Assessing risks

Using the knowledge of people in your organization, you can assess the risks by following several basic steps:

It’s important that you don’t make your risk assessment more complicated than it needs to be. You’re looking at where problems might be, how they’ll affect you, and how to deal with them. In identifying these potential hazards, you’ll need to determine which are more serious than others and which are more likely to happen than others. This will help you to prioritize one item over another.

To give a basic illustration of how the process works, let’s look at a simple situation of buying a box of cookies. I might identify a risk of my kids eating them all. They’re kids, so the likelihood is pretty high. The severity of doing this would be low, as they’re cheap and we could buy more. Now, remember that there is a cause and effect relationship between risk and impact. Therefore, the impact might be getting cavities, weight gain, and the cost of replacing them. To mitigate the problem, I might put the box on a high shelf that they can’t reach. We could then monitor the situation and see if it’s working (the box is full), the risk has occurred (the box is empty), or if changes need to be made (hiding them elsewhere).

When you create a list of risks and their related impact, you’ll want to prioritize them and handle the most serious ones first. Some problems are more likely to happen than others, with them being remote, occasional, or probable. In Table 8.1, we’ve listed our risks and ranked the likelihood of each with a number, ranging from 1 to 3 (with 1 being a remote chance of happening and 3 being probable). Some problems can also have a more severe impact than others. In Table 8.1, we’ve rated this from 1 to 5, with 1 being negligible and 5 being catastrophic. Now that we have these numbers, let’s use a calculation of Risk=Probability×Severity. If we multiply the value in the probability column by the one in the severity column, we can immediately see that risks with the highest numbers need to be addressed first and foremost.

If the risk actually happens, then it can influence a number of aspects to your business andor personal life. Since situations can change, risk management is an ongoing process, so you should review your strategy on a recurring basis. If there are changes, you would update your assessment and implement new ways of dealing with potential threats. By being prepared and creating strategies to avoid problems or contingency plans to deal with them, you’ll be better equipped to handle situations as they arise.

Sources of risk revisited

While individuals and businesses will encounter risks unique to them, there are a number of common ones that we discuss throughout this book. In 2010, the Information Technology association ISACA (www.isaca.org) identified the top five potential risks for social media as:

One of the biggest risks that companies identify is the lack of control they have over content. Unlike traditional media that’s one-sided and professionally created, social media content is informal, conversational, and user generated. Even when the information is representative of the company, comments from others can quickly veer the conversation in another direction. This doesn’t mean that you don’t have any control, just that you need to assert it in different ways.

While loss of control can be expected, you can influence conversations and redirect them back to the original point of your post. As with a verbal conversation, as people begin talking about something completely different from an original topic, you can circle them back to the original conversation by mentioning a key point of what you wanted to discuss. As we’ll discuss in this chapter, monitoring and engaging people in conversations can have a dramatic effect on catching problems early and influencing the discussion. As we’ll discuss in Chapter 10, you can also use the alternative approach of moderating conversations, publishing posts that have been vetted, and/or turning off the feature to add comments.

Policies and training on proper use of social media can go a long way in preventing employees from posting content that embarrasses or misrepresents the company. As employees learn the dos and don’ts of social media, they’ll understand what is expected of them, and how inappropriate content posted to their own accounts or those of the company can affect their job and the public perception of the business.

When a business looks at making social media accessible on company computers, there is always a risk of employees excessively using social media during work hours. Management will say the impact of this risk is a loss of productivity. After all, if a person is tweeting about their day and watching YouTube videos that aren’t educational, research or otherwise job-related, they’re not getting work done. A similar fear was seen over a decade ago when businesses considered giving employees access to the Internet. The fear that surfing the Web would sink the business was unjustified, and companies implemented policies, firewall restrictions, content filters, and other controls to monitor and restrict how employees conducted themselves online. By applying similar policies and controls, you can mitigate problems related to accessing social media sites.

The IT department will see a different impact to excessive use of social media. The large amounts of data streamed from a content community may cause network utilization issues, causing employees to find the corporate network slow. In some cases, the internal network infrastructure or Internet connectivity may be out of date and unable to handle the bandwidth used by accessing video or other significant downloads. Many organizations have had to increase their Internet bandwidth to accommodate the use of social media. However, even if the infrastructure can normally handle the network traffic, it may be adversely affected during peak hours of usage. To address such issues, the IT department could restrict access to sites like YouTube so they are only accessible during low periods of network use or create a secondary network that off-loads such traffic from the corporate network. Since a cardinal rule of network security is to only give people the access that they need to do their job, you could also restrict access to content communities. In doing so, people would need to specifically request network access or use personal devices that are off of the corporate network.

