Security Threats of Web 2.0 and Social Networking Sites
Research Report for ACC 626
Prepared by Violet Vanheuangdy
2010
Prepared for Professor Malick Datardina
6/13/2010
Table of Contents
Introduction (p. 3)
Web 2.0 (p. 3)
  AJAX (p. 3)
  Mash-Ups (p. 3)
  Emerging Risks (p. 4)
Social Networking Sites (SNS) (p. 4)
Security Risks of Web 2.0 and SNS (p. 5)
  Malware (p. 5)
  Spam (p. 6)
  Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) (p. 6)
  SQL Injections (p. 7)
  Identity Theft and Impostors (p. 8)
  Phishing and Spoofing (p. 9)
  Leaked Corporate Data (p. 10)
  Third-Parties Collecting Private Data (p. 11)
  Mobile Phone Attacks (p. 11)
Implications for C-Suite Executives (p. 12)
Implications for Chartered Accountants (p. 14)
Conclusion (p. 15)
Appendix A (p. 16)
Bibliography (p. 17)
Annotated Bibliography (p. 23)
Introduction
Web 2.0 has brought on new collaborative tools such as wikis, video sharing, podcasting, and collaborative online software and services that help make the workplace more productive. The increase in Web 2.0 tools has made it harder for IT managers to secure information sharing against new security risks.[1] This report will discuss what Web 2.0 is, the security threats of Social Networking Sites (SNS), and how these impact both C-suite executives and Chartered Accountants (CA).
Web 2.0
Web 2.0 has evolved from Web 1.0. In Web 1.0, information was provided by a small number of large corporations, the "Web pages were rarely updated, and only the tech-savvy could contribute to the development of the World Wide Web." Web 2.0 sites, on the other hand, are automatically updated by end users. Web 2.0 sites are focused on having people become more interactive and on bringing the desktop experience into the browser. A key component of Web 2.0 is the social web, also known as Social Networking Sites (SNS). Web 2.0 applications such as Facebook, Twitter, YouTube and MySpace are highly dependent on end users to update the web page. The end user is not only the consumer of a Web 2.0 application but also its producer. Users can post information by tagging content, contributing to wikis, or creating blogs or podcasts.[2]
AJAX
Another key component of Web 2.0 is Rich Internet Applications (RIA). AJAX is a technology that "allows pages to respond to user's input without processing or reloading the page." With Web 1.0, when a user clicks on a link an hourglass or blank page appears, indicating that the user must wait while the page is processed. This creates a time lag. With AJAX, when a user performs an action, the result is immediate with little or no lag. One example of AJAX application capabilities is Google Maps, where a user "can drag the map around on the screen seamlessly and add and remove flags without having to wait for Google's server to send an updated Web page."[3] This key technology creates a rich user experience and works in any browser, making it a clear distinguisher from Web 1.0.
Mash-Ups
Service oriented architectures allow for online functionality and create an integration of online offerings, also known as mash-ups. Mash-ups combine third-party data and use third-party content to present a new form of data. One example is the ChicagoCrime.org Web site. The Web site mashes crime
[1] Jander, Mary. "The Web 2.0 Balancing Act." Information Week 1120 (2009): 42-45. ABI Inform. Web. 7 Jan. 2010. <http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=0&did=1668135091&SrchMode=2&sid=2&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1278862594&clientId=16746>.
[2] What Is Web 2.0? YouTube - Broadcast Yourself. 10 Sept. 2006. Web. 03 July 2010. <http://www.youtube.com/watch?v=0LzQIUANnHc>.
[3] Krasne, Alexandra. "What Is Web 2.0 Anyway?" TechSoup - The Technology Place For Nonprofits. 22 Dec. 2005. Web. 03 July 2010. <http://www.techsoup.org/learningcenter/webbuilding/archives/page9344.cfm>.
data from the Chicago Police Department's online database with cartography from Google Maps. "Users can interact with the mash-up site, such as instructing it to graphically display a map containing pushpins that reveal the details of all recent burglary crimes in South Chicago."[4]
Emerging Risks
The business potential of Web 2.0 is enormous, but its success comes at a cost. New security risks emerge because the websites lack security and data management features. The presence of AJAX applications allows attackers to join in the interactions with innocent users, increasing the security risk to users and businesses. Because Web 2.0 is all about user-supplied content, site operators lose a portion of control over what their site is delivering to users. The sites are not monitored, which increases security risks.
Social Networking Sites (SNS)
SNS are an alternate form of communication among individuals. They replace face-to-face interaction and move communication onto the web. Individuals come together to share similar interests such as yoga, sports or politics. Sites including Facebook, MySpace, LinkedIn, Bebo, Friendster, Twitter and LiveJournal have become a popular way for people to interact with each other online.[5] SNS have become so popular that a Nielsen statistic shows Facebook, YouTube and Wikipedia as "three of the world's most popular brands online." In Canada, over 40 percent of the population is on Facebook.[6] SNS are easy to use and allow users to share links, videos and news articles with their friends. "The world now spends over 110 billion minutes on social networks and blog sites… [as the] average visitor spends 66% more time on these sites than a year ago, almost 6 hours in April 2010 versus 3 hours, 31 minutes last year."[7]
Businesses have caught on to SNS, recognizing them as a powerful tool. A 2010 Burson-Marsteller study showed that "of the Fortune Global 100 companies, 65 percent have active Twitter accounts, 54 percent have Facebook fan pages, 50 percent have YouTube video channels and 33 percent have corporate blogs."[8] These enterprises are enjoying benefits such as increased brand recognition, web traffic, customer satisfaction and revenue. SNS have become a powerful tool for businesses to reach and engage with their customers, employees and other stakeholders.
[4] Merrill, Duane. "Mashups: The New Breed of Web App." IBM - United States. 24 July 2009. Web. 03 July 2010. <http://www.ibm.com/developerworks/xml/library/x-mashups.html>.
[5] Denham, Elizabeth. "Work and Play in the Age of Social Networking." Office of the Privacy Commissioner of Canada. 12 May 2010. Web. 5 July 2010. <http://www.priv.gc.ca/speech/2010/sp-d_20100512_ed_e.cfm>.
[6] Ibid.
[7] Owyang, Jeremiah. "A Collection of Social Network Stats for 2010." Web Strategy by Jeremiah Owyang. 9 Jan. 2010. Web. 03 July 2010. <http://www.web-strategist.com/blog/2010/01/19/a-collection-of-social-network-stats-for-2010/>.
[8] "Social Media: Business Benefits and Security, Governance and Assurance Perspectives." ISACA Journal (2010): 1-10. ISACA.or. Web. 7 June 2010. <http://subjectguides.uwaterloo.ca/content.php?pid=112379&sid=846241>.
With the creation of new social media tools, new security risks emerge. Businesses need to be aware of the risks being placed on their corporations. Employees are already including Facebook, LinkedIn and MySpace as part of their lives. SNS are "one of the greatest tools for hackers to gain entry into the corporate enterprise."[9] Twenty percent of online attacks are targeted at SNS, as cybercriminals are constantly finding new ways to attack victims.[10] More than half of IT security decision makers (51%) indicate SNS as one of the biggest IT risks to their organization.[11]
Security Risks of Web 2.0 and SNS
Malware
Malware is short for malicious software: software designed to gain access to a computer system without the awareness of the owner. Such software can include viruses, worms and Trojans that cause undesirable activity on a user's computer system, such as destroying data. A survey by Sophos reported that 36% of companies had been sent malware via social networking sites in 2009, an increase of 70% compared to the previous year.[12]
The increased use of SNS has become the main vehicle for malicious attacks that spread malware. The most common method is known as 'drive-by download', which directs visitors to infected servers or hijacks legitimate Web sites. There are also social network infections where a victim's "friends list" has received spam that included links to illegitimate and infected servers. Twitter was infected by a worm that created fake invitation links. These links directed Twitter users to a malicious attachment that "gathers e-mail addresses from compromised computers and spreads by copying itself into removable drives and shared folders."[13]
Social networkers have become too trusting of messages received from their friends.[14] The Koobface virus was created to steal sensitive data. Koobface was capable of registering fake Facebook and MySpace accounts and making friends with random strangers. It tricked its new friends into downloading a Trojan from a malicious Web site by posting a message onto users' walls that included a link to a video infected with malware.[15]
The increased use of SNS by employees at work puts the company's computer systems at risk. Corporate computers that are already infected may end up posting links that distribute "malware on their corporate
[9] Sperling, Ed. "Social Networks' Security Risk." Forbes.com. 16 May 2009. Web. 03 July 2010. <http://www.forbes.com/2009/03/13/social-network-security-technology-cio-network-social-network.html>.
[10] Qing, Liau Yun. "Identity Theft 'almost Effortless' in Social Networks." ZDNet Asia - Where Technology Means Business. 27 Apr. 2010. Web. 03 July 2010. <http://www.zdnetasia.com/identity-theft-almost-effortless-in-social-networks-62062905.htm>.
[11] "Cisco Systems Bi-Annual Security Research." CISCO. June 2010. Web. 3 July 2010. <http://newsroom.cisco.com//dlls/2010/ekits/Full_Survey_Results_062410.pdf>.
[12] "Sophos Security Threat Report: 2010." Sophos. 2010. Web. 03 July 2010. <http://www.sophos.com/sophos/docs/eng/papers/sophos-security-threat-report-jan-2010-wpna.pdf>.
[13] Qing, Liau Yun. "Top 5 Social Networking Business Threats - Security - News." ZDNet Asia. 1 Feb. 2010. Web. 03 July 2010. <http://www.zdnetasia.com/top-5-social-networking-business-threats-62060912.htm>.
[14] Ibid.
[15] "Sophos Security Threat Report: 2010." Sophos. 2010. Web. 03 July 2010. <http://www.sophos.com/sophos/docs/eng/papers/sophos-security-threat-report-jan-2010-wpna.pdf>.
accounts, putting customers at risk of being infected."[16] This in turn may give the company a bad reputation and lose customers' trust in the safety of the website.
Spam
Spam consists of unsolicited messages sent to hijacked systems in the homes and offices of victims. Frequent use of SNS makes these sites a target for cybercriminals to attack users with spam, and spam has become common on SNS. On SNS this can be done by posting messages on users' pages, often containing a link to the spammer's website, or by posting videos that are unrelated to their description. Such spam can include traditional 419 scams that aim to make users send money to foreign destinations under the assumption that their friend is in trouble.[17] Cloudmark Inc. released a list of the spam techniques most commonly employed against social networking users. The list, named the "seven deadly sins of social networking spam," ranges from dating spam to fake job spam (Appendix A). "The number of businesses that were targets for Spam has increased dramatically, with Spam showing the sharpest rise from 33.4% in April to 57% in December."[18] Users on SNS such as YouTube, Twitter, and Facebook regularly receive spam messages either on their 'wall' or through the site's e-mail. Spam can be prevented by having users report it, but this does not necessarily stop spammers from bombarding a user's page. If a knowledgeable individual is unaware of the risks of spam, they could click on an attached link that contains a virus, spyware or Trojan horse and infect a business computer, spreading the infection throughout the entire business network.[19]
Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
CSRF is a technique used to force an end user into automatically executing an action that the hacker chooses. The actions may include having the victim change their password or home address, or purchase something. The user may be tricked into clicking on a link that can compromise the user's database and/or compromise the entire business database.[20] On SNS, a CSRF can be exploited to force a user to add an attacker as a friend.
[16] Qing, Liau Yun. "Top 5 Social Networking Business Threats - Security - News." ZDNet Asia. 1 Feb. 2010. Web. 03 July 2010. <http://www.zdnetasia.com/top-5-social-networking-business-threats-62060912.htm>.
[17] "Two Thirds of Businesses Fear That Social Networking Endangers Corporate Security, Sophos Research Reveals." Sophos. 28 Apr. 2009. Web. 03 July 2010. <http://www.sophos.com/pressoffice/news/articles/2009/04/social-networking.html>.
[18] "Sophos Security Threat Report: 2010." Sophos. 2010. Web. 03 July 2010. <http://www.sophos.com/sophos/docs/eng/papers/sophos-security-threat-report-jan-2010-wpna.pdf>.
[19] "High Cost Effects of Spam on Businesses." Email Talk. 30 Dec. 2008. Web. 03 July 2010. <http://www.emailtalk.org/blog/high-cost-effects-spam-businesses/>.
[20] "Cross-Site Request Forgery (CSRF)." OWASP. Web. 03 July 2010. <http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)>.
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) is a computer security vulnerability that allows malicious attackers to inject malicious code into Web pages. This malicious code bypasses access controls and compromises content. Once malicious code is successfully injected onto the user's Web page, the attacker can gain access to the victim's cookies, hijack the user's session, or redirect them to other websites. Web 2.0 applications, including SNS, allow users to upload content themselves, which can include uploading malicious scripts. This feature makes Web 2.0 applications more susceptible to XSS attacks. An example is the XSS attack on MySpace, a SNS. Over one million MySpace users were attacked by the "Samy worm," which forced users to become friends with the creator of the worm, Samy.[21] Public exposure to such a vulnerability, as in the MySpace case, could cause customers of the site to lose their trust in the security of the application, which results in a loss of business.[22] Detecting XSS in Web 2.0 applications is difficult due to AJAX requests.
Combination of XSS and CSRF on Social Networking Sites
"While CSRF exploits the server's trust for a client's browser, XSS exploits a client's browser for the server."[23] SNS provide the perfect setting for such attacks, as they give a hacker a large amount of exposure for distribution, and victims blindly trust SNS by performing simple actions such as clicking on links. Hackers are then able to gather sensitive information on victims and continue attacking the victims' friends.[24]
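The two defences that follow from the CSRF and XSS descriptions above, as an added example that is not code from this report or from any of the sites it discusses: a simulated "post to wall" handler that binds a random CSRF token to the session and refuses requests that do not carry it (the forced friend-add the report describes is exactly such a request), and that HTML-escapes user-supplied text before it is stored for rendering, so a submitted script tag is displayed as text rather than executed (the Samy worm relied on the opposite). The in-memory session store, the token lengths and the sample post are constructed for the example.

```python
import hmac
import html
import secrets

# Constructed in-memory session store: session id -> session record.
# A real site keeps this server-side; its exact shape here is an assumption.
SESSIONS = {}


def start_session(user):
    """Log `user` in: mint a session id and bind a fresh random CSRF token to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16), "wall": []}
    return sid


def csrf_token_for(sid):
    """The token the site's own form embeds as a hidden field.
    A page on another site cannot read it, so a forged request cannot supply it."""
    return SESSIONS[sid]["csrf"]


def render_post(text):
    """Escape user-supplied text so the browser treats it as data, not markup."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def post_to_wall(sid, form):
    """Simulated handler for POST /wall.
    `sid` stands for the session cookie, which the browser attaches to every
    request to the site, including ones triggered from another site (CSRF);
    `form` holds the submitted fields."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison against the token bound to this session.
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, "CSRF check failed"
    # Store the escaped form so later rendering cannot execute it (XSS defence).
    session["wall"].append(render_post(form.get("text", "")))
    return 200, "posted"


def wall_html(sid):
    """What the site would render for this user's wall."""
    return "\n".join(SESSIONS[sid]["wall"])


if __name__ == "__main__":
    sid = start_session("alice")
    # A request arriving without the token (all a cross-site form can send) is refused.
    print(post_to_wall(sid, {"text": "hello"}))
    # The site's own form includes the token; the script tag is neutralised on render.
    token = csrf_token_for(sid)
    print(post_to_wall(sid, {"csrf_token": token, "text": "<script>alert(1)</script>"}))
    print(wall_html(sid))
```

The token check is what makes the "force a user to add an attacker as a friend" request fail, and the escaping is what keeps user-uploaded content from becoming a script that runs in other visitors' browsers. A production handler would also check the request's Origin header and mark the session cookie so that it is not sent on cross-site requests; both are omitted here to keep the example to the two mechanisms the text describes.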
SQL Injections
Structured Query Language (SQL) injection is a technique that exploits database security vulnerabilities.[25] It occurs when a command or query receives untrusted data. The data can trick the interpreter into accessing unauthorized data or executing unintended commands.[26] In 2009 a social networking application development site, Rockyou.com, had a serious SQL injection flaw. This flaw allowed hackers to access the database containing 32 million entries of user names and passwords, which by default were the same as the users' e-mail account credentials for services such as Hotmail, Gmail and Yahoo. The user names and passwords could also be the same for SNS, as many users use the same user name and password for their e-mail and
[21] Mook, Nate. "Cross-Site Scripting Worm Hits MySpace." Betanews. 13 Oct. 2005. Web. 03 July 2010. <http://www.betanews.com/article/CrossSite-Scripting-Worm-Hits-MySpace/1129232391>.
[22] "XSS: Cross Site Scripting." Acunetix Web Security Scanner. Web. 03 July 2010. <http://www.acunetix.com/websitesecurity/xss.htm>.
[23] Wang, Edward. "Social Network Security: A Brief Overview of Risks and Solutions." Web. 03 July 2010. <http://www.cse.wustl.edu/~jain/cse571-09/ftp/social/index.html>.
[24] Ibid.
[25] "Web 2.0 Injection Infection Vulnerability Class." Information Security Journal: A Global Perspective 18.5 (2009): 213-23. ABI Inform. Web. 7 June 2010. <http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?did=1947019161&sid=1&Fmt=2&clientId=16746&RQT=309&VName=PQD>.
[26] "OWASP Top Ten - 2010." OWASP. 2010. Web. 03 July 2010. <http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project>.
SNS. The hacker can obtain passwords to SNS, log in to the SNS and send out malicious messages and spam to the victim's friends.
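The query-construction mistake that the SQL injection description above refers to, shown beside its fix, as an added example that is not code from this report or from Rockyou.com: a constructed in-memory SQLite account table, one login lookup that splices the submitted fields into the SQL text, and one that passes them as bound parameters so the database only ever sees them as data. The table, the accounts and the sample inputs are constructed; the plaintext password column exists only to keep the example short, since a real store holds password hashes.

```python
import sqlite3

# Constructed stand-in for a site's account table (plaintext passwords only for brevity).
SAMPLE_ACCOUNTS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The flaw: the submitted values become part of the SQL text itself, so a
    value containing quotes or operators changes the meaning of the query."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The fix: a parameterised query. The SQL text is fixed, and the driver hands
    the values to the database separately, so they are never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    crafted = "' OR '1'='1"        # constructed untrusted input for the password field
    # The spliced query becomes ... AND password = '' OR '1'='1', which is always true,
    # so the vulnerable lookup returns a real account for a username that does not exist.
    print("vulnerable:", login_vulnerable(conn, "nobody", crafted))
    # The parameterised lookup compares the literal string and finds nothing.
    print("safe:      ", login_safe(conn, "nobody", crafted))
```

The point to check in a code review is that the SQL string never contains a value that came from the request; every database driver in common use offers placeholders for this, and using them is the fix the OWASP entry cited above recommends.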
Identity Theft and Impostors
The use of SNS is making it easy for cybercriminals to steal identities for financial gain. Users are willingly posting personal information on their social networking profiles such as their "full names, birth dates, addresses, phone numbers and names of relatives."[27] Putting all this information together makes it easy for cybercriminals to create a fake profile. A study by Consumer Reports found that "52% of adults who use Facebook, MySpace and other social networks have posted information which could be used by identity thieves."[28] For example, a thief can create a fake profile and pose as a friend of a friend, making the victim assume this fake profile is part of their circle of friends. Although the victim does not personally know this fake profile, they assume everyone else knows the thief and accept the invitation to become friends. The thief can then gain inside access to the victim's daily life.
A victim can also install a game to play with their Facebook friends. The software may install not just the game but also malicious programs that collect personal information and use it in identity theft scams. Another safety issue is a user indicating their home address on SNS. The identity thief could start to stalk the individual or cause physical harm.[29] The problem is that social network users think of themselves as individuals, not as a group, and hence have a false belief that no one would bother attacking them. Most individuals do not bother creating different user names and passwords. If a hacker can figure out what the username and password are, then there is a chance that they will be the same for the victim's banking login or work login.[30]
Identity thieves can also pose as a family member or a famous celebrity. Some impostors will try to scam victims and cause harm to others, or act for financial gain. Corporations and businesses could also face the risk of being impersonated. A scammer could create a false Facebook profile advertising the company's brand and directing customers to a false site or a link that spreads malware onto the victim. Creation of the false profile could damage the company's reputation and/or divert traffic away from the company's legitimate site.[31] Facebook claims that it has a sophisticated system that detects fake accounts and also
[27] Qing, Liau Yun. "Identity Theft 'almost Effortless' in Social Networks." ZDNet Asia - Where Technology Means Business. 27 Apr. 2010. Web. 03 July 2010. <http://www.zdnetasia.com/identity-theft-almost-effortless-in-social-networks-62062905.htm>.
[28] Callow, Rhonda. "Social Networking, Identity Theft & Online Safety: Are You Your Own Worst Enemy?" Sync - the Tech and Gadgets Blog. 10 May 2010. Web. 03 July 2010. <http://www.sync-blog.com/sync/2010/05/social-networking-are-you-your-own-worst-enemy.html>.
[29] "Facebook Identity Theft." Identity Theft Scenarios. Web. 03 July 2010. <http://www.identity-theft-scenarios.com/facebook-identity-theft.html>.
[30] Mansfield-Devine, Steve. "Anti-social Networking: Exploiting the Trusting Environment of Web 2.0." Network Security 2008.11 (2008): 4-7. ABI Inform. Web. 7 June 2010. <http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=0&did=1596969541&SrchMode=2&sid=3&Fmt=2&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1278862726&clientId=16746>.
[31] "The Dangers of Social Networking Sites." Identity Theft Scenarios. Web. 03 July 2010. <http://www.identity-theft-scenarios.com/dangers-of-social-networking-sites.html>.
provides users with tools to flag them. Facebook also monitors any unusual activity associated with fake accounts, such as making many friend requests in a short period of time.[32] This does not, however, prevent scammers from moving on to another victim and creating another fake account.
Phishing and Spoofing
SNS are being used as a platform for launching 'phishing' attacks. Phishing attacks occur when cybercriminals try to trick innocent surfers into entering their passwords and other sensitive data on fake websites designed to look like legitimate sites.[33] Sophos estimates that 30% of businesses have been exposed to phishing attacks as a direct result of employees' use of SNS.[34] The first quarter of 2010 was the first time Kaspersky Lab saw a SNS, Facebook, appear among the top five corporations that are the most attractive targets for phishers. Facebook is one of the most popular SNS, as 400 million users, and counting, have profiles.[35] With Facebook's large network, a hacker can use a stolen account to leave messages on friends' walls that contain a link to an exact replica of the login page.
One example is a hacker sending fake messages supposedly from friends (on Facebook) or followers (on Twitter). Once a user opens the message there is a risk that they will be directed to a malicious site or trigger automated viruses, giving the hacker control of the user's browsing session. In a worst-case scenario, a worm could be released onto the user's system that sends malicious messages to all contacts. Another example was on Facebook, where a message named "video of you" was received by unsuspecting users. If the link was clicked, an error message appeared making the user think they had been logged out of their SNS and requiring them to log in with their username and password.[36] Once the user logged in, the hacker had full access to the profile and started sending out fake messages to their friends' accounts.[37] Having a profile hacked can cause embarrassment to the individual and create the risk of their reputation being damaged.
[32] "Stolen Facebook Accounts for Sale." The New York Times. 3 May 2010. Web. 03 July 2010. <http://dealbook.blogs.nytimes.com/2010/05/03/stolen-facebook-accounts-for-sale/?src=busln>.
[33] Jaques, Robert. "Anti Social." 10.12 (2010): 25. ABI Inform. Web. 8 June 2010. <http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=0&did=1861803071&SrchMode=1&sid=2&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1278548921&clientId=16746>.
[34] "Sophos Security Threat Report: 2010." Sophos. 2010. Web. 03 July 2010. <http://www.sophos.com/sophos/docs/eng/papers/sophos-security-threat-report-jan-2010-wpna.pdf>.
[35] "Spam Evolution: January-March 2010 - Securelist." Securelist. 12 May 2010. Web. 03 July 2010. <http://www.securelist.com/en/analysis/204792117/Spam_evolution_January_March_2010>.
[36] Diana, Alison. "Workplace Social Network, Personal Device Use Gaining." InformationWeek. 24 June 2010. Web. 03 July 2010. <http://www.informationweek.com/news/windows/microsoft_news/showArticle.jhtml?articleID=225701319&queryText=social network>.
[37] Shoemaker, Rachael. "Phishing Scams On Facebook: Bad Login Screens By Areps.at and Brunga.at Steal User Information." Suite101.com. 25 May 2009. Web. 03 July 2010. <http://internet-security.suite101.com/article.cfm/phishing_scams_on_facebook>.
Leaked Corporate Data
Companies are aware of the potential risks of SNS, as over 72% of firms believe their employees' behaviour on SNS could endanger their business's security.[38] In addition, employees accessing SNS costs the corporation 1.5% in lost productivity.[39] To mitigate these risks, more than half of small and medium sized businesses have Internet use policies against visiting SNS in the office.[40] Even when access to SNS is restricted, the organization can still be susceptible to leaked data through its employees' personal profiles on SNS. Some employees are posting confidential information about their job and company on SNS, believing this information is safe. "Posting information about current projects, financial situation and future plans can prove to be invaluable for competitors."[41] If the employee's account is compromised by a hacker, the sensitive information on the company will still be present on the SNS profile. Any actions taken by the hacker through the profile could reflect badly on the employee and be connected to the company, damaging the image and reputation of the organization.
The Twitter hack is an example. In December of 2009, Twitter was hacked by a group called the "Iranian Cyber Army."[42] This group was able to gain access to a Twitter employee's confidential documents. The hacker guessed the staff member's personal e-mail password and accessed the employee's Google Apps account, which contained stored documents of business plans, financial projections and other sensitive information. The confidential documents were published by the technology blog TechCrunch, which received the information from the hacker.[43]
A study by Deloitte LLP in 2009 "shows that there is a great reputation risk associated with social networking as 74% of employed Americans believe it's easy to damage a brand's reputation via sites such as Facebook, Twitter, and YouTube."[44] For example, if an employee is having a bad day at work they may post negative comments on their wall about how horribly their company treats employees. In addition, "27% of employees do not consider ethical consequences of posting comments, photos, or videos online and more than one-third don't consider their boss, their colleagues, or their clients,"[45] indicating there is a large risk of having the corporate reputation ruined by a company's own employees. Even if individuals are not
[38] "Sophos Security Threat Report: 2010." Sophos. 2010. Web. 03 July 2010. <http://www.sophos.com/sophos/docs/eng/papers/sophos-security-threat-report-jan-2010-wpna.pdf>.
[39] Jaques, Robert. "Anti Social." 10.12 (2010): 25. ABI Inform. Web. 8 June 2010. <http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=0&did=1861803071&SrchMode=1&sid=2&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1278548921&clientId=16746>.
[40] Boulder. "New Webroot Survey Shows Web 2.0 Is Top Security Threat to SMBs in 2010." Web. 03 July 2010. <http://www.printthis.clickability.com/pt/cpt?action=cpt&title=New Webroot Survey Shows Web 2.0 Is Top Security Threat to SMBs in... -- BOULDER, Colo., Feb. 17 /PRNewswire/ --&expire=&urlID=420983250&fb=Y&url=http://www.prnewswire.com/news-releases/new-webroot-survey-shows-web-20-is-top-security-threat-to-smbs-in-2010-84582662.html&partnerID=506122&cid=84582662>.
[41] Qing, Liau Yun. "Top 5 Social Networking Business Threats - Security - News." ZDNet Asia. 1 Feb. 2010. Web. 03 July 2010. <http://www.zdnetasia.com/top-5-social-networking-business-threats-62060912.htm>.
[42] <http://www.wired.com/threatlevel/2009/12/twitter-hacked-redirected/>.
[43] Qing, Liau Yun. "Top 5 Social Networking Business Threats - Security - News." ZDNet Asia. 1 Feb. 2010. Web. 03 July 2010. <http://www.zdnetasia.com/top-5-social-networking-business-threats-62060912.htm>.
[44] "Social Networking And Reputational Risk In The Workplace - Deloitte Survey (July 09)." Slide Share. Web. 03 July 2010. <http://www.slideshare.net/opinionwatch/social-networking-and-reputational-risk-in-the-workplace-deloitte-survey-july-09>.
[45] Ibid.
sharing confidential information on the company they are working for, small "non-sensitive" data can be gathered by competitors to gain intelligence about what is being worked on at the company.[46]
Third-Parties Collecting Private Data
Facebook users can add applications such as games and quizzes to their profile. By downloading an
application, the user gives its developers unrestricted access to their private data.47 The Office of the
Privacy Commissioner of Canada raised concerns about the sharing of users' personal information. Its
investigation found that “Facebook lacks adequate safeguards to effectively restrict these outside
developers from accessing profile information.”48 Facebook does not make it clear to users what kinds of
private information are being collected. In addition, the information provided to third parties went beyond
what was necessary for the purpose of the application. If a user decided to delete their account, the
third-party application developers were allowed to retain the user's personal information. Lastly, Facebook
does not monitor the quality or legitimacy of third-party applications. This creates a serious security
concern, as some program developers may use the private information to create false accounts or implant
malicious code to infect the user's profile and computer. Facebook has since changed the way applications
gather private information by introducing permission boxes. Under this new authorization process, “the
applications will have access to the public parts of Facebook users' profiles by default. To access the
private parts of profiles, the applications will have to ask for permission.”49 Although this change makes
the process more understandable to users, the security risks are still present, and users need to be more
cautious about downloading applications on SNS to reduce the risk of also downloading viruses, especially
when on corporate systems.
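As an added illustration (not code from this report, nor Facebook's actual platform API), the following Python sketch models the two authorization behaviours the paragraph describes: the legacy mode, in which installing an application grants it the whole profile, and the permission-box mode, in which an application receives only public fields by default plus the private fields the user explicitly approved. It also models purging an application's retained copy of the data when the user deletes the account, which is the retention problem the Privacy Commissioner's investigation raised. The field names, scope names, `UserProfile`/`ThirdPartyApp` types and the sample profile are all constructed for the example.

```python
"""
Scope-enforced profile access for third-party SNS applications.

Added example, not the report's or any platform's real code. Field names,
scope names and sample data are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Fields any installed application may read without asking (assumed set).
PUBLIC_FIELDS = {"display_name", "profile_picture"}

# Private fields and the scope an application must hold to read each (assumed).
SCOPE_FOR_FIELD = {
    "email": "read_email",
    "birthday": "read_birthday",
    "location": "read_location",
    "friends": "read_friends",
}


@dataclass
class UserProfile:
    user_id: str
    attributes: dict                       # field name -> value
    granted_scopes: dict = field(default_factory=dict)  # app_id -> set(scopes)


@dataclass
class ThirdPartyApp:
    app_id: str
    retained: dict = field(default_factory=dict)  # user_id -> data the app kept


def legacy_profile_view(profile, app):
    """Legacy behaviour: installing the app hands over the entire profile."""
    data = dict(profile.attributes)
    app.retained[profile.user_id] = data
    return data


def scoped_profile_view(profile, app):
    """Permission-box behaviour: public fields by default, private fields
    only where the user granted the matching scope. Fields the app did not
    earn a scope for are withheld, whether or not it asked for them."""
    scopes = profile.granted_scopes.get(app.app_id, set())
    data = {}
    for name, value in profile.attributes.items():
        if name in PUBLIC_FIELDS or SCOPE_FOR_FIELD.get(name) in scopes:
            data[name] = value
    app.retained[profile.user_id] = data
    return data


def grant_scopes(profile, app, requested):
    """Record the scopes the user approved in the permission box.
    Requests for scopes the platform does not define are rejected outright."""
    unknown = set(requested) - set(SCOPE_FOR_FIELD.values())
    if unknown:
        raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
    profile.granted_scopes.setdefault(app.app_id, set()).update(requested)


def delete_account(profile, apps):
    """On account deletion revoke every grant and purge each app's retained
    copy. Returns how many apps actually held data for this user."""
    profile.granted_scopes.clear()
    purged = 0
    for app in apps:
        if app.retained.pop(profile.user_id, None) is not None:
            purged += 1
    return purged


def demo():
    """Run both authorization modes against a constructed profile."""
    profile = UserProfile("u1", {
        "display_name": "Example User", "profile_picture": "pic.jpg",
        "email": "user@example.invalid", "birthday": "1990-01-01",
        "location": "Waterloo", "friends": ["u2", "u3"],
    })
    quiz = ThirdPartyApp("quiz_app")
    legacy = legacy_profile_view(profile, quiz)      # everything leaks
    grant_scopes(profile, quiz, {"read_birthday"})   # user approves one scope
    scoped = scoped_profile_view(profile, quiz)      # public + birthday only
    purged = delete_account(profile, [quiz])         # app copy is wiped
    return legacy, scoped, purged


if __name__ == "__main__":
    legacy, scoped, purged = demo()
    print("legacy view :", sorted(legacy))
    print("scoped view :", sorted(scoped))
    print("apps purged :", purged)
```

The point of the contrast is data minimisation: in the scoped path the platform, not the application, decides which fields cross the boundary, and the deletion hook closes the retention gap the investigation described.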
Mobile Phone Attacks
Many enterprises need to be aware that employees also use SNS from their corporate-issued mobile
devices. More than 65 million users access Facebook over their mobile phones.50 Employees can
subscribe to SNS such as Twitter through their mobile phone and have their mobile numbers transmitted
to the web, making themselves a bigger target for hackers.51
A study by Worcester Polytechnic Institute showed that online SNS are giving out data about users'
physical locations to third-party tracking sites. “All the 20 SNS that were studied leaked out some private
information with some containing the user's unique social networking identifier. This private data allowed
third-party sites to connect the records they keep of users' browsing behaviour with their profiles on the
social networking sites.”52
46 Perez, Sarah. "Top 8 Web 2.0 Security Threats." ReadWriteWeb. 17 Feb. 2009. Web. 03 July 2010. <http://www.readwriteweb.com/enterprise/2009/02/top-8-web-20-security-threats.php>.
47 Barron, Nick. "A Lack of Security on Social Networking Sites Causes Problems for Businesses." SC Magazine UK. 30 June 2010. Web. 03 July 2010. <http://www.scmagazineuk.com/a-lack-of-security-on-social-networking-sites-causes-problems-for-businesses/article/173602/>.
48 Hayden, Anne-Marie. "News Release: Facebook Needs to Improve Privacy Practices, Investigation Finds." Office of the Privacy Commissioner of Canada / Commissariat à La Protection De La Vie Privée Du Canada. 16 July 2009. Web. 07 July 2010. <http://www.priv.gc.ca/media/nr-c/2009/nr-c_090716_e.cfm>.
49 Gross, Grant. "Facebook Revamps Third-party App Privacy." PC Advisor. 1 July 2010. Web. 03 July 2010. <http://www.pcadvisor.co.uk/news/index.cfm?newsid=3228838>.
50 "Safer Surfing Mobile Social Networks." Help Net Security. 8 Feb. 2010. Web. 03 July 2010. <http://www.net-security.org/secworld.php?id=8839>.
51 "Today's 10 Most Common Security Threats on the Net." Bangkok Post. 24 May 2010. Web. 3 July 2010. <http://www.bangkokpost.com/tech/technews/34952/today-10-most-common-security-threats-on-the-net>.
Many employees use their mobile phone as “a backup device for business mails, personal data, contacts,
pictures, and access codes.”53 This poses a large security risk for organizations. The mobile phones
issued by corporations are often not subject to the same controls and monitoring as corporate
computers.54 This leaves the phones vulnerable to attack, as they do not have any anti-virus or
anti-malware programs installed. A hacker can install spyware on a phone and easily collect data on
targets or “trap the phone without the owner's knowledge.”55 A hacker can also harvest an employee's
list of work contacts and use the work e-mail addresses and phone numbers to bombard employees with
spam and malware in an attempt to gain access to the corporate database.
Implications for C-Suite Executives
A study by Deloitte found that businesses, including C-suite executives, need to educate themselves and
“address the issues that arise from employee's use of online social networking sites, blogs and other Web
2.0 applications.”56 The ultimate responsibility for security must be accepted by the business and not
just delegated to a chief information security officer (CISO).57 The CISO, executives and boards all need
to work together to tackle the security issues of SNS.
One of the biggest challenges for many companies is allowing employees access to SNS knowing that
they will lose control over the flow of information. Open horizontal software platforms mean less control
for IT departments58 and an increased risk of security threats. For many executives, blocking social
networking is not even an option because of its business benefits of enhanced collaboration and ease of
connection with customers.59
52 Gaudin, Sharon. "Social Networks Leak Your Information, Study Says." Computerworld. 28 June 2010. Web. 03 July 2010. <http://www.computerworld.com/s/article/9178648/Social_networks_leak_your_information_study_says>.
53 "Safer Surfing Mobile Social Networks." Help Net Security. 8 Feb. 2010. Web. 03 July 2010. <http://www.net-security.org/secworld.php?id=8839>.
54 "Social Media: Business Benefits and Security, Governance and Assurance Perspectives." ISACA – Journal (2010): 1-10. ISACA.or. Web. 7 June 2010. <http://subjectguides.uwaterloo.ca/content.php?pid=112379&sid=846241>.
55 "Today's 10 Most Common Security Threats on the Net." Bangkok Post. 24 May 2010. Web. 3 July 2010. <http://www.bangkokpost.com/tech/technews/34952/today-10-most-common-security-threats-on-the-net>.
56 "Managing the Web 2.0: Social Networking Policies." EHS Today 2.12 (2009): 18. Business Source Complete. Web. 03 July 2010. <http://web.ebscohost.com.proxy.lib.uwaterloo.ca/bsi/detail?vid=3&hid=12&sid=2bd75d42-24e1-49ce-ad3e-30d271af9c32%40sessionmgr14&bdata=JnNpdGU9YnNpLWxpdmU%3d#db=bth&AN=46738057>.
57 Williams, Paul. "Executive and Board Roles in Information Security." ISACA Journal Past 6 (2007): 1-4. ISACA. Web. 7 June 2010. <http://subjectguides.uwaterloo.ca/content.php?pid=112379&sid=846241>.
58 Fraser, Matthew, and Soumitra Dutta. "Web 2.0: Security Threat to Your Company?" IT Security News and Security Product Reviews - SC Magazine US. 17 Feb. 2009. Web. 3 July 2010. <http://www.scmagazineus.com/web-20-security-threat-to-your-company/printarticle/127417/>.
59 Brenner, Bill. "Social Networking Security Concerns Top of Mind for Businesses." IT Business. 19 Oct. 2009. Web. 05 July 2010. <http://www.itbusiness.ca/it/client/en/home/News.asp?id=54933>.
Executives need to ensure they have the basics of good governance in place, including goals and policies
that guide people in best practices for using Web 2.0 tools such as SNS.60 “Only 23 percent [of
companies] said their security efforts now include provisions to defend Web 2.0 technologies and control
what can be posted on social networking sites.”61 Frameworks such as COBIT should be considered by
executives, as they provide clear processes and controls to help build social network governance.62 IT
managers must ensure that the company's data is secure and accessible. Executives should ensure there
is a CISO responsible for keeping the information assets safe. The role of the CISO should be to examine
security and risk across the enterprise and make sure information is protected consistently. “If the CISO
doing job well, security and risk is me back both at business and technology strategy.”63
Executives should ensure the safety of the enterprise's information by creating a clear mission and goal.
This ensures that the people in the organization are focused on what is important. Executives should
ensure the IT department is securing sensitive information by keeping SNS and Web 2.0 apps behind a
firewall. Employees should also be assigned a single-sign-on password corresponding to their employee
ID number, giving them access to all Web 2.0 applications.64 This will allow the company to track social
networking activities. It is estimated that “65 percent of companies use Web content filters to keep data
behind the firewall, and 62 percent make sure they are using the most secure version of whichever
browser they choose. Forty percent said that when they evaluate security products, support and
compatibility for Web 2.0 is essential.”65 Information sent over the internet should be encrypted, as
encryption technologies are easy, fast and inexpensive. In addition, security applications should be
maintained and updated in a timely manner, and applications should be tested and evaluated for
weaknesses.66 The use of SNS creates new communication channels that must be monitored and
managed.67
60 Jander, Mary. "The Web 2.0 Balancing Act." Information Week 1120 (2009): 42-45. ABI Inform. Web. 7 Jan. 2010. <http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=0&did=1668135091&SrchMode=2&sid=2&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1278862594&clientId=16746>.
61 Brenner, Bill. "Social Networking Security Concerns Top of Mind for Businesses." IT Business. 19 Oct. 2009. Web. 05 July 2010. <http://www.itbusiness.ca/it/client/en/home/News.asp?id=54933>.
62 "Social Media: Business Benefits and Security, Governance and Assurance Perspectives." ISACA – Journal (2010): 1-10. ISACA.or. Web. 7 June 2010. <http://subjectguides.uwaterloo.ca/content.php?pid=112379&sid=846241>.
63 "C-Suite Security." Forbes.com Video Network. Web. 05 July 2010. <http://video.forbes.com/fvn/cio/c-suite-security>.
64 Jander, Mary. "The Web 2.0 Balancing Act." Information Week 1120 (2009): 42-45. ABI Inform. Web. 7 Jan. 2010. <http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=0&did=1668135091&SrchMode=2&sid=2&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1278862594&clientId=16746>.
65 Brenner, Bill. "Social Networking Security Concerns Top of Mind for Businesses." IT Business. 19 Oct. 2009. Web. 05 July 2010. <http://www.itbusiness.ca/it/client/en/home/News.asp?id=54933>.
66 Edwards, John. "Best Practices for Web 2.0 Security." IT Security. Web. 05 July 2010. <http://www.itsecurity.com/features/web-2-security-021208/>.
67 "Social Media: Business Benefits and Security, Governance and Assurance Perspectives." ISACA – Journal (2010): 1-10. ISACA.or. Web. 7 June 2010. <http://subjectguides.uwaterloo.ca/content.php?pid=112379&sid=846241>.
However, Mark Lobel, a partner in the security practice at PricewaterhouseCoopers, states that technology
cannot fix all of the social networking security issues. Training employees is essential to tackling the
security issues and reducing the risk of employees damaging the company's reputation and brand.
Employees need to be trained on acceptable information use and acceptable behaviour regarding
transmitting content across SNS.68 If the enterprise can educate its employees, then the company will be
able to minimize and prevent the loss of data and other security threats.
Implications for Chartered Accountants
The role of Chartered Accountants (CAs) is to provide assurance that the financial statements present
fairly and comply with generally accepted accounting principles as well as rules and regulations, so that
shareholders and other stakeholders can make well-informed decisions. Because of advances in
information technology (IT), IT auditing is needed to evaluate the adequacy of information systems,
evaluate the adequacy of internal controls and ensure that assets are adequately safeguarded.69 The
financial statements need to be
The CA must ensure that there are proper IT controls in place to mitigate the risks of SNS. A documented
strategy should be available to ensure that emerging IT changes are integrated, as it “ensures the risks
are being considered in the context of broader business goals and objectives.”70
The use of SNS provides an additional entry point into the corporation. CAs should ensure that policies
and procedures are documented to support the training of employees. Training should include the benefits
and dangers of SNS, and acceptable behaviour when on SNS.71 When auditing, CAs should ensure there
are proper security procedures to protect the company's data. Educated IT employees should regularly
test the controls and continuously update and test anti-virus programs and firewalls. Up-to-date
technology will assist in blocking, preventing and identifying SNS risks and threats. The technology
“should utilize a combination of web content filtering, which can block all access or allow limited access,
and… provide protection against malware downloads, and end-user system antivirus and operating
system security to counter attacks.”72
In order for the CA to properly evaluate the effectiveness of the company's policies, procedures and IT
controls, the CA must have the necessary IT skills. The auditor must understand the corporation's
complex systems and must have the technical skills to understand how threats arriving through SNS can
penetrate them. The use of SNS introduces new risks to the business, and auditors must understand
them and recommend new controls.
68 McClure, Marji. "Creating Safe, Collaborative Cultures in a Web 2.0 World." EContent 32.5 (2009): 22-26. ABI Inform. Web. 7 June 2010. <http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=0&did=1768338941&SrchMode=1&sid=1&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1278551439&clientId=16746>.
69 "Chapter 2 Audit and Review: Its Role in Information Technology." 24 Feb. 2004. Web. 5 July 2010. <http://searchsecurity.techtarget.com/searchSecurity/downloads/Gallegos_AU2032_C02_fm.pdf>.
70 "Social Media: Business Benefits and Security, Governance and Assurance Perspectives." ISACA – Journal (2010): 1-10. ISACA.or. Web. 7 June 2010. <http://subjectguides.uwaterloo.ca/content.php?pid=112379&sid=846241>.
71 Ibid
72 "Social Media: Business Benefits and Security, Governance and Assurance Perspectives." ISACA – Journal (2010): 1-10. ISACA.or. Web. 7 June 2010. <http://subjectguides.uwaterloo.ca/content.php?pid=112379&sid=846241>.
Conclusion
This report has discussed the security threats and implications of SNS and Web 2.0 for an enterprise.
Malware, spam, XSS, identity theft, leakage of corporate data, third-party access and mobile attacks are
the major security concerns. C-suite executives and Chartered Accountants are both affected by the
emergence of SNS. Proper education on the risks and how to mitigate them is important for both groups.
CAs must ensure there are proper controls in place to ensure the reliability of the reporting and
presentation of the financial statements.
Appendix A
The Seven Deadly Sins of Social Networking Spam
“1. Dating spam – a personal message, often from a woman, to a male social network user inviting them to start a romantic relationship. Once contact is secured, this attack proceeds in much the same way as bride email scams;
2. Profile and IM lures – spammers act as legitimate friends or potential new friends interested in getting to know the user in order to lure them to a fake profile page or Instant Messenger conversation;
3. Redirection to inappropriate or dangerous websites – a message is sent to a user, warning them that photographs or rumours about them have been posted on an external site and urging them to go to the site to view;
4. Nigerian attacks – similarly to Nigerian 419 spam traditionally seen over email, social networking users are targeted with messages alerting them to a fake inheritance or access to a rich stranger's fortune;
5. Fake jobs – sending personal messages or wall posts, spammers, posing as an employer, offer social network users fantastic job opportunities in order to spark conversation that will allow an avenue for further spam, phishing, malware or scams;
6. Competitor social network lure – invitations that seem to be from legitimate friends are sent to users via wall posts or personal messages urging them to visit virtually unknown social networking sites;
7. Religious based spam – spammers use social networking sites to preach to, and attempt to proselytise, users for various religions.”73
73 "Do Not Falling Victim of Social Networking Spam." Computer Crime Research Center. 27 Feb. 2009. Web. 05 July 2010. <http://www.crime-research.org/news/27.02.2009/3720/>.
Bibliography
Barron, Nick. "A Lack of Security on Social Networking Sites Causes Problems for Businesses." SC Magazine UK. 30 June 2010. Web. 03 July 2010. <http://www.scmagazineuk.com/a-lack-of-security-on-social-networking-sites-causes-problems-for-businesses/article/173602/>.
Boulder. "New Webroot Survey Shows Web 2.0 Is Top Security Threat to SMBs in 2010." Web. 03 July 2010. <http://www.printthis.clickability.com/pt/cpt?action=cpt&title=New Webroot Survey Shows Web 2.0 Is Top Security Threat to SMBs in... -- BOULDER, Colo., Feb. 17 /PRNewswire/ --&expire=&urlID=420983250&fb=Y&url=http://www.prnewswire.com/news-releases/new-webroot-survey-shows-web-20-is-top-security-threat-to-smbs-in-2010-84582662.html&partnerID=506122&cid=84582662>.
Brenner, Bill. "Social Networking Security Concerns Top of Mind for Businesses." IT Business. 19 Oct. 2009. Web. 05 July 2010. <http://www.itbusiness.ca/it/client/en/home/News.asp?id=54933>.
Callow, Rhonda. "Social Networking, Identity Theft & Online Safety: Are You Your Own Worst Enemy?" Sync - the Tech and Gadgets Blog. 10 May 2010. Web. 03 July 2010. <http://www.sync-blog.com/sync/2010/05/social-networking-are-you-your-own-worst-enemy.html>.
"Chapter 2 Audit and Review: Its Role in Information Technology." 24 Feb. 2004. Web. 5 July 2010. <http://searchsecurity.techtarget.com/searchSecurity/downloads/Gallegos_AU2032_C02_fm.pdf>.
"Cisco Systems Bi-Annual Security Research." CISCO. June 2010. Web. 3 July 2010. <http://newsroom.cisco.com//dlls/2010/ekits/Full_Survey_Results_062410.pdf>.
"Cross-Site Request Forgery (CSRF)." OWASP. Web. 03 July 2010. <http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)>.
"C-Suite Security." Forbes.com Video Network. Web. 05 July 2010. <http://video.forbes.com/fvn/cio/c-suite-security>.
"The Dangers of Social Networking Sites." Identity Theft Scenarios. Web. 03 July 2010. <http://www.identity-theft-scenarios.com/dangers-of-social-networking-sites.html>.
Denham, Elizabeth. "Work and Play in the Age of Social Networking." Office of the Privacy Commissioner of Canada. 12 May 2010. Web. 5 July 2010. <http://www.priv.gc.ca/speech/2010/sp-d_20100512_ed_e.cfm>.
Diana, Alison. "Workplace Social Network, Personal Device Use Gaining." InformationWeek. 24 June 2010. Web. 03 July 2010. <http://www.informationweek.com/news/windows/microsoft_news/showArticle.jhtml?articleID=225701319&queryText=social network>.
"Do Not Falling Victim of Social Networking Spam." Computer Crime Research Center. 27 Feb. 2009. Web. 05 July 2010. <http://www.crime-research.org/news/27.02.2009/3720/>.
Edwards, John. "Best Practices for Web 2.0 Security." IT Security. Web. 05 July 2010. <http://www.itsecurity.com/features/web-2-security-021208/>.
"Facebook Identity Theft." Identity Theft Scenarios. Web. 03 July 2010. <http://www.identity-theft-scenarios.com/facebook-identity-theft.html>.
Fraser, Matthew, and Soumitra Dutta. "Web 2.0: Security Threat to Your Company?" IT Security News and Security Product Reviews - SC Magazine US. 17 Feb. 2009. Web. 3 July 2010. <http://www.scmagazineus.com/web-20-security-threat-to-your-company/printarticle/127417/>.
Gaudin, Sharon. "Social Networks Leak Your Information, Study Says." Computerworld. 28 June 2010. Web. 03 July 2010. <http://www.computerworld.com/s/article/9178648/Social_networks_leak_your_information_study_says>.
Gross, Grant. "Facebook Revamps Third-party App Privacy." PC Advisor. 1 July 2010. Web. 03 July 2010. <http://www.pcadvisor.co.uk/news/index.cfm?newsid=3228838>.
Hayden, Anne-Marie. "News Release: Facebook Needs to Improve Privacy Practices, Investigation Finds." Office of the Privacy Commissioner of Canada / Commissariat à La Protection De La Vie Privée Du Canada. 16 July 2009. Web. 07 July 2010. <http://www.priv.gc.ca/media/nr-c/2009/nr-c_090716_e.cfm>.
"High Cost Effects of Spam on Businesses." Email Talk. 30 Dec. 2008. Web. 03 July 2010. <http://www.emailtalk.org/blog/high-cost-effects-spam-businesses/>.
Jander, Mary. "The Web 2.0 Balancing Act." Information Week 1120 (2009): 42-45. ABI Inform. Web. 7 Jan. 2010. <http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=0&did=1668135091&SrchMode=2&sid=2&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1278862594&clientId=16746>.
Jaques, Robert. "Anti Social." 10.12 (2010): 25. ABI Inform. Web. 8 June 2010. <http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=0&did=1861803071&SrchMode=1&sid=2&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1278548921&clientId=16746>.
Krasne, Alexandra. "What Is Web 2.0 Anyway?" TechSoup - The Technology Place For Nonprofits. 22 Dec. 2005. Web. 03 July 2010. <http://www.techsoup.org/learningcenter/webbuilding/archives/page9344.cfm>.
"Managing the Web 2.0: Social Networking Policies." EHS Today 2.12 (2009): 18. Business Source Complete. Web. 03 July 2010. <http://web.ebscohost.com.proxy.lib.uwaterloo.ca/bsi/detail?vid=3&hid=12&sid=2bd75d42-24e1-49ce-ad3e-30d271af9c32%40sessionmgr14&bdata=JnNpdGU9YnNpLWxpdmU%3d#db=bth&AN=46738057>.
Mansfield-Devine, Steve. "Anti-social Networking: Exploiting the Trusting Environment of Web 2.0." Network Security 2008.11 (2008): 4-7. ABI Inform. Web. 7 June 2010. <http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=0&did=1596969541&SrchMode=2&sid=3&Fmt=2&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1278862726&clientId=16746>.
McClure, Marji. "Creating Safe, Collaborative Cultures in a Web 2.0 World." EContent 32.5 (2009): 22-26. ABI Inform. Web. 7 June 2010. <http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=0&did=1768338941&SrchMode=1&sid=1&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1278551439&clientId=16746>.
Merrill, Duane. "Mashups: The New Breed of Web App." IBM - United States. 24 July 2009. Web. 03 July 2010. <http://www.ibm.com/developerworks/xml/library/x-mashups.html>.
Mook, Nate. "Cross-Site Scripting Worm Hits MySpace | Betanews." Betanews. 13 Oct. 2005. Web. 03 July 2010. <http://www.betanews.com/article/CrossSite-Scripting-Worm-Hits-MySpace/1129232391>.
"OWASP Top Ten - 2010." OWASP. 2010. Web. 03 July 2010. <http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project>.
Owyang, Jeremiah. "A Collection of Social Network Stats for 2010 « Web Strategy by Jeremiah Owyang | Social Media, Web Marketing." Web Strategy. 9 Jan. 2010. Web. 03 July 2010. <http://www.web-strategist.com/blog/2010/01/19/a-collection-of-social-network-stats-for-2010/>.
Perez, Sarah. "Top 8 Web 2.0 Security Threats." ReadWriteWeb. 17 Feb. 2009. Web. 03 July 2010. <http://www.readwriteweb.com/enterprise/2009/02/top-8-web-20-security-threats.php>.
Qing, Liau Yun. "Identity Theft 'almost Effortless' in Social Networks." ZDNet Asia - Where Technology Means Business. 27 Apr. 2010. Web. 03 July 2010. <http://www.zdnetasia.com/identity-theft-almost-effortless-in-social-networks-62062905.htm>.
Qing, Liau Yun. "Top 5 Social Networking Business Threats - Security - News." ZDNet Asia. 1 Feb. 2010. Web. 03 July 2010. <http://www.zdnetasia.com/top-5-social-networking-business-threats-62060912.htm>.
"Safer Surfing Mobile Social Networks." Help Net Security. 8 Feb. 2010. Web. 03 July 2010. <http://www.net-security.org/secworld.php?id=8839>.
Shoemaker, Rachael. "Phishing Scams On Facebook: Bad Login Screens By Areps.at and Brunga.at Steal User Information." Suite101.com. 25 May 2009. Web. 03 July 2010. <http://internet-security.suite101.com/article.cfm/phishing_scams_on_facebook>.
"Social Media: Business Benefits and Security, Governance and Assurance Perspectives." ISACA – Journal (2010): 1-10. ISACA.or. Web. 7 June 2010. <http://subjectguides.uwaterloo.ca/content.php?pid=112379&sid=846241>.
"Social Networking And Reputational Risk In The Workplace - Deloitte Survey (July 09)." Slide Share. Web. 03 July 2010. <http://www.slideshare.net/opinionwatch/social-networking-and-reputational-risk-in-the-workplace-deloitte-survey-july-09>.
"Sophos Security Threat Report: 2010." Sophos. 2010. Web. 03 July 2010. <http://www.sophos.com/sophos/docs/eng/papers/sophos-security-threat-report-jan-2010-wpna.pdf>.
"Spam Evolution: January-March 2010 - Securelist." Securelist. 12 May 2010. Web. 03 July 2010. <http://www.securelist.com/en/analysis/204792117/Spam_evolution_January_March_2010>.
Sperling, Ed. "Social Networks' Security Risk." Forbes.com. 16 May 2009. Web. 03 July 2010. <http://www.forbes.com/2009/03/13/social-network-security-technology-cio-network-social-network.html>.
"Stolen Facebook Accounts for Sale." The New York Times. 3 May 2010. Web. 03 July 2010. <http://dealbook.blogs.nytimes.com/2010/05/03/stolen-facebook-accounts-for-sale/?src=busln>.
"Today's 10 Most Common Security Threats on the Net." Bangkok Post. 24 May 2010. Web. 3 July 2010. <http://www.bangkokpost.com/tech/technews/34952/today-10-most-common-security-threats-on-the-net>.
"Two Thirds of Businesses Fear That Social Networking Endangers Corporate Security, Sophos Research Reveals." Sophos. 28 Apr. 2009. Web. 03 July 2010. <http://www.sophos.com/pressoffice/news/articles/2009/04/social-networking.html>.
Wang, Edward. "Social Network Security: A Brief Overview of Risks and Solutions." Web. 03 July 2010. <http://www.cse.wustl.edu/~jain/cse571-09/ftp/social/index.html>.
"Web 2.0 Injection Infection Vulnerability Class." Information Security Journal: A Global Perspective 18.5 (2009): 213-23. ABI Inform. Web. 7 June 2010. <http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?did=1947019161&sid=1&Fmt=2&clientId=16746&RQT=309&VName=PQD>.
What Is Web 2.0? YouTube - Broadcast Yourself. 10 Sept. 2006. Web. 03 July 2010. <http://www.youtube.com/watch?v=0LzQIUANnHc>.
Williams, Paul. "Executive and Board Roles in Information Security." ISACA Journal Past 6 (2007): 1-4. ISACA. Web. 7 June 2010. <http://subjectguides.uwaterloo.ca/content.php?pid=112379&sid=846241>.
"XSS: Cross Site Scripting." Acunetix Web Security Scanner. Web. 03 July 2010. <http://www.acunetix.com/websitesecurity/xss.htm>.
Annotated Bibliography
The following chart includes a reference of the most valuable readings. It is organized by authors last name and article title.
Author Title of Article Periodical/ website
Vol. / No. / Edition
Year published
Pages Date accessed
Location, data base, website, link
Barron, Nick Lack of Security on Social Networking Sites Causes Problems for Businesses
SC Magazine UK n/a 2010 1 July 3, 2010 http://www.scmagazineuk.com/a-lack-of-security-on-social-networking-sites-causes-problems-for-businesses/article/173602/
Annotation
The article explains the some of the risks of social networking sites. Facebook is a prime example of how easy it is for cybercriminals to hack into Facebook, users willingness to let others view their information, and Facebook allowing third-party application developers to access users private information.
Author Title of Article Periodical/ website
Vol. / No. / Edition
Year published
Pages Date accessed
Location, data base, website, link
Boulder New Webroot Survey Shows Web 2.0 Is Top Security Threat to SMBs in 2010
n/a n/a 2010 1 July 3, 2010 http://www.printthis.clickability.com/pt/cpt?action=cpt&title=New%20Webroot%20Survey%20Shows%20Web%202.0%20Is%20Top%20Security%20Threat%20to%20SMBs%20in...%20--%20BOULDER,%20Colo.,%20Feb.%2017%20/PRNewswire/%20--&expire=&urlID=420983250&fb=Y&url=http://www.prnewswire.com/news-releases/new-webroot-survey-shows-web-20-is-top-security-threat-to-smbs-in-2010-84582662.html&partnerID=506122&cid=84582662
Annotation
Webroots commissioned a survey to determine the most anticipated 2010 threats to security professions. Web 2.0 application such as Facebook, Twitter, Google Docs represented 23% of professionals concerns over vulnerability
24
Author Title of Article Periodical/ website
Vol. / No. / Edition
Year published
Pages Date accessed
Location, data base, website, link
Brenner, Bill Social Networking Security Concerns Top of Mind for Businesses
IT Business n/a 2009 1 July 5, 2010 http://www.itbusiness.ca/it/client/en/home/News.asp?id=54933
The article identifies that there is a trend of people using the Internet and mobile devices to connect and work with each other. With this comes a risk of phishing scams and social engineering attacks.
Author Title of Article Periodical/ website
Vol. / No. / Edition
Year published
Pages Date accessed
Location, data base, website, link
Callow, Rhonda
Social Networking, Identity Theft & Online Safety: Are You Your Own Worst Enemy?
Sync - the Tech and Gadgets Blog
n/a 2010 1 July 3, 2010 http://www.sync-blog.com/sync/2010/05/social-networking-are-you-your-own-worst-enemy.html
The most relevant information from this site, that was used in the article is “52% of adults who use Facebook, MySpace and other social networks have posted information which could be used by identity thieves.
9% of social networkers have experienced a problem – from identity theft to malware infections – as a direct result of their social networking.
7% of people post their address.
42% post their complete birth date.”
Author Title of Article Periodical/ website
Vol. / No. / Edition
Year published
Pages Date accessed
Location, data base, website, link
n/a Chapter 2 Audit and Review: Its Role in Information Technology
n/a n/a 2004 1-30 July 5, 2010 http://searchsecurity.techtarget.com/searchSecurity/downloads/Gallegos_AU2032_C02_fm.pdf
The document discusses the implications of information technology for auditors. There are audit concerns over information technologies, what auditors should look out for. Only a small part of the document was used in the research report.
25
Author Title of Article Periodical/ website
Vol. / No. / Edition
Year published
Pages Date accessed
Location, data base, website, link
n/a Cisco Systems Bi-Annual Security Research
CISCO n/a 2010 1-57 July 3, 2o1o http://newsroom.cisco.com//dlls/2010/ekits/Full_Survey_Results_062410.pdf
Only a section of the document was used. More than half of IT‟s perceived social networking sites to be an IT threat.
Author Title of Article Periodical/ website
Vol. / No. / Edition
Year published
Pages Date accessed
Location, data base, website, link
n/a Cross-Site Request Forgery (CSRF)
OWASP n/a 2010 1 July 3, 2010 http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
This website describes what CSRF is, provides preventative measures that do not work and examples of how the attack works.
Author Title of Article Periodical/ website
Vol. / No. / Edition
Year published
Pages Date accessed
Location, data base, website, link
n/a C-Suite Security Forbes.com Video Network
n/a 2010 n/a July 2, 2010 http://video.forbes.com/fvn/cio/c-suite-security
The video helps viewers understand the difference between a Corporate security officer and a corporate information officer
Author Title of Article Periodical/ website
Vol. / No. / Edition
Year published
Pages Date accessed
Location, data base, website, link
n/a The Dangers of Social Networking Sites
Identity Theft
Scenarios n/a n/a 1 July 3, 2010 http://www.identity-theft-
scenarios.com/dangers-of-social-networking-sites.html
The site indicates that identity theft if one of the dangers of social networking. It provides various examples such as Twitter, and MySpace identity thefts. The article states its up to the user to protect oneself from this type of threat.
26
Author Title of Article Periodical/ website
Vol. / No. / Edition
Year published
Pages Date accessed
Location, data base, website, link
Denham, Elizabeth
Work and Play in the Age of Social Networking
Office of the Privacy Commissioner of Canada
n/a 2010 1 July 5, 2010 http://www.priv.gc.ca/speech/2010/sp-d_20100512_ed_e.cfm
A speech by Elizabeth talks about the issues with social networking in the workplace. She noticed that there were differences with employees ideas on privacy and social networking. She offers suggestions on how to fix this gap. She also provides a follow up to the Facebook investigations and updates the changes that Facebook as agreed to undertake.
Diana, Alison. “Workplace Social Network, Personal Device Use Gaining.” InformationWeek, n/a, 2010, p. 1. Accessed July 5, 2010. http://www.informationweek.com/news/windows/microsoft_news/showArticle.jhtml?articleID=225701319&queryText=social network
The article states that businesses have let their employees use social networking sites on their networks, which creates a risk for the business. It was stated that “40% reported their company had lost data due to the use of unsupported network devices.” Other threats are unsupported mobile devices, applications and cloud applications.

n/a. “Do Not Falling Victim of Social Networking Spam.” Computer Crime Research Center, n/a, 2009, p. 1. Accessed July 5, 2010. http://www.crime-research.org/news/27.02.2009/3720/
The use of social networking sites increases the risk from spammers: “spammers can either creating fake accounts or directly hacking into legitimate users' accounts.”

Edwards, John. “Best Practices for Web 2.0 Security.” IT Security, n/a, n/a, p. 1. Accessed July 5, 2010. http://www.itsecurity.com/features/web-2-security-021208/
The author suggests best practices to mitigate the threats of Web 2.0. The suggestions cover encryption, weak validation, dangerous configurations, data storage and maintenance.

n/a. “Facebook Identity Theft.” Identity Theft Scenarios, n/a, n/a, p. 1. Accessed July 3, 2010. http://www.identity-theft-scenarios.com/facebook-identity-theft.html
The article discusses how Facebook provides little protection against identity theft. It provides three safety rules to protect oneself from identity theft.

Fraser, Matthew, and Soumitra Dutta. “Web 2.0: Security Threat to Your Company?” IT Security News and Security Product Reviews - SC Magazine US, n/a, 2009, p. 1. Accessed July 3, 2010. http://www.scmagazineus.com/web-20-security-threat-to-your-company/printarticle/127417/
The article discusses the different perspectives that companies have towards Web 2.0. There are fears about the data security of social networking sites.

Gaudin, Sharon. “Social Networks Leak Your Information, Study Says.” Computerworld, n/a, 2010, p. 1. Accessed July 3, 2010. http://www.computerworld.com/s/article/9178648/Social_networks_leak_your_information_study_says
Risk is also created through mobile devices. The article states: “A study out this week from Worcester Polytechnic Institute (WPI) in Massachusetts shows that mobile social networks are giving data about users' physical locations to tracking sites and other social networking services. Researchers reported that all 20 sites that were studied leaked some kind of private information to third-party tracking sites.”

Gross, Grant. “Facebook Revamps Third-party App Privacy.” PC Advisor, n/a, 2010, p. 1. Accessed July 3, 2010. http://www.pcadvisor.co.uk/news/index.cfm?newsid=3228838
Facebook has made changes to the way users can download third-party applications. There are now permission boxes that make the user aware of the personal information third parties are collecting from them.

Hayden, Anne-Marie. “News Release: Facebook Needs to Improve Privacy Practices, Investigation Finds.” Office of the Privacy Commissioner of Canada, n/a, 2009, p. 1. Accessed July 7, 2010. http://www.priv.gc.ca/media/nr-c/2009/nr-c_090716_e.cfm
An investigation was done by the Office of the Privacy Commissioner of Canada. The investigation found that Facebook needs to improve its privacy practices.

n/a. “High Cost Effects of Spam on Businesses.” Email Talk, n/a, 2008, p. 1. Accessed July 3, 2010. http://www.emailtalk.org/blog/high-cost-effects-spam-businesses/
The article explains to users what spam is and the effects it has on businesses.

Hyatt, Derrick. “Web 2.0 Injection Infection Vulnerability Class.” Information Security Journal: A Global Perspective, Vol. 18/Iss. 5, 2009, pp. 213-223. Accessed June 7, 2010. ABI Inform.
The author has created an illustration of the vulnerabilities that come from Web 2.0, known as the “vulnerabilities stack.” Such risks include cross-site scripting (XSS), vulnerabilities created by downloading information, search engine attacks, etc. I have just stated some of the nine general taxonomies of the injection infection vulnerability class for Web 2.0 application vulnerabilities.

Jander, Mary. “The Web 2.0 Balancing Act.” Information Week, Iss. 1220, 2009, pp. 42-45. Accessed June 7, 2010. ABI Inform.
Web 2.0 is making IT managers look for tools to fight new security risks. The biggest fear of managers is that employees will leak sensitive information or turn on the company. In addition, Web 2.0 poses technological challenges to good governance, such as identity management. The article states that many companies are not including Web 2.0 applications in their management plans. It is recommended that companies have strong governance to mitigate such Web 2.0 risks.

Jaques, Robert. “Anti Social.” n/a, Sep 2009, 2009, pp. 20-20. Accessed June 8, 2010. Business Source Complete.
Before a company allows employees to access social networking sites, it must consider the potential security risks. Twitter, Facebook, LinkedIn and MySpace are creating security and productivity issues in the workplace. Employees are sharing too much personal information through social networking sites, risking that sensitive data falls into the hands of malicious third parties. Distribution of unsolicited spam email, viruses and other malware is also a threat of social networking sites. Web 2.0 sites are also being used as a platform for launching ‘phishing’ attacks. The article gives suggestions on what the company can do to mitigate some of these risks, stating that employee education is key.

Krasne, Alexandra. “What Is Web 2.0 Anyway?” TechSoup - The Technology Place For, n/a, 2005, p. 1. Accessed July 3, 2010. http://www.techsoup.org/learningcenter/webbuilding/archives/page9344.cfm
The article discusses the key aspects of Web 2.0, including blogging, RSS, tagging and social bookmarking, and AJAX applications.

n/a. “Managing the Web 2.0: Social Networking Policies.” Business Source Complete, Vol. 12, issue 18, 2009, pp. 2-12. Accessed July 3, 2010. http://web.ebscohost.com.proxy.lib.uwaterloo.ca/bsi/detail?vid=3&hid=12&sid=2bd75d42-24e1-49ce-ad3e-30d271af9c32%40sessionmgr14&bdata=JnNpdGU9YnNpLWxpdmU%3d#db=bth&AN=46738057
The article emphasizes the need for businesses to look over their policies and educate themselves to address the issues with employees using Web 2.0 applications, since what “most employers share is the potential for the disclosure of sensitive or confidential information and the adverse effect of negative posts by their employees on blogs and social networking sites.”

Mansfield-Devine, Steve. “Anti-social networking: exploiting the trusting environment of Web 2.0.” Network Security, Vol. 2008/Iss. 11, 2008, pp. 1-2. Accessed June 7, 2010. ABI Inform, http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=0&did=1596969541&SrchMode=2&sid=3&Fmt=2&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1278862726&clientId=16746
The author discusses some of the risks of social networking. There is a lot of trust in the Web 2.0 environment, and with such trust come risks: malicious applications, downloading third-party content, fraud with user-supplied content, and “bad habits of verification.” Some social networking examples given are Facebook, LinkedIn and MySpace pages that are heavily loaded with personal information.

McClure, Marji. “Creating Safe, Collaborative Cultures in a Web 2.0 World.” EContent, Vol. 32/Iss. 5, 2009, pp. 22-26. Accessed June 7, 2010. ABI Inform, http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=0&did=1768338941&SrchMode=1&sid=1&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1278551439&clientId=16746
The article states that social networking sites and online tools make it easier for employees to collaborate and share their knowledge. Sharing private company information can be dangerous, as it can lead to an organization's downfall. In addition, Google Calendar is available to everyone, which makes people think that the information they enter belongs to them, but in reality it doesn't. Organizations that allow Web 2.0 applications to be used by employees need to be aware that there will be both internal and external threats. Data leakage is one of the biggest risks of Web 2.0.

n/a. “OWASP Top Ten - 2010.” OWASP, n/a, 2010, pp. 1-22. Accessed July 3, 2010. http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
The document covers the top ten security issues for web applications, discussing each issue and the consequences of the security weaknesses. The top 10 risks are: injection, XSS, broken authentication and session management, insecure direct object references, CSRF, security misconfiguration, insecure cryptographic storage, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirects and forwards.

Perez, Sarah. “Top 8 Web 2.0 Security Threats.” ReadWriteWeb, n/a, 2009, p. 1. Accessed July 3, 2010. http://www.readwriteweb.com/enterprise/2009/02/top-8-web-20-security-threats.php
The top 8 security threats mentioned in the article include: insufficient authentication controls, cross-site scripting (XSS), phishing, information leakage, injection flaws, information integrity, and insufficient anti-automation.

Qing, Liau Yun. “Top 5 Social Networking Business Threats - Security - News.” ZDNet Asia, n/a, n/a, p. 1. Accessed July 3, 2010. http://www.zdnetasia.com/top-5-social-networking-business-threats-62060912.htm
The top 5 social networking business threats are malware, spam, targeted attacks through employees, phishing, and human error.

n/a. “Social Media: Business Benefits and Security, Governance and Assurance Perspectives.” ISACA – Research Deliverables, n/a, 2010, pp. 1-10. Accessed June 7, 2010. ISACA.org, ISACA Journal, http://subjectguides.uwaterloo.ca/content.php?pid=112379&sid=846241
Many business units are realizing the benefit of utilizing social media tools to stimulate innovation, create brand recognition, hire and retain employees, generate revenue, and improve customer satisfaction. But there are also risks to using social media, such as liabilities, privacy violations and damage to brand recognition. The article goes on to define what social media is, along with its benefits and its security and privacy risks. Strategies for mitigating the risks are given, such as first focusing on user behaviour through the development of policies and supporting training and awareness programs. There is a very effective table containing threats and vulnerabilities, risks, and risk mitigation techniques. The article next focuses on governance and change considerations by looking at strategy, governance, people, process, etc.

n/a. “Sophos Security Threat Report: 2010.” Sophos, n/a, 2010. Accessed July 3, 2010. http://www.sophos.com/sophos/docs/eng/papers/sophos-security-threat-report-jan-2010-wpna.pdf
The report discusses security threats from social networking, data loss and encryption, web threats, email threats, and spam. It discloses statistical findings and recommendations on how to mitigate the risks.

n/a. “Stolen Facebook Accounts for Sale.” The New York Times, n/a, 2010, p. 1. Accessed July 3, 2010. http://dealbook.blogs.nytimes.com/2010/05/03/stolen-facebook-accounts-for-sale/?src=busln
The article states that the most common method of stealing someone's account is phishing. Once in, the hackers send spam and distribute malicious programs. Facebook has a method to detect fake accounts by having users flag these accounts.

n/a. “Today's 10 Most Common Security Threats on the Net.” Bangkok Post, n/a, 2010, p. 1. Accessed July 3, 2010. http://www.bangkokpost.com/tech/technews/34952/today-10-most-common-security-threats-on-the-net
Some of the top ten cyber security threats are social network attacks, mobile attacks, next-generation hacking, insider threats or organized crime, insecure infrastructure, and misunderstanding about GRC.

n/a. “Thirds of Businesses Fear That Social Networking Endangers Corporate Security, Sophos Research Reveals.” Sophos, n/a, 2010, p. 1. Accessed July 3, 2010. http://www.sophos.com/pressoffice/news/articles/2009/04/social-networking.html
“A recent Sophos poll* revealed that 63 per cent of system administrators worry that employees share too much personal information via their social networking profiles, putting their corporate infrastructure.” The article also provides more key highlights from the survey.

Wang, Edward. “Social Network Security: A Brief Overview of Risks and Solutions.” n/a, n/a, n/a, p. 1. Accessed July 3, 2010. http://www.cse.wustl.edu/~jain/cse571-09/ftp/social/index.html
The article provides an overview of the major security topics around social networking sites. Social engineering, physical security and malware are the main topics addressed.

Williams, Paul. “Executive and Board Roles in Information Security.” ISACA Journal Past Issues – Online Exclusive, Vol. 6 / 2007, 2007, pp. 1-4. Accessed June 7, 2010. ISACA.org, ISACA Journal, http://subjectguides.uwaterloo.ca/content.php?pid=112379&sid=846241
The article talks about the different roles and responsibilities of executives and boards that contribute to effective information security. Web 2.0 has impacted the way information security operates. The article proposes an optimal organizational structure for security, which depends on the size, industry and culture of the business. In addition, it is important for roles at all levels to have a security responsibility. In particular, the CEO, CIO and HR director roles, for example, are discussed in great detail.

n/a. “XSS: Cross Site Scripting.” Acunetix Web Security Scanner, n/a, n/a, p. 1. Accessed July 3, 2010. http://www.acunetix.com/websitesecurity/xss.htm
The article explains what XSS is and its repercussions, and provides an example. It also offers readers an opportunity to scan their site for XSS.