1. Web 2.0/Social Networks and Security By: Sherry Gu For: ACC626

2. Agenda Definition of Web 2.0 Magnitude on use of Web 2.0/social networking applications Impacts of Web 2.0/social networks have on security and security risks Types of security attacks Triggers/motivations behind security attacks Remedies/solutions to security vulnerabilities Implications for accountants

3. What is Web 2.0? Web 2.0 Conference “Network as Platform” – Web 2.0 “managing, understanding, responding…” “…to massive amount of user generated data…” “…in real time”

4. Magnitude of Use For Businesses: 2008 Survey: 18% of companies use blogs 32% of companies use wikis 23% of companies use RSS-feeds Forrester Research: Spending on Web 2.0 application: $4.6 billion in 2013

5. Impacts on Security Risks Control/Detection Risk Add complexity to the current system (multiple platforms, multiple sources) Inherent Risk Interactive nature Increase in likelihood of leaking confidential data Statistics: 40% users attacked by malwares and phishing from social networking sites Ranked as “most serious risk to information security” in 2010 by SMB’s 60% companies believed that employee behaviour on social networks could endanger network security

6. XSS Attack Injecting malicious codes into otherwise trusted websites Gives hackers access to information on browser E.g. “Samy” Attack on MySpace Add Samy as a friend Add “Samy is my hero” on profile pages One million friend requests

7. CSRF Attack Lure users to open/load malicious links Gives hacker access to already - authenticated applications Hacker make undesirable modifications/changes/extractions to applications E.g. Gmail Malicious codes create email filters that that forward emails to another account

8. Malwares/Spywares/Adwares Malware: worms, viruses, trojan Examples: Koobface family malware on Youtube and Facebook Bebloh Trojan: “man-in-the-browser” attack

9. Spear Phishing Target specific organizations Seek unauthorized access to confidential data Appearance of sender: more direct relationship with the victim Social networks: help hackers to build more complete profile about the sender

10. Identity Theft Researchers from Eurecom Profile cloning Cross-site cloning Authentication problems

11. Triggers/Motivations Technical nature: Largely dependent on source codes: e.g. AJAX Open – source Complex scripts and dynamic technology: difficult for protection software to identify malware signatures

12. Triggers/Motivations Financial Gain Hack into bank accounts Sell to buyers in the large underground market Organized crime/bot recruitment Web 2.0 applications are: public, open, scalable, anonymous

13. Remedies/Solutions Employee use policies and education (balance between flexibility and security) Strengthen monitoring and reviewing activities: extensive logs and audit trails Encryption of user data using public and private keys

14. Implications for Accountants Auditors: Assess need for risk assessment Social network/Web 2.0 strategy, policies, and regulatory compliance requirements Risk assessment Identify types of risk Analyze threat potential Validate risk ratings Hire IT specialist ISACA: social media assurance/audit program

15. Conclusion Heightened security risks Risk assessment is critical Policies and procedures