SlideShare una empresa de Scribd logo

Social networking-website-security-mitigation

Descargar como DOC, PDF
B
bipinsunar
Tecnología
1 de 4
Social Networking Website Security Mitigation The use of social networking site at CDC, such as Facebook and MySpace, increases risk to CDC systems and data via three main mechanisms: 1) Web mail communication, which by-passes enterprise mail filtering, and 2) public comments on blog posts, which are often vulnerable to cross-site scripting (XSS) or blog-phishing attacks, and 3) malicious ‘friends’, whereby those who are accepted as ‘friends’, may change their profiles after being approved to purposely include malicious code, spurious, offensive, inappropriate or political content. Social networking sites and other Web 2.0 technologies offer health communicators powerful new channels to deliver relevant and targeted health messages, often through trusted sources, when, where and how users want information. Since these technologies are newly emerging and are unfortunately prone to security vulnerabilities and attack vectors, mitigating these risks to protect the CDC network remains paramount to OCISO and the programs alike. This document aims to outline the steps of risk assessment for individual sites and recommendations for mitigating these known risks when they are present. OCISO makes two general recommendations1 regarding social networking sites and the first two main vulnerability classes: Do not use the Web mail portion of these sites. Disable comments on blogs and other public commenting sections. OCISO does not offer recommendations regarding the third vulnerability, malicious ‘friends’. Web Mail: Most functions of social networking sites are usually available even when Web mail is not used or blocked by Websense. When possible, this is the recommended route, not only in terms of security, but also convenience. If possible, have incoming mail automatically redirected to a specific, group CDC account, since it would allow the regular enterprise mail filters to scan the incoming mail traffic. If Web mail is required to effectively use the site, then a computer off the CDC network will have to be used to manage and maintain the site. This requires separate hardware and connection to the Internet. Public Comments: OCISO recommends that comments be disabled. Even moderated comments pose a risk to the CDC network, since each of the comments have to be opened and evaluated by someone on a CDC network computer. There is no way to moderate the comments without the moderator’s system being in jeopardy. However, not allowing comments on blog posts and other content not only is contrary to the very nature of these peer-to-peer communications platforms and thereby reducing the site’s effectiveness, often a
negative backlash is encountered, which undermines the effectiveness of our communications efforts. From a communications perspective, we recommend allowing comments, but having all comments moderated. A special computer off the CDC network will be required to manage and maintain the site. This necessitates the purchase of separate hardware and connection to the Internet. Malicious ‘Friends’: Once friends are approved on a social networking profile, vigilance is required to make sure that the friend’s profile hasn’t changed to include inappropriate content, an inappropriate profile image or malicious code. The simple act of reviewing proposed friends may make the administrator’s system vulnerable to attack. Although most users of such social networking site already understand this, disclaimers about friends and content on their profiles should be posted. Clear policies about accepting friends should be posted as well. Some sites such as MySpace allow you to control which friends get listed on your main profile page, whereas others such as Facebook randomly place any of your friends on the main page, in which case, care must be taken in approving friends. This vulnerability is the same as attacks whereby developers work to get a site high in Google or other search engine results, and then changing the content of their pages to purposely introduce attacks. Again, the main recommendation is to use computer resources off the CDC network to manage and maintain the profile. This requires separate hardware and connection to the Internet. Primary recommendations: Since most Web 2.0 technologies are still emerging and secure coding practices are not industry-wide, it is recommended to do a risk assessment for each social networking, Web 2.0 community you wish to use for official CDC communications to determine whether Web mail and public comments are allowed and are necessary. Most times they are either required or greatly preferred, and in those cases the only way to currently protect the CDC network is to manage and maintain these sites on hardware off the CDC network. Programs must work with OCISO to develop appropriate Rules of Behavior (ROB) for those who will use the special hardware to manage these profiles. These ROB will include provisions of not connecting the hardware to the CDC network, trying to reenable ports if OCISO has blocked them, or moving files from the system to the network directly in any way. Special connections to the Internet must be acquired, which is usually a wireless Internet card. If DSL, cable or T1 connections are required, then the program must also include ITSO in on the discussions at an early stage. Programs should develop a system to regularly and systematically review the URLs in any comment for XSS on the destination. Those who do the scanning and review should be trained on how to look for suspicious XSS type of code in a page. The use of automated tools are generally restricted by license agreements.
Programs should also develop a system to regularly and systematically review the profile pages of friends as well, to ensure that content has not changed since initial acceptance and that those profiles have not been compromised. Programs should also routinely scan the security environment and vulnerabilities databases to stay breast of the changing security landscape associated with these sites. System Definition and Boundaries: Until these sites can be made more secure across the board, it is not recommended at this time to treat the information published to these systems as information of record or official. Disclaimers should be made on the profiles of each of these sites to state that official CDC information can be found at CDC.gov and that in the case of any discrepancies that the content on CDC.gov be considered correct. Even though clear system boundaries are established, programs participating in the spaces must assume the risk that content may be subject to attack and change, since ITSO and OCISO do not maintain these systems. It is not recommended to use these social networks to gather personal information or to be used for private or secure communications. Social Networks Site Analyses: MySpace: Since this site relies on Web mail to solicit and accept friends and the blog moderating functions have been known to have XSS vulnerabilities in the past, it is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO. Facebook: Since this site allows blog posts and there is limited or no control over which of your friends appear on your home page, it is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO. Twitter: An interesting site in terms of social networking in that comments and posts are allowed, but are limited to 140 characters with no HTML or JS allowed. Hyperlinks are allowed and are automatically converted to the actual HTML code by the system. Eg – http://www.cdc.gov becomes <a href=http://www.cdc.gov>http://www.cdc.gov</a> automatically. Comments are designed to be sent by SMS messaging, which is text based. Requests for followers come through email and can be accepted without Web mail. Whereas it does seem to be secure against XSS exploits, the site does rely on AJAX technologies and can be used to post links to malicious sites. In order to vet these links, they must be followed, which would put the system at risk. It is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO. DailyStrength: This site relies on Web mail to solicit and accept friends, allows blog comments and has limited to no control over which of your friends show up on your main profile page. It is recommended that to use this site for CDC communications, it be
done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO. YouTube: This site allows comments on videos and has limited to no control over which of your friends show up on your main profile page. It is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO. Flickr: This site allows comments and has limited to no control over which of your friends show up on your main profile page. It is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO.

