Security / Privacy Advice?

James-NSC writes "My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking. While I was putting it together, I ended up with some miscellaneous information that pertains to security/privacy in general, for example: the emerging ATM skimming (mainly for our European employees), a reminder that email is not private, malware/drive-by in popular search results, etc. Since these topics don't directly relate to the subject I've been asked to address, I've ended up with a section titled 'While I have you...' I'm going to have the mandatory attention of every employee and I thought it would be a great opportunity to give advice on security/privacy issues across the board. As it's an opportunity that one seldom gets, I certainly want to utilize it fullly. If you had the attention of an entire company with employees in the US, UK, Asia, and Australia, what security / privacy advice would you give?"

Mandatory?

[DoofusOfDeath]

I'm going to have the mandatory attention of every employee

No, you're going to have the mandatory presence of every employee. And unless you make the talk riveting, every seconds of unnecessary content will make them despise you more.

Re:Mandatory?

[CannonballHead]

I have found that food helps everyone like you more; perhaps he should provide lunch. Or at least cookies.

Re:Mandatory?

[PylonHead]

This is correct.

Present just the information you've been tasked to convey.

Present it in at least 2 different ways.

Take questions.

Summarize once more and let them out early.

Honestly, the more you try to cram in there the less they're going to take away.

Re:Mandatory?

[theeddie55]

But cookies can cause security problems if not handled properly.

Re:Mandatory?

3) you will be fired.

Re:Mandatory?

[commodore64_love]

>>>every seconds of unnecessary content will make them despise you more.

I love mandatory meetings.

It's a great opportunity to get paid $50 for doing absolutely nothing for an hour. Score!

Re:Mandatory?

[BadAnalogyGuy]

Have you ever tried growing tomatoes? It's very difficult because there are lots of things that can go wrong. Bugs, bad soil, wind, even the tomatoes themselves can be too heavy and break off the vine. It's not a matter of planting the seed and then letting it grow. You've got to be involved almost every day to make sure the growth is under control, that the vine is tied where it needs to be, that the plant is properly pruned so that you don't end up with a scraggly set of leaves and scrawny tomatoes. It's a very difficult, but very rewarding activity.

So when you say:
Take questions.

You are wrong.

Ask questions. If you want your audience involved, you need to solicit feedback. You can't expect them to come with any questions, so you need to frame your speech to include questions *to* your audience so that they become part of the program, not just spectators.

Re:Mandatory?

[spinkham]

Good idea, but you'd have to dial it back a notch for most corporations.
Try these:

MI6 head outed on facebook by his wife, with many details. Viewable by all of the "London" network.
http://www.mailonsunday.co.uk/news/article-1197562/MI6-chief-blows-cover-wifes-Facebook-account-reveals-family-holidays-showbiz-friends-links-David-Irving.html

Bank intern fired for lying about a family emergency, then pasting party pics of him dressed up as a fairy on facebook:
http://valleywag.gawker.com/tech/your-privacy-is-an-illusion/bank-intern-busted-by-facebook-321802.php

Another example of being fired for putting dumb stuff on facebook:
http://www.liquidmatrix.org/blog/2009/08/13/social-networking-fail-fail-fail/

Plenty of fail, Safe for work.

krsmav

[krsmav]

When you have a captive audience, the temptation is nearly irresistible to force-feed them something they wouldn't willingly listen to. Put yourself in their place. Don't say anything that you would resent being forced to sit through. Keep it short and jargon-free, and lighten up if possible.

Secure Your Presentation PC/software

[sfled]

Secure the PC & software you're going to use in the presentation, just to keep pranksters or jealous peers from having fun at your expense. Terribly embarrassing to give a talk on security while boobies are flashing on the screen behind you.

One line

[antifoidulus]

"If you wouldn't expose your wang to your co-workers at the water cooler, don't do it online"

IT people get security wrong

[Kohath]

Educating your users is useful. You'll probably do a good job. Tell them not to download and install anything "fun" for Windows.

I find that IT people get security wrong far more often than users, though I'm used to working with sophisticated users. IT people setup security that's needlessly inconvenient. The users then spend their time circumventing that security to get their work done. Users do things like writing their password down on a post-it, using skype, setting up logmein.com on their PC, or posting a document on a public site. They do this because IT forces elaborate password schemes and won't support remote logins or other external communications.

