Group items tagged

If you can't measure it, you can't manage it. If you don't even know what it is...

Even IT professionals are confused about what constitutes Web 2.0, according to a survey released Wednesday by web security vendor Websense and research firm Dynamic Markets. According to the survey, of 1,300 information technology managers across 10 countries, 17 percent of respondents correctly identified all the items on the survey that can be considered Web 2.0. IT administrators commonly identified the "obvious" Web 2.0 sites -- such as the social networking sites Facebook and LinkedIn, Dave Meizlik, director of product marketing at Websense, told SCMagazineUS.com on Tuesday. They also commonly identified blogs and micro blogs, such as Twitter, as Web 2.0. But, respondents less frequently identified other sites as Web 2.0, including iGoogle and Wikipedia, Meizlik said. Only half of respondents identified video uploading sites, such as YouTube, as part of Web 2.0, the survey found. David Lavenda, vice president of marketing and product strategy at security vendor Worklight, told SCMagazineUS.com on Wednesday that IT administrators know they need to secure the enterprise from Web 2.0 threats, but are not always sure what those threats are. "When you go to organizations where security is really important -- financial and government organizations -- and ask, 'What's your fear of Web 2.0?,' they say, 'I really don't know, but we hear enough stories of people being compromised that we don't want to take a chance.' That's the most common answer." Lavenda said.

Enterprise employees frequently use social networking tools, most notably Web-based applications. It's no surprise more organizations are wondering what happens if social networking data becomes relevant to an e-discovery investigation. How does an enterprise go about discovering and assessing Web 2.0 data? How responsible is an organization, legally speaking, for the information that's out there in the Web 2.0 world? What risks arise from e-discovery as it relates to Web 2.0 data, and how can you mitigate them? In this tip, we will look at e-discovery as it relates to Web 2.0 and consider the strongest options for minimizing risks to the organization. E-discovery basics We begin with a quick look at what e-discovery is and how it can create risk. Essentially, e-discovery is the electronic extension of the legal process of discovery, which Wikipedia defines as "the pre-trial phase in a lawsuit in which each party through the law of civil procedure can request documents and other evidence from other parties or can compel the production of evidence by using a subpoena or through other discovery devices, such as requests for production and depositions." If you're an IT person, not a lawyer, it's important to note that the rules governing the discovery process now require plaintiffs to address all electronically stored information or ESI. In other words, if your organization faces litigation, it will have to deal with the issue of e-discovery, which will entail a whole lot more than turning over some old emails. Depending upon your role in the organization, the first you may hear of this is a "notice of litigation" with perhaps a "litigation hold directive" containing a "preservation directive." Here is a generic e-discovery request below. Apart from a few limiting factors, such as subject matter, named persons and a specified time period, the scope of such a notice is likely to be broad; blame standard procedure, not some high-powered attorney pushing his or her lu

You can't ignore the presence and usage of all the myriad forms of instant messaging, social networking and blogging. The millennial generation won't thrive in companies where Facebook is banned or texting is frowned upon. They think and work so differently from their baby boomer managers that generational clashes are inevitable. The Security Executive Council and CXO Media, producer of CSO Perspectives and CSO magazine, are partnering to probe attitudes toward collaborative technologies like IM and social networking. By participating you will receive a research report based on this survey. Definition of web 2.0 apps: The term "Web 2.0" describes the changing trends in the use of World Wide Web technology and web design that aim to enhance creativity, communications, secure information sharing, collaboration and functionality of the web. Web 2.0 concepts have led to the development and evolution of web culture communities and hosted services, such as social-networking sites, video sharing sites, wikis, blogs, and folksonomies. (Wikipedia)

In this expert videocast, you will learn about Web 2.0 software, the threats they pose, and whether the benefits outweigh the risks. Key areas covered include the threats posed by services like Facebook, MySpace, and LinkedIn, as well as wikis and blogs. Our expert also dives into particular attack vectors and scenarios that are becoming popular, defensive policy, and technology best practices and Web 2.0 trends to monitor going forward. Speaker David Sherry CISSP, CISM - CISO, Brown University As chief information security officer of Brown University, David Sherry is charged with the development and maintenance of Brown's information technology security strategy, IT policies and best practices, security training and awareness programs, as well as ongoing risk assessment and compliance tasks. Sherry has 20 years of experience in information technology. He most recently worked at Citizens Bank where he was vice president for enterprise identity and access management, providing leadership for compliance and security governance. He had also served as Citizens' vice president for enterprise information security, overseeing the company's security operations and controls. He has taught classes at colleges in both Massachusetts and Rhode Island, as well as spoken on identity management strategy and implementation at industry conferences. He holds undergraduate and graduate degrees in business management.

Free, vendor-neutral online Data and Privacy in Web 2.0 Summit on August 13th. Thought leaders will present a series of webcasts discussing best practices and case studies on legal issues in online social communities, implications of the smart grid and the Cloud, privacy policies and more: http://www.brighttalk.com/summit/dataprivacy2 Web 2.0 services have been rapidly growing because of the value they offer to businesses and individuals alike. However, with so much information at stake and so little control of employees and customer activities online, how do companies ensure consumer and businesses' data are secure and safe from misuse and malware-related data breach? This summit will focus on minimizing leakage from people, devices and data on the move, keeping consumer and businesses' data secure and safe from misuse and malware-related data breach.

GovLoop (http://govloop.com), an online community created for and by government employees, announced today it has signed up its 10,000th member less than a year after launching. Dubbed by some as a "Facebook for Feds," GovLoop brings together government employees from the U.S. and other nations to discuss ideas, share best practices and create a community dedicated to the betterment of government. A revolution is happening in government as the result of a new generation of government employees, the rise of Web 2.0 technologies, and the Obama administration's focus on transparency, participation, and collaboration. This revolution is often called "Government 2.0" and GovLoop is at the center of this movement. The social network was developed by Steve Ressler, a 28-year old federal employee from Tampa, Fla. who is also a co-founder of Young Government Leaders (http://youngovernmentleaders.org). Fed up with the silos that existed across government agencies, including artificial barriers between levels of government, rank and age, Ressler believed there had to be a better way to share information, so he launched GovLoop.com in June 2008.

The Homeland Security Department's privacy office will hold a conference to explore the use of social media as if affects security and privacy. The "Government 2.0: Privacy and Best Practices" conference will be held June 22 to June 23 in Washington and is open to the public. The workshop is meant to help agencies use Web 2.0 technologies in ways to protect privacy and security, and to explore the best practices for implementing President Barack Obama's memo on open government that was released in January, according to a notice published in the federal register April 17. Panelists will discuss topics such as transparency and participation in government, privacy and legal concerns brought by the government's use of social media, and how the government can best use the technologies while protecting privacy rights during the conference, DHS officials said. DHS is asking for comments by June 1 on topics such as: * How the government is using social media. * The risks, benefits and operational concerns that come from government use of the technologies. * Privacy, security and legal issues raised by the government's use of social media. * Recommendations on best practices for government use of the technologies.

The Obama administration is trying to take the lead on a number of technology issues, including cybersecurity, network neutrality and broadband availability. But one prominent omission is privacy, a topic about which the administration has said very little. At the Computers, Freedom and Privacy conference in Washington on Tuesday, one administration official did address privacy somewhat. Susan Crawford, a member of the National Economic Council looking after science and technology policy, listed some of the efforts by the Federal Trade Commission to press for new rules for behavioral advertising. But she didn't mention that all of those rules were written under the Bush administration. Peter Swire, an Ohio State law professor who served on the Obama transition team, offered one reason it might be difficult for the administration to find its voice on privacy. There is a split, he told the conference, between the typical view of privacy among technology experts and the emerging view of people brought up in the social networking, Web 2.0 world.

Social networkig may seed malware spread. Education is still one of the most successful computer security tools

Websense CTO Dan Hubbard outlines four ways companies can protect their information from threats and compromise on the social Web. 1) Most Web Posts on Blogs and Forums are Actually Unwanted Content (Spam and Malware) As more and more people interact with each other on sites allowing user-generated content, such as blogs, forums and chat rooms, spammers and cybercriminals have taken note and abuse this ability to spread spam, post links back to their wares and direct users to malicious sites. Websense research shows that 85 percent of all Web posts on blogs and forums are unwanted content - spam and malware - and five percent are actually malware, fraud and phishing attacks. An average active blog gets between 8,000 and 10,000 links posted per month; so users must be wary of clicking on links in these sites. Click here to find out more! Additionally, just because a site is reputable, doesn't mean its safe. Blogs and message boards belonging to Sony Pictures, Digg, Google, YouTube and Washington State University have all hosted malicious comment spam recently, and My.BarackObama.com was infected with malicious comment spam.

"Craig Newmark, founder of Craigslist and a customer-service guru, was riding on a public train in San Francisco, California, recently when something common but annoying occurred: The railcar filled with people and became uncomfortably hot. If the inconvenience had happened a few years ago, Newmark said he would have just gone on with his day -- maybe complaining about the temperature to a friend. But this was 2009, the age of mobile technology, so Newmark pulled out his iPhone, snapped a photo of the train car and, using an app called "SeeClickFix," zapped an on-the-go complaint, complete with GPS coordinates, straight to City Hall. "A week or so later I got an e-mail back saying, 'Hey, we know about the problem and we're going to be taking some measures to address it,' " he said. Welcome to a movement the tech crowd is calling "Gov 2.0" -- where mobile technology and GPS apps are helping give citizens like Newmark more of a say in how their local tax money is spent. It's public service for the digital age."

Maybe Craig of Craigslist has finally found something to do with technology besides making it easier to find a prostitute in Los Angeles?

Social media is on the rise, and so are the privacy and security risks. Is it time to dial back on the whole Web 2.0 'friend' thing? The social media honeymoon is officially over. While it may not yet be time to fly to Reno for a quickie divorce, you might want to start thinking about sleeping in separate bedrooms for a while. Example du jour: Over the weekend, a rogue application spread across Facebook, warning users about bogus errors in their profiles. Clicking on the "Error Check System" app causes it to send false warnings to your entire FB posse, per the unofficial AllFacebook blog. There doesn't seem to be any payload associated with that app besides driving traffic, but the potential for abuse is obvious. But a bigger problem on social nets is an old familiar one: spam. So far, spam only accounts for about 5 to 25 percent of all e-mail passed on social networks, versus 90 percent of regular e-mail, says Adam O'Donnell, director of emerging tech for Cloudmark, which filters spam for some large social nets (but won't identify which ones). As more people start tweeting about what their cats ate for lunch and share their Facebook profiles with near-total strangers, though, that number will only grow. The type of spam on social networks is different too, says O'Donnell. Think fewer fake Viagra come-ons, more social engineering scams. In other words, the junk you get on social networks is more likely to be aimed at stealing your credentials or your identity -- and thus much more dangerous than garden-variety spam.

This tip is part of Mitigating Web 2.0 threats, a lesson in SearchSecurity.com's Data Protection Security School. Visit the lesson page or our Security School Course Catalog for additional learning resources. Social networking, a term relatively new to the computing vernacular, has already become part of the cultural norm for a great proportion of Internet users. Even more recently, the use of online communities to establish and build connections among those with shared interests has become part of the corporate world as well. As professional social networks such as LinkedIn and Blue Chip Expert continue to grow, and professional groups gain in popularity on once-personal sites like Facebook and MySpace, enterprise security and risk management professionals must face the reality that these sites are emerging conduits for the unauthorized disclosure of confidential corperate information. Add the use of public social networking tools to the list of concerns, and the effectiveness of the traditional corporate security perimeter is further diminished. However, a robust set of policy, process and architecture aids in mitigating the risks of being social. Broadly, social networking is described as software that lets people interact, rendezvous, connect, play or collaborate by use of a computer network. This definition covers the popular social networking sites, including those mentioned above, as well as blogs, wikis, RSS, podcasts, tags, and more recently, search engines. While there are numerous benefits to social network solutions, including reducing costs and increasing collaboration, we'll focus on addressing the risks.

Forrester has a recommendation for CISOs struggling with how to secure corporate data: Stop trying so hard. Despite years of investments in technology and processes, protecting enterprise-wide data remains a maddeningly elusive goal for chief information security officers (CISOs). Software-as-a-service (SaaS), Web 2.0 technologies, and consumerized hardware increase the number of escape routes for sensitive information. Regulations, statutes, and contractual expectations drown CISOs in audit requests and ratchet up the pressure to do something about the problem. Hordes of vendors confuse CISOs with innumerable sales pitches. Instead of beating your head against the wall, devolve responsibility to the business, keeping controls closest to the people who use the data. IT security should be primarily responsible only for deploying data protection technologies that require minimal or no customization.

Social networking sites are often used by government ministers as an example of the profound way attitudes to privacy have changed. They argue that the young generation invade their own privacy to a far greater extent than the government ever would. The implication is that the older people who object to government intrusion are living in the past. The response to this is that people who use social networking sites voluntarily reveal things about themselves and have a degree of control of over how long information and photographs stay in the public domain, while the government collects and stores information without permission and allows the subject no access to the data held. There is no obvious comparison between the two activities. But this doesn't let the social networking sites off the hook. Most internet companies claim a kind of morality free status when it comes to such issues as privacy and copyright, and Web 2.0 sites are no different. A study published this week by Cambridge PhD students shows that nearly half of all social networking sites retain copies of photographs after being "deleted" by users. The study examined 16 popular websites that host user-uploaded photos, including social networking sites, blogging sites and dedicated-photo-sharing sites. Seven of the 16 sites surveyed were still maintaining copies of users' photos after they had been deleted by the user. The researchers - Jonathan Anderson, Andrew Lewis, Joseph Bonneau and lecturer Frank Stajano - found that by keeping a note of the URL where the photo is actually stored in a content delivery network, it was possible for them to access the photo even after it had been deleted.

An eBay Inc. effort to broaden communication through the popular Twitter Web-messaging service highlights the hurdles facing corporate users of online social media. The growing Twitter audience also attracted the attention of eBay's lawyers, who last month required Mr. Brewer-Hay to include regulatory disclaimers with certain posts. Some followers think the tougher oversight is squelching Mr. Brewer-Hay's spontaneous, informal style. His experience shows the tension that can arise as more companies tap social media to reach investors, customers and others. Eighty-one Fortune 500 companies sponsor public blogs, including Wal-Mart Stores Inc., Chevron Corp. and General Motors Corp., according to the Society for New Communications Research. Of those blogs, 23 link to corporate Twitter accounts. On Thursday, a Johnson & Johnson executive reported for the first time on the health-care giant's annual meeting via Twitter, which allows users to post "tweets" of as many as 140 characters via text messages and the Web. Such efforts raise thorny questions. Blogs and tweets can run afoul of Securities and Exchange Commission regulations on corporate communications. But sanitizing such posts risks hurting credibility with online audiences. The online auctioneer launched a corporate blog in April 2008. Two months later, blogger Richard Brewer-Hay began "tweeting" -- posting updates on Twitter -- about Silicon Valley technology conferences, eBay's quarterly earnings calls and other topics.