Pink Elephant – Leading The Way In IT Management Best Practices
Social Media & Security Essentials
January 31, 2011
Troy DuMoulin AVP Strategic Solutions
Pink Elephant
Social Media & Security Essentials © Pink Elephant, 2011. All Rights Reserved. ITIL® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries. 2
Welcome & Agenda
The Impact & Growth of Social Media
The key risks of Web 2.0 and Social Media
Recent Example Case Studies for Facebook and Twitter
Social Media as an IT Service
Establishing Social Media Policies
Looking at 2011 Next Steps
Objective: Practical guidance about how to effectively manage social networking security risks
The Flood Of Social Media NOW
Adoption has surged to staggering heights. While Facebook has over 500 million users (July 2010), MySpace has nearly 70 million in the U.S. (June 2010) and LinkedIn has around 75 million worldwide (August 2010). As for Twitter, 105,779,710 registered users (April 2010) account for approximately 750 tweets each second.
The Facebook platform houses over 550,000 active applications and is integrated with more than one million websites.
A Burson-Marsteller study showed that, “of the Fortune Global 100 companies, 65% have active Twitter accounts, 54% have Facebook fan pages, 50% have YouTube video channels and 33% have corporate blogs”.
Source: Securing the Social Network – Websense Whitepaper
Managing vs. Blocking Social Media
It is not possible to ban the use of Social Media, any more than it was possible to ban the internet (both have been tried).
Websense Research Highlights 2010
Every hour Websense scans more than 40 million websites for malicious code and nearly 10 million emails for unwanted content and malicious code. Using more than 50 million real-time data collecting systems, it monitors and classifies Web, email, and data content. www.websense.com
Based on a sample size of 200,000 Facebook and Twitter entries:
• Websense Security Labs identified a 111.4% increase in the number of malicious websites from 2009 to 2010
• 79.9% of websites with malicious code were legitimate sites that had been compromised, an increase of 3% from the previous period
• Searching for breaking trends and current news represented a higher risk (22.4%) than searching for objectionable content (21.8%)
• 52% of data-stealing attacks occurred over the Web
Source: 2010 Threat Report – Websense
Websense Research Highlights 2010
40% of all Facebook status updates have links and 10% of those links are either spam or malicious.
Based on a sample size of 200,000 Facebook and Twitter entries
Source: 2010 Threat Report – Websense
CISCO Annual Security Report
Consider social media. Its impact on computer security cannot be overstated. It is common for workers to blend business and personal communications on these social networks, further blurring the network perimeter.
The high levels of trust that users place in social networks – that is, users’ willingness to respond to information appearing within these networks – have provided ample opportunity for new and more effective scams. Instead of searching out technical vulnerabilities to exploit, criminals merely need a good lure to hook new victims.
No longer does business take place solely behind network walls. The critical work of an organization is happening increasingly on social networks, on handheld devices, on Internet kiosks at airports, and at local cafes.
Social Media “Were The Problem”: Social media users believe there is protection in being part of a community of people they know. Criminals are happy to prove this notion wrong.
Social Media Risks – 1
Threats & Vulnerabilities / Risks
Lack of control
• Automated protection can only block or enable websites and domains (on or off)
• Classic anti-virus software is ineffective against social engineering or phishing attacks
• Engaging in Social Media does not require IT involvement or approvals
• Lack of a business policy, or lack of enforcement of the policy
Exposure growing on legitimate websites
• Malicious code “is not just coming from the dark corners of the web”; “some 79 percent is coming from legitimate sites”
Data loss is often based on exploiting implicit trust (trust conditioning)
• Social networking sites are all about trusted communities, collaboration and data sharing
• Most malware, scams and phishing attacks are successful because they prey upon trusted relationships
Social Media Risks – 2
Threats & Vulnerabilities / Risks
Customer or employee exposure
• Loss or exposure of customer information leading to liability or loss of trust
• Reputational damage
• Targeted marketing to your customers
• Targeted head-hunting of your employees
Unclear or lost content rights for information posted to social media sites
• Enterprise’s loss of control/legal rights over information posted to the social media sites
• Privacy violations
Mis-directed surfing on legitimate sites
• Shortened URL spoofing
• Identity theft
• Search Engine Optimization (SEO) poisoning
• Cross-site scripting attacks
• Trojan & botnet proliferation
Early Adoption – Risk & Reward
(Technology adoption curve: Innovators 2.5%, Early Adopters 13.5%, Early Majority 34%, Late Majority 34%, Laggards 16%. Labels on the curve: Embrace New Technology; Look for prior Success; Interested in cost & cost control; Luddites. Social Media is placed on this curve.)
Companies are driven by growth. Growth often comes from innovation. Many companies get a leg up on the competition by being willing to take a managed risk.
CASE STUDY EXAMPLES Recent Social Media Attacks
URL Shortening – Boon & Risk
Screenshot: bit.ly warning page (http://bit.ly/a/warning?url=http%3a%2f%2fsu%2epr%2f4SzLwj&hash=huUyr5), captured 10-12-28 7:10 PM:
STOP - there might be a problem with the requested link
The link you requested has been identified by bit.ly as being potentially problematic. We have detected a link that has been shortened more than once, and that may be a problem because:
• Some URL-shorteners re-use their links, so bit.ly can't guarantee the validity of this link.
• Some URL-shorteners allow their links to be edited, so bit.ly can't tell where this link will lead you.
Spam and malware is very often propagated by exploiting these loopholes, neither of which bit.ly allows for.
The link you requested may contain inappropriate content, or even spam or malicious code that could be downloaded to your computer without your consent, or may be a forgery or imitation of another website, designed to trick users into sharing personal or financial information.
Bit.ly suggests that you:
• Change the original link, and re-shorten with bit.ly
• Close your browser window
• Notify the sender of the URL
Or, continue at your own risk to http://su.pr/4SzLwj
You can learn more about harmful content at www.StopBadware