Not implementing social media might seem like a solution to these risks, but avoiding it is a risk in itself. By not engaging in social media, you’re avoiding the possible benefits. You’ve removed an opportunity to reach new and existing customers, prevented employees from interacting or collaborating with other professionals, and given your competition a clear competitive advantage. Sticking your head in the sand and hoping social media will go away isn’t an option. Those who never face risk, never benefit from its possible rewards.

Privacy policies and terms of service

Social media sites have rules that should be reviewed prior to deciding to setting up an account and periodically reviewed afterward to identify any changes. The Terms of Service outlines the limitations and conditions of using the site. In using the site, you’re consenting to those rules, so you should read them to know what you’re agreeing to. You should also determine whether the terms of a social media site are contrary to the terms used on your company’s Web site. If you link to a social media presence from your site, you should indicate in the Terms of Service on your site that your company is not responsible for terms and conditions applicable to third-party sites.

Social media sites will also provide a Privacy Policy, which outlines how personal information is handled by the site and any restrictions placed on you when capturing data from other users. As we’ll discuss in Chapter 9, a developer might create an app and make it available through the site, which will access information on a user’s account. Because of this, apps available on a site may also have their own privacy policies that should be reviewed. Infringing on a privacy policy may result in the site closing your account and could also violate privacy laws. As we’ll discuss in the sections that follow, there is government legislation protecting the privacy of people online, and companies can be penalized for violating them.

Sarbanes–Oxley act

In response to the financial scandals involving Enron, WorldCom, and other companies, the Sarbanes–Oxley Act (SOX) was enacted in 2002 to protect shareholders and the public from fraudulent business practices. It regulates financial disclosures from corporations and prevents fraudulent accounting and ensures the validity of records. The Act applies to all public companies in the United States, any company (foreign or domestic) that has registered equity or debt with the Security and Exchange Commission, and accounting firms that provide auditing services for them. Noncompliance with SOX can result in fines, imprisonment, or both.

Section 409 of SOX requires companies to disclose material changes in their financial conditions and operations and keep this information up to date. While companies regulated under the act are required to communicate the information through traditional disclosure mechanisms, many have made use of social media sites to disseminate financial statements. In doing so, they need to ensure that they reflect current and updated information is published to these sites and monitor them to ensure compliance with legislation.

The SOX also defines what records are to be stored, and for how long they’re to be available. Such regulations can have a dramatic effect on the retention and archiving of data. As we’ll discuss in Chapter 9, it’s important that records retention policies also address information posted on social media. Because documents are documents regardless of whether they’re digital, it’s important to archive social media content in case there are questions of whether your company has violated SOX or other regulations.

Health insurance portability and accountability act

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a legislation that (among other things) provides privacy protection for health care information. The act outlines the policies and procedures for keeping a patient’s identifiable information secure, inclusive to any data that is in an electronic format, and sets penalties for any violations.

Under HIPAA, health care providers, insurance companies, and other individuals and organizations that have access to your health care information can’t disclose protected information. The status of your health, health care provisions, and payments are all protected information that is linked to a person and could identify them.

The right to privacy isn’t limited to adults. The act also extends the right to privacy to younger people, aged 12–18. However, there are exceptions. If a child was suspected of being abused, then the health care provider is required to notify child welfare services and release the relevant medical history to the agency.

Social media provides a new way for information to be disclosed, and there have been numerous violations throughout the world of health care providers infringing on a patient’s right to privacy. If you work in health care, commenting on a patient’s social networking site that they have an appointment or making a post about a difficult patient you had that day could put you in hot water. In some cases, privacy infringements have been more blatant. In 2010, a 60-year-old man was brought into St. Mary Medical Center in Long Beach, California, after being brutally stabbed multiple times. Nurses and other staff at the hospital took pictures of the man and posted the images on Facebook, leading to three staff members being disciplined and four being fired.

HIPAA also provides clear guidelines on how digital information is handled through information systems. For example, any data that’s sent over an open network needs to be encrypted, and systems that store the data must be protected from intrusion. Even though you’d expect any site to try and prevent intrusion, public sites would not have the same level of protection as closed networks. The messages you post or send to mailboxes on social networking sites would not be encrypted, as many social media sites don’t even use HTTPS for secure communication, although this is improving.

Fair information practice principles

The United States Federal Trade Commission created a set of guidelines related to privacy protection called Fair Information Practice Principles (FIPs). FIPs isn’t an enforceable piece of legislation but has served as the basis for other laws and regulations. There are five core principles designed to protect consumers when personal information is collected and used:

Payment card industry data security standard

The Payment Card Industry Data Security Standard (PCI DSS) addresses the protection of debit, credit, and cash card transactions, and the personal information of cardholders. It is a widely accepted set of policies and procedures that applies to any company that processes, stores, or transmits card information. In other words, it applies to any business that accepts payment with a credit card/debit card, which is any merchant that has a Merchant ID (MID), and ensures that any data related to the card, cardholder, and transactions is transmitted and maintained in a secure environment. In complying with PCI DSS, the sensitive information that’s handled by payment processors and merchants is secure, and information related to their payments and purchases is protected.

