Article by David Mundhenk, CISSP, PCI QSA and Ben Rothke, CISSP, CISA
Parents - Teach Your Children Well... Children - Teach Your Parents Well
What’s a parent or guardian to do to protect themselves and their loved ones from the security and privacy risks of social networking? Not a day goes by without the media reporting yet another spate of personal privacy and security issues.
Be it hospitals seeing more patient data breaches or ongoing information security gaps at Federal Reserve banks, such incidents are now hourly occurrences: identity theft, misuse of personal banking and credit card information, cyber-stalking, compromises involving social networks, and new technology exploits including mobile-phone-focused malware, digital tablet data leakage, etc.
The list is ever-expanding, and thoroughly emphasizes a seemingly endless wave of security and privacy issues that technology vendors are failing to address prior to unleashing these new technologies on the general public, who are oblivious to the security and privacy risks of these devices.
The threats to the security, privacy and availability of personal information continue to increase in scope and complexity. To maintain their competitive edge, technology vendors and service providers are scrambling to keep up.
But as is the case with all new and especially groundbreaking technological improvements, the rush to market new products before properly thinking through all of the security and social implications can overrun even the most forward-looking and proactive efforts to preserve and protect the public good.
The technologies involved, as well as the protections and counter-measures required to adequately ensure privacy and security are non-trivial in nature. They often require highly skilled technical, security, and governance professionals with the proper resources to adequately address all possible scenarios.
In the time frame that it took to conceive and write this article, social networks and their concerted application on a global scale have evolved at a blistering pace. Social networking started out as a convenient mechanism for linking friends and family, and has since developed into highly sophisticated social organizational engines that have changed the way major companies interact with their customers.
The ubiquitous nature of social networking combined with the general public’s willingness to expose the minutiae of their lives has created a twisted Atavachron of sorts. The details that uniquely define individuals and personalities are available for all to peruse, and the implications regarding the misuse of such information stagger the imagination.
The dangers of social networking are such that there has even been an increase in inappropriate contact between students and teachers via social networks. The situation is such that last summer, Missouri Governor Jay Nixon signed a bill prohibiting most teacher-student communication on social networking sites like Facebook. According to the proposed Missouri Senate Bill 54, any social networking, not just Facebook, is prohibited between teachers and students. It’s all part of an effort to “more clearly define teacher-student boundaries”.
Cyber-stalking, cyber-bullying and other forms of electronic harassment have also become staggeringly easy to accomplish, and a genuinely serious social challenge. The average individual, and even adult members of families, often lack the necessary understanding and wherewithal to protect themselves from such possible risks to life, home, finances, and even their loved ones through directed electronic attacks.
Indeed, in some instances, the most technically savvy individuals in the home are not parents or other responsible adults, but children and teenagers. Children and teenagers are often very trusting in nature. They tend to focus their eyes and attention span on new technology bells and whistles, and the ability to exploit new venues, make new friends and communicate with them.
In some instances their parents are often similarly enthralled. Unless these folks are lucky enough to have IT and/or Information Security professionals in their family tree, they are at the mercy of the prevailing winds blown by the tsunami of rampant technological innovation.
And even that level of information security technology savvy did not stop RSA from being the victim of a wily attacker. Social and governmental institutions are scrambling as well to keep up with the associated implications and risks. So what’s a parent or guardian to do to protect themselves and their loved ones? This article will help to provide guidance on how to do exactly that.
Web travel smartly
Every year, millions of Berlitz Travel Guides are sold, as smart travelers would never venture into uncharted territory without adequate foreknowledge.
Yet when it comes to social networking, the vast majority of Facebook users fail to implement the most fundamental security and privacy controls. While a 10-day trip to Peru often takes months of planning, creating a Facebook account that can expose a lifetime of personal information takes but a few minutes.
Just as an enjoyable vacation takes planning and education, so too does one’s retreat to the world of social networking require planning and education.
A great place to start is with the Parents’ Guide to Facebook. Don’t let the word “parents” in the title scare you. Whether you are a parent, teen, educator or novice, the guide has the fundamental information you need to know to work on the net safely.
With that, here are the fundamentals for kids and parents.
Social networking for kids
Teach your children that the Internet is forever, and anything that is posted on the Internet will not likely go away in their lifetime. Teach them that personal information is, in some respects, personal and family-based intellectual capital. It has genuine value, and in some instances it is not appropriate to share intimate details with persons outside the family unit. When it comes to social networking, operate with the foundation that nothing is private.
Even if you share with friends, expect the world to see it. Teach them to be good cyber citizens, and that what they see and read on the Internet is not necessarily completely true. Also teach them to be very wary of individuals who attempt to initiate direct personal contact with them, and most importantly to inform a parent, teacher, or other adult if someone should.
