Security / Privacy Advice?
James-NSC writes "My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking. While I was putting it together, I ended up with some miscellaneous information that pertains to security/privacy in general, for example: the emerging ATM skimming (mainly for our European employees), a reminder that email is not private, malware/drive-by in popular search results, etc. Since these topics don't directly relate to the subject I've been asked to address, I've ended up with a section titled 'While I have you...' I'm going to have the mandatory attention of every employee and I thought it would be a great opportunity to give advice on security/privacy issues across the board. As it's an opportunity that one seldom gets, I certainly want to utilize it fully. If you had the attention of an entire company with employees in the US, UK, Asia, and Australia, what security / privacy advice would you give?"
No, you're going to have the mandatory presence of every employee. And unless you make the talk riveting, every second of unnecessary content will make them despise you more.
You don't have to be a comedian, you just need to make sure that your audience is attentive and taking in what you are saying - so - make it funny and have the jokes the things you want people to remember.
that and tell them to be paranoid "if it seems dodgy, it probably is!"
A Tale of 2 idle hands
Too busy leaking private info on my crackberry.
When you have a captive audience, the temptation is nearly irresistible to force-feed them something they wouldn't willingly listen to. Put yourself in their place. Don't say anything that you would resent being forced to sit through. Keep it short and jargon-free, and lighten up if possible.
Secure the PC & software you're going to use in the presentation, just to keep pranksters or jealous peers from having fun at your expense. Terribly embarrassing to give a talk on security while boobies are flashing on the screen behind you.
I'm not really a web designer, I just play one on the Internet.
"I'm going to have the mandatory attention of every employee and ..."
Wrong. You are going to have the mandatory presence of every employee, but their attention is something you will have to earn.
HermesPod: Free Podcast Download Manager for Windows
"If you wouldn't expose your wang to your co-workers at the water cooler, don't do it online"
Monstar L
on the security and privacy concerns relating to social networking
I'm a little confused here: are the employees of your company using social networks at work? If so, why on earth don't you block access to these sites? /. at work
Note to myself: don't use
Slashdot is no longer what it was!
Educating your users is useful. You'll probably do a good job. Tell them not to download and install anything "fun" for Windows.
I find that IT people get security wrong far more often than users, though I'm used to working with sophisticated users. IT people set up security that's needlessly inconvenient. The users then spend their time circumventing that security to get their work done. Users do things like writing their password down on a post-it, using Skype, setting up logmein.com on their PC, or posting a document on a public site. They do this because IT forces elaborate password schemes and won't support remote logins or other external communications.
IT needs to be responsive to user needs for security to work right in an organization.
explain to them that's MY FREAKIN BACON SANDWICH in the fridge! I had my NAME ON IT!!
Farkin' lunch thieves...
Tell them how to look out for individuals within the company that may be involved in corporate espionage and point out key characteristics of suspects:
Unexplained Affluence - they have more money than you would expect from their job/life.
Undue Interest - they show up in your department asking questions but have no work-related purpose.
Affiliation - they express low affiliation with the company, or high affiliation with other interests.
Work Issues - they are not happy with their work or feel that they have not been treated fairly.
Questionable Contacts - they associate with or are in contact with persons of competing firms or interests.
Note that depending on your specific industry and company, security discussion of this level may require more than a few minutes.
My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking.
Correct me if I'm wrong but that just sounds to me like your employer is going to start blocking Facebook, Myspace, Youtube, private email, and possibly everything else your filtering software classifies as social networking. Or at least a prelude to this.
If I'm right, the only opportunity you're being given here is to become the public face of a very unpopular move. Adding a lecture on security to this will only irritate people who'll be thinking "Well it's not going to matter anyway once it's blocked". It's going to be very difficult to come across as anything but condescending. People are quite likely to associate the decision with you personally. Your aim should be to stay brief and informative, not to "utilize" the opportunity, because it's an opportunity for social suicide. Ideally this should have been undertaken by email, been short and been to the point.
These posts express my own personal views, not those of my employer
Everyone knows you need a secure password. Now show them the log of the 3k connection attempts to the SSH port that occurred overnight.
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.46.49.199 : 2366 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 user=root : 364 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.116.236.46 user=root : 80 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 : 73 Time(s)
Maybe ask permission to do a live demonstration of a password cracking tool. See how many passwords you can get in 2 minutes. This may be dangerous though, hide the results, just show the usernames, you don't want to find out who is using the CEO's wife's name as a password.
Really get their attention with some specifics like that.
The previous comments are only true, if no-one says they're wrong.
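The summary quoted above is the kind of per-host tally a log digest produces from raw sshd failure lines. As an added illustration (not from the thread or any project), here is a small Python script that builds that tally from a constructed sample of auth.log lines and flags hosts that cross a failure threshold; the hostname, PIDs and timestamps are made up, and the addresses are simply the ones quoted in the post.

```python
import re
from collections import Counter

# Constructed sample of raw /var/log/auth.log lines (pam_unix format); the
# timestamps, host "gw" and PIDs are invented for this example.
SAMPLE_AUTH_LOG = """\
Feb 10 02:13:01 gw sshd[4102]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.46.49.199
Feb 10 02:13:04 gw sshd[4102]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.46.49.199
Feb 10 02:13:09 gw sshd[4107]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44  user=root
Feb 10 02:14:11 gw sshd[4111]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44  user=root
Feb 10 02:14:12 gw sshd[4111]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44  user=root
Feb 10 02:15:00 gw sshd[4120]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Feb 10 02:16:30 gw sshd[4125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.116.236.46  user=root
"""

# A failure line always carries rhost=; user= is only present when PAM knew
# the attempted username (it is absent for unknown accounts, as in the post).
FAILURE_RE = re.compile(
    r"authentication failure;.*?rhost=(?P<rhost>\S+)(?:\s+user=(?P<user>\S+))?\s*$"
)


def count_failures(log_text):
    """Count auth failures keyed by (rhost, username-or-None); other lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            counts[(m.group("rhost"), m.group("user"))] += 1
    return counts


def summarize(counts):
    """Render digest lines in the same shape as the summary quoted in the thread."""
    out = []
    for (rhost, user), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        user_part = f" user={user}" if user else ""
        out.append(f"authentication failure; logname= uid=0 euid=0 tty=ssh "
                   f"ruser= rhost={rhost}{user_part} : {n} Time(s)")
    return out


def noisy_hosts(counts, threshold):
    """Source addresses whose failures (across all usernames) reach the threshold."""
    per_host = Counter()
    for (rhost, _user), n in counts.items():
        per_host[rhost] += n
    return sorted(h for h, n in per_host.items() if n >= threshold)


if __name__ == "__main__":
    tally = count_failures(SAMPLE_AUTH_LOG)
    print("\n".join(summarize(tally)))
    print("hosts over threshold:", noisy_hosts(tally, 2))
```

On a real box, feed it the output of `grep sshd /var/log/auth.log` and raise the threshold to match your own baseline; the summary is what the audience sees, the threshold list is what you act on.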
If your company has branches in all of those regions, chances are there are quite a few people in the crowds that feel their time is worth far more than yours. I would create a supplemental handout / electronic document rather than discussing points that aren't in the exact scope of what you've been asked to discuss. Speak specifically about social networks. Provide literature about your other concerns.
If you do it naked no matter how dull the content it will be an event they shall all long remember!
Quack, quack.
It would save some of us the trouble of putting similar material together if you could post the presentation somewhere.
What's the actual change in policy that's the main target of your talk ? If you're just going to tell them that "you can't hit Facebook from work anymore" or "If you ever blog about the company we'll fire you" then you will have lost your audience already. Anything else you tell them may even be counter productive because it will be associated with the main negative message you just delivered.
In fact, along the same lines, if someone else decided this policy change (which I'm assuming is not "employee friendly") it may not be in your best interest to do the announcement. If it was a committee decision, then yes you should do it even if you don't agree with it. If it's the lawyers or the CEO or VP etc. cramming it down your throat, then consider, respectfully, asking him, her or them to do the announcement.
As to something you might say / do: consider suggesting that they get a nettop to use for personal business (if you allow such things on your network) and/or perhaps set up a secondary "guest" network that they might use for this purpose. Beyond that, the usual: use a non-IE browser.... make sure you run some sort of virus scanner at home, run Spybot S&D every once in a while... don't ignore https warnings... The ATM thing may be a bit outside the scope of the talk.
Are you part of the security team? If not, perhaps this is more the domain of your security guys than yourself. I'd also get the buy-in of HR. As with most policy changes (especially ones with a reprimand) you gotta make sure HR is on side. Legal for good measure too - i.e. are you asking something of the employee which is illegal? I know it's a stretch, but CYA.
Will you tell them that although no one in IT has the time to monitor email, if an employee pisses off someone in management or HR enough that they become the target of an "investigation", then every stupid little email where an f-bomb was dropped between friends or the hot chicks ta-tas are discussed will suddenly be used as "evidence" of violation of corporate policy and they will be terminated?
Not that it's happened to me - I'm just sayin'...
Don't use your internal password for anything external, like your hotmail account.
If you need to share your data with co-workers don't give them your password so they can log in and do it.
If in doubt, don't.
http://michaelsmith.id.au
I gave a similar presentation to a smaller group. My advice would be to do a live demonstration on the actual information that one can get from a social networking site. For example, I pulled someone's information from the social networking site, googled them using stuff I learned about them from Facebook, found their email address, home address, and phone number. Using this information I was able to find out friends and family members of theirs, including photos etc. I also found their MySpace page and looked up other social networking, dating, etc. sites. Off of other social networking sites, I started to build a profile in my talk about what type of person this was and also talked about additional things I might be able to gather, if I had malicious intent.
I used this talk as a means to introduce other security related issues such as email encryption, etc. I did not go into any details of those things, but I did introduce them and asked if they would be interested in learning a little more about those topics. People overwhelmingly asked me to do another series of small presentations on additional security topics, as many were shocked at how much information I was able to gather.
Don't put too much on your plate as it will be difficult to focus on your main task and it might not go over too well. Security is a huge issue and every topic cannot be done justice in one presentation. However, if you do your main presentation right, you can get people interested in how it really impacts them.
I hope this helps out a little. Good luck!
"If you had the attention of an entire company...."
I'd tell them I have put together a collection of security/privacy related issues that may or may not relate to things at work but definitely relate to their personal life computer use. But rather than take up more of their time by covering it here and now, I'm going to offer to send it to anyone who wants it. They can request a copy by emailing me at username at domain dot top. Thank you, and have a nice period of planetary rotation.
The bosses will be impressed with the extra work you did and with the fact you let them all get back to work as soon as possible. Everybody will be happy you let them go rather than keep them in the meeting longer. That will improve the probabilities that they'll (1) ask for the supplement and (2) use it, plus (3) remember and use the stuff the company wanted put together. That'll get you a reputation as the IT guy that's tech smart as well as management smart, something that could go a long way towards improving your 'situation'. At least it could go this way, and knowing that before the fact you could use it to your advantage. For instance: convert the supplementary material to a slide show presentation; tell the bosses now that you have put together and are going to offer the extra material, but only as a freebie sent out upon request rather than take up more of the company's valuable time; and just generally present yourself as confident in your technical and managerial skills, both of which you apply for the good of the company, etc., etc.
In other words, don't just give it, use it.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
Translated into /. language: Either operate exclusively through a watertight alias (use a proxy, don't share photos of you groping the office slapper at the Christmas party, don't engage in identifying talk), or just assume that everything you say and do on social networks will be cc'ed to your boss(es), appended to your CVs for the next 50 years and plastered all over your cubicle walls.
-- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
If it's not *specific* company policy, then don't say a word.
1. Because no good deed goes unpunished.
2. Humans are incredibly stubborn. Informing them of risks with almost no career consequences AND they'll probably do anyway will be mostly wasted breath.
3. Sharing remotely related information is not the purpose of the meeting. I have an idea, have the meeting finish on time or early. Incredible, right? It's amazing what happens when people respect the boundaries established by the meeting time.
I would take the advice and put it on paper, (no corporate letterhead) and call it 'helpful information.' End the meeting by announcing it as a 'bonus gift!' Interested people will take one. Publish a PDF for the international people.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Put nothing on-line you wouldn't yell on a street corner.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Yes, I'm serious.. you forgot the biggest one.. the whole "porn name" meme.
You know these ones - they're very popular on social sites.. they ask you to post your mother's maiden name with the street you lived on, or your favourite pet with your first crush's last name, etc..
Think about the "lost password" questions most websites use... what do they ask?
Most people will remember only the first 2-3 minutes and the last 2-3 minutes. The 35 minutes in the middle will become a muddled blur. So make sure you put your most important tips at either end.
There's two kinds of people in the world: Carnies and Rubes. Carnies are the people that are skeptical and always looking for the angle. The rubes are the people who see everything at face value.
Privacy and security really aren't a lot more than trying to not be a rube. The carnies try to trick the rubes into giving away information, or taking over their computer by installing some piece of software. We all know about the "virus scanner" sites that pop up now and again. Trickier are the "open the file in this email and follow instructions" emails.
Sadly, people aren't trained much beyond the level of "don't click on the wrong link!!" form of security. You're never going to be able to tell people all the latest scams, since there's a new one every day. The best you can do is try to get them to look for the angle. People will respond to this because they can relate to it (a friend of mine calls it "the down home cynicism").
AccountKiller
Learn what BCC is in e-mail. Never use multiple TO or CC to anyone outside the company, as it can expose a great deal of internal e-mail addresses.
I can't count the number of people in or out of work that I've told to use BCC. They just don't get the concept, even after explaining it. If you have more than, let's say, about 5 addresses on an email, they really should all go in the BCC field. (Many emails with more than 2 should BCC as well. Depends on context.) If you put more than one address in the "To" field, you should stop and consider for a brief moment.
Sorry. End rant. (preaching... choir... yup...)
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
An all-too-quick 40 minutes? At a user/usage level? There's a LOT to choose from, but as a great start, try RFC 2504. http://www.ietf.org/rfc/rfc2504.txt?number=2504 Pick and choose as appropriate to your needs. We tried to make it very useful as a reference for the generic user. You can even hand out copies if you like. For a bit more detail, and as a good read in case you get asked some lower-level questions, try RFC 2196, more specifically targeted for IT folks, and "Middle Managers" who have to at least be exposed to the concepts. http://www.ietf.org/rfc/rfc2196.txt?number=2196 Cheers, Steve PS (don't let the fact that these are TEN years old fool you, most of these concerns are still quite current; most companies (read: those of popular OSes) don't exactly *want* people to understand the why's because they start to question the why-not (yet)s. If you found any of this useful, or not, just reply here; most if not all those email addresses are defunct at this point -- we've moved onto and into other things).
"The wall between art and engineering exists only in our minds." -- Theo Jansen
Hello,
In the United Kingdom, the Cabinet Office published a short strategy paper on using Twitter. I found it to be quite good, and while it obviously is Twitter-centric, the ideas are applicable to other social networking sites. The document can be downloaded from http://blogs.cabinetoffice.gov.uk/digitalengagement/post/2009/07/21/Template-Twitter-strategy-for-Government-Departments.aspx
Regards,
Aryeh Goretsky
Dexter is a good dog.
People's time is very, very expensive - just because you've been allotted 40 minutes doesn't mean you have to use it all up. Say what needs to be said, then stop... Having you rattling on about things you reckon are interesting and that you reckon they don't know about is extremely arrogant. Since it's almost certain that either you, or some other presentation in this "mandatory" session will run over time, why not just finish a few minutes early. THAT ALONE will make people remember your presentation:
"Oh yeah, he was the guy who actually stopped talking when he'd said all that needed to be said. Jeez, I wish some of the others had done that - now I've wasted a whole afternoon listening to stuff I already knew or that doesn't affect me."
politicians are like babies' nappies: they should both be changed regularly and for the same reasons