Payment Card Industry Security Standards Council (PCI SSC) was created in 2006 by MasterCard, Visa, American Express, Discover, and JCB as an independent body to manage the standards and improve the security of account transactions. In doing so, it sets the standards and improves on them, so that the disclosure of information about credit cards and cardholders is regulated. The council does not enforce the standards, as this is the responsibility of the payment brands.

In relation to social media, PCI DSS provides protection on any purchases you make online. It also protects you from your credit card information or information about you as a cardholder appearing on sites or being available as a public download. The unauthorized release of such information could result in a business paying higher processing fees, receiving fines or penalties, and possibly reimbursing a cardholder for damages related to the breach of information.

Digital millennium copyright act

The Digital Millennium Copyright Act (DMCA) is an American copyright law that protects the ownership of digital information. Through it, any images, video, music, or other digital media that you create or own can’t be shared or sold in ways you indicated it not be used, or that prevent you from making intended profits. If you were to reproduce, distribute, publicly display, or have a public performance of copyright material, it would be a violation of Federal law. This protects the person who created or owns the work from unauthorized copies being made, distributed, or sold without their consent.

DMCA has a significant impact on a variety of areas related to social media. In creating a blog or maintaining a page, adding photos or other content that was protected by copyright would be a violation of the act. As we’ll discuss in a later section, using the intellectual property of another person or company without permission means that they can’t profit from the work they did. You’ve taken their product, used a professional service they provide, but didn’t pay for it. Since this is stealing, you don’t want to add any professional content that you haven’t created yourself on a page, or you could face serious penalties and/or litigation.

Through this Act, any photos, video, or other data you create are protected. This prevents online marketers, competitors, or other parties with access to your data from using your material if they haven’t obtained permission. The Act also provides protection from others who publish pictures or video of you, or digital media in which you own the rights to. Under Section 512, it is illegal to post an unsolicited photo of you without your consent. If you found a site was hosting an image of you, you can submit a take-down notice, which requires them to remove the photo. If they don’t, they could be liable for infringement.

Intellectual property and trademark infringement

Intellectual property is a creative product that is owned by an individual, group, or organization. It can include such things as trademarks, designs, or copyright material, as in the case of written works, movies, music, or other works. Because of person’s livelihood or a company’s profits may depend on the revenue generated from such property, it’s important that their property is protected and not used without authorization or proper license.

Social media causes unique problems for organizations. Since the content isn’t professionally created, issues like adhering to copyright or trademark restrictions may be overlooked. Consider a person who copies and pastes a poem or short story on his or her blog, or someone who uses a photo taken by a professional photographer. The artist has not only lost money that comes from selling his or her work, but others may now consider it as public domain and take and share the content further. Because the content has been used without permission, this can leave the organization vulnerable to lawsuits.

The issues of intellectual property rights and trademark infringement can also take the form of counterfeit products being sold online. According to the 2012 Internet Crime Report, the FBI received 56 complaints from people who purchased thought they were buying designer merchandise from Jeannine Buford through an online auction. While some paid and failed to receive their orders, others got counterfeit products. In total, people had lost $145,333. As a result of the crime, Buford was sentenced to 57 months in federal prison, had to pay $225,500 in restitution, and forfeited the contents of her bank account, 2011 Camaro, and other items. As you can see from this, sometimes crime not only doesn’t pay, it can cost you much more than you earned.

Counterfeit products consist of almost any good you can think of, including watches, jewelry, clothes, CDs, DVDs, software, and even cigarettes. While you’ll find them sold almost anywhere, a 2013 report by the United Nations Office on Drugs and Crime (UNODC) stated how prevalent it is for them to be sold and sought out by consumers online. The UNODC also reported that according to the World Customs Organization, between 2008 and 2010, approximately 75% of the counterfeit goods seized worldwide were manufactured in East Asia, with most of it coming from China. Despite the financial losses to genuine manufacturers, cost to taxpayers in losses of duty and sales taxes, and potential health risks of buying counterfeit products, it continues to be big business. In 2010, an estimated $24.4 billion worth of counterfeit goods from East Asia were sold to the United States and European Union.

