
Page 1: Social media and security essentials.pptx

Pink Elephant – Leading The Way In IT Management Best Practices

Social Media & Security Essentials

January 31, 2011

Troy DuMoulin, AVP Strategic Solutions

Pink Elephant

Page 2: Social media and security essentials.pptx

Social Media & Security Essentials © Pink Elephant, 2011. All Rights Reserved. ITIL® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries.

Welcome & Agenda

Agenda

•  The Impact & Growth of Social Media

•  The key risks of Web 2.0 and Social Media

•  Recent Example Case Studies for Facebook and Twitter

•  Social Media as an IT Service

•  Establishing Social Media Policies

•  Looking at 2011

•  Next Steps

Objective: Practical guidance about how to effectively manage social networking security risks

Page 3: Social media and security essentials.pptx


The Flood Of Social Media NOW

•  Adoption has surged to staggering heights. Facebook has over 500 million users (July 2010), MySpace has nearly 70 million in the U.S. (June 2010) and LinkedIn has around 75 million worldwide (August 2010). As for Twitter, its 105,779,710 registered users (April 2010) account for approximately 750 tweets each second

•  The Facebook platform houses over 550,000 active applications and is integrated with more than one million websites

•  A Burson-Marsteller study showed that, “of the Fortune Global 100 companies, 65% have active Twitter accounts, 54% have Facebook fan pages, 50% have YouTube video channels and 33% have corporate blogs”

Securing the Social Network – Websense Whitepaper

Page 4: Social media and security essentials.pptx


Managing vs. Blocking Social Media

It is not possible to ban the use of Social Media any more than it was possible to ban the internet (both have been tried)

Page 5: Social media and security essentials.pptx


Websense Research Highlights 2010

Every hour Websense scans more than 40 million websites for malicious code and nearly 10 million emails for unwanted content and malicious code. Using more than 50 million real-time data collecting systems, it monitors and classifies Web, email, and data content. www.websense.com

Based on a sample size of 200,000 Facebook and Twitter Entries

•  Websense Security Labs identified a 111.4% increase in the number of malicious websites from 2009 to 2010

•  79.9% of websites with malicious code were legitimate sites that had been compromised, an increase of 3% from the previous period

•  Searching for breaking trends and current news represented a higher risk (22.4%) than searching for objectionable content (21.8%)

•  52% of data stealing attacks occurred over the Web

2010 Threat Report – Websense

Page 6: Social media and security essentials.pptx


Websense Research Highlights 2010

40% of all Facebook status updates have links and 10% of those links are either spam or malicious.

Based on a sample size of 200,000 Facebook and Twitter Entries

2010 Threat Report – Websense

Page 7: Social media and security essentials.pptx


CISCO Annual Security Report

•  Consider social media. Its impact on computer security cannot be overstated. It is common for workers to blend business and personal communications on these social networks, further blurring the network perimeter

•  The high levels of trust that users place in social networks – that is, users’ willingness to respond to information appearing within these networks – have provided ample opportunity for new and more effective scams. Instead of searching out technical vulnerabilities to exploit, criminals merely need a good lure to hook new victims

•  No longer does business take place solely behind network walls. The critical work of an organization is happening increasingly on social networks, on handheld devices, on Internet kiosks at airports, and at local cafes

•  Social Media “Were The Problem”: Social media users believe there is protection in being part of a community of people they know. Criminals are happy to prove this notion wrong

Page 8: Social media and security essentials.pptx


Social Media Risks – 1

Threats & Vulnerabilities / Risks

Lack of control

•  Automated protection can only block or enable websites and domains (On or OFF)

•  Classic Anti Virus software is ineffective against social engineering or phishing attacks

•  Engaging in Social Media does not require IT involvement or approvals

•  Lack of a business policy or lack of enforcement of the policy

Exposure growing on legitimate websites

•  Malicious code “is not just coming from the dark corners of the web. Some 79 percent is coming from legitimate sites”

Data loss is often based on exploiting implicit trust (Trust conditioning)

•  Social networking sites are all about trusted communities, collaboration and data sharing

•  Most malware, scams and phishing attacks are successful because they prey upon trusted relationships

Page 9: Social media and security essentials.pptx


Social Media Risks – 2

Threats & Vulnerabilities / Risks

Customer or Employee exposure

•  Loss or exposure of customer information leading to liability or loss of trust

•  Reputational damage

•  Targeted marketing to your customers

•  Targeted head hunting of your employees

Unclear or lost content rights for information posted to social media sites

•  Enterprise’s loss of control/legal rights over information posted to the social media sites

•  Privacy violations

Mis-directed surfing on legitimate sites

•  Shortened URL Spoofing

•  Identity theft

•  Search Engine Optimization (SEO) poisoning

•  Cross site scripting attacks

•  Trojan & Botnet proliferation

Page 10: Social media and security essentials.pptx


Early Adoption – Risk & Reward

[Figure: technology adoption curve for Social Media. Segments: Innovators 2.5 %, Early Adopters 13.5 %, Early Majority 34 %, Late Majority 34 %, Laggards 16 %. Labels from left to right: Embrace New Technology; Look for prior Success; Interested in cost & cost control; Luddites]

Companies are driven by growth. Growth often comes from innovation. Many companies get a leg up on the competition by being willing to take a managed risk.

Page 11: Social media and security essentials.pptx


CASE STUDY EXAMPLES

Recent Social Media Attacks

Page 12: Social media and security essentials.pptx


URL Shortening – Boon & Risk

Screenshot (10-12-28 7:10 PM): bit.ly warning page, http://bit.ly/a/warning?url=http%3a%2f%2fsu%2epr%2f4SzLwj&hash=huUyr5

Warning! | There might be a problem with the requested link

STOP - there might be a problem with the requested link

The link you requested has been identified by bit.ly as being potentially problematic. We have detected a link that has been shortened more than once, and that may be a problem because:

Some URL-shorteners re-use their links, so bit.ly can't guarantee the validity of this link. Some URL-shorteners allow their links to be edited, so bit.ly can't tell where this link will lead you. Spam and malware is very often propagated by exploiting these loopholes, neither of which bit.ly allows for.

The link you requested may contain inappropriate content, or even spam or malicious code that could be downloaded to your computer without your consent, or may be a forgery or imitation of another website, designed to trick users into sharing personal or financial information.

Bit.ly suggests that you: Change the original link, and re-shorten with bit.ly; Close your browser window; Notify the sender of the URL

Or, continue at your own risk to http://su.pr/4SzLwj

You can learn more about harmful content at www.StopBadware.org. You can find out more about phishing from www.antiphishing.org. For more information about our policy please contact support%[email protected]

Read more about bit.ly's spam and antiphishing partners here

Publish with bit.ly and protect your links

Security vendor McAfee Inc. is warning of a rising security risk in 2011 in the 3,000 shortened URLs generated per minute for use on social media sites such as Twitter.

Page 13: Social media and security essentials.pptx


Short URL Checkers

Screenshot (10-12-28 7:12 PM): Short URL Checker - RESULTS, http://www.pcistools.com/process_tURL.php

Short URL Checker Results (Home > Tinyurl Checker)

URL as entered: http://su.pr/4SzLwj

Expanded link: http://www.good.is/post/12-year-old-girl-runs-make-shift-school-for-village-children/

Enter Another URL or read more information about this link:

•  Safe Browsing Information About This Site – Safe Browsing information for this link (source: Google.com)

•  WHOIS – Whois Information (source: Domaintools.com)

•  Blog Search – Blogs (source: Google Blog Search)

•  Social Media Analysis – Social Internet Search (source: SocialMention)

Brought to you by: http://pcistools.com/tinyurlchecker.php
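The bit.ly warning on the previous slide flags a link that has been shortened more than once, and the checker on this slide expands a short link to its real destination before anyone clicks it. The Python below is an added example, not code from the slides or from either service: it expands a redirect chain one hop at a time with a hop cap and a loop check and raises the same "shortened more than once" flag. The shortener host list, the redirect table and the example URLs are constructed for the demonstration, and http_resolver is an assumed live alternative that the offline run does not use.

```python
"""Expand a shortened URL along its redirect chain and flag what the bit.ly
warning page describes: a link shortened more than once, a loop, or a chain
that never lands. Added example, not code from the slides; the shortener
host list and the redirect table are constructed for the demonstration."""
import http.client
from dataclasses import dataclass, field
from typing import Callable, List, Optional
from urllib.parse import urljoin, urlsplit

# Shortener hosts named on the slides (bit.ly, su.pr, tinyurl) plus t.co as
# an assumed extra; a real checker would maintain this list.
SHORTENER_HOSTS = {"bit.ly", "su.pr", "tinyurl.com", "t.co"}

# Constructed redirect table standing in for live HEAD requests. The first
# chain mirrors the slide: bit.ly -> su.pr -> an article on good.is.
CONSTRUCTED_REDIRECTS = {
    "http://bit.ly/example1": "http://su.pr/example2",
    "http://su.pr/example2": "http://www.good.is/post/example-article/",
    "http://tinyurl.com/single": "http://example.com/page",
    "http://bit.ly/loop-a": "http://tinyurl.com/loop-b",
    "http://tinyurl.com/loop-b": "http://bit.ly/loop-a",
}

def table_resolver(url: str) -> Optional[str]:
    """Offline resolver: next hop from the constructed table, None if final."""
    return CONSTRUCTED_REDIRECTS.get(url)

def http_resolver(url: str, timeout: float = 5.0) -> Optional[str]:
    """Live resolver (assumed alternative): one HEAD request, returning the
    Location header without following it, so each hop is inspected first."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(
        parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        if resp.status in (301, 302, 303, 307, 308):
            location = resp.getheader("Location")
            return urljoin(url, location) if location else None
        return None
    finally:
        conn.close()

@dataclass
class ExpansionResult:
    chain: List[str]            # every URL visited, starting with the input
    final_url: Optional[str]    # landing page, or None if never reached
    shortener_hops: int         # chain entries hosted on a known shortener
    warnings: List[str] = field(default_factory=list)

def count_shortener_hops(chain: List[str]) -> int:
    return sum((urlsplit(u).hostname or "") in SHORTENER_HOSTS for u in chain)

def expand_short_url(url: str,
                     resolver: Callable[[str], Optional[str]] = table_resolver,
                     max_hops: int = 5) -> ExpansionResult:
    """Follow redirects one hop at a time, bounded by max_hops, and report
    double shortening, loops and chains that never reach a landing page."""
    chain, warnings = [url], []
    for _ in range(max_hops):
        next_url = resolver(chain[-1])
        if next_url is None:            # no redirect: landing page reached
            break
        if next_url in chain:           # A -> B -> A style loop
            warnings.append("redirect loop")
            return ExpansionResult(chain, None, count_shortener_hops(chain), warnings)
        chain.append(next_url)
    else:                               # max_hops used up without landing
        warnings.append(f"more than {max_hops} redirects; expansion abandoned")
        return ExpansionResult(chain, None, count_shortener_hops(chain), warnings)
    hops = count_shortener_hops(chain)
    if hops > 1:                        # the condition bit.ly warns about
        warnings.append("shortened more than once")
    return ExpansionResult(chain, chain[-1], hops, warnings)
```

Calling expand_short_url("http://bit.ly/example1") returns the three-entry chain ending on good.is with the "shortened more than once" warning, while "http://bit.ly/loop-a" returns no final URL and a "redirect loop" warning.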

Page 14: Social media and security essentials.pptx


Facebook Email Scam


Page 15: Social media and security essentials.pptx


Awkward (haha) Video Facebook Scam

[Figure: screenshot of the scam post with callouts: Exposed URLs not always hidden; Click-Jacking; Rapid spread of Malware SPAM]

Page 16: Social media and security essentials.pptx


Instant Messenger Attacks


www.securelist.com/en/blog

Page 17: Social media and security essentials.pptx


Facebook Toolbar Phishing


Warning: Fake Zynga Toolbars Will Steal Your Facebook Password

There are two “free toolbars” circulating around the web that pretend to enable users to cheat at Zynga games on Facebook, but actually attempt to steal Facebook login credentials. The false toolbars were spotted by Sunbelt researchers and should be avoided at all cost. See below for more details.

The images below were provided courtesy of Help Net Security and detail the method of operation of the deceitful toolbars.

At first glance, the toolbars look legitimate and appear at the top of your browser, along with a legitimate Facebook logo. The buttons have features that allow for cheating on “Zynga Games” along with other links as well.

The problem is, when users click on the “Facebook” logo in the top left corner of the bar (the layout sometimes changes), they are taken to a false Facebook page that asks you to login but actually steals your credentials instead!

www.securelist.com/en/blog

Page 18: Social media and security essentials.pptx


Facebook Survey Scams


Nakedsecurity.sophos.com/category/social-networks

Page 19: Social media and security essentials.pptx


Malware Infection Example


Nakedsecurity.sophos.com/category/social-networks

Page 20: Social media and security essentials.pptx


Leveraging Twitter Trends


www.securelist.com/en/blog

Page 21: Social media and security essentials.pptx


Fake Adobe Attack From Twitter


www.securelist.com/en/blog

Page 22: Social media and security essentials.pptx


SERVICE LIFECYCLE & RISK MANAGEMENT

Using Frameworks To Manage Social Media Strategy


Page 23: Social media and security essentials.pptx


In this world there are four kinds of people:

•  Those who make things happen

•  Those who watch things happen

•  Those who have things happen to them

•  Those who wonder what happened

Service Management & Social Media?

"In its simplest terms, there is anarchy in the absence of social media policy and training," says John Pironti, ISACA board member and president of IP Architects, LLC.

Page 24: Social media and security essentials.pptx


IT Service Lifecycle & Social Media

[Figure: service lifecycle flow for a Social Media service, grouped as Plan / Build, Manage and Operate]

Business Requirement
•  Business Engagement
•  Social Media Strategy
•  Business Risk Assessment

Plan
•  Estimate business and technical resources
•  Define Governance & Monitoring
•  Establish Social Media Measures
•  Establish Risk Mitigation plan
•  Establish financial budgets and funding

Source / build
•  Insource / Outsource
•  Choose Social Media platforms
•  Communication strategy
•  Training strategy

Provision
•  Build / Publish Services
•  Define change approval process
•  Service Testing
•  Transition to production

Deliver / Operate
•  Content Development
•  Content Management
•  Incident Management
•  Security Management
•  Change Management

Cost / Recovery
•  Track Planned vs Actual cost
•  Accounts Payable

Report
•  Summary, drill down, analysis
•  KPIs

Manage
•  Service Analysis
•  Customer Value Realization Assessment
•  Continual Service Improvement

Page 25: Social media and security essentials.pptx


Service Management Integration

[Figure: the ITIL service lifecycle, with the processes of each phase listed below]

SERVICE STRATEGY
•  Service Strategy
•  Financial Management
•  Service Portfolio Management
•  Demand Management

SERVICE DESIGN
•  Service Catalog Management
•  Service Level Management
•  Capacity Management
•  Availability Management
•  IT Service Continuity Management
•  Information Security Management
•  Supplier Management

SERVICE TRANSITION
•  Transition Planning & Support
•  Change Management
•  Service Asset & Configuration Management
•  Release & Deployment Management
•  Service Validation & Testing
•  Evaluation
•  Knowledge Management

SERVICE OPERATION
•  Event Management
•  Incident Management
•  Request Fulfillment
•  Problem Management
•  Access Management

Functions
•  Service Desk
•  Technical Management
•  IT Operations Management
•  Application Management

CONTINUAL SERVICE IMPROVEMENT
•  Seven Step Improvement
•  Service Measurement
•  Service Reporting

© Crown copyright 2007 Reproduced under license from OGC

Figure 1.2 Service Strategy 1.2.3

Page 26: Social media and security essentials.pptx


A Risk Management Effort Includes:

•  Identifying risks related to social media use

•  Assessing these risks to ascertain the probability of these risks occurring and the potential impact to the business if they do occur

•  Planning a mitigation strategy to deal with the higher impact, higher priority risks

•  Managing & Monitoring the risks through communication and the implementation of risk mitigation and avoidance strategies

Page 27: Social media and security essentials.pptx


Establishing A Social Media Strategy

When creating a social media strategy, some questions to consider are:

•  What are the strategic benefits/goals for leveraging Social Media?

•  Are all appropriate stakeholders involved in social media strategy development?

•  What platforms will be used when, by whom and for what objectives?

•  What are the risks and how will they be mitigated?

•  What policies need to be established?

•  What are the new legal issues associated with the use of social media?

•  How will customer privacy issues be addressed?

•  How can positive brand recognition be ensured?

•  How will awareness training be communicated to employees and customers?

•  How will inquiries and concerns from customers be handled?

•  Does the enterprise have the resources to support such an initiative?

Source: ISACA Social Media Business Benefits & Security, Governance and Assurance Perspectives

Page 28: Social media and security essentials.pptx


EXAMPLE SOCIAL MEDIA POLICIES

Establishing Policies

Page 29: Social media and security essentials.pptx


Social Media Policy Categories

•  Personal use in the workplace:
   •  Whether it is allowed
   •  The nondisclosure/posting of business-related content
   •  The discussion of workplace-related topics
   •  Inappropriate sites, content or conversations

•  Personal use outside the workplace:
   •  The nondisclosure/posting of business-related content
   •  Standard disclaimers if identifying the employer
   •  The dangers of posting too much personal information

•  Business use:
   •  Whether it is allowed
   •  The process to gain approval for use
   •  The scope of topics or information permitted to flow through this channel
   •  Disallowed activities (installation of applications, playing games, etc.)
   •  The escalation process for customer issues

Source: ISACA Social Media Business Benefits & Security, Governance and Assurance Perspectives

Page 30: Social media and security essentials.pptx


Example General Guidelines

•  Be respectful to the company, other employees, customers, partners, and competitors

•  Social media activities should not interfere with other work commitments or impact productivity

•  Your online presence reflects the company. Be aware that your actions captured via images, posts, or comments can reflect on the company

•  Do not reference or cite company clients, partners, or customers without their express consent. In all cases, do not publish any information regarding a client during the engagement

•  Company logos and trademarks may not be used without written consent

Page 31: Social media and security essentials.pptx


Policy Statement Examples

•  Personal blogs should have clear disclaimers that the views expressed by the author in the blog are the author’s alone and do not represent the views of the company

•  Information published on social networking sites should comply with the company’s confidentiality and disclosure of proprietary data policies. This also applies to comments posted on other blogs, forums, and social networking sites

•  Videos and blogs are invaluable sources of inspiration and information. Please refrain from reading personal or non-industry blogs during company time

•  Please refrain from personal online shopping during company time

Page 32: Social media and security essentials.pptx


Resources & Policies Examples

•  Harvard Law Blogging Policy http://blogs.law.harvard.edu/terms-of-use/

•  Oracle Social Media Participation Policy http://www.sun.com/communities/guidelines.jsp

•  IBM Social Computing Guidelines http://www.ibm.com/blogs/zz/en/guidelines.html

•  30 Tips to Manage Employees Online http://ariwriter.com/30-tips-to-manage-employees-online/

•  Baker and Daniels Law http://www.bakerdstreamingvid.com/publications/Baker_Daniels_Social-Media-Policy.pdf

Page 33: Social media and security essentials.pptx


Looking Forward – Discussion

McAfee Labs Predicts (December 28): Emerging Threats in 2011

•  Exploiting Social Media: URL-shortening services

•  Exploiting Social Media: Geolocation services

•  Mobile: Usage is rising in the workplace, and so will attacks

•  Apple: No longer flying under the radar

•  Applications: Privacy leaks – from your TV

•  Hacktivism: Following the WikiLeaks path

•  Advanced Persistent Threat: Cyberespionage

Your Thoughts ???

www.mcafee.com

Page 34: Social media and security essentials.pptx


Next Steps When You Go Back

•  Within 30 days:
   •  Conduct an assessment of corporate and personal Social Media use

•  Within 60 days:
   •  Conduct risk assessment for Social Media
   •  Establish policies that address social media use covering both business and personal use
   •  Conduct policy training for all users

•  Within 90 days:
   •  Define service strategy for Social Media
   •  Service Design (functional and non functional requirements)
   •  Define Transition plans
   •  Define operational processes and resources
   •  Define Management and CSI activities and measures

Page 35: Social media and security essentials.pptx


References

•  Securing Social Network – Websense

•  Social Media: Business Benefits and Security – ISACA

•  CISCO Annual Report on Security 2009

•  Social Networking & Security – Infosec.co.uk

•  2010 Threat Report – Websense

Page 36: Social media and security essentials.pptx


Questions?

Thank You PINK ELEPHANT www.pinkelephant.com

Troy DuMoulin

[email protected]

http://blogs.pinkelephant.com/troy

http://twitter.com/TroyDuMoulin