When Scott McNealy made his infamous statement about online privacy in 1999 that "You Have Zero Privacy Anyway - Get Over It", little did he know what people would be sharing on social networks a few years later.
Kids will share huge amounts of highly confidential personal information with people they perceive to be legitimate. Given that kids are poor evaluators of risk, it is quite easy for anyone to convince them that they are legitimate.
Also, today’s BFF is tomorrow’s enemy. These enemies, with whom you shared secrets and photos and who swore a blood oath never to divulge them, will break the oath quicker than you can say Party in the U.S.A.
Teens also need to be wary of the dark side of social networks. This ranges from inappropriate use by their parents that will lead to their divorce, to sexting, cyberbullies, and social-media-related suicides.
Here are some action items for teens, which also ring true for everyone:
- curb your enthusiasm and set daily time limits on how much time you will spend on social sites
- those with OCD/addictive personalities must ensure they know the addictive nature of social networking
- realize that what is fun or funny today may be embarrassing tomorrow, and may affect your ability to get into your college of choice or a future job
- don’t post comments that you don’t want the entire world to see
- everything you post may be used against you
- be judicious when posting, especially photos/videos
- camcorders now have Direct Upload to YouTube capabilities. So don’t post that video or photo that you don’t want the world to see
- are you being photographed? watch that pose – the world will see you in that photo when your friend uploads it.
- once confidential data is made public, it can never be made confidential again
- images give away private data about other people, especially when tagged with metadata
Tips for Parents
Like a good parent, you want to know what your kids are doing on social networks. You read the Parents’ Guide to Facebook and articles like this. But realize that for the most part, your teen will leave you clueless as to what they are doing. You will be light-years behind them in technology and how they cover their tracks.
With that, you still need to do the best you can to understand your kids, know what they are doing, and the risks they are facing.
First off, realize that kids are especially susceptible to social network threats. They jump into it without understanding the risks involved. Even where sites have age restrictions, these are for the most part worthless, and kids will misrepresent their age to join such sites.
Let your kids know what they should share. Kids invariably post more information in their pictures and posts than they intended or realize, such as hobbies, interests, and the location of their school.
If nothing else, reiterate and reiterate to your children that they should never meet in person anyone they met online. In the event they do that, make sure you go with them, and meet in a very public location.
For a good overview, parents should read US-CERT Cyber Security Tip ST05-002, Keeping Children Safe Online. The guide notes that the unique risk associated with kids is that when they use a social network site, the normal safeguards and security practices may not be sufficient. Children present additional challenges because of their natural characteristics: innocence, curiosity, desire for independence, and fear of punishment. As a parent, you need to consider these characteristics when determining how to protect your data and the child.
Tips for Grandparents
Everyone knows at least one tech-savvy grandma or grandpa who has just recently dipped a big toe into cyberspace, and now wants to be hip like their kids and grandkids. They want to get on MySpace and Facebook, or even decide it would be cool to document their family tree online. While they were fortunate enough to still be around at a time when they could take advantage of all that this new media can offer, they may not understand the risks. It is certainly great to be able to stay in touch with their friends and family scattered across the country via email or even Skype with the grandkids.
But some grandparents, like their grandchildren, may also be easily targeted for fraud, misled, or end up at the wrong end of a targeted cyber-based scam. Grandparents too need to understand the Internet is forever, and there is great wisdom in an old saying they most assuredly can remember, “…discretion is the better part of valor.” In fact, the Consumer Federation of America (CFA) last year released a special alert for grandparents to protect themselves from the “Grandparent Scam”.
So what can you do for Gramps and Grammy? Buy them a shredder for a holiday or birthday gift, and strongly encourage its use. Make sure they understand why it is important to filter out unwanted spam and not click on every hyperlink they see in an unsolicited email. Make sure they are very careful about online banking, understand why they should never log in to their bank account via a public kiosk, and check their statements regularly for suspicious activities. And have someone make sure they keep their antivirus software up-to-date and active.
The evolution of social networks and their powerful societal impacts have indeed changed how people and organizations interact in the world today. Along with great power and capabilities comes great responsibility. If not engaged with careful deliberation, social networks can also introduce significant unnecessary risk to personal well-being, reputations, and even financial assets.
Parents and their kids must understand and learn to address such possible outcomes. Indeed whole families should work together to keep each other safe as a matter of good course. And indeed when all the world’s good netizens do the same, it is a better, safer place for all of us.
About the authors
David Mundhenk, CISSP, PCI QSA, PA-QSA, works for a global technology company and is an enthusiastic, passionate Information Security-Protection evangelist.
Ben Rothke, CISSP, CISA is an information security professional and the author of Computer Security: 20 Things Every Employee Should Know.