Discrimination

As we saw in Chapter 3, discrimination is a serious concern in social media. If a potential employer viewed information about a candidate on a social networking site, they might see the person’s photo or personal information. From this, they could determine the person’s age, race, religious beliefs, and possible disabilities. If an employer reviewed the photos, likes, or posts of an employee who’s considered for a promotion, it’s possible they might ascertain the person’s sexual orientation or other information they were previously unaware of. In each of these cases, they would see identifiable aspects that are protected by legislation. By not offering the candidate a job, an argument could be made that the company discriminated against the employee.

Discrimination can also occur in workplaces between employees. An employee may add coworkers as friends or make a post that reveals a protected characteristic, resulting in the person being excluded or treated unfairly. The coworkers may even discriminate against the employee through social media, such as by creating an event on Facebook and inviting other employees, but excluding that one person. As we’ll see in Chapter 9 when we discuss policies, such discrimination can result in the company being vulnerable to a civil lawsuit or may be part of a larger pattern of workplace harassment.

Defamation

Defamation is the act of making false accusations or misrepresenting someone in a malicious way. It can occur through slander, which is a spoken statement, or through libel where a person is defamed in a permanent record. In terms of social media, such records can include posts, email or direct messages, tweets, or videos and images that are uploaded to a site. False or malicious comments can cause serious damage to your reputation, causing embarrassment or financial loss.

Defamation isn’t limited to individuals, and many businesses have suffered from statements that have made them infamous on the Internet. Clay Nissan, a car dealership in Massachusetts, had the misfortune of experiencing this in 2013. In 2012, Jill Colter was fired for inappropriate interactions with employees and customers. Her brothers Adam and Jonathon started a social media campaign, rallying people to boycott the company, and claiming that she was fired because she had cancer. They also claimed that other employees had been fired for having cancer, and that the company had a policy of discriminating against cancer patients. Their Facebook called “Boycott Clay Nissan” had 30,000 followers by August 2012, and the company suffered significant losses from loss of business. After suing the brothers, the court awarded Clay $700,000 in damages.

Harassment

As we saw in Chapter 7, issues dealing with harassment should be a serious concern when using social media. Harassment is a behavior or a conduct that annoys, threatens, intimidates, or makes a person fearful of their safety. The person is demeaned and may be the target of derogatory comments or representations that allude to the victim’s race, color, gender, religion, or other aspects of who they are. Due to the seriousness of the crime, states and countries have created laws to protect victims, making it enforced through civil litigation and/or criminal penalties.

Even if you weren’t the one who initially set out to harass someone, you could still be held responsible. In 2013, Jennifer Pawluck posted an Instagram photo of graffiti depicting a local police officer named Ian Lafreniere with a bullet hole in his head. Even though she didn’t create the graffiti, taking a photo of it and posting it online was enough for her to be charged with criminal harassment and intimidation. Posting or sharing content that promotes violent or unlawful action against someone could be seen as endorsement of a threat.

You should always be careful about sharing or posting content that demeans or could make a person fearful. If you wouldn’t want to be the focal point of such attention, then don’t do it to someone else. This not only applies to personal use of social media but also in the workplace, where you may find people being bullied or sexually harassed. As we’ll discuss in Chapter 9, even the harasser’s conduct doesn’t result in criminal harassment charges, an organization should have policies in place to deal with such problems and help employees who are victimized.

Digital forensic software

If you go on the Internet, you’ll find a number of security tools that allow you to recover data from a computer or mobile device. However, if the data was recovered using a hacking tool or some program that could modify the time stamp of files or other data, it might not be admissible in court. While that might not seem important when you first use such tools, you never know what you might find, and whether it could lead to testifying about the evidence in court. Because of that, it’s always best to use proven digital forensic tools whenever possible.

SANS Investigative Forensic Toolkit (SIFT) is a free VMWare appliance that can run in VMWare Player and comes with preconfigured forensic tools. The SIFT workstation can be downloaded from http://computer-forensics.sans.org/community/downloads. Because the tools are open source and frequently updated, it provides an excellent platform for learning and performing forensic investigations.

While there are many security and forensic tools that can be used to analyze information on various systems, not all of them are available to the public. EnCase and Cellebrite’s forensic software and tools are examples of this. Both are widely used by law enforcement and military but only available to approved corporations.

EnCase is a suite of products from Guidance Software (www.guidancesoftware.com) that’s used for performing computer forensics. It copies data by creating an exact, bit-for-bit copy of the drive. By having the bitstream image saved as a file, it can be stored and analyzed later using a user-friendly graphical user interface. By saving an image of the drive, you analyze the copied information in the file, rather than data on the actual machine. This prevents time stamps and other information on the computer from accidentally being modified.

