There is no argument about the popularity of the social platforms such as Facebook, YouTube, twitter, etc. These platforms can be used to stay in touch with your friends, increase sales revenues for organizations and as a collaboration tool to stay connected with the public. However, each of these benefits comes at a cost, putting your private information at a risk/ exposed. We aim to discuss the common security risks associated with usage of these platforms including risk mitigation strategies. Intro Video : https://www.youtube.com/watch?v=zxpa4dNVd3c Presentation for Computer Society of Sri Lanka on 24 Feb 2015

1. Social Media and Security Risks
http://www.isaca.lk/ info@isaca.lk
Parakum Pathirana
Principal Consultant – LOLC Technologies, President – ISACA Sri Lanka Chapter
MSc, FBCS, CISA, CISM, CGEIT, CISSP, ISO 27001 LA, MCP, CHFI, QCS, ITIL, CCSK

2. Disclaimer
• I’m employed in the #infosec industry, however not
authorized to speak on behalf of my employer/
clients
• Everything I say can be blamed on the voices in
your head

3. My credentials
• 9+ years in #Infosec field
• Tutor, consultant/ advisor,
auditor, head of InfoSec
• Sectors: financial, leisure,
manufacturing, advertising,
gov, insurance, etc.
• Crazy about #cycling, #infosec,
#socialmedia
• Still learning and not an expert
at anything
• lk.linkedin.com/pub/parakum-
pathirana/2/a52/2a2/

4. Agenda
• Key facts
• Sri Lanka digital overview
• Security threats
• Case study
• Facebook graph search
• Threats arising from third party applications
• TMI
• Defense

5. Social Media Jungle !!!

6. Facebook

7. Twitter

8. Key facts
• Facebook has over 1.11 billion monthly active
users, and daily active users passed 665 million 1
• Research suggests that only 14% of consumers
trust advertisements 2
• Social media & Arab spring
• Impact on Sri Lanka Presidential Elections 2015
• Free wi-fi
• Impact on individuals, organizations, etc.

9. Sri Lanka digital overview
Attribute Sri Lanka Indonesia Malaysia
Total population 21,675,648 251,160,124 29,628,392
Internet users 3,927,948 72,700,000 19,200,408
Internet penetration 18% 29% 65%
Active Facebook accounts 2,000,000 62,000,000 15,600,000
Facebook penetration 9% 25% 53%
Active mobile subscriptions 20,324,070 281,963,665 41,324,700
Mobile subscription penetration 94% 112% 139%
Percentage of mobile subscriptions
that are 3G connections
13% 22% 43%
Number of active mobile broadband
subscriptions
953,000 80,100,000 4,000,000
Mobile broadband subscriptions as a
percentage of the total population
4.4% 32% 14%
Active social media users accessing
social media on a mobile device
1,400,000 52,000,000 13,000,000
Penetration of mobile social as a
percentage of the total population
6.6% 21% 44%

10. Security threats
• Malware distribution
• Koobface - a worm masquerading as Adobe Flash Player update
• Started in 2009, users were enticed to watch a funny video, then
conned into “updating” Flash
• Koobface connected infected computers to botnet, served
machines ads for fake antivirus software
• Estimated 400,000–800,000 bots in 2010
• Cyber stalking/ harassment
• Privacy concerns
• Impact on employment, reputation, etc.
• Concerns for organizations: brand reputation, laws
and regulations

11. Security threats

12. Case Study

13. Case Study
•Not the first time Sir
John has been left red-
faced over photos posted
on Facebook.
• His wife, Lady Sawers,
put up a picture of Sir
John wearing skimpy
swimming shorts on her
Facebook page last May
when he was appointed
to the MI6 top job.

14. News Highlights

16. Facebook Graph Search

17. Social Networking – Local context

18. Cricket Sri Lanka

19. J.P. Morgan

20. Threats arising from third party applications
• Anyone can write one…No assurance on security
or privacy
• No complete Terms and Conditions – either allow
or deny
• Once installed, developers will have access rights
to look at your profile and overrides your privacy
settings!

21. TMI
• Lack of common sense: it’s very difficult to delete
information after it’s been posted online
• Indiscreet information can adversely affect college
employment, your personal life, etc.
“Connor Riley: “Cisco just offered me a job! Now I have to weigh
the utility of a [big] paycheck against the daily commute to San
Jose and hating the work.”
• Location services, be careful when you check-in
• URL shortner services
• E.g. bit.ly

22. How to defend yourself?
• Reasonable “Common sense” measures
• Use strong, unique passwords
• Provide minimal personal information: avoid entering birthdate,
address, etc.
• Review privacy settings, set them to “maximum privacy”
• “Friends of friends” includes far more people than “friends only”
• Exercise discretion about posted material:
• Pictures, videos, etc.
• Opinions on controversial issues
• Anything involving coworkers, bosses, classmates
• Anything related to employer (unless authorized to do so)
• Be wary of third party apps
• Supervise children on social media

23. How to defend yourself?
• “If it sounds too good to be true, it probably is”
• Use browser security tools for protection:
• Anti-phishing filters (IE, Firefox, Chrome)
• Web of Trust
• AdBlock/NoScript
• Personal reputation management:
• Search for yourself online, look at the results…
• Google Alerts
• Extreme cases:
• Cease using, delete accounts?
• Contact law enforcement

24. How to defend yourself?
• Combatting url shortners
• Think before you click?

25. Defense strategy for organizations
• Monitoring & Responding
• Formulating the necessary policy framework
• Awareness

27. ….

28. Thank you