Bridging the Social Media Implementation/Audit Gap

Jerod Brennen, CISSP, CTO and Principal Security Consultant, Jacadis


Posted on 16-May-2015


DESCRIPTION

It's one thing to embrace social media, but it's another thing entirely to embrace it securely. This presentation helps organizations understand what steps should be taken to ensure that their social media properties aren't abused or exploited to attack the organization.

TRANSCRIPT

Page 1: Bridging the Social Media Implementation/Audit Gap

Bridging the Social Media Implementation/Audit Gap

Jerod Brennen, CISSP, CTO and Principal Security Consultant, Jacadis

Page 2

Agenda

• Perspective

• Preparation

• Implementation

• Monitoring

• Resources

Page 3

The Five W’s

• Who?

• What?

• When?

• Where?

• Why?

• How?

[Image courtesy of Master Isolated Images / FreeDigitalPhotos.net]

Page 4

Strategy (Who + Why + When)

• Risk vs. Reward

▫ Customer interaction

▫ Revenue streams

▫ Malware attack vectors

▫ Legal and HR concerns

• While revenue may be on the rise…

▫ … so are social engineering attacks

Image from http://www.isaca.org/About-ISACA/Press-room/News-Releases/2010/PublishingImages/Social-Media-Business-Risks.JPG

Page 5

Risk vs. Reward

From WAPSM-Social-Media-Research-1Feb2011.doc, pages 11-12

Risks

• Disclosure of corporate assets and sensitive (privileged) information accessible to unauthorized parties

• Violations of legal and regulatory requirements

• Loss of competitive advantage

• Loss of customer confidence

• Loss of reputation

• Dissemination of false or fraudulent information

• Inappropriate or unapproved use of company intellectual property such as logos or trademarked material

Rewards

• Increasing brand recognition

• Increasing sales

• Immediately connecting with prospective customers

• Exploring new advertising channels

• Monitoring competition

• Researching prospective employees

Page 6

Regulatory Concerns

• FINRA (Financial Industry Regulatory Authority)

▫ Regulatory Notice 10-06

▫ Regulatory Notice 11-39

• Advertisements

▫ Public websites & banner ads

• Sales Literature

▫ Email or IM to 25+ prospective retail customers

▫ Password-protected websites

• Correspondence

▫ Email or IM to 1 customer

▫ Email or IM to 1+ existing customers and/or <25 prospective retail customers

• Public Appearances

▫ “Content posted in a real-time interactive electronic forum”

From http://www.finra.org/industry/issues/advertising/p006118

Page 7

Scope (What + Where)

Page 8

Scope, per ISACA

• Current social media tools include:

▫ Blogs (e.g., WordPress, Drupal™, TypePad®)

▫ Microblogs (e.g., Twitter, Tumblr)

▫ Instant messaging (e.g., AOL Instant Messenger [AIM™], Microsoft® Windows Live Messenger)

▫ Online communication systems (e.g., Skype™)

▫ Image and video sharing sites (e.g., Flickr®, YouTube)

▫ Social networking sites (e.g., Facebook, MySpace)

▫ Professional networking sites (e.g., LinkedIn, Plaxo)

▫ Online communities that may be sponsored by the company itself (Similac.com, “Open” by American Express)

▫ Online collaboration sites (e.g., Huddle)

From WAPSM-Social-Media-Research-1Feb2011.doc, page 11

Page 9

Implementation (How)

• Begin at the beginning

▫ Meet with Marketing, HR, Legal, and IT to discuss risks and benefits

• Define policy

▫ More on this later…

• Document training requirements

▫ Employees

▫ Consultants & Contractors

▫ Vendors & Partners

• Document procedures and controls

▫ Access Requests

▫ Monitoring

▫ Assessing

Page 10

Audit/Assurance Program (1 of 3)

• Available at http://www.isaca.org/Knowledge-Center/ITAF-IT-Assurance-Audit-/Audit-Programs/Documents/WAPSM-Social-Media-Research-1Feb2011.doc

• Aligned with COBIT (cross-references)

• Planning and Scoping the Audit

▫ Define the audit/assurance objectives

▫ Define the boundaries of the review

▫ Identify and document risk

▫ Define the change process

▫ Define assignment success

▫ Define the audit/assurance resources required

▫ Define deliverables

▫ Communicate

Page 11

Audit/Assurance Program (2 of 3)

• Strategy and Governance

▫ Risk Management

▫ Policies

• People

▫ HR Function

▫ Training/Awareness

▫ Staffing

Page 12

Audit/Assurance Program (3 of 3)

