Blog

Can You Tweet Securely?

eric, March 1st, 2010

The cynical 140 character or less response to the question is simple: “You don’t need to lock the outhouse door.” 

That’s the unfortunate position taken by many who ignore the threats posed by data leakage, inappropriate content, lack of centralized IT control, loss of intellectual property, privacy concerns, regulation, and the general lack of confidentiality, integrity and availability controls.  If the past (and present) is any indication of the future, the changes needed to transform Twitter into a viable platform for enterprise use may be on the horizon, but they’re a long way off.  These core issues are compounded by both the explosive growth of the service and the far too frequent attacks over the past year.  To Twitter’s credit, they responded to the most recent events by initiating password changes for users who were following suspicious accounts that had been determined to be threats.  While that is a valid reaction, it’s still just that: a reaction.

To better secure Twitter, you would need to address three fundamental aspects of information security: identity, authorization and authentication.

One of the most immediate issues that became apparent as Twitter gained acceptance was that followers had no way to verify the identity of a user they were following.  Anyone can create a Twitter account under any available name.  Just for fun, follow abevigoda for a few days.  It’s a great gag: someone created a profile that impersonates the actor Abe Vigoda and posts a tweet daily proclaiming that he is alive.  While that is fun, it illustrates how easily people with malicious intent can impersonate you or your company and spread false information.  As I write this, Twitter has begun beta testing “verified accounts.”  That’s definitely a step in the right direction, but the small number of accounts Twitter is taking steps to verify is still a concern.  On their website they state that they are “starting with well-known accounts that have had problems with impersonation or identity confusion. (For example, well-known artists, athletes, actors, public officials, and public agencies). We may verify more accounts in the future, but because of the cost and time required, we’re only testing this feature with a small set of folks for the time being. As the test progresses we may be able to expand this test to more accounts over the next several months.” They also state that they currently “are not accepting new business verification requests.” So what should you do as a business and as a user of Twitter until this feature is ready for primetime?  The simplest approach as a user is to be wary of whom you follow: seek out Twitter accounts in “out of band” ways, i.e. from a company’s website or blog that you are sure is managed by the entity you want to follow, or just ask them directly.  As a business, be vigilant about your brand and identity.  Search Twitter, use lists and monitor trending topics to see who is saying what about you (or as you), and notify Twitter support of accounts with a clear intent to confuse or mislead your customers so they can be permanently suspended.

Authorization is closely linked to identity and is a risk especially for organizations and businesses.  Begin with the basics: decide what your policy for using Twitter should be, document it, and make sure your employees and contractors are aware of the policy.  The best recommendation I have is simply to restrict business usage of Twitter to specific identified accounts that are authorized to speak on behalf of the organization.  If you want to use Twitter to share information such as rate changes, or any information that requires oversight from compliance, make sure that approval of all messages goes through the same publication process that would be followed for print or website changes.  As part of the education process with employees and contractors, ensure that they are aware of the threat of data and information leakage posed by posting seemingly innocent tweets.  Acceptable behavior covers a wide range: there’s nothing wrong with your employees tweeting from their personal accounts that it’s cold in the office, but tweeting that the network has crashed and they’re waiting on someone to come fix it could give a social engineer knowledge of the inner workings of your environment.

It should go without saying that securing your Twitter profile relies on the basic rules of strong authentication.  Use a long, complex passphrase including alphanumeric and special characters, and change that passphrase as often as your password policy dictates.  However tempting the convenience of linking Twitter to other services and applications, don’t entrust your username and password to any third-party application.

While these three steps are the ways for you to use Twitter securely, there are numerous flaws and threats that Twitter must address before it is truly a secured platform appropriate for enterprise use.  Twitter’s largest security breaches over the past year were the result of a lax security posture within its own organization.  An internal account used to manage their DNS records was compromised, and documents belonging to Twitter corporate users were pilfered from a compromised Google Docs account.  Cross-site scripting vulnerabilities have been identified that allow a malicious user to inject code into a tweet so that the code is executed on followers’ machines.  These are all definite and real concerns that should be weighed while deciding on your organization’s Twitter policy.