Celebrite’s (www.cellebrite.com) Universal Forensic Extraction Device system is used to perform digital forensics on mobile devices. The series of products allow you to perform a bit-for-bit extraction of data and do an in-depth analysis of mobile devices, inclusive to phones, tablets, GPS devices, and more. The solutions not only allow you to view easily accessible information on a device but can also break codes, acquire data from flash memory, extract hidden and deleted information, and decipher encrypted data. You can view a person’s contacts, call logs, messages, saved files, trip logs, and any other data stored on the device.

As we discussed in Chapter 6, mobile devices can be remotely wiped or locked. To prevent this from happening before evidence can be acquired, it’s important to turn it off as soon as you get it. If you contacted police or a forensic investigator, they would put the phone, tablet, or other device into a Faraday bag or Faraday cage. The Faraday bag or cage is made from a material that prevents the device from receiving a signal from the phone plan carrier or connecting to a Wi-Fi. Since the device is cut off from the Internet and service provider, it never receives any messages to wipe or lock the device.

Whenever you’re using or analyzing a computer for your business or personal use, if you discover anything you feel is illegal, it’s important to stop what you’re doing and contact police. Continuing to examine the machine could easily modify data on the computer or device and possibly alter evidence. You should also document any steps you’ve taken prior to contacting police and give it to them as soon as possible. Your documentation may be used as evidence or part as your statement. It’s also incredibly useful for future reference in case you need to testify.

Don’t delete messages

Even though forensic software can recover deleted data, that doesn’t mean it’s an open invitation to erase it. While you might be tempted to remove threatening or upsetting messages, you should never delete them, as they may be used as evidence. Even if you print out a copy of the messages the person has sent, keeping the original digital message is important. An email contains message headers or MIME (Multipurpose Internet Mail Extensions) information, which will show the path an email took crossing mail servers, IP addresses, and other valuable data. Using this will trace the email back to the original sender. The email headers will often be hidden but becomes visible when configured to do so. For example, on Gmail, you would view the message headers by doing the following:

Using information in the email, you can identify where it originated. In looking at the information in the headers, you’ll see a line beginning with “Received: from” followed by a series of numbers between square brackets. These numbers are an IP address that identifies the computer that the message originated from. For example, the line may look similar to the following:

Received: from exprod8mx241.postini.com ([64.18.3.141] helo=psmtp.com)

Once you have this information, you can then use a number of different tools to acquire information about the sender, which could include the person’s approximate geographic location and the email service or Internet Service Provider (ISP) used to send the email.

Acquiring information from social media sites

When investigations involve social media, the sites will try and accommodate law enforcement requests. Police can (and do) make requests to sites asking for account information, log files, and details about specific posts, tweets, and messages. The evidence through these requests can be crucial to tracing a post or message to the person who wrote it and acquiring supporting personal information about a suspect.

To protect users, requests need to be in accordance with American law, inclusive to the Stored Communications Act, 18 U.S.C. Sections 2701-2712, where a valid subpoena, court order, and/or search warrant is provided asking for the user’s records to be disclosed. For International requests, the officer requesting the person’s account records needs to make an international Mutual Legal Assistance Treaty request. This helps to prove that the request is coming from a law enforcement agency and is not an arbitrary attempt to see personal information about a user of the site.

When a request is made, police need to be as specific as possible. The site needs to know the account you’re trying to get information about, specific posts or tweets you’re trying to gather facts about, dates and times, and any additional details you can provide. The facts provided help to isolate the information you’ve requested.

When a request is made to preserve evidence, sites will do so for a limited time. For example, Facebook will try and preserve the account information for 90 days from the time the request was made. Doing so allows an investigation to take place without any of the information being modified or deleted. Facebook online requests by law enforcement can be made at www.facebook.com/records, while requests to preserve account information on Twitter can be made at https://support.twitter.com/forms/lawenforcement.

• Reviewing the social media profiles and activities of suspects (86.3%)

• Reviewing the social media profiles and activities of victims (49.4%)

• Using a fake profile or undercover identity to monitor someone or gather information (53.3%)

Incriminating yourself

There are many instances where people incriminate themselves on social media sites without thinking. Controversial comments, compromising photos, or any number of posts or tweets could be used against you as evidence in a criminal or civil trial. Before admitting to anything online, think before you post.

In some cases, the content people post online provide everything that’s needed for an arrest. In 2012, 19-year-old Hannah Sabata sent a text message to her ex-boyfriend about how she had robbed a bank, along with a link to the 7-minute video called “Chick Bank Robber” that she posted on YouTube. On the video, she brags about stealing a car, shows the drugs in her possession, and flashes a wad of cash she stole from the Cornerstone Bank in Waco, Nebraska. By the time the former boyfriend called police about it, people had already informed police about the video. In June 2013, she was sentenced to 10–20 years in prison.

