Facebook Security Analysis
TABLE OF CONTENTS
1. INTRODUCTION
2. CURRENT SECURITY STATE OF FACEBOOK
3. SECURITY MEASURES EMPLOYED AT FACEBOOK CURRENTLY
4. SUGGESTING MEASURES OF IMPROVING SECURITY
5. SECURITY ROLES AND TITLES
6. DEVELOPMENT OF A STRONG SECURITY PROGRAM
7. IMPROVEMENT IN PERSONNEL DEPLOYMENT AND ROLE WITH TRAINING AND CORRECT PRACTICES
8. ISO STANDARDS USED BY FACEBOOK
9. SUGGESTED SECURITY MODEL - Information Security Governance Framework
10. THE SWOT ANALYSIS
11. CONCLUSION
FACEBOOK SECURITY ANALYSIS
Facebook was founded on February 4, 2004, by Mark Zuckerberg together with his Harvard College classmates Eduardo Saverin, Andrew McCollum, Dustin Moskovitz, and Chris Hughes. The site was then called "thefacebook.com". In its present form it is the most visited social networking site in the world. Mark Zuckerberg holds a 29.3% stake in Facebook.
Facebook's origins were also contested: fellow Harvard students, the founders of ConnectU, accused Zuckerberg of taking their idea, a dispute that was eventually settled. Whatever the history, the security and safety of user data is a prime concern at Facebook, which today runs an extensive mix of manual and automated security controls.
CURRENT SECURITY STATE OF FACEBOOK
Despite all these measures, a platform as vast as Facebook is inherently exposed to scams, account theft and abuse. The most recent major example came to light in September 2018. Attackers exploited a flaw in the "View As" feature, which lets users see their own profile as it appears to others: because of a combination of bugs, the feature generated access tokens for the profile being viewed and exposed them in the rendered page, so an attacker could harvest those tokens and take over the corresponding accounts. Facebook initially estimated that about 50 million accounts were affected; the figure was later revised to 30 million. Because a Facebook access token can also be used to sign in to third-party sites through Facebook Login, there was concern that one stolen token could open other linked accounts as well, creating a cascade of exposed accounts (Facebook later said it found no evidence that the attackers had used the tokens against third-party apps). The very feature that links accounts together thus turned into a weak link exposing millions of users to risk.
*Saket Modi, CEO and co-founder of the security firm Lucideus, explained that access tokens maintain a constant session even when your IP (or even MAC address) changes. "In this case, hackers were able to steal these tokens of nearly 50 million Facebook users (targets), which basically means the hacker could fool Facebook servers into believing they are the authorized users of the target's account, which would give the attacker complete access to the target's account," he said.
The breach was serious enough that Mark Zuckerberg publicly acknowledged it and assured users that an investigation had been launched to close the holes at every level and secure all user accounts. That this happened at a company of Facebook's stature only underlines that in security the best is never good enough: a single overlooked flaw can undermine an entire system.
So Facebook has just been through one of its worst security incidents. The response, however, was prompt. An unusual spike in traffic was noticed on September 16, the vulnerability itself was identified on the afternoon of September 25, and within two days it had been patched, the attack stopped, and access tokens reset for the affected accounts (and, as a precaution, for roughly 40 million more); the breach was disclosed publicly on September 28.
The flip side is that a system with as many interconnected components as Facebook is susceptible to bugs at every layer. Several individually minor bugs can interact to produce a combination that the security controls were never designed for, which is exactly what happened here. In the end, the preparedness of the security controls is what determines the safety, soundness and trustworthiness of the system.
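The following Python is an added illustration of the token mechanics described above; it is not Facebook's code and does not reproduce the real three-bug chain. It assumes a simple HMAC-signed bearer token, a per-user "generation" counter as the reset mechanism, and hypothetical user ids. It shows three things: a bearer token is accepted from any caller regardless of IP (Modi's point), a View As page that mints a token for the viewed profile hands that profile's account to the viewer, and a server-side reset invalidates the stolen token.

```python
"""Added example (not Facebook's code): bearer tokens, the View As flaw
in miniature, and server-side token reset. Key, token format, user ids
and the simplified View As model are constructed for this page."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

SIGNING_KEY = b"demo-signing-key-not-a-real-secret"   # constructed for the example

# Per-user token generation counter. Each token records the generation it was
# minted under; bumping the counter invalidates every earlier token at once.
_generation: Dict[str, int] = {}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())


def mint_token(user_id: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Issue a signed bearer token that grants access to user_id."""
    now = time.time() if now is None else now
    payload = {"sub": user_id, "gen": _generation.get(user_id, 0), "exp": int(now) + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


def validate_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id the token grants access to, or None if invalid.

    Note what is NOT checked: the caller's IP address or device. A bearer
    token is honoured for whoever presents it, which is why a stolen token
    is equivalent to the account itself.
    """
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(body)):
            return None                               # forged or tampered
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None                                   # malformed token
    now = time.time() if now is None else now
    if payload["exp"] <= now:
        return None                                   # expired
    if payload["gen"] != _generation.get(payload["sub"], 0):
        return None                                   # reset since it was minted
    return payload["sub"]


def reset_tokens(user_id: str) -> None:
    """Invalidate every outstanding token for user_id (the remediation
    Facebook applied to the affected accounts)."""
    _generation[user_id] = _generation.get(user_id, 0) + 1


def view_as_vulnerable(session_user: str, target_user: str) -> str:
    """Models the flaw: the page rendered for 'View As' carries a token
    minted for the profile being viewed, not for the logged-in viewer."""
    return mint_token(target_user)


def view_as_fixed(session_user: str, target_user: str) -> str:
    """Any token embedded in the rendered page belongs to the viewer."""
    return mint_token(session_user)


if __name__ == "__main__":
    stolen = view_as_vulnerable("alice", "bob")      # alice harvests bob's token
    print("vulnerable View As grants:", validate_token(stolen))
    print("fixed View As grants:", validate_token(view_as_fixed("alice", "bob")))
    reset_tokens("bob")
    print("after reset, stolen token grants:", validate_token(stolen))
```

The generation counter is one of several ways to do a bulk reset; the same effect can be had with a server-side session table or a rotated signing key. The important property is that validity is decided by state the server controls, so a leaked token can be killed without waiting for it to expire.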
SECURITY MEASURES EMPLOYED AT FACEBOOK CURRENTLY
A system this large needs a complete, layered security program combining manual and automated measures. The line of defense has to go several levels deep and has to cover every part of the platform.
The basic security measures employed at Facebook are mainly:-
1. Regular code upgrades.
2. Frequent code reviews to weed out bugs.
3. Monitoring of the site for aberrant behavior, with analysis of anomalies.
4. Statistical review of all data to analyze trends, rises and falls in user behavior, and out-of-range values in any security parameter.
5. Regular removal of bot, fake and fraudulent accounts.
6. Watching for links and hyperlinks that suddenly become overactive. Any suspicious, out-of-the-ordinary change has to be monitored continuously; constant alertness is key.
7. Arresting the propagation of fake news that may trigger anomalous behavior from users.
8. A dedicated security team of people who can read and write code and analyze how the system's components interact, including how combinations of features can be used and misused. Analysis of surface web, deep web and dark web content is an important input for initiating system checks at all levels.
9. Security scanners and cloud scanning tools to assess vulnerabilities.
10. Monitoring of fraudulent activity and compliance violations.
11. Protection of accounts against fraud, account hijacking, malicious software, data loss or misuse, and reputational harm.
*In interviews on Thursday, Sheryl Sandberg reaffirmed the company's commitment to its users and announced new ways it plans to protect them.
Sandberg says the social media giant will spend years improving security.
“This isn’t a one-time change or a one-time exercise – this is ongoing because security and safety is an arms race,” she said.
1. External and internal data monitoring to ward off any mismatch.
2. Regular training programs to raise awareness of new threats and of strategies for countering them.
3. A smooth interface between full-time and part-time or outsourced security personnel.
4. Testing the security system at regular intervals, using different forms of testing, and encouraging out-of-the-box testing strategies from personnel.
5. Establishing precise tools to measure system anomalies, growth, lapses, etc.
6. Ensuring automatic locks, blocks and alerts on authentication failures and repeated misbehavior.
7. Facebook has doubled its security staff in recent times to counter the increasing threats from abusers of the platform.
8. Employing external fact-checkers from third parties to keep false content from spreading. Facebook has agreements with 25 fact-checking partners in 14 countries, all certified by the non-partisan International Fact-Checking Network.
9. Following up on both static and dynamic threats and on ways to blunt their impact.
10. Erecting a well-planned infrastructure to monitor security wherever threats can have an impact.
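Item 6 above (automatic locks, blocks and alerts on repeated authentication failures) is the one measure in the list concrete enough to show in code. The Python below is an added example, not Facebook's implementation: it tracks failures in a sliding window per account and per source IP, locks both after a threshold, records an alert, and replays a constructed sample of login events. Thresholds, window lengths, user names and IP addresses are all assumptions.

```python
"""Added example (not Facebook's code): lockout and alerting on repeated
authentication failures, tracked per account and per source IP.
Thresholds, window lengths and the sample event log are constructed."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

MAX_FAILURES = 5        # failures allowed inside WINDOW before a lock
WINDOW = 300            # seconds over which failures are counted
LOCK_SECONDS = 900      # how long a lock lasts

Key = Tuple[str, str]   # ("user", name) or ("ip", address)


class AuthGuard:
    def __init__(self) -> None:
        self._failures: Dict[Key, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[Key, float] = {}
        self.alerts: List[str] = []

    def _prune(self, key: Key, now: float) -> None:
        q = self._failures[key]
        while q and q[0] <= now - WINDOW:
            q.popleft()                       # drop failures outside the window

    def is_locked(self, key: Key, now: float) -> bool:
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]       # lock has expired
            return False
        return True

    def _record_failure(self, key: Key, now: float) -> None:
        self._prune(key, now)
        q = self._failures[key]
        q.append(now)
        if len(q) >= MAX_FAILURES and key not in self._locked_until:
            self._locked_until[key] = now + LOCK_SECONDS
            q.clear()
            self.alerts.append(
                f"t={now:.0f} LOCK {key[0]}={key[1]} after "
                f"{MAX_FAILURES} failures in {WINDOW}s")

    def attempt(self, user: str, ip: str, password_ok: bool, now: float) -> str:
        """Process one login attempt; returns 'blocked', 'denied' or 'allowed'.

        A blocked attempt is rejected before the credential is evaluated, so a
        locked attacker learns nothing and cannot keep feeding the counters.
        """
        keys = (("user", user), ("ip", ip))
        if any(self.is_locked(k, now) for k in keys):
            return "blocked"
        if not password_ok:
            for k in keys:
                self._record_failure(k, now)
            return "denied"
        for k in keys:
            self._failures[k].clear()         # a success resets the counters
        return "allowed"


# Constructed sample event log: (timestamp, user, source ip, password correct?)
SAMPLE_EVENTS = [
    (0.0, "alice", "203.0.113.5", False),
    (10.0, "alice", "203.0.113.5", False),
    (20.0, "alice", "203.0.113.5", False),
    (30.0, "alice", "203.0.113.5", False),
    (40.0, "alice", "203.0.113.5", False),     # 5th failure: locks user and ip
    (50.0, "alice", "203.0.113.5", True),      # right password, still blocked
    (60.0, "bob", "203.0.113.5", True),        # different user, locked ip
    (70.0, "alice", "198.51.100.9", True),     # alice elsewhere, user lock applies
    (1000.0, "alice", "198.51.100.9", True),   # both locks have expired
]


def replay(events=SAMPLE_EVENTS):
    """Run the events through a fresh guard; returns (decisions, alerts)."""
    guard = AuthGuard()
    decisions = [guard.attempt(u, ip, ok, t) for t, u, ip, ok in events]
    return decisions, guard.alerts


if __name__ == "__main__":
    decisions, alerts = replay()
    for event, decision in zip(SAMPLE_EVENTS, decisions):
        print(f"{event[0]:6.0f} {event[1]:6s} {event[2]:14s} -> {decision}")
    print("\n".join(alerts))
```

Two caveats a practitioner would raise: locking by source IP also blocks legitimate users behind the same NAT or proxy (the "bob" event shows this), so per-IP thresholds are usually set higher than per-account ones; and an account lock that anyone can trigger by sending wrong passwords is itself a denial-of-service lever, which is why the lock here expires automatically and an alert is raised rather than the account being disabled outright.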
SUGGESTING MEASURES OF IMPROVING SECURITY
1. A multilevel check system should be instituted to catch whatever any single security control misses. Security threats may not be visible in the initial stages and may compound catastrophically if not checked; multilevel checks and audits control this.
2. Keeping track of external fact-checkers, contract security staff, contracted tools and other third-party participants in security control. Their efficacy, alertness, currency and timeliness of action should be assessed by non-partisan parties through a systematic audit procedure.
3. Cloud-based scanners and filters to control fraud and malicious attacks from both inside and outside.
4. Awareness of the challenges facing the security system.
5. Breaking the security function down into smaller components to handle the vastness of the platform.
6. Risk management strategies should be revised regularly.
7. Insurance cover should be offered to users as part of signing up to the social platform.
SECURITY ROLES AND TITLES
Broadly, the roles of security personnel and their titles can be defined as follows, in descending order of seniority:
1. CISO or CSO: the Chief (Information) Security Officer, who holds the top position and assesses, manages and implements the security program.
2. Security managers: the top-level planners who control decision making and action schedules to carry out the program plan defined by the CISO/CSO. They lay down the blueprint for day-to-day operations.
3. Security administrators and analysts: the people who identify problems and initiate steps to mitigate and defuse them. Administrators have the technical competence and are responsible for training and policy-making, while analysts design technology-backed security solutions. The line between the two is often hazy at best.
4. Security technicians: people with more limited technical knowledge who do the hands-on work of carrying out security measures, troubleshooting problems and handling lower-rung responsibilities.
5. Security staffers and watchstanders: they handle administrative and monitoring roles.
6. Security consultants: independent experts hired as third parties on a case-by-case basis.
7. Security officers and investigators: physical security officers who handle the law enforcement and investigation function.
8. Help desk personnel: the interface between users and the security team.
DEVELOPMENT OF A STRONG SECURITY PROGRAM
The strength of a security program depends on the sense of accountability among its personnel. Responsible behavior, quality work, dependability, alertness and efficiency are the core components of a good security team.
Interaction between the different levels also forms an effective interface for carrying out a security program.
The social behavior and attitude of employees greatly affect the work. There has to be constant motivation, encouragement and incentive to make sure all employees strive to deliver good work that supports the security program.
IMPROVEMENT IN PERSONNEL DEPLOYMENT AND ROLE WITH TRAINING AND CORRECT PRACTICES
Regular training programs not only boost performance but also build a team spirit that benefits all systems.
Technical education can be upgraded by offering regular enhancement courses. This not only helps security personnel advance in their careers but also gives them a sense of belonging; they take more initiative and are more committed to their work.
Both active and passive educational methods may be employed. Posters, newsletters, internal magazines, performance boards, user support groups and forums, technology games, activity calendars and security trinkets or tabletop items teach passively, while seminars, classes, courses, training sessions and webinars are active teaching methods. Facebook offers both in good numbers, alongside learn-as-you-earn programs.
Good deployment of security personnel means the right people, in the right job, at the right time and in the right numbers. So selecting the right people, backed by the correct set of rules and technology, is important. Most importantly, the selection has to match the target audience.
The role of each employee at each security level has to be well defined, with time-bound objectives, goals and scope.
Regular evaluation of techniques, strategies, time-and-motion studies, threat awareness, alertness, personnel behavior and attitude will go a long way toward driving improvement.
Maintaining effectiveness in identifying and defusing security threats is an important part of improvement. Burn-out is a real risk in technology, especially in cybersecurity, and keeping personnel active and alert is a constant challenge. Motivational strategies may be used to keep employees in the right frame of mind.
Heavy investment in research on threat perception, intelligence and monitoring, statistical analysis and defense, backed by training, has been a constant priority at Facebook, with substantial spending in these areas throughout the year.
ISO STANDARDS USED BY FACEBOOK
Facebook's Workplace product is certified to ISO/IEC 27001:2013, the most widely adopted international standard for information security management. Certification was granted after an independent audit of the product's security program and its ISMS (information security management system). The scope of the ISMS covers
1. All physical locations
2. Total infrastructure and systems both physical and cyber.
3. Design and development policies, strategies, and focus areas.
4. Customer service and satisfaction models
5. Risk management policies with regard to cybersecurity.
6. Information, data, and asset base.
ISO 27001 does not itself secure these assets; it specifies the requirements for a management system that identifies the risks to them, applies controls accordingly, and audits those controls on a continuing basis.
* https://workplaceblog.fb.com/product-news/workplace-secure-iso27001/
SUGGESTED SECURITY MODEL
Information Security Governance Framework:
The Information Security Governance Framework is a model that focuses on management and its contribution to cybersecurity. It originates from the Corporate Governance Task Force of the National Cyber Security Partnership. The model proposes the development and implementation of an InfoSec governance structure, providing a guiding framework that uses the security personnel at their various ranks as its building blocks. It is used to define all the tools, policies, actions and strategies needed to attain cybersecurity, and it makes the participation of third parties in formulating policy an important aspect of the strategy.
Broadly, the handing down of responsibilities from CISO level to the help desk and even to users is covered under this framework. The interfaces between directors, senior management, team members, technical staff, the help desk and users come together to form the strategy of the Information Security Governance Framework.
Since Facebook already operates an ISO 27001-certified ISMS, the next step is to align its InfoSec program with the practices listed in ISO 27001 and see that each management level of the organization documents and implements them.
Not only does this model seek to integrate each management and personnel level with the others and with the company's organizational and operational infrastructure, but also with the governance structure of the organization. Further, it seeks to align the company's governance structure with external governance and regulatory requirements. This integration establishes a commonality of interests, ensuring that the company's IT and security investments yield the desired results and thus contribute to profits. It involves regular, transparent reporting on Facebook's InfoSec program for every organizational unit and level, and lays down a valid evaluation system for judging its effectiveness on a regular basis.
THE SWOT ANALYSIS
The strength of Facebook's cyber security lies in its well-controlled vastness. Strangely, the same vastness is also its weakness: the scale of operations and the sheer volume of users make it a difficult system to control. Opportunities for enhancing, controlling and managing security are increasing thanks to Facebook's constant investment in research programs and security tools.
The threats to Facebook's security are above all the unforeseen combinations of bugs that crop up from time to time and defeat a well-established security system.
That said, the system is a self-improving one thanks to the tightness of managerial control in the organization's security framework. Ongoing security education programs are also a big contributor to the technical excellence of the system.
CONCLUSION
In conclusion, the challenges in the security arena are manifold, but the unstinting pursuit of security objectives backed by a supportive infrastructure is an excellent combination.
REFERENCES
https://indianexpress.com/article/explained/fewer-affected-facebook-data-breach-worse-than-once-thought-/
https://indianexpress.com/article/technology/social/facebook-security-breach-faqs-mark-zuckerberg-/
https://www.facebook.com/security/videos/-/
https://www.cnbc.com/2018/10/16/facebook-hack-affected-3-million-in-europe-first-big-test-for-gdpr.html
https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html
http://panmore.com/facebook-inc-swot-analysis-recommendations
https://venturebeat.com/2017/11/01/zuckerberg-facebooks-security-investments-will-significantly-impact-profitability/
https://techcrunch.com/2018/09/06/alex-stamos-facebook-yahoo-security-officer/
http://security.marist.edu/FB-SEC.PDF
https://www.energy.gov/sites/prod/files/A_guide_to_Facebook_security_settings.pdf