Untitled

from the NSA:
Dear Industry Partner,

(U)  GUIDELINES FOR THE PERSONAL USE OF SOCIAL NETWORKING SITES

(U)  Would you give your address to a stranger on the street?  Of course not!  What if the stranger were a burglar?  They’d know you’re not at home and would be free to ransack your house.  So why would you post personal information to social networking sites on the Internet?


(U)  The Internet really is the new Wild West, with very few controls and no assurance that your personal information is protected.  Despite site privacy settings, you should assume that anything you post can be viewed by anyone with an Internet connection—including cyber and identity thieves, as well as traditional criminals.


(U)  The following guidelines are provided to reduce your exposure to potential threats on social networking websites:


·        (U)  Use your personal email address, not your government or company email address, as the means of identification on social networking sites.


·        (U)  Do not use any screen name, username, "handle", URL, personal space name or other designation that would reveal an association with the U.S. Government or any other Enterprise- or Intelligence Community-related word.


·        (U)  Avoid posting sensitive personal and work-related information, such as plans, schedule and location information; phone number, address or other sensitive contact information; an unclassified government e-mail address; or names and personal information of coworkers, friends and family members.


·        (U)  Do not reveal any other individual’s affiliation with specific government agencies.


·        (U)  Do not post pictures, videos, diagrams or other graphics that may reveal an association with your organization.  Be particularly aware of compromising information that might be contained in the background of pictures or videos, such as pictures taken in front of your facility, or reflected images from tables or mirrors.


·        (U)  Ask family and friends not to post photos and information about you without prior approval.


·        (U)  Avoid adding third-party plugins, add-ons or applications such as “Farmville” or “Mafia Wars” to your social networking profile, especially when not familiar with the associated vulnerabilities and security threats.  Remember that many third-party applications may gain unrestricted access to Personally-Identifiable Information (PII).


·        (U)  Become familiar with the End-User License Agreements of social networking sites in order to know the site’s access and rights to personal information and personal material.


·        (U)  Periodically monitor privacy settings and security options. Consider using each site’s privacy settings to prevent strangers from viewing your profile/content, e.g., by removing yourself from site search results; prevent photo tagging; define access permissions for social networking associates or “friends” to determine what PII they can view; and define access permissions for public viewing and search results.


·        (U)  Regularly monitor postings from family and friends to see if they have disclosed PII about you, and respond accordingly.  If you are unsure how to respond, please contact your supervisor or your Security Officer.


·        (U)  Do not allow people you don’t know to be on your “friends” lists.


·        (U)  Check all groups’ privacy settings before joining them.


·        (U)  Avoid joining groups or associations that might suggest your employer or job affiliation.


·        (U)  Ensure that your systems and software (including web browsers) are up to date with the latest virus definitions, patches and malware protection.


·        (U)  Beware of links and attached files posted to social networking sites, as they may link to or contain malware.  Be sure to protect your computer against viruses, trojans, etc.


·        (U)  Use unique, complex passwords for each online account.  Vary usernames and passwords for personal accounts, such as personal e-mail, home banking, blogs, social networking, etc.  Then, if one account is compromised, all others should remain secure and not susceptible to unauthorized access.


·        (U)  Protect your passwords.  Do not share them.


·        (U)  Look for HTTPS and the lock icon that indicate active transmission security before logging in or entering sensitive data (especially when using wi-fi hotspots).


·        (U)  Avoid accessing social networking sites from especially risky public locations such as hotels, cyber-cafes or airport hotspots, particularly when in a foreign country.  Usernames, passwords and other sensitive information could be intercepted during transmission.


·        (U)  Certain clues could help indicate if your Social Network page has been compromised.  If you notice any of these events, contact the site administrators of the SNS and report it.  More than likely your page will be locked out until it’s resolved or a new password is generated by the site and emailed to your personal email address.  Things to watch for include:


·        (U)  A major increase or decrease of friends (someone besides yourself could be sending friend requests to strangers, or removing approved friends from your page.)


·        (U)  Wall Posts, Blogs, applications, even the design of your page have been added, modified, or deleted.


·        (U)  Your password no longer works.


·        (U)  You receive an email on the address that is assigned to your SNS stating that changes have been made.


·        (U)  Pictures have been added or removed from your profile or your default picture has changed.


·        (U)  Any changes to your identifying information, such as hometown, date of birth, etc.


·        (U)  Your profile has been added as a member of Groups or Fan Pages you normally do not join.


·        (U)  Report all suspicious or overly aggressive contacts, as well as anyone who asks any probing or leading questions pertaining to your government affiliation, to your Security Officer.


Regards,