Even if you’re not posting facts about crimes you’ve committed, being friends with a suspect would show you’re associated with that person. The Facebook friends of gang members, drug dealers or users, terrorists, or other criminals can be used to identify their associates, who might be involved in crimes or a criminal enterprise. After all, social media is extremely useful in showing connections between people.

In 2012, New York Police Officer Michael Rodrigues went on Facebook and friended several members of the Brower Boys gang. Using their posts, he was able to identify gang members, track their movements based on what they said, and set up surveillance to arrest them. Members of the gang even posted pictures of their crimes, providing more evidence. Ultimately, 14 members of the gang were arrested.

Defending yourself online

While you have the right to remain silent, it doesn’t happen too often on social networking sites. On July 10, 2013, Matthew Oliver saw his photo on Facebook page of the Pasco County Sheriff’s Office (www.facebook.com/pascosheriff). The page featured him as their “Fugitive of the Day,” which inspired hundreds of comments, including ones from Oliver himself. Rather than turning himself in or calling a lawyer, he began commenting on his own wanted bulletin and used it as a forum to argue his innocence. Obviously, the conversation that was generated didn’t always go his way, and he was soon responding to off-topic remarks about the size of his ears, and how he was grinning in the wanted photo. Despite the ongoing dialog of that day, he failed to win over the police and was arrested 2 days later.

While it may be tempting to argue your case online, it’s not wise to do so if it’s related to an ongoing or upcoming trial. A lighthearted quip to a fellow poster could make you seem unremorseful, while kvetching about the police could make you appear as though you have a problem with authority or disregard of the law. If it’s a legal issue, let the lawyers handle it.

Outdated content

Since news can become outdated quickly, you need to be discerning when it comes to crime-related content. As we discussed in Chapter 5, there have been many instances where a person goes missing, and an email or a post on a social networking site asks for help finding them. In many cases, the requests continue to circulate long after the person’s found. The same can apply to bulletins about a wanted person. Even though a person is no longer a fugitive or wanted for questioning, the initial post still indicates a person is wanted and can be shared long afterward.

The problems aren’t difficult to imagine. If you were identified as a suspect on a social networking site, turned yourself in and/or later found innocent, you would no longer be a wanted person. An employer or clients could still see a post stating you were a fugitive, people might continue writing posts that defamed you, or someone might try to be a hero and restrain you until the police were called. Such incidents could injure you or your livelihood, and all have the markings of a potential lawsuits.

The way that information is updated on a social networking site can be a legitimate problem. On Facebook, you can delete or hide a post but not edit it. Posting a comment under the post to update people isn’t enough, as it can be buried in countless other comments. If you’re the subject of outdated information, you can request police to remove it from the site. However, while this takes care of the original source, you may still experience problems from it appearing on other people’s pages, where they’ve shared or reposted it. If you’re reading such posts, it’s important to verify that the information’s valid by searching online and visiting the police department’s official Web site.

Direct use of social media to solve crimes

In 2011, the Vancouver Police used social media during and after the riots that broke out during the final game of the Stanley Cup. On June 15, 2011, it’s estimated that over 100,000 people were gathering in downtown Vancouver, watching the hockey game on large screens that had been set up. In the final minutes of the game, fights broke out, bottles were thrown, and escalated to cars being lit on fire or flipped over. Over 100 people were treated at hospital for injuries, and there were millions of dollars in property damage. Police used Twitter to disseminate information to the public, including transportation routes people could use to leave the area.

While the riot was in progress, people began a campaign to identify and shame rioters, posting photos and video on Web sites, blogs, Twitter, and Facebook. It resulted in people who were identified as being harassed, and in one case a rioter’s family was threatened. People were fired from their jobs, and even their employers experienced backlash from their employee’s involvement. As a result of the shaming, 34 people turned themselves into police between June 15 and July 20.

The police and public interactions through social media were staggering. The tweets made by police were retweeted an estimated 75 times, extending the information to a wider audience. There were so many people linking to their press releases from Twitter that the server crashed. During the riot, the Vancouver Police provided instructions on how to submit photos and video as evidence, so that people involved could be identified. Police also encouraged members of the public to tag any photos of people they knew, which assisted law enforcement in the investigation that followed. According to the 2011 Stanley Cup Riot Review prepared by the Vancouver Police, within 5 days of the riot, they had received 4300 email tips, 15,000 images, and 1500 hours of video from the public.

