Thanks to Facebook, LinkedIn, Twitter and the like, individuals now post more potentially sensitive information online than ever before, and often with little hesitation. If employees are posting information about their companies, do those organizations know it? Is a greater sense of urgency needed among enterprise information security pros when it comes to social networking data protection?
In this exclusive conversation, security industry luminaries Hugh Thompson, founder of People Security, and Adam Shostack, author of "The New School of Information Security," discuss the state of social networking and data privacy, and why the social networking phenomenon may be an infosec ticking time bomb waiting to explode.
Read the full transcript from this video below:
Face-off: Has social networking changed data privacy forever?
Hugh Thompson: I'm Hugh Thompson and I'm here with Adam Shostack and welcome to the SearchSecurity.com "Face off". So our first topic: social networking. It's been interesting. A lot of it has changed over the last couple of years. If you look at the growth curve of things like Facebook and Twitter, they've just gone like this, straight up. But it seems that the education and the aptitude of the individual user to make good privacy choices have not increased similarly. So, I think this is leading us to a time bomb that's just waiting to detonate. What do you think?
Adam Shostack: I think you're right. I think the amount of information that's going online is astounding. People are doing all sorts of things with this information. And I think that one of the things that I'm really looking forward to seeing over the next couple of years is how companies start engaging with this. Right now, you see people banning it. You see people saying, "We're going to block Facebook."
Hugh Thompson: Oh yeah, the reactionary kind of thing.
Adam Shostack: Yeah. They're reactionary. And you ask how many people have a Facebook app on their phone. It's not like you're going to actually prevent people. So, how do we, as security folks, engage with the people we're trying to help and actually help them use these networks in a good way?
Hugh Thompson: You know what's interesting, man? There doesn't feel like the urgency out there that there should be. So, people are posting information about themselves, sometimes their businesses, sometimes their friends, so there's like collateral exposure. But yet, there's not the effort, at least, that we've seen from government, from companies, that are telling people about the risks of doing this. And the reason that urgency, I think, is a big issue is you're throwing this information out today and say you throw out information to reset questions, like name your favorite pet...
Adam Shostack: Where you meet your high school sweetheart.
Hugh Thompson: Yeah. Once you put that stuff on, it's sticky. It's there forever. You can't get rid of it. So, I think some urgent action needs to be taken. Either that or we're going to have to recalibrate as a society.
Adam Shostack: I think we're going to have to recalibrate as a society, and that worries me because I think privacy is good. I think people should have things that they don't share with the whole world. But what sort of urgent action do you think we could take?
Hugh Thompson: Let me tell you a quick story. As you know, I'm from the Bahamas. And so, I was back home in the Bahamas for Christmas.
Adam Shostack: A very snowy Christmas.
Hugh Thompson: Dude! It's how I like it, man! Eighty and sunny. So, I'm there. I'm opening up our local newspaper in the Bahamas, a very small country, and I'm reading through the newspaper, full page ad "Be careful what you post on Facebook!" And it's got this guy and his girlfriend or I guess some girl he's cheating on with his wife. Something like that. And it has, "Be careful what you post on Facebook! It's there forever." And it was sponsored by the Bahamian government.
Hugh Thompson: Yeah! So, you've got this small country that's taken a big step. I'm talking full page ad, man. And I think this is the kind of stuff that we need. We need to make it personal. We need to push that message out, and it needs to look consequences-based.
Adam Shostack: Do you think that will work? Do you think that will actually change people's behavior?
Hugh Thompson: Well, OK. So, look back to... I think there's precedent. I'm not going to say if it will work or not, but I will say that there's precedent. Look at the loose lips sink ships campaign from World War II. And if you look at some of their posters, they were very consequences-based. They showed these horrible things that could happen when somebody spoke, when somebody talked.
Adam Shostack: Like this is your brain on drugs.
Hugh Thompson: Yeah. Yeah, right!
Adam Shostack: But that didn't work! People made fun of it. Sorry, man.
Hugh Thompson: But we really do need something that personalizes it for the user because I think a lot of this user education around social networking doesn't hit home until it hits you.
Adam Shostack: I think that's absolutely right.
Hugh Thompson: Man! One interesting approach, I think, from a business perspective is to get some of these narratives together. So, we've seen lots and lots of cases of where a user, a bad guy, has taken a piece of information from here, from Twitter, a little bit of information about the company, taken a little bit of information from LinkedIn, maybe a little bit of information from another user's Twitter stream, combined them all together to reveal something super sensitive about the company. And I think if we could put some of these narratives together, real world situations, and pump them out to users through the company we might get somewhere, man.
Adam Shostack: There was a great paper recently by a guy named Cormac Herley, who said, "So long and no thanks for the advice."
Hugh Thompson: A little Doug Adams throwback, man, out there?
Adam Shostack: Yeah. But he said all of the advice that people are getting about how to avoid phishing, how to avoid malware, how to avoid getting taken on a social network is so overwhelming, and the economic consequences to them are smaller than the cost of following the advice.
Hugh Thompson: Yeah. Yeah. That's a good point.
Adam Shostack: So, I think we're going to have to do a lot of work on this one.
Hugh Thompson: Dude. Much remains to be done, man.