SAN FRANCISCO -- Social networking security, online privacy risks and a "renaissance" in identity management topped the list of topics covered at an RSA Conference 2010 Advisory Board roundtable this month.
The roundtable featured Asheem Chandna of Greylock Partners, Benjamin Jun of Cryptography Research Inc., Ari Juels of RSA Laboratories, John Madelin of Verizon Business and Hugh Thompson, chief security strategist at People Security and conference program chair.
Last year, cybersecurity threats dominated the roundtable. This year, social media and associated information security issues drew the most attention. "We've seen incredible growth rates in Twitter, Facebook and LinkedIn," said Thompson. "People are sharing data in ways they've never done before."
Those updates can be aggregated into what Thompson called "gateway data." "It's data that seems harmless on the surface, but when used in conjunction or cross-referenced that can be put together to create a narrative that can be quite interesting," he said.
Thompson described how some basic digital forensic work traced a tweet about quality control to the department of the manufacturer in question. "Take a tool like Exomind, give it a little bit of information from LinkedIn, Facebook or other social networks, and it will build picture of who you are," he said. "Or PleaseRobMe.com, which also reveals information that may be of useful. I think we'll see many more incidents of this, both from criminals and from competitors, all under the guise of competitive intelligence gathering."
Education key to social networking security
The term Jun suggested instead of gateway data was teasing. "It's what you do to get someone engaged with a website, and not just social websites. You need partial pieces of information to entice someone. There are a growing number of examples of things we'll do to reduce security in the names of education."
What can be done to mitigate insider threats and keep sensitive data out of the public eye and malware out of the enterprise? "Education is the major piece," said Madelin. "A group of teachers I talked with recently had no awareness of security risks. It all sounded like scaremongering to them."
Juels said education around social networking security should be about fundamental principles. "Don't trust strangers. Change default passwords. Antiphishing is a burden placed on the consumer that should have been placed on the infrastructure," he said. "People are only finitely educable. The problem is not to change the user, but to change the queues that the systems are presenting to the user."
Chandna recommended brand monitoring tools and software that can filter traffic at the application layer. "Firewalls historically have no visibility into application traffic," he said.
Information security risks grow as location technology improves
"My proposition, from the technical perspective, is that anonymity is a losing battle," said Juels. "There's a social shift move towards that as well. RFID tags,
for instance, are basically everywhere. All of us here probably have two or three in a wallet or purse." Beyond radio frequency identity tags, mobile phones and cameras also offer ways of tracking people. "I'm not saying this is desirable," said Juels. "I would consider myself a privacy advocate, but this is what's possible."
Madelin focused his concern on identity theft. "I'd argue that the most valuable thing is yourself," he said. "National governments acknowledge that you need to be identified for a host of reasons."
That's one reason that Verizon has been involved in the Open Identity Exchange (OIX) trust framework from its early days.
"It's very clear that a usercentric model is the way things have to go in identity management," said Madelin. "Anyone who has been involved in a large-scale identity management project sees the value of usercentric authentication. Users will have to take more responsibility for enrolling themselves, and a trusted third party will have to take the side of the user in brokering trusted transactions."
A renaissance of identity management?
"Humans are becoming the network nodes," said Madelin. "We're now deeply interested in consumer technology, as people become the weakest point in networked systems. We're seeing a renaissance of identity management."
Companies are using encryption platforms to bind authentication closer to users, said Chandna. "Most products are not linked to Active Directory, but most enterprises have Active Directory as the default identity scheme. If you look at security products, you'd think they'd be tied in. They're not -- most are tied to IP address, not by user. In the enterprise, that's where the next innovation may be."
Chandna wondered if that void might be filled by Facebook Connect or some other provider, like OIX. (Greylock Partners, where Chandna is a partner, is an investor in Facebook.) "Such identities are going to become by default our identity externally," he said. "For authentication, users will have to take more responsibility for enrolling themselves. A trusted third party will have to take the side of the user in brokering trusted transactions. Users don't realize the value of having a trusted identity. Service providers are going to have to see the value. You can see this in tax rebates -- users will take time to identify themselves well. The best online databases are the ones where users have an incentive to do it well."