Recomendados

Social networks security risks
Social networks security risksSocial networks security risks
Social networks security risksosuhaibany
 
Toward Spam 2.0: An Evaluation of Web 2.0 Anti-Spam Methods
Toward Spam 2.0: An Evaluation of Web 2.0 Anti-Spam MethodsToward Spam 2.0: An Evaluation of Web 2.0 Anti-Spam Methods
Toward Spam 2.0: An Evaluation of Web 2.0 Anti-Spam MethodsPedram Hayati
 
Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareAditya K Sood
 
2011 Social Media Malware Trends
2011 Social Media Malware Trends2011 Social Media Malware Trends
2011 Social Media Malware TrendsLumension
 
Understanding SaaS Concepts
Understanding SaaS ConceptsUnderstanding SaaS Concepts
Understanding SaaS Conceptsguest0e7119
 
Facebook and Security Settings Report
Facebook and Security Settings ReportFacebook and Security Settings Report
Facebook and Security Settings ReportAbhishek Gupta
 
Facebook and security settings settings
Facebook and security settings settingsFacebook and security settings settings
Facebook and security settings settingsAbhishek Gupta
 
social-networking sites
social-networking sites social-networking sites
social-networking sites puffyarson5604
 

Recomendados

Social networks security risks
Social networks security risksSocial networks security risks
Social networks security risksosuhaibany
 
Toward Spam 2.0: An Evaluation of Web 2.0 Anti-Spam Methods
Toward Spam 2.0: An Evaluation of Web 2.0 Anti-Spam MethodsToward Spam 2.0: An Evaluation of Web 2.0 Anti-Spam Methods
Toward Spam 2.0: An Evaluation of Web 2.0 Anti-Spam MethodsPedram Hayati
 
Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareAditya K Sood
 
2011 Social Media Malware Trends
2011 Social Media Malware Trends2011 Social Media Malware Trends
2011 Social Media Malware TrendsLumension
 
Understanding SaaS Concepts
Understanding SaaS ConceptsUnderstanding SaaS Concepts
Understanding SaaS Conceptsguest0e7119
 
Facebook and Security Settings Report
Facebook and Security Settings ReportFacebook and Security Settings Report
Facebook and Security Settings ReportAbhishek Gupta
 
Facebook and security settings settings
Facebook and security settings settingsFacebook and security settings settings
Facebook and security settings settingsAbhishek Gupta
 
social-networking sites
social-networking sites social-networking sites
social-networking sites puffyarson5604
 
Facebook Security
Facebook SecurityFacebook Security
Facebook Securitythaash95
 
Social Media Safety
Social Media SafetySocial Media Safety
Social Media SafetyJoint Base Myer-Henderson Hall
 
social-networking sites
social-networking sites social-networking sites
social-networking sites offbeatnominee633
 