RiskKey User Spotlight: Mortgagebot

Courtney, February 25th, 2010

As many of you know, RiskKey has value beyond risk assessments and controls reviews… it can also be used for managing certain projects, especially those related to compliance.  Mortgagebot is an industry leader in facilitating online mortgage applications.  They use RiskKey to manage responses to various exams and controls reviews.  Every issue that Mortgagebot feels needs a response receives a corresponding recommendation.  This allows them to assign responsible individuals, detail strategic plans and mitigating strategies for identified risks, and manage deadlines.  RiskKey helps them stay on top of this by generating alerts as deadlines come due and by providing a centralized dashboard and snapshot of each project’s progress.

Could you use RiskKey?  Details here!


The Balancing Act of USB Mass Storage Drives!

Nimal Gunarathna, February 25th, 2010


USB flash drives are a very important part of our day-to-day activities. When a network is down, they provide an alternate way to copy and exchange files between computers.  But in the strange world we live in, every great invention has something dark underneath, and USB drives are no exception. The great USB memory stick can be used by bad guys & gals for abusive practices. Not only is your network security at risk here, but your private or sensitive data can simply vanish from your well-protected private network to the wild world out there, and who knows how it is going to be used. Look at it this way: even as an employee of the institution, I can simply bring a contaminated USB memory stick and plug it into my network-connected PC, and soon enough the potential that the whole network could be infected with viruses, worms or other unwanted malware skyrockets.  The funny thing is that the user may not even be aware of what has happened. Also, if the user is a bad person, then on the way home he/she can take a copy of your highly guarded financial data!

The risks are enormous here, but we need a great balancing act between business needs and security, as both go hand-in-hand.  In my opinion, the strategy should be based on one of the basic security principles: users should be given authorization to services such as USB drives, CD/DVD drives, registry access etc. based on business need and on the principle of least privilege. This way you can minimize the potential security risks and continue to keep your business safe from intrusion!

Here is an article that explains how you could disable devices through Microsoft Active Directory Group Policy. Enjoy!


The Value of Collaboration

Natasha, February 23rd, 2010

Just recently a news headline screamed “Customers flock to iPhone banking!” I immediately thought the only way a bank could do this is through collaboration and partnering with third parties. Institutions that fail to understand this are leaving money on the table. After a recent chat with a financial institution, I fear that many are still missing the new markets, new offerings and new bottom line that collaboration delivers.

Our customers dictate the way we sell, the way we market, the way we do business. Our Gen Y customers insist on immediate: instant messaging, instant communication, instant customer service and instant banking. So banking as usual is far from the answer. I understand that financial institutions are conservative, not early adopters, and are hesitant in their approach to new product development; however, in today’s economy we cannot say “that’s just the banking industry.” FIs must push past the norm and push the envelope to take their institution to the next level. Collaboration opens this door and provides the vehicle you need to operate more efficiently, make better business decisions, gain business agility, and impact your bottom line.

New Markets
Collaboration gives FIs a wider market reach and access to a customer base that thrives on instant. Embracing social networks, putting banking centers in supermarkets, and mobile applications all help banks and credit unions attract and keep today’s customer. According to ABI Research around 407 million people worldwide will carry out financial transactions with their banks using their mobile phones in 2015.

New Offerings
Financial institutions can gain a competitive edge by bringing new, innovative ideas to their product offerings, delivery methods, and customer service. Though research, development and innovation may not be their forte, FIs can partner with innovative third-party companies to differentiate their offerings, and do so faster. In addition, social media and transparent borders allow for a global pool of shared ideas. We can learn a lot from the Asia-Pacific region, with its 52.2 million mobile banking subscribers in 2009.

New Bottom Line
New markets, new offerings and the reduced cost that collaboration brings directly impact your bottom line. Research done by Business Week showed that collaboration directly impacts an FI’s bottom line: 49% of FIs surveyed declared that their profitability increased with collaboration, while 47% said their revenue growth increased.

So, FIs, I urge you to step outside the box. Make collaboration a part of your culture and rub shoulders with cutting-edge companies outside your region and even outside your industry. And if you have already taken the bull by the horns, do share with us all your successes and struggles.

To learn more about collaboration and how to incorporate it into your culture, click here!
