Security is an important issue for the widespread adoption of social
networks. It is generally agreed that without proper countermeasures in place,
the use of social networks will be severely impeded and insecure.
Security Objectives
When developing an application, it is best to define
security objectives and requirements early in the process. Security objectives
are goals and constraints that affect the confidentiality, integrity, and
availability of your data and application.
Identification of security objectives is the first step you
can take to help ensure the security of your application, and it is also one of
the most important steps. The objectives, once created, can be used to direct
all the subsequent security activities that you perform. Security objectives do
not remain static, but are influenced by later design and implementation
activities.
Security objectives should be identified as early in the
development process as possible, ideally in the requirements and analysis
phase.
Identifying security objectives is an iterative process that
is initially driven by an examination of the application’s requirements and
usage scenarios. By the end of the requirements and analysis phase, you should
have a first set of objectives that are not yet tied to design or
implementation details. During the design phase, additional objectives will
surface that are specific to the application architecture and design. During
the implementation phase, you may discover a few additional objectives based
upon specific technology or implementation choices that have an impact on
overall application security.
Each evolution of the security objectives will affect other
security activities. You should review the threat model, architecture and
design review guidelines, and general code review guidelines when your security
objectives change.
OSI (Open Systems Interconnection) Security Services
The OSI security architecture (ITU-T X.800, technically aligned with
ISO 7498-2) defines five classes of security services that can be provided
within the framework of the OSI Reference Model:
Authentication
These services provide for the authentication of a
communicating peer entity (peer entity authentication) and of the source of
data (data origin authentication).
Access control
This service provides protection against unauthorized use of
resources accessible via OSI.
Data confidentiality
These services provide for the protection of data from
unauthorized disclosure.
Data integrity
These services counter active threats (modification, insertion, deletion or
replay of data) and may take one of the five forms listed under Integrity
below.
Non-repudiation
This service may take one or both of two forms: non-repudiation with proof of
origin, which protects the recipient against the sender later denying having
sent the data, and non-repudiation with proof of delivery, which protects the
sender against the recipient later denying having received it.
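To make the line between data integrity and non-repudiation concrete, here is an added example in Python (not from the lecture or from X.800). It uses HMAC-SHA256 from the standard library: a shared-key MAC lets the receiver detect tampering, but because the receiver holds the same key it can fabricate a validly tagged message, so the tag cannot serve as proof of origin to a third party. The key and messages are constructed for illustration.

```python
"""Added example, not from the lecture or from X.800: data integrity versus
non-repudiation with proof of origin.

A keyed MAC (HMAC-SHA256 from the Python standard library) gives the receiver
data integrity: any modification of the message in transit is detected.  It
does not give non-repudiation, because the receiver holds the same key as the
sender and can therefore compute a valid tag for a message the sender never
sent; the tag proves nothing to a third party.  Proof of origin needs a key
that only the sender holds, i.e. a digital signature.  Key and messages below
are constructed for illustration.
"""
import hashlib
import hmac
from typing import Tuple

# Constructed shared secret; in practice this comes from a key exchange.
SHARED_KEY = b"constructed-shared-key-for-the-example"


def tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag over `message` under `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, mac: bytes) -> bool:
    """Constant-time comparison, so a forger learns nothing from timing."""
    return hmac.compare_digest(tag(key, message), mac)


def integrity_demo(key: bytes = SHARED_KEY) -> Tuple[bool, bool]:
    """Sender tags a message; the receiver checks the genuine and a tampered copy.

    Returns (genuine_accepted, tampered_accepted); a correct MAC gives (True, False).
    """
    sent = b"Alice says: transfer 10 credits to Bob"
    mac = tag(key, sent)
    # Active threat: an attacker on the path rewrites the amount.
    tampered = sent.replace(b"10 credits", b"1000 credits")
    return verify(key, sent, mac), verify(key, tampered, mac)


def proof_of_origin_demo(key: bytes = SHARED_KEY) -> bool:
    """The receiver (Bob) fabricates a message Alice never sent, with a valid tag.

    Returns True if the forged pair passes verification, showing that a shared-key
    MAC cannot serve as proof of origin: a judge handed (message, tag, key) cannot
    tell whether Alice or Bob produced it.
    """
    forged = b"Alice says: transfer 1000000 credits to Bob"
    forged_mac = tag(key, forged)  # Bob knows the key, so this is trivial.
    return verify(key, forged, forged_mac)


if __name__ == "__main__":
    print("integrity (genuine, tampered):", integrity_demo())
    print("forged message accepted by the MAC check:", proof_of_origin_demo())
```

The integrity check behaves as the data integrity service requires (the genuine message passes, the tampered one fails), while the second function shows why the non-repudiation service cannot be built from a MAC alone: proof of origin needs an asymmetric signature whose private key only the sender holds.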
Social Network Security Objectives
As mentioned in week 10, three main security objectives are identified in the
context of OSNs (Online Social Networks):
Privacy
Integrity
Availability
Privacy in OSNs encompasses user profile privacy,
communication privacy, message confidentiality, and control over information
disclosure.
For integrity, the user's identity and data must be
protected against unauthorized modification and tampering.
Availability of user profiles is consequently required as a
basic feature. Besides availability of data access, the availability of message
exchange among members should also be taken into consideration.
Differences between social network security objectives and those of conventional online networks
1. Confidentiality
In conventional online networks, privacy calls for data confidentiality, which
OSI splits into connection confidentiality, connectionless confidentiality,
selective field confidentiality, and traffic flow confidentiality.
In an OSN (Online Social Network), however, privacy means the possibility of
hiding any information about any user, even to the extent of hiding their
participation in the OSN in the first place. Because every item must then be
explicitly disclosed by its owner, this leads to the need for fine-grained
access control.
2. Integrity
Data integrity, in OSI, refers to five facets: connection integrity with
recovery, connection integrity without recovery, selective field connection
integrity, connectionless integrity, and selective field connectionless
integrity.
In OSNs, the creation of personae, such as bogus accounts, cloned accounts, or
other types of impersonation, is easy to achieve. Therefore integrity in the
context of OSNs has to be extended to ensure the existence of real persons
behind registered OSN members.
3. Availability
The OSI security architecture has no availability service as such; the closest
service, access control, protects against unauthorized use of resources
accessible via OSI. In OSNs, availability of user profiles is required as a
basic feature, even when considering recreational use, and includes robustness
against censorship and against the seizure or hijacking of names and other
keywords. Besides data access, the availability of message exchange among
members should be ensured as well.
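The confidentiality point above (explicit disclosure of every item, including the user's very participation, enforced by access control) is easiest to see in code. The following is an added Python example, not part of the lecture or of any real OSN platform: a per-field, default-deny visibility policy in which a field is shown only to the audience its owner explicitly allowed, and a non-discoverable account is reported exactly like a non-existent one. The user names, fields and directory are constructed.

```python
"""Added example, not from the lecture: a per-field, default-deny visibility
policy for OSN profiles.

It models the difference drawn above: OSI confidentiality protects data on a
connection, whereas OSN privacy requires that each profile field, and even the
fact that an account exists, is revealed only where the owner has explicitly
disclosed it.  User names, fields and the directory below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Audience tiers, from most to least restrictive.
OWNER, FRIENDS, MEMBERS, PUBLIC = "owner", "friends", "members", "public"
TIER_RANK = {OWNER: 0, FRIENDS: 1, MEMBERS: 2, PUBLIC: 3}


@dataclass
class Profile:
    user_id: str
    fields: Dict[str, str]
    friends: FrozenSet[str] = frozenset()
    # Explicit disclosure: a field missing from this map is owner-only (default deny).
    visibility: Dict[str, str] = field(default_factory=dict)
    # Whether non-friends may learn that this account exists at all.
    discoverable: bool = False


def audience_of(profile: Profile, viewer: Optional[str]) -> str:
    """Classify the viewer relative to the profile owner; None is an anonymous visitor."""
    if viewer is None:
        return PUBLIC
    if viewer == profile.user_id:
        return OWNER
    if viewer in profile.friends:
        return FRIENDS
    return MEMBERS


def view_profile(profile: Profile, viewer: Optional[str]) -> Optional[Dict[str, str]]:
    """Return the fields `viewer` may see, or None if the account must appear not to exist."""
    audience = audience_of(profile, viewer)
    if not profile.discoverable and audience in (MEMBERS, PUBLIC):
        return None  # participation in the OSN is itself hidden
    shown = {}
    for name, value in profile.fields.items():
        allowed = profile.visibility.get(name, OWNER)  # default deny
        if TIER_RANK[audience] <= TIER_RANK[allowed]:
            shown[name] = value
    return shown


def lookup(directory: Dict[str, Profile], user_id: str,
           viewer: Optional[str]) -> Optional[Dict[str, str]]:
    """Directory lookup: an unknown user and a hidden user get the same answer,
    so an outsider cannot enumerate who participates in the OSN."""
    profile = directory.get(user_id)
    if profile is None:
        return None
    return view_profile(profile, viewer)


# Constructed sample data.
ALICE = Profile(
    user_id="alice",
    fields={"name": "Alice", "email": "alice@example.invalid", "city": "Hangzhou"},
    friends=frozenset({"bob", "carol"}),
    visibility={"name": PUBLIC, "city": FRIENDS},  # email stays owner-only
    discoverable=True,
)
CAROL = Profile(
    user_id="carol",
    fields={"name": "Carol", "email": "carol@example.invalid"},
    friends=frozenset({"alice"}),
    visibility={"name": PUBLIC},
    discoverable=False,  # hidden from everyone but her friends
)
DIRECTORY = {ALICE.user_id: ALICE, CAROL.user_id: CAROL}

if __name__ == "__main__":
    for viewer in ("alice", "bob", "mallory", None):
        print(f"alice as seen by {viewer!r}: {view_profile(ALICE, viewer)}")
    print("carol as seen by mallory:", lookup(DIRECTORY, "carol", "mallory"))
    print("unknown user as seen by mallory:", lookup(DIRECTORY, "nobody", "mallory"))
    print("carol as seen by alice:", lookup(DIRECTORY, "carol", "alice"))
```

Two design choices carry the security point. Fields not listed in `visibility` fall back to owner-only, so a new field is never exposed by accident. And `lookup` returns the same `None` for a hidden account as for a name that was never registered, rather than an "access denied" answer that would confirm the account exists; every other feature that touches accounts (search, friend requests, mention autocomplete, error messages on message delivery) must apply the same rule, or it becomes the channel through which participation leaks.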
References:
Lecture 10 (pages 6-10)
You mentioned conventional network security and social network security. Besides, you pointed out their differences.
Well, what other security factors do you think should be taken into consideration, when social networks are exploding?
I think both traditional network security and social network security have their advantages and disadvantages, so what about combining both to achieve better performance? What's your opinion?
Yeah, that is a good idea, I quite agree.
Besides, I think that in the future there will be more and more applications online, some of which may be beyond our imagination, so "security" should always keep developing along with other applications and prepare for new challenges...
Software applications would be upgraded immediately to keep pace with the rapid development of technology.
Agree, but sometimes a new version of software will introduce new vulnerabilities!!! Facebook Timeline is an example.
This is really a great article and I think we should pay more attention to our social network security and do a better security job on that platform.
Yes. We call for advanced technologies based on social network security objectives.
In the confidentiality section, what is the meaning of connectionless confidentiality, selective field confidentiality and traffic flow confidentiality?
Connectionless confidentiality
This service provides for the confidentiality of all (N)-user-data in a single connectionless (N)-SDU.
Selective field confidentiality
This service provides for the confidentiality of selected fields within the (N)-user-data on an (N)-connection or in a single connectionless (N)-SDU.
Traffic flow confidentiality
This service provides for the protection of the information which might be derived from observation of traffic flows.
In my opinion, compared with traditional networking security, social networking security will put much more attention on the three parts, which are confidentiality, integrity, and availability, since social media is becoming more and more a part of everyday life for much of the world. More and more businesses are also relying on social media marketing to promote their business. A small flaw in social media could bring a huge online disaster.
So social networks call for regulation eagerly and hide a huge potential marketing opportunity.
I have learned a lot from this blog. I think social networking security is more important and difficult than traditional networking security because of its own features. It is quite open and information is transmitted fast on social networks. Do you have any special ideas on how to protect the security of social networks that are different from traditional networks?
Social networks are not only convenient for their users, who can share information and communicate with each other immediately, but also a big potential market for vendors. On the other side, we should reinforce awareness of defending against hackers or other damage by establishing regulations or developing advanced technology, I reckon.
Thanks for the detailed summary of what we have learned in lecture 10. I have learned a lot from this blog; "security" is a hot topic in social networks, and we can touch on more examples of it.
Some suggestions: if you can compare social network security and the conventional one with some examples, it will be perfect.
Third-party applications are quite a security and privacy problem. Some applications pretend to provide information or entertainment for users in order to cheat social networking platforms, but they quietly collect confidential information about users or intrude into sensitive profiles to gain profit. I think, on the one hand, we should not be quick to trust strange applications, and on the other hand, it is the social networking platform's duty to enhance its measures to protect us from such applications.
Your information is very useful and complete. Thanks for sharing.
Your blog is useful, and you give out some basic concepts about security. Yes, there is a big challenge in social network security which is much more serious than in conventional network services. Many times, the designer of a social network has to strike a balance between user experience and security. For example, many social networks will provide access to your profile for your friends by default. But in fact this is not an appropriate assumption, since the friend you added may be just a common online user whom you have never seen before. But if the designer set the profile to a private level for anybody, they may think that is good for attracting new users, especially when the status information is set to a private level. So there are more considerations about social network security.
I found that a considerable number of classmates have opted for this topic. It seems that this topic is very worthy of study. Furthermore, if you can provide some examples to support your opinion, it will be more perfect.
I agree with your point. Also, further adoption of social networking media will continue to blur the network perimeter of network security.