Impact on social networks
Impact on social networksImpact on social networks
Impact on social networksBhargava Ganti
 
Mark Rogers' Social Network Presentation
Mark Rogers' Social Network PresentationMark Rogers' Social Network Presentation
Mark Rogers' Social Network PresentationMark Rogers
 
Web Spam Techniques
Web Spam TechniquesWeb Spam Techniques
Web Spam TechniquesTin180 VietNam
 
CSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using MiddlewareCSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using Middlewareijtsrd
 
Capilano University Personal Branding Online
Capilano University Personal Branding OnlineCapilano University Personal Branding Online
Capilano University Personal Branding OnlineMhairi Petrovic
 
facebook secrets by SHASHI
facebook secrets by SHASHIfacebook secrets by SHASHI
facebook secrets by SHASHIshashi patel
 
Google plus 10 mar15
Google plus 10 mar15Google plus 10 mar15
Google plus 10 mar15Naval OPSEC
 
Social Media Education Workshop for the Plus Southwest Chapter
Social Media Education Workshop for the Plus Southwest ChapterSocial Media Education Workshop for the Plus Southwest Chapter
Social Media Education Workshop for the Plus Southwest ChapterSandra Masters
 
Facebook
FacebookFacebook
FacebookSTOBARTEVANS
 
Social networks threats
Social networks threatsSocial networks threats
Social networks threatsCatalin Cosoi
 
Social Networks - Threats and Trends - #bchh10 & #bcvie
Social Networks - Threats and Trends - #bchh10 & #bcvieSocial Networks - Threats and Trends - #bchh10 & #bcvie
Social Networks - Threats and Trends - #bchh10 & #bcvieBitDefender GmbH
 
Academic calendar 2012
Academic calendar 2012Academic calendar 2012
Academic calendar 2012rohitsinsan
 
โพรโตคอลกิจกรรมการเรียนการสอน
โพรโตคอลกิจกรรมการเรียนการสอนโพรโตคอลกิจกรรมการเรียนการสอน
โพรโตคอลกิจกรรมการเรียนการสอนPiyatida Prayoonprom
 
ครูผู้ช่วย
ครูผู้ช่วยครูผู้ช่วย
ครูผู้ช่วยPiyatida Prayoonprom
 
La contribució de les tic a l’ensenyament i
La contribució de les tic a l’ensenyament iLa contribució de les tic a l’ensenyament i
La contribució de les tic a l’ensenyament imagdalena serra
 
презентация Fly cam Semey
презентация Fly cam Semeyпрезентация Fly cam Semey
презентация Fly cam SemeyRavil LogOff
 
Academic calendar 2012
Academic calendar 2012Academic calendar 2012
Academic calendar 2012rohitsinsan
 
Attitude
AttitudeAttitude
Attituderohitsinsan
 
Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...
Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...
Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...Net and Zelda:Internet Stories and Video Games
 

Más contenido relacionado

La actualidad más candente

Facebook Security
Facebook SecurityFacebook Security
Facebook Securitythaash95
 
Impact on social networks
Impact on social networksImpact on social networks
Impact on social networksBhargava Ganti
 
Mark Rogers' Social Network Presentation
Mark Rogers' Social Network PresentationMark Rogers' Social Network Presentation
Mark Rogers' Social Network PresentationMark Rogers
 
CSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using MiddlewareCSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using Middlewareijtsrd
 
Capilano University Personal Branding Online
Capilano University Personal Branding OnlineCapilano University Personal Branding Online
Capilano University Personal Branding OnlineMhairi Petrovic
 
facebook secrets by SHASHI
facebook secrets by SHASHIfacebook secrets by SHASHI
facebook secrets by SHASHIshashi patel
 
Google plus 10 mar15
Google plus 10 mar15Google plus 10 mar15
Google plus 10 mar15Naval OPSEC
 
Social Media Education Workshop for the Plus Southwest Chapter
Social Media Education Workshop for the Plus Southwest ChapterSocial Media Education Workshop for the Plus Southwest Chapter
Social Media Education Workshop for the Plus Southwest ChapterSandra Masters
 
Social networks threats
Social networks threatsSocial networks threats
Social networks threatsCatalin Cosoi
 
Social Networks - Threats and Trends - #bchh10 & #bcvie
Social Networks - Threats and Trends - #bchh10 & #bcvieSocial Networks - Threats and Trends - #bchh10 & #bcvie
Social Networks - Threats and Trends - #bchh10 & #bcvieBitDefender GmbH
 