Scareware/ransomware

Malicious software isn’t only used to damage data and devices. There is malware designed to extort money, get people to provide credit card information, or buy bogus products. A common scam involves scareware, which is malware that scares you into believing your computer is infected with a serious virus. A pop-up may appear on your screen saying that you’ve been infected and won’t allow you to close the screen. It will say you need to click on the button to buy antivirus software, which is actually a fake product. In clicking the link, you may be asked to provide credit card information, or malicious code will be installed on your machine.

A variation of scareware scams involves phoning you, where a person claims to be from a trusted company like Microsoft Support. The person will tell you that they’ve identified a virus on your computer and try to get you to purchase bogus antivirus software. You may be directed to visit a Web site, where malicious code runs and infects your computer. The software installed may give the cybercriminal remote access to your machine.

Ransomware is similar to this but will lock you out of your computer until you pay to have malware removed. When the malware is installed, it may overwrite explorer.exe, write information to the Windows Registry, or other data needed by your operating system. One type of worm is called Citidel ransomware, which installs malicious software called Reveton. Whenever the computer loads, an imposing warning appears on the screen that appears to be from the FBI or other law enforcement, telling you how you’ve violated federal laws. It may even state that you’ve visited child pornography sites or may take over your webcam to give the illusion that you’re being recorded. To unlock the computer, it gives instructions on how to pay a fine using a prepaid money card.

Removing these threats can be difficult, but you should never follow the instructions they give. Instead, use another computer to visit a legitimate antivirus or anti-malware site and find the steps required to remove the malware. In some cases, running anti-malware software like Malwarebytes (www.malwarebytes.org) may be able to remove the scareware or ransomware. If you can open System Restore on a Windows computer, you can also try restoring it to a previous state, before it was infected. To use System Restore on a Windows machine, do the following:

Baiting

One method of infecting a person with malware is associated with social engineering. Baiting is a technique in which a CD-R, DVD-R, USB flash drive, or some other storage media is left in a location, in the hopes someone to use it on their machine. For example, I might leave a CD labeled with something intriguing like “employee salaries” by the entrance to your business, and you might pick it up and decide to see what information is on it. When you opened a file on the disk, malicious software would then be installed on your machine. If the computer was set to auto-run programs as soon as storage media is inserted, your computer would be infected after you inserted it in the CD/DVD-ROM. For social engineering, a Trojan might be used to send information on your computer to an Internet site or it might download additional viruses or exploits to your machine.

Browser hijacking

Redirection to an incorrect site has been a longtime problem on the Internet. By adding some simple JavaScript to a page, a person can be sent from a legitimate site to a fake one. Because of this, it’s always important to look at the address bar of your browser to make sure that you’re on the correct site and haven’t been redirected to a fake one, before you start entering personal data, passwords, and other sensitive information. Unfortunately, fake sites can also be a source of infection by malicious code. This happened in 2012 to almost 30,000 WordPress blogs when such code was added, taking visitors to a site that displayed what appeared to be an antivirus check finding malware and viruses on the person’s system. Such sites can exploit outdated browsers and plug-ins, causing Trojans and malware to be installed.

Browsers can also be redirected through malware. Add-ons, plug-ins, or other software on your machine may change the settings of your browser, so when you open your home page or default search engine, you’re redirected to another site. Restoring your browser back to the way it was can require various degrees of work. In more serious cases, you may need to revert your system to a previous state using System Restore, as we discussed earlier. In many cases, running antivirus and anti-malware software that we discuss later in this chapter will remove the malware. You can also try uninstalling the software affecting your system by doing the following:

Browser hijacking often occurs through Browser Helper Objects, which are plug-ins that provide additional functionality to the browser. Malicious software posing as add-ons, extensions, or toolbars may be installed on a system. Generally, antivirus and anti-malware software will identify malicious ones and attempt to remove them. You can also disable them through the browser. On Firefox, you would click the Tools menu and then click Add-ons, while on Internet Explorer, you would click the Tools menu, click Manage add-ons, and then click Toolbars and Extensions. Once the dialog box opens, you can then review the list of add-ons for ones that you can’t identify and probably shouldn’t be there. Selecting the unwanted add-on and clicking the Disable button will prevent it from loading in the browser.

Once you’ve removed or disabled the cause of the problem, you’ll still need to restore your home page and default search engine settings in the browser. If you don’t, you could wind up reloading the page that caused the malware or add-on to be installed in the first place. To restore your home page in Internet Explorer, do the following:

Protecting yourself from backdoors and exploits

Backdoors are undocumented ways of accessing systems. A programmer may have included one to access a system without needing to be authenticated or may be created when a system is compromised by a virus, worm, or other malicious software. Once the backdoor is in place, a hacker can use it for continued access to a system, until the software providing the backdoor has been patched by updated software.

