Oct 17, 2010

Security as social media enabler

Social media is a good reality check for most organizations. If you need to block social media sites or update your security policies and guidelines, you know you had already missed something before. Social media shouldn't bring anything new that good guidelines and controls wouldn't cover already.

I have security colleagues who have blocked social media sites in their organizations. Mostly the reason has been that "using social media is wasting valuable working hours". First - for many organizations social media is not a waste of time, but a way of learning essential new skills and networking. Second - if employees are wasting their time, it's not the CSO/CISO's problem. Why not block Internet access or email also?

The security threats of Facebook, LinkedIn, Twitter, et al. are mostly publishing confidential information or getting a malware infection. Your security guidelines and training should cover the first and your technical security controls the second. If not, you are in trouble anyway.

How about zero-day targeted attacks - you ask? Well - you are mostly out of luck anyway. You have to trust your awareness program and your employees being Internet-smart. Blocking everything is an effective security measure, but it's effectively harming your business and employees also.

Many organizations are busy writing social media policies and security guidelines. Of course it makes sense to give some advice on how the organization should be visible on social media and to teach the principles of collaboration. You shouldn't need too many social media specific security guidelines, though. Just a reminder that all existing guidelines on confidentiality and Internet use are still valid.

As I tweeted a while ago, I think that Mr. T has given us good advice for social media use: "I pity the fool". Equally good advice came from Sergeant Phil Esterhaus on Hill Street Blues: "Let's be careful out there."

Good advice comes also from F-Secure, who have defined the golden rule of social media security: "Links are not your friends." Good advice, but Intel CISO's security law #1 says: "Users want to click on things."

OK - I understand the interest of some organizations in being more verbose on that. I like IBM's social media policy - it's short enough, right on the point and can be squeezed into one main message: "Be responsible, learn, contribute and don't forget your day job."

So, my point is that access to social media is a must for most organizations. It's up to people management to see that the access is used for good and benefits the organization. The CSO/CISO certainly can handle the security advice/controls and, if needed, inform business management about the risks. Giving access to social media is a business decision, not a security decision.

If you want more information, a good analysis of social media security threats has been published by ENISA: Security issues and recommendations for online social networks. The Finnish Ministry of Finance has also published a draft of its social media guidelines (in Finnish). The draft is pretty good for background information, but maybe a bit heavy for actual guidelines.

Jul 30, 2010

Biking to office

Every summer I try to bike to work for a couple of weeks. I have a great route from home to the office and back. Here are a few photos showing why. You can even follow the route on the map pic-by-pic.

Jul 18, 2010

Specialized

It's been a great summer in Finland - almost too much sunshine for us Finns. Maybe it was the warm weather that messed with my head, but I just *had* to get a new mountain bike. My old Wheeler 5900 is already a few years old and I thought it's time to add some fun to my exercise.

I updated myself on the latest technology and terms by buying a bunch of magazines. I wanted a good and trusted brand, maybe something which is a bit better than I would actually need (that's the fun part). Front suspension and disc brakes were the main technical requirements. I don't compete or anything, and my biking is not about transportation but about fun & exercise.

You know, when you get into the mood for something, you want to act quickly. A local technical magazine had tested nine mountain bikes under the 1000 € price point. The Specialized Rockhopper SL Comp came second and based on the test results it suited my needs best. Specialized was on my list of trusted brands, so I decided to go with the magazine's test results and act quickly - otherwise I would have had to spend weeks studying different brands and options. Of course I did some online research, read a bunch of reviews from other magazines and biking forums and found nothing which would have changed my mind. I gave the bike a test drive and it felt good.

In the end I decided to spend a bit more - just for the fun of it - and bought the Specialized Rockhopper SL Pro. I made a deal with Sellon Pyörä. They gave me a fair price (small discount + basic accessories like SPD pedals, bar ends, lock and water bottle cage), but mostly I was impressed with their good attitude and the promise of a full free service after the first 200-300 kilometers. I got a couple of other offers and there were no meaningful differences in price.

Let's hope that we will have a warm and dry end of summer and autumn also. I'll have some serious biking to do.

Feb 7, 2010

Security Threats 2010 (and beyond)

The Net is full of top security threats for the new year. Maybe I should create my own list - just for the fun of it? Let's see - I don't have any products to sell, so that won't narrow it down. Safe bets would be social media and cloud computing. It's always good to remind people that it's not just criminals, but internal users are a threat also. Oh - and the malware situation is getting worse every year, of course.

Let's try something else for the Top (of my head) Five Security Threats of 2010.
  1. Organizations prefer quick-and-dirty product-based security solutions

    Building a secure environment and secure behaviour is a tough long-term effort. In most cases security issues would be tackled best by studying and enhancing processes or educating users. Good, strategically chosen products help, of course. Unfortunately it's too easy to fall under the product vendors' spell. I wish it were possible to buy security, but security is mostly the hard work of changing the way people think and behave.

  2. Projects skip security issues because of unrealistic budget/schedule/resource planning

    The road to hell is paved with good intentions. The saying is sadly true in so many IT and software projects. At first security is the top priority, but as the project runs out of money and time, priorities change. It's amazing to still see projects where the deadline and resources are set before the requirements are clear.

  3. Concentration on media-hyped security issues

    The media - often spun by product vendors - tend to report issues which security professionals are not so interested in. Reporters write about the tip of the iceberg and we poor security profs try to concentrate on the real issues. I once read a great quote somewhere saying that nowadays the media doesn't report the normal state of the world, but the exceptions. The problem is that users - and sometimes even management - want to see actions targeted at those very visible issues. Organizations waste money and effort to soothe media-"educated" users. Could former politicians make great CSOs/CISOs?

  4. Blocking use of new, innovative products/services for security reasons

    Facebook? Bad. Cloud computing? Bad. Mobile access? Bad. Twitter? Don't get me started. Many security experts have a primitive reaction when anything new comes into sight. This new thingy makes all our old (and expensive) security products useless, hence it must be forbidden. I wonder how many business opportunities are delayed while security people think about threats.

  5. Planning security projects based on different Top Security Threats lists

    In short: if your security programme is based on gathering top threats from different lists, you are doomed. Think about business requirements and risks. It's useful to add the consensus on threats into the equation, but don't let it be the driving force.

There. If we are unlucky, I can reuse this post next year.

Jan 4, 2010

Book reviews online

Back in 1996 I decided to put the list of books I've read on the web. I just wanted to have some regular updates on my site. I rate the books using simple color coding. I have about 400 titles listed now.

When LinkedIn got the Amazon Reading List application, I started to add my readings and short reviews on LinkedIn. Well - the LinkedIn Reading List is available only to my LinkedIn connections. It doesn't make sense to hide the reviews inside one application only, does it?

I looked for a smashable bookshelf application. Shelfari looked most promising and I gave it a test drive. It's a nice app and smashable, but it didn't quite fit my needs. What I want is to show my list with my ratings and my reviews only. Shelfari was a bit ambiguous when showing my reviews vs. collective reviews.

In the end it was easy to add a new book reviews page on my site and create a Blogger gadget with simple HTML code to show the latest books with their rating. Not so fancy, but working. Updating the list and reviews should be easy enough: write the review once and then copy & paste it to the Amazon Reading List and the latest-books gadget.

The author name is linked to a quote from the book - I try to find something which describes the book well or something security related. The book title is linked to the review, if available.

If I find a good, smashable bookshelf/reading list application on the Web, I'll probably switch to it. Having the Amazon Reading List as a publicly available smashable application could be the optimal solution for me.