La actualidad más candente (14)

Facebook Security
Facebook SecurityFacebook Security
Facebook Security
 
Social Media Safety
Social Media SafetySocial Media Safety
Social Media Safety
 
social-networking sites
social-networking sites social-networking sites
social-networking sites
 
Impact on social networks
Impact on social networksImpact on social networks
Impact on social networks
 
Mark Rogers' Social Network Presentation
Mark Rogers' Social Network PresentationMark Rogers' Social Network Presentation
Mark Rogers' Social Network Presentation
 
Web Spam Techniques
Web Spam TechniquesWeb Spam Techniques
Web Spam Techniques
 
CSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using MiddlewareCSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using Middleware
 
Capilano University Personal Branding Online
Capilano University Personal Branding OnlineCapilano University Personal Branding Online
Capilano University Personal Branding Online
 
facebook secrets by SHASHI
facebook secrets by SHASHIfacebook secrets by SHASHI
facebook secrets by SHASHI
 
Google plus 10 mar15
Google plus 10 mar15Google plus 10 mar15
Google plus 10 mar15
 
Social Media Education Workshop for the Plus Southwest Chapter
Social Media Education Workshop for the Plus Southwest ChapterSocial Media Education Workshop for the Plus Southwest Chapter
Social Media Education Workshop for the Plus Southwest Chapter
 
Facebook
FacebookFacebook
Facebook
 
Social networks threats
Social networks threatsSocial networks threats
Social networks threats
 
Social Networks - Threats and Trends - #bchh10 & #bcvie
Social Networks - Threats and Trends - #bchh10 & #bcvieSocial Networks - Threats and Trends - #bchh10 & #bcvie
Social Networks - Threats and Trends - #bchh10 & #bcvie
 

Destacado

Academic calendar 2012
Academic calendar 2012Academic calendar 2012
Academic calendar 2012rohitsinsan
 
โพรโตคอลกิจกรรมการเรียนการสอน
โพรโตคอลกิจกรรมการเรียนการสอนโพรโตคอลกิจกรรมการเรียนการสอน
โพรโตคอลกิจกรรมการเรียนการสอนPiyatida Prayoonprom
 
La contribució de les tic a l’ensenyament i
La contribució de les tic a l’ensenyament iLa contribució de les tic a l’ensenyament i
La contribució de les tic a l’ensenyament imagdalena serra
 
презентация Fly cam Semey
презентация Fly cam Semeyпрезентация Fly cam Semey
презентация Fly cam SemeyRavil LogOff
 
Academic calendar 2012
Academic calendar 2012Academic calendar 2012
Academic calendar 2012rohitsinsan
 
Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...
Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...
Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...Net and Zelda:Internet Stories and Video Games
 
Zelda- Net Art: Από τους ευφυείς ερασιτέχνες στη διεθνή καθιέρωση, Χριστοφή Μ...
Zelda- Net Art: Από τους ευφυείς ερασιτέχνες στη διεθνή καθιέρωση, Χριστοφή Μ...Zelda- Net Art: Από τους ευφυείς ερασιτέχνες στη διεθνή καθιέρωση, Χριστοφή Μ...
Zelda- Net Art: Από τους ευφυείς ερασιτέχνες στη διεθνή καθιέρωση, Χριστοφή Μ...Net and Zelda:Internet Stories and Video Games
 
Zelda: Το Παιχνίδι και ο Παίκτης: Ελεύθερη βούληση και αναδυόμενες συμπεριφορ...
Zelda: Το Παιχνίδι και ο Παίκτης: Ελεύθερη βούληση και αναδυόμενες συμπεριφορ...Zelda: Το Παιχνίδι και ο Παίκτης: Ελεύθερη βούληση και αναδυόμενες συμπεριφορ...
Zelda: Το Παιχνίδι και ο Παίκτης: Ελεύθερη βούληση και αναδυόμενες συμπεριφορ...Net and Zelda:Internet Stories and Video Games
 
Zelda : Προς μια κριτική προσέγγιση των MMORPGs: Δομή ή δράση; Ελίνα Ροϊνιώτη
Zelda : Προς μια κριτική προσέγγιση των MMORPGs: Δομή ή δράση; Ελίνα ΡοϊνιώτηZelda : Προς μια κριτική προσέγγιση των MMORPGs: Δομή ή δράση; Ελίνα Ροϊνιώτη
Zelda : Προς μια κριτική προσέγγιση των MMORPGs: Δομή ή δράση; Ελίνα ΡοϊνιώτηNet and Zelda:Internet Stories and Video Games
 