IT needs to be responsive to user needs for security to work right in an organization.

Re:IT people get security wrong

[element-o.p.]

Wrong.

It's not the poor stiff at the helpdesk who sets policy; it's the extraneous middle manager five levels up who doesn't give ${rodent}'s ${anatomical feature} about how difficult it is for the working-class saps, so long as he can tell his SoX auditor that they are abiding by a secure policy. BTDT, got the T-shirt.

Re:IT people get security wrong

[Alpha830RulZ]

and they expire the account if you don't log in every 30 days. Which you don't if you did it right the first time. Which happened to me yesterday. And cost us 9 hrs of customer visible downtime until the drone in distributed systems management could reset the account. Who was out on a dental appt. Whose backup didn't have a login on the system. Because of an expired account. No shit.

But I rant...

Re:IT people get security wrong

[rantingkitten]

Tell them not to download and install anything "fun" for Windows.

Alright, the zealot in me just has to step up.

The overwhelming majority of rank-and-file office workers don't even need Windows. Really. They don't.

They need email, web browsing, spreadsheets -- usually nothing particularly demanding -- IM, and not much else. In this day and age of online CRMs and such, most office workers could get away with little more than a browser.

Why are these people even using Windows?

Sure, there are always the accountants who have that Excel macro they wrote eight years ago that absolutely will not translate into Open Office. Fine. And you have those three guys who use specialised CAD software. Great. Those people can use Windows.

But the vast majority of the sales crew, administrative staff, and damn near everyone else, does not need Windows. Why are we pouring such huge amounts of money into this crap?

"But kitten! We have an application written thirty seven billion years ago that only works on IE!"
Great. You can either spend a bit now to rewrite it so it works on any platform, or you can continue to throw thousands of dollars and thousands of manhours, year after year, at the effort of keeping this thing propped up. When are you going to throw in the towel?

"But kitten! The retraining! My team only knows Windows!
No. Your team does not "know" Windows, any more than they "know" engines because they drive a car. They know, by pure memorization, that for email they should click this, for the shared network drive (which they probably call "the office drive") they click that, and for Word they click here. They know how to use a couple of applications but that is not OS-specific. The reality is, if you installed Ubuntu on every one of your sales team's computers, and told them "It's, like, the new Windows Longhorn!", they'd grouse about it for a day and get over it. Your "team" does not "know Winedows". You didn't train them in "Windows", you trained them to know your specific business applications, most of which are online and are therefore OS agnostic.

So you can either throw more and more money and manhours at keeping your staff on Windows because they "know" Windows, but curiously need to be told over and over how not to break Windows by downloading things, and lose hours of time because they effed-up Windows once again and had to wait for IT to re-image the machine...
...or you can have them stop using Windows because they don't need it.

sigh.


I know, yes, I know, there are always those few sitations where Windows is necessary. And some smartass always has to pipe up with "Well, in MY company we haev this GUY who has a Windows only APPLICATIOn and we couldn't SURVIVE..."

Spare me.

The truth is we -- as an IT professional collective -- throw so, so, so much money and time at keeping the Windows lusers safe. Trying to "educate" them, fruitlessly. Tracking licenses. Buying more upgrades. Making sure to roll out new "virus definitions". Admonishing users time and time and time and time again: "Stop downloading that. Don't install that. Quit forwarding that email. Don't click that for god's sake."

When is it time to stop treating the symptoms? Attack and remove the cause, which is Windows. If Windows is not exactly the cause, per se, it is certainly the enabler.

Please note: Using Linux (or any other OS) will not stop idiots from chattering about private company information in public. But that is a managerial problem, not a technical problem.

Note that using Linux will not stop your idiot employees from naming names on Facebook and Myspace and Diggwoot and Farkmeme. But that is a managerial problem, not a technical problem.

Using Linux WILL prevent your employees from contracting viruses that email random -- often confidential -- documents to random

While you're at it..

[3Cats]

explain to them that's MY FREAKIN BACON SANDWICH in the fridge! I had my NAME ON IT!!