• Processes

▫ Social Media Alignment With Business Processes

▫ Social Media Brand Protection

▫ Access Management of Social Media Data

• Technology

▫ Social Media Technology Infrastructure

▫ Monitoring Social Media and Effect on Technology

Page 13

Policy and Training

• Personal use in the workplace:

▫ Whether it is allowed

▫ The nondisclosure/posting of business-related content

▫ The discussion of workplace-related topics

▫ Inappropriate sites, content or conversations

• Personal use outside the workplace:

▫ The nondisclosure/posting of business-related content

▫ Standard disclaimers if identifying the employer

▫ The dangers of posting too much personal information

• Business use:

▫ Whether it is allowed

▫ The process to gain approval for use

▫ The scope of topics or information permitted to flow through this channel

▫ Disallowed activities (installation of applications, playing games, etc.)

▫ The escalation process for customer issues

From http://www.isaca.org/Knowledge-Center/Research/Documents/Social-Media-Wh-Paper-26-May10-Research.pdf?id=c1f7b9d8-516d-40c1-8087-e3b0e6cd138c

Page 14

Recurring Assessments

• Risk Assessment

▫ SOX, PCI, HIPAA, etc.

▫ Did your previous assessment(s) include social media?

• Penetration Test

▫ Is social engineering in-scope?

Page 15

Preventative Controls

• Antivirus > Endpoint Security

▫ Prevent devices from being infected with malware

▫ Also, host-based firewall and URL filtering

• URL Filtering

▫ Prohibit access to certain websites from corporate devices

• Training

▫ How to use social media responsibly

▫ How to identify and respond to social engineering attacks

• Data Loss/Leakage Prevention

▫ Prevent sensitive corporate information from being transmitted via email, instant messaging, file uploads, etc.

Page 16

Detective Controls

• Content Filtering

▫ Configure email and web security solutions to monitor for patterns in outbound messages

• Google Hacking

▫ Using powerful customized Google search queries to gather information

• Monitoring Tools (e.g., Maltego)

▫ Open source intelligence and forensics tool

• Monitoring Services (e.g., RiskIQ)

▫ Monitor web-based content for threats and fraud

Page 17

Resources

• ISACA documents

▫ Social Media Audit/Assurance Program http://www.isaca.org/Knowledge-Center/ITAF-IT-Assurance-Audit-/Audit-Programs/Documents/WAPSM-Social-Media-Research-1Feb2011.doc

▫ Social Media: Business Benefits and Security, Governance, and Assurance Perspectives http://www.isaca.org/Knowledge-Center/Research/Documents/Social-Media-Wh-Paper-26-May10-Research.pdf

• Related Documents

▫ CDC – Social Media Security Mitigations http://www.cdc.gov/socialmedia/tools/guidelines/pdf/securitymitigations.pdf

▫ Ponemon – Global Survey on Social Media Risks http://www.websense.com/content/ponemon-institute-research-report-2011.aspx

▫ Social Media Standard, State of California http://www.cio.ca.gov/Government/IT_Policy/pdf/SIMM_66B.pdf

▫ Wikipedia – List of Active Social Networking Sites http://en.wikipedia.org/wiki/List_of_social_networking_websites

Page 18

Resources

• FINRA

▫ Regulatory Notice 10-06 http://www.finra.org/Industry/Regulation/Notices/2010/P120760

▫ Regulatory Notice 11-39 http://www.finra.org/Industry/Regulation/Notices/2011/P124187

▫ Advertising Information http://www.finra.org/Industry/Issues/Advertising/index.htm

• Securing Social Media Profiles

▫ Facebook http://slandail.posterous.com/four-steps-to-secure-your-facebook-profile

▫ Twitter http://www.mediabistro.com/alltwitter/twitter-security-101_b11985

▫ LinkedIn http://www.cio.com/article/485489/LinkedIn_Privacy_Settings_What_You_Need_to_Know

Page 19

Resources

• Securing Corporate Blogs

▫ Hardening WordPress http://codex.wordpress.org/Hardening_WordPress

▫ 11 Best Ways to Improve WordPress Security http://www.problogdesign.com/wordpress/11-best-ways-to-improve-wordpress-security/

• Tools and Services

▫ Google Hacking Database (GHDB) http://www.hackersforcharity.org/ghdb/

▫ Maltego http://www.paterva.com/web5/

▫ Risk IQ http://www.riskiq.com/

▫ Jacadis http://www.jacadis.com/

Page 20

Questions?

Jerod Brennen, CISSP

[email protected]

614.819.0151

http://www.linkedin.com/in/slandail

http://twitter.com/#!/slandail