Net: Θεωρητικές και Μεθοδολογικές Εξελίξεις στο Web 2.0
Net: Θεωρητικές και Μεθοδολογικές Εξελίξεις στο Web 2.0Net: Θεωρητικές και Μεθοδολογικές Εξελίξεις στο Web 2.0
Net: Θεωρητικές και Μεθοδολογικές Εξελίξεις στο Web 2.0Net and Zelda:Internet Stories and Video Games
 
Zelda: Παιχνίδια σοβαρού σκοπού για κοινωνικά και μαθησιακά προβλήματα στο σχ...
Zelda: Παιχνίδια σοβαρού σκοπού για κοινωνικά και μαθησιακά προβλήματα στο σχ...Zelda: Παιχνίδια σοβαρού σκοπού για κοινωνικά και μαθησιακά προβλήματα στο σχ...
Zelda: Παιχνίδια σοβαρού σκοπού για κοινωνικά και μαθησιακά προβλήματα στο σχ...Net and Zelda:Internet Stories and Video Games
 
Zelda: Τα δομικά στοιχεία ενός video game, Γιώργος Χιώτης
Zelda: Τα δομικά στοιχεία ενός video game, Γιώργος ΧιώτηςZelda: Τα δομικά στοιχεία ενός video game, Γιώργος Χιώτης
Zelda: Τα δομικά στοιχεία ενός video game, Γιώργος ΧιώτηςNet and Zelda:Internet Stories and Video Games
 
Zelda: Η κατάσταση του game industry στην Ελλάδα σήμερα,HGDA, Γιώργος Καζαμίας
Zelda: Η κατάσταση του game industry στην Ελλάδα σήμερα,HGDA, Γιώργος ΚαζαμίαςZelda: Η κατάσταση του game industry στην Ελλάδα σήμερα,HGDA, Γιώργος Καζαμίας
Zelda: Η κατάσταση του game industry στην Ελλάδα σήμερα,HGDA, Γιώργος ΚαζαμίαςNet and Zelda:Internet Stories and Video Games
 
Net: Ψηφιακός Ακτιβισμός: Οι νέες τεχνολογίες στην υπηρεσία των ανθρωπίνων δι...
Net: Ψηφιακός Ακτιβισμός: Οι νέες τεχνολογίες στην υπηρεσία των ανθρωπίνων δι...Net: Ψηφιακός Ακτιβισμός: Οι νέες τεχνολογίες στην υπηρεσία των ανθρωπίνων δι...
Net: Ψηφιακός Ακτιβισμός: Οι νέες τεχνολογίες στην υπηρεσία των ανθρωπίνων δι...Net and Zelda:Internet Stories and Video Games
 

Destacado (16)

Academic calendar 2012
Academic calendar 2012Academic calendar 2012
Academic calendar 2012
 
โพรโตคอลกิจกรรมการเรียนการสอน
โพรโตคอลกิจกรรมการเรียนการสอนโพรโตคอลกิจกรรมการเรียนการสอน
โพรโตคอลกิจกรรมการเรียนการสอน
 
ครูผู้ช่วย
ครูผู้ช่วยครูผู้ช่วย
ครูผู้ช่วย
 
La contribució de les tic a l’ensenyament i
La contribució de les tic a l’ensenyament iLa contribució de les tic a l’ensenyament i
La contribució de les tic a l’ensenyament i
 
презентация Fly cam Semey
презентация Fly cam Semeyпрезентация Fly cam Semey
презентация Fly cam Semey
 
Academic calendar 2012
Academic calendar 2012Academic calendar 2012
Academic calendar 2012
 
Attitude
AttitudeAttitude
Attitude
 
Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...
Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...
Net: Όνειρο και Διαδίκτυο- Πέρα από την αρχή του ονείρου, Ελεάνα Πανδιά- Αμαλ...
 
Zelda- Net Art: Από τους ευφυείς ερασιτέχνες στη διεθνή καθιέρωση, Χριστοφή Μ...
Zelda- Net Art: Από τους ευφυείς ερασιτέχνες στη διεθνή καθιέρωση, Χριστοφή Μ...Zelda- Net Art: Από τους ευφυείς ερασιτέχνες στη διεθνή καθιέρωση, Χριστοφή Μ...
Zelda- Net Art: Από τους ευφυείς ερασιτέχνες στη διεθνή καθιέρωση, Χριστοφή Μ...
 