Farkin' lunch thieves...

Cutting off social networking?

[syousef]

My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking.

Correct me if I'm wrong but that just sounds to me like your employer is going to start blocking Facebook, Myspace, Youtube, private email, and possibly everything else your filtering software classifies as social networking. Or at least a prelude to this.

If I'm right, the only opportunity you're being given here is to become the public face of a very unpopular move. Adding a lecture on security to this will only irritate people who'll be thinking "Well it's not going to matter anyway once it's blocked". It's going to be very difficult to come across as anything but condescending. People are quite likely to associate the decision with you personally. Your aim should be to stay brief and informative, not to "utilize" the opportunity, because it's an opportunity for social suicide. Ideally this should have been undertaken by email, been short and been to the point.

Back it up with a little detail helps.

[Kyle]

Everyone knows you need a secure password. Now show them the log of the 3k connection attempts to the SSH port that occurred overnight.

Unknown Entries:
            authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.46.49.199 : 2366 Time(s)
            authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 user=root : 364 Time(s)
            authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.116.236.46 user=root : 80 Time(s)
            authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 : 73 Time(s)

Maybe ask permission to do a live demonstration of a password cracking tool. See how many passwords you can get in 2 minutes. This may be dangerous though, hide the results, just show the usernames, you don't want to find out who is using the CEO's wife's name as a password.

Really get their attention with some specifics like that.

Re:Back it up with a little detail helps.

[s.d.]

You really think that secretaries and accountants and HR reps, who are being forced to sit through a "don't put stupid shit on Facebook because it reflects badly on us" or "don't Twitter about company business or you'll get fired" presentation would understand or care about brute force ssh attacks?

Everyone is being told, "This discussion of social networking and how to protect yourself and the company is mandatory." Don't waste their time with things that they won't understand and are totally off-topic.

Advice

I gave a similar presentation to a smaller group. My advice would be to do a live demonstration on the actual information that one can get from a social networking site. For example, I pulled someones information from the social networking site, googled them using stuff I learned about them from facebook, found their email address, home address, and phone number. Using this information I was able to find out friends and family members of theirs, including photos etc. I also found their myspace page and looked up other social networking, dating, etc. sites. Off of other social networking sites, I started to build a profile in my talk about what type of person this was and also talked about additional things I might be able to gather, if I had malicious intent.

I used this talk as a means to introduce other security related issues such as email encryption, etc. I did not go into any details of those things, but I did introduce them and asked if they would be interested in learning a little more about those topics. People overwhelmingly asked me to do another series of small presentations on additional security topics, as many were shocked at how much information I was able to gather.

Don't put too much on your plate as it will be difficult to focus on your main task and it might not go over too well. Security is a huge issue and every topic cannot be done justice in one presentation. However, if you do your main presentation right, you can get people interested in how it really impacts them.

I hope this helps out a little. Good luck!

Don't Give Advice

[mpapet]

If it's not *specific* company policy, then don't say a word.

1. Because no good deed goes unpunished.
2. Humans are incredibly stubborn. Informing them of risks with almost no career consequences AND they'll probably do anyway will be mostly wasted breath.
3. Sharing remotely related information is not the purpose of the meeting. I have an idea, have the meeting finish on time or early. Incredible, right? It's amazing what happens when people respect the boundaries established by the meeting time.

I would take the advice and put it on paper, (no corporate letterhead) and call it 'helpful information.' End the meeting by announcing it as a 'bonus gift!' Interested people will take one. Publish a PDF for the international people.

Terrible idea

[petes_PoV]

Don't freelance - stick to the topic assigned to you.

People's time is very, very expensive - just because you've be alloted 40 minutes, doesn't mean you have to use it all up. Say what needs to be said, then stop... Having you rattling on about things you reckon are interesting and that you reckon they don't know about is extremely arrogant. Since it's almost certain that either you, or some other presentation in this "mandatory" session will run over time, why not just finish a few minutes early. THAT ALONE will make people remember your presentation:
Oh yeah, he was the guy who actually stopped talking when he'd said all that needed to be said. Jeez, I wish some of the others had done that - now I've wasted a whole afternoon listening to stuff I already knew or that doesn't affect me."