
SANS ISC: Cyber Security Awareness Month - Day 12 - Protecting and Managing Your Digital Identity On Social Media Sites - SANS Internet Storm Center SANS ISC InfoSec Forums


Cyber Security Awareness Month - Day 12 - Protecting and Managing Your Digital Identity On Social Media Sites

As we all know, social media sites are designed to share information such as who and where you are and what you are doing. This can be a great way to connect to close friends and family, or even re-connect with old classmates and old co-workers.  And it can be a great way to find and connect to new groups with interests common to your own.  

However, there is a fine line governing what and how much information to share with these different parts of your life. Think about this. Every public message you post on your Twitter account can be spread around the world in a matter of seconds and will possibly be indexed and found in real-time searches 24/7. These messages have the power to compromise your safety or your identity, jeopardize your future employment, or just embarrass you in front of the world.

First, review and use privacy settings. Almost every major social media site, such as Facebook, Twitter, and LinkedIn, lets you control how visible your information and pictures are on the site, as well as to any search engines that parse that data. You need to decide how visible you want your contact and profile information, videos, photos, and other posts to be, and take the time to set the appropriate controls within the site in question.

Second, don't share information that can help people steal your identity or locate you. It is quite possible for someone to look up your name in a phone book (digital or dead tree version) and find your address.  The combination of that publicly available information and your public post about hanging out with friends watching Monday Night Football across town could be enough for someone to take advantage of the situation and break into your house. 

Third, in most social media sites, you have the ability to limit who can see photos or video tagged with your name. It is probably best that you do not upload photos or video showing you or your friends doing illegal or inappropriate things in the first place. But you need to take advantage of any settings that allow you to control how visible this content could be if your friends do not exercise good common sense. Is it really all that smart to post an x-ray image of your broken arm while you are in high school, if your dream is to play baseball professionally?

Fourth, whether it is a tweet, a Facebook status update, or something else, it is recommended that you restrict the delivery of this information to your circle of friends only.

Fifth, online interactions between coaches and potential student athletes must be managed cautiously. Coaches are under even heavier scrutiny than many other people due to NCAA regulations. Wishing a recruit "Happy Birthday" on their public wall may be considered inappropriate in some circles. It is even possible that re-tweeting a media post by the coaching staff about a recruit visitation could be construed as a possible minor violation.

Sixth, be especially careful of malicious links sent via social media accounts. There are many URL shortening services on the Internet that help when you only have 140 characters in a particular tweet. Some third-party clients for social media sites can show you the full URL that was masked in the update. Enabling this will give you some confidence that you are actually going to a known and more-trusted site. In general, resist the urge to click on items sent to you, no matter the source.

Seventh,  like all computer accounts, you must protect social media accounts from being hijacked.  Using strong passwords on your social media accounts is a must.  And you must be careful to not disclose your credentials to would-be attackers.  Using your credentials, attackers could use your account to lure your circle of friends into clicking a malicious link sent from your account.

Last but not least, think twice before posting or even clicking on a post. Consider what could happen if a post becomes widely known and how that may reflect both on you (as the poster) and on your school or workplace.

There are likely other ideas of how to better protect and manage your digital identity when it comes to social media.  Share these with us via the contact form or comment on this article. 

--
Scott Fendley
co-ISC Handler on Duty

 

ScottF

188 Posts
ISC Handler
"Second, don't share information that can help people steal your identity or locate you. It is quite possible for someone to look up your name in a phone book (digital or dead tree version) and find your address. The combination of that publicly available information and your public post about hanging out with friends watching Monday Night Football across town could be enough for someone to take advantage of the situation and break into your house."

Seriously? Your attack scenario is plausible, but not practical.

Professional thieves are smart; they do what will give them the most gain for the least amount of effort put into it. They drive around neighborhoods looking for a place to break into.

Opportunist thieves don't plan that far in advance. They steal along the path that they already are traveling.

The only attacker that your scenario fits is one that is specifically targeting you. If you have an ex that is vindictive, and you have a restraining order against them so they can't stake out your house, this might be a very probable attack scenario.
Nathan Christiansen

20 Posts
Actually, as infeasible as it sounds, point #2 has been done. I've told my friends and family for quite some time that it's a bad idea to broadcast an empty house especially while on vacation.

http://www.theregister.co.uk/2010/09/13/social_network_burglary_gang/
Nathan Christiansen
1 Posts
Pretty nice information in my opinion. Thank you.

And Nathan... that's very much like saying "well, I live in the Pacific Northwest...it rains ALL the time and my house has never been on fire...I don't need fire insurance"

Blagarswinth

23 Posts
I believe we have all good points here to both personal and corporate practise.

I believe we need to enforce the awareness by creating a website/intranet that is very accessible, where you will put all advice on a monthly or weekly basis. The site should be advertised by all IT, like putting the site in their email signature.
This way, people will get a chance to browse it.

Note: Just don't be too strict, because if people notice that it's all about policy and blahhhh, they will not visit it. Try to make it more interesting, like helping them with how they will protect their banking, chatting, social media accounts, etc.

Blagarswinth
10 Posts
husaragi, I did not say anything of the sort. I would recommend adequate locks and an alarm system (which is the equivalent of fire insurance). I only commented on the unlikely situation of using social networking sites as a way to case out a robbery mark.

There have been cases, as pointed out by Heath, where this has been the case. But as a percentage of larceny crimes, I suspect this would be classified as rare (P < .05).

If you focus on being robbed in general and take security measures (adequate locks, an alarm system, reinforced windows, etc.), then it does not matter what method the thief uses to decide to rob your house. (Yes, I have had an attempted break-in at my house before.)

I don't place my address or vacation notices online, but for reasons other than larceny.
Nathan Christiansen

20 Posts
That's hilarious...and sad.
JoeChierotti

2 Posts