Zelda: Το Παιχνίδι και ο Παίκτης: Ελεύθερη βούληση και αναδυόμενες συμπεριφορ...
Zelda: Το Παιχνίδι και ο Παίκτης: Ελεύθερη βούληση και αναδυόμενες συμπεριφορ...Zelda: Το Παιχνίδι και ο Παίκτης: Ελεύθερη βούληση και αναδυόμενες συμπεριφορ...
Zelda: Το Παιχνίδι και ο Παίκτης: Ελεύθερη βούληση και αναδυόμενες συμπεριφορ...
 
Zelda : Προς μια κριτική προσέγγιση των MMORPGs: Δομή ή δράση; Ελίνα Ροϊνιώτη
Zelda : Προς μια κριτική προσέγγιση των MMORPGs: Δομή ή δράση; Ελίνα ΡοϊνιώτηZelda : Προς μια κριτική προσέγγιση των MMORPGs: Δομή ή δράση; Ελίνα Ροϊνιώτη
Zelda : Προς μια κριτική προσέγγιση των MMORPGs: Δομή ή δράση; Ελίνα Ροϊνιώτη
 
Net: Θεωρητικές και Μεθοδολογικές Εξελίξεις στο Web 2.0
Net: Θεωρητικές και Μεθοδολογικές Εξελίξεις στο Web 2.0Net: Θεωρητικές και Μεθοδολογικές Εξελίξεις στο Web 2.0
Net: Θεωρητικές και Μεθοδολογικές Εξελίξεις στο Web 2.0
 
Zelda: Παιχνίδια σοβαρού σκοπού για κοινωνικά και μαθησιακά προβλήματα στο σχ...
Zelda: Παιχνίδια σοβαρού σκοπού για κοινωνικά και μαθησιακά προβλήματα στο σχ...Zelda: Παιχνίδια σοβαρού σκοπού για κοινωνικά και μαθησιακά προβλήματα στο σχ...
Zelda: Παιχνίδια σοβαρού σκοπού για κοινωνικά και μαθησιακά προβλήματα στο σχ...
 
Zelda: Τα δομικά στοιχεία ενός video game, Γιώργος Χιώτης
Zelda: Τα δομικά στοιχεία ενός video game, Γιώργος ΧιώτηςZelda: Τα δομικά στοιχεία ενός video game, Γιώργος Χιώτης
Zelda: Τα δομικά στοιχεία ενός video game, Γιώργος Χιώτης
 
Zelda: Η κατάσταση του game industry στην Ελλάδα σήμερα,HGDA, Γιώργος Καζαμίας
Zelda: Η κατάσταση του game industry στην Ελλάδα σήμερα,HGDA, Γιώργος ΚαζαμίαςZelda: Η κατάσταση του game industry στην Ελλάδα σήμερα,HGDA, Γιώργος Καζαμίας
Zelda: Η κατάσταση του game industry στην Ελλάδα σήμερα,HGDA, Γιώργος Καζαμίας
 
Net: Ψηφιακός Ακτιβισμός: Οι νέες τεχνολογίες στην υπηρεσία των ανθρωπίνων δι...
Net: Ψηφιακός Ακτιβισμός: Οι νέες τεχνολογίες στην υπηρεσία των ανθρωπίνων δι...Net: Ψηφιακός Ακτιβισμός: Οι νέες τεχνολογίες στην υπηρεσία των ανθρωπίνων δι...
Net: Ψηφιακός Ακτιβισμός: Οι νέες τεχνολογίες στην υπηρεσία των ανθρωπίνων δι...
 

Similar a Social networking-website-security-mitigation

Insecure trends in web technologies 2009
Insecure trends in web technologies 2009Insecure trends in web technologies 2009
Insecure trends in web technologies 2009Chandrakanth Narreddy
 
2013 09 liberteks monthly security tips newsletter 518-452-0550
2013 09 liberteks monthly security tips newsletter 518-452-05502013 09 liberteks monthly security tips newsletter 518-452-0550
2013 09 liberteks monthly security tips newsletter 518-452-0550Liberteks
 
Browser Security ppt.pptx
Browser Security ppt.pptxBrowser Security ppt.pptx
Browser Security ppt.pptxAjaySahre
 
State of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLsState of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLsIOSRjournaljce
 
IRJET - Detecting Spiteful Accounts in Social Network
IRJET - Detecting Spiteful Accounts in Social NetworkIRJET - Detecting Spiteful Accounts in Social Network
IRJET - Detecting Spiteful Accounts in Social NetworkIRJET Journal
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
How to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security ChecklistHow to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security ChecklistPixel Crayons
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityNelsan Ellis
 
