you have to use it all up. Say what needs to be said, then stop... Having you rattling on about things you reckon are interesting and that you reckon they don't know about is extremely arrogant. Since it's almost certain that either you, or some other presentation in this "mandatory" session, will run over time, why not just finish a few minutes early. THAT ALONE will make people remember your presentation:
"Oh yeah, he was the guy who actually stopped talking when he'd said all that needed to be said. Jeez, I wish some of the others had done that - now I've wasted a whole afternoon listening to stuff I already knew or that doesn't affect me."
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
I remember a debating session at school. The motion was "This House believes that privacy is a thing of the past", and my team was defending it. During half an hour, the Opposition called us paranoid, technophobic, because thinking that social networking is a threat to your privacy was clearly a dumb opinion. ;-)
Our last speaker came on stage, and simply exposed to the audience delicious details of the Opposition members' lives he found on the internet, from childhood dancing class to current living place. Each time the Opposition tried to counter him, he answered casually, talking like he knew them deeply (which he actually did, even if he never met them and only knew their names). It was a hell of a good debate, and we (obviously) won.
I thought you could use some of this to make your point.
The party van won't come to you.
Nothing is totally harmless to everyone:
http://en.wikipedia.org/wiki/Methylene_blue#Adverse_reactions
The most important thing to hammer into everybody is: "You have to learn how to recognize and avoid security threats; technology only goes so far, but it is often surprisingly easy to spot security threats."
Other than that, there are a few rules:
1. Turn off all HTML and scripting in your email reader; if that is not possible, get one that can.
2. Use AdBlock Plus and NoScript (for Firefox) or similar.
It is a tiny bit inconvenient to have to explicitly allow scripting every time, but it has saved me no end of grief. In my workplace I am just about the only one that has never had any malware attack, and I get next to no SPAM either; the company filter captures about 5 per week, and sometimes one or two slip through to my inbox.
Social engineering is the most important security risk you need to inform them about.
Giving a live example as an introduction, sort of like a case study, will make your presentation more interesting. They should see how they can relate the security / privacy issue to their specific context...even better is to hack something right there and then, before their very eyes! Everyone loves a performance, so, be a performer.
I'd plan my presentation to occupy at most 60% of the time I was given. Ask a couple of friends to attend and give honest feedback on your practice session(s). Your audience's attention span tends to be inversely proportional to its size. In your case, you'll be lucky if they even remember what you were talking about five minutes after you're done.
Most (even those who requested the presentation) will be expecting a yawning session. Surprise them with something short and compelling. Really, trust your audience to be able to fill in the gaps. Even idiots have moments of clarity. Point them to knowledge, don't try and force feed them it.
Chances are you are never going to be able to do this again, and in the short term the security threats that your audience will be exposed to will be different, new and completely oblivious to the prophylaxis and methods you describe today.
So just tell 'em to wear sunscreen, 'cause that's always a good idea...
Steve -- If you have to call it a system, you don't know what it is.
Some things worth considering:
Like others are saying, stick to the topic you were asked to present. I have rarely heard of any presentation where they gave too little information; most of the time it's the opposite. If your audience leaves with a good experience, they learn and are more open to similar presentations later. Too much information and they leave learning little and will likely oppose similar presentations in the future.
Give real life examples! It's obviously very easy to dig up highly relevant cases and news articles etc. Create a good but short summary of any articles you include. The summary should highlight the issues and consequences that relate to your topic. And be sure to include various ways in which the company was exposed or individuals embarrassed etc. The most basic human instinct is fear; appeal to it by letting them know that one of them can end up losing their job and/or embarrassed on the front page of the news as a result of their actions online. Putting the audience in the hot seat, so to speak. The point is that I think it needs to directly relate to them individually; if consequences only relate to the company, many will forget/ignore.
Let them know that absolutely anything that gets posted online about them can live online as long as they live and probably longer. As was the case with pictures on Facebook.
I also think that a good opening to the presentation creates attention. Humour is what many choose, but do whatever feels natural; constrained/forced humour rarely works well.
The National Institute of Standards and Technology (NIST), a nonregulatory federal agency in the U.S. Department of Commerce, is putting final touches on a guide designed to help small businesses and organizations implement the fundamentals of an effective information security program. The NIST standards should also prove useful for the remote offices of larger companies, where IT staffs are often small or nonexistent and it's important that employees bear more responsibility for information security. http://csrc.nist.gov/publications/drafts/ir-7621/draft-nistir-7621.pdf
The best is to have every employee sign an agreement with the company so that emails and social network (+ instant messaging) communications belong to the employees themselves, and the company cannot be held liable for its content or the view expressed in those messages...
I'm deadly serious, just look at Microsoft or at the USA government claiming to have "lost" or "forgot to archive" emails and they got away with missing evidence in a few trials...
Way to go Jose!
There are folks with far more experience at providing a much more complete set of Security tips tailored to specific audiences than you can possibly come up with in the time you've been allotted to complete this project.
Point them some place where they can learn other important security items in an entertaining environment! (http://exoticliability.libsyn.com)
Show, don't tell.
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
(I'm sorry if you already understand BCC. Either you don't, or you didn't understand my post.)
I didn't mention or discuss CC (the gpp did, barely). BCC is "blind carbon copy". In other words, pass this email on to these people, but don't distribute these email addresses along with the email.
For example: if you're sending out a newsletter to 2 dozen people, it's terribly impolite to place these in the TO or CC field, as everyone will now have a list of everyone else's email address (and any spam bots on any of those 2 dozen computers will harvest all of them, how rude). If you place all those addresses in the BCC field, then they will only see the sender's email address. This is much more polite in most circumstances.
And for the record, CC can be very useful outside the company (as a preemptive CYOA technique). I have CC'd my boss on emails to clients, and I have CC'd clients on emails regarding 3rd party problems. I use it when I suspect I'm going to be accused of being lazy or incompetent when it's someone else's fault. (Usually a customer on both counts; the CC to my boss saves him time and effort in defusing certain people, since he doesn't need to check with me first.)
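The mechanics behind the BCC advice above, as an added example that is not part of the original comments: a message is delivered to every envelope recipient (To, CC and BCC alike), but a well-behaved sender strips the Bcc header before handing the message over, so only the To/CC addresses end up in every recipient's mailbox. The addresses and the newsletter are constructed placeholders.

```python
"""Constructed demonstration of To vs BCC address exposure (added example)."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed recipient list for a small newsletter (placeholder domain).
RECIPIENTS = [f"reader{i}@example.invalid" for i in range(1, 6)]


def build(sender, recipients, field):
    """Build a newsletter with every recipient in one header field ("To" or "Bcc")."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "Monthly newsletter"
    msg[field] = ", ".join(recipients)
    msg.set_content("Hello everyone.")
    return msg


def envelope_recipients(msg):
    """Addresses the mail server is told to deliver to (RCPT TO), whatever the header."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return sorted(addr for _, addr in getaddresses(fields))


def as_delivered(msg):
    """The copy each recipient receives: the Bcc header is removed before sending,
    which is what smtplib's send_message does for you as well."""
    delivered = EmailMessage()
    for name, value in msg.items():
        if name.lower() not in ("bcc", "resent-bcc"):
            delivered[name] = str(value)
    delivered.set_content(msg.get_content())
    return delivered


def exposed_addresses(delivered):
    """Addresses visible to every recipient (and to anything reading their mailbox)."""
    fields = delivered.get_all("To", []) + delivered.get_all("Cc", [])
    return sorted(addr for _, addr in getaddresses(fields))


if __name__ == "__main__":
    for field in ("To", "Bcc"):
        m = build("news@example.invalid", RECIPIENTS, field)
        print(f"{field}: delivered to {len(envelope_recipients(m))} recipients, "
              f"{len(exposed_addresses(as_delivered(m)))} addresses exposed to each")
```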
Per my subject-line above, very well put on your part (I like it).
APK
P.S.=> Those would've been my thoughts exactly, so I am in utter agreement Vellmont - well said on your part, & IF I could do "mod points", I'd have modded yours up as + whatever amount, as "insightful" pushing you into the +4 or better range: However, I post as "A/C" here, so, all I can do is post saying I liked the way you think, & good job etc. et al instead... apk