It’s important to keep up to date with installing patches, updates, and service packs on computers. When operating systems and software are released, there may be bugs or glitches in the software that a hacker or malware can exploit. An exploit is a command, method, or software that will use a vulnerability in a system to gain additional access, download additional malware, or run commands that can damage your data or system. As bugs and vulnerabilities are identified, software vendors will release patches, bug-fixes, and other updates that will fix the problems to make the system more stable and secure.

The other way to protect systems is to limit what’s installed. Organizations commonly set up security on computers, network group policies, and corporate policies that restrict the download and installation of software. By preventing users from downloading unauthorized apps, widgets, and programs, there’s less chance that malicious software will also be downloaded by mistake.

Protecting yourself from viruses and malware

There are numerous tools available on the Internet that will detect, block, and remove viruses and malicious software. In using antivirus and anti-malware software, you’ll need to update the signature files that contain information used by the program to detect viruses and malware. In many cases, you’ll find that apps will do this for you, and programs installed on your machine will provide the option to run in the background and install updates as they become available. If signature files aren’t regularly updated, you’re putting your computer and mobile device at risk, because it won’t be able to detect the latest malicious code that’s become known and thereby will unable to block or remove it from your system.

Symantec provides a number of security products that are commonly used for business and home use. Norton Anti-virus, Norton Internet Security, and Norton 360 are all products from Symantec that provides protection from viruses and other malicious code, such as spyware that will monitor your computer, and provides free technical support. It also comes with Norton Safe Web, which scans your Facebook newsfeed for downloads that it knows are dangerous, and will automatically warn you and people you’ve added as friends. To purchase any of these products you can visit www.norton.com.

Norton Mobile Security (http://us.norton.com/norton-mobile-security) is another tool from Symantec for mobile devices. It runs on iPhone, iPad, and Android devices and provides protection from viruses and other threats to mobile devices and detection of phishing that can compromise personal and sensitive information. It also provides features to remotely locate, lock, and wipe a device and remotely take a photo of someone who has it. If you’re concerned about a particular person contacting you, it allows you to block calls and messages from phone numbers you specify, as well as unknown or anonymous numbers. If you’re concerned about security on your phone or other mobile devices, it is definitely worth looking into to safeguard your security.

There are many antivirus and security programs which offer a free trial and then require you to continue using their service by purchasing the product or buying a subscription. If you don’t have the money to spend right now, it doesn’t mean that you need to be exposed to viruses and malware. There are tools that provide limited protection for free. Through them, you get free antivirus protection and can get additional features if you like the program and want to get more out of it.

As we’ve discussed in previous chapters, Lookout Security and Antivirus is a tool that will check and block viruses and other threats to a mobile device and provides security features, such as the ability to remotely lock, find, and wipe a device. Even if you only use the limited features, you can upgrade to use more premium features at anytime.

Avast (www.avast.com) is free antivirus software that provides protection against viruses and malware. It is an exceptional tool at detecting and removing viruses and supports remote assistance so that a friend can assist if there’s a problem. If you want more advanced security, they also provide an Internet security suite that provides a virtual browser window, firewall, antispam, and additional features.

AVG Free Anti-Virus (http://free.avg.com) is free software that will scan your computer for viruses and malware and remove it from the system. It also has features that will scan links to detect whether clicking it will take you to sites that are known for having malicious software, viruses, phishing scams, and so on. A family safety feature can also be activated to prevent access to inappropriate sites containing mature content.

AVG also has free antivirus software for Android devices. AVG Antivirus for Android (http://www.avg.com/us-en/antivirus-for-android) will scan the device for viruses and malware and also provides features to locate, lock, or wipe a device. They also have family safety software for Windows phone (http://www.avg.com/us-en/avg-family-safety-mobile-win) that will block a child from accessing inappropriate sites and also those that are known for having malicious software, phishing scams, and so on.

While you should only run one antivirus program on a computer to avoid conflicts, there is additional software that you can install will scan your system and remove malware. If your computer has already been infected by malware, you should consider Malwarebytes (www.malwarebytes.org) to remove it. As with other software we’ve discussed, it uses signature files to identify malicious software, modified Registry keys, and other threats that have been downloaded and installed on your machine. It’s an exceptional tool that you should run regularly to identify any potential threats that other antivirus/anti-malware software may have missed.

In choosing a product, you should only download and install antivirus/anti-malware software that is known and trusted. As we discussed earlier in this chapter, there are programs that will pretend to be a legitimate product but are actually scams or actually malware that will install additional programs on your system. Even researching new products can be dangerous, as some sites will actually do a drive-by download, where malicious code on the page downloads malware to your system. If you’re unsure what products to trust and decided against any of the ones mentioned here, consider asking a professional in your IT department at work or ask someone who’s well versed with computers and can personally vouch for products.