PriGuard: A Semantic Approach to Detect Privacy Violation in Online Social Ne...
PriGuard: A Semantic Approach to Detect Privacy Violation in Online Social Ne...PriGuard: A Semantic Approach to Detect Privacy Violation in Online Social Ne...
PriGuard: A Semantic Approach to Detect Privacy Violation in Online Social Ne...IJARIIT
 
Tips for web security
Tips for web securityTips for web security
Tips for web securitykareowebtech
 
Tips for web security
Tips for web securityTips for web security
Tips for web securitykareowebtech
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
Web Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebWeb Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebZero Science Lab
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?Peter Wood
 

Similar a Social networking-website-security-mitigation (20)

Insecure trends in web technologies 2009
Insecure trends in web technologies 2009Insecure trends in web technologies 2009
Insecure trends in web technologies 2009
 
2013 09 liberteks monthly security tips newsletter 518-452-0550
2013 09 liberteks monthly security tips newsletter 518-452-05502013 09 liberteks monthly security tips newsletter 518-452-0550
2013 09 liberteks monthly security tips newsletter 518-452-0550
 
How to Secure your ecommerce website-Threats and tips
How to Secure your ecommerce website-Threats and tipsHow to Secure your ecommerce website-Threats and tips
How to Secure your ecommerce website-Threats and tips
 
Applying web 20 to public health practice
Applying web 20 to public health practiceApplying web 20 to public health practice
Applying web 20 to public health practice
 
Browser Security ppt.pptx
Browser Security ppt.pptxBrowser Security ppt.pptx
Browser Security ppt.pptx
 
State of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLsState of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLs
 
IRJET - Detecting Spiteful Accounts in Social Network
IRJET - Detecting Spiteful Accounts in Social NetworkIRJET - Detecting Spiteful Accounts in Social Network
IRJET - Detecting Spiteful Accounts in Social Network
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
Website Security: A Guide to Defending Your Website
Website Security: A Guide to Defending Your WebsiteWebsite Security: A Guide to Defending Your Website
Website Security: A Guide to Defending Your Website
 
How to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security ChecklistHow to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security Checklist
 
web security
web securityweb security
web security
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
PriGuard: A Semantic Approach to Detect Privacy Violation in Online Social Ne...
PriGuard: A Semantic Approach to Detect Privacy Violation in Online Social Ne...PriGuard: A Semantic Approach to Detect Privacy Violation in Online Social Ne...
PriGuard: A Semantic Approach to Detect Privacy Violation in Online Social Ne...
 
F018123136
F018123136F018123136
F018123136
 
Web 2 0
Web 2 0Web 2 0
Web 2 0
 
Tips for web security
Tips for web securityTips for web security
Tips for web security
 
Tips for web security
Tips for web securityTips for web security
Tips for web security
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Web Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebWeb Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The Web
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?
 

Último

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 

Último (20)

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 

Social networking-website-security-mitigation

  • 1. Social Networking Website Security Mitigation The use of social networking site at CDC, such as Facebook and MySpace, increases risk to CDC systems and data via three main mechanisms: 1) Web mail communication, which by-passes enterprise mail filtering, and 2) public comments on blog posts, which are often vulnerable to cross-site scripting (XSS) or blog-phishing attacks, and 3) malicious ‘friends’, whereby those who are accepted as ‘friends’, may change their profiles after being approved to purposely include malicious code, spurious, offensive, inappropriate or political content. Social networking sites and other Web 2.0 technologies offer health communicators powerful new channels to deliver relevant and targeted health messages, often through trusted sources, when, where and how users want information. Since these technologies are newly emerging and are unfortunately prone to security vulnerabilities and attack vectors, mitigating these risks to protect the CDC network remains paramount to OCISO and the programs alike. This document aims to outline the steps of risk assessment for individual sites and recommendations for mitigating these known risks when they are present. OCISO makes two general recommendations1 regarding social networking sites and the first two main vulnerability classes: Do not use the Web mail portion of these sites. Disable comments on blogs and other public commenting sections. OCISO does not offer recommendations regarding the third vulnerability, malicious ‘friends’. Web Mail: Most functions of social networking sites are usually available even when Web mail is not used or blocked by Websense. When possible, this is the recommended route, not only in terms of security, but also convenience. If possible, have incoming mail automatically redirected to a specific, group CDC account, since it would allow the regular enterprise mail filters to scan the incoming mail traffic. If Web mail is required to effectively use the site, then a computer off the CDC network will have to be used to manage and maintain the site. This requires separate hardware and connection to the Internet. Public Comments: OCISO recommends that comments be disabled. Even moderated comments pose a risk to the CDC network, since each of the comments have to be opened and evaluated by someone on a CDC network computer. There is no way to moderate the comments without the moderator’s system being in jeopardy. However, not allowing comments on blog posts and other content not only is contrary to the very nature of these peer-to-peer communications platforms and thereby reducing the site’s effectiveness, often a
  • 2. negative backlash is encountered, which undermines the effectiveness of our communications efforts. From a communications perspective, we recommend allowing comments, but having all comments moderated. A special computer off the CDC network will be required to manage and maintain the site. This necessitates the purchase of separate hardware and connection to the Internet. Malicious ‘Friends’: Once friends are approved on a social networking profile, vigilance is required to make sure that the friend’s profile hasn’t changed to include inappropriate content, an inappropriate profile image or malicious code. The simple act of reviewing proposed friends may make the administrator’s system vulnerable to attack. Although most users of such social networking site already understand this, disclaimers about friends and content on their profiles should be posted. Clear policies about accepting friends should be posted as well. Some sites such as MySpace allow you to control which friends get listed on your main profile page, whereas others such as Facebook randomly place any of your friends on the main page, in which case, care must be taken in approving friends. This vulnerability is the same as attacks whereby developers work to get a site high in Google or other search engine results, and then changing the content of their pages to purposely introduce attacks. Again, the main recommendation is to use computer resources off the CDC network to manage and maintain the profile. This requires separate hardware and connection to the Internet. Primary recommendations: Since most Web 2.0 technologies are still emerging and secure coding practices are not industry-wide, it is recommended to do a risk assessment for each social networking, Web 2.0 community you wish to use for official CDC communications to determine whether Web mail and public comments are allowed and are necessary. Most times they are either required or greatly preferred, and in those cases the only way to currently protect the CDC network is to manage and maintain these sites on hardware off the CDC network. Programs must work with OCISO to develop appropriate Rules of Behavior (ROB) for those who will use the special hardware to manage these profiles. These ROB will include provisions of not connecting the hardware to the CDC network, trying to reenable ports if OCISO has blocked them, or moving files from the system to the network directly in any way. Special connections to the Internet must be acquired, which is usually a wireless Internet card. If DSL, cable or T1 connections are required, then the program must also include ITSO in on the discussions at an early stage. Programs should develop a system to regularly and systematically review the URLs in any comment for XSS on the destination. Those who do the scanning and review should be trained on how to look for suspicious XSS type of code in a page. The use of automated tools are generally restricted by license agreements.
  • 3. Programs should also develop a system to regularly and systematically review the profile pages of friends as well, to ensure that content has not changed since initial acceptance and that those profiles have not been compromised. Programs should also routinely scan the security environment and vulnerabilities databases to stay breast of the changing security landscape associated with these sites. System Definition and Boundaries: Until these sites can be made more secure across the board, it is not recommended at this time to treat the information published to these systems as information of record or official. Disclaimers should be made on the profiles of each of these sites to state that official CDC information can be found at CDC.gov and that in the case of any discrepancies that the content on CDC.gov be considered correct. Even though clear system boundaries are established, programs participating in the spaces must assume the risk that content may be subject to attack and change, since ITSO and OCISO do not maintain these systems. It is not recommended to use these social networks to gather personal information or to be used for private or secure communications. Social Networks Site Analyses: MySpace: Since this site relies on Web mail to solicit and accept friends and the blog moderating functions have been known to have XSS vulnerabilities in the past, it is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO. Facebook: Since this site allows blog posts and there is limited or no control over which of your friends appear on your home page, it is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO. Twitter: An interesting site in terms of social networking in that comments and posts are allowed, but are limited to 140 characters with no HTML or JS allowed. Hyperlinks are allowed and are automatically converted to the actual HTML code by the system. Eg – http://www.cdc.gov becomes <a href=http://www.cdc.gov>http://www.cdc.gov</a> automatically. Comments are designed to be sent by SMS messaging, which is text based. Requests for followers come through email and can be accepted without Web mail. Whereas it does seem to be secure against XSS exploits, the site does rely on AJAX technologies and can be used to post links to malicious sites. In order to vet these links, they must be followed, which would put the system at risk. It is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO. DailyStrength: This site relies on Web mail to solicit and accept friends, allows blog comments and has limited to no control over which of your friends show up on your main profile page. It is recommended that to use this site for CDC communications, it be
  • 4. done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO. YouTube: This site allows comments on videos and has limited to no control over which of your friends show up on your main profile page. It is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO. Flickr: This site allows comments and has limited to no control over which of your friends show up on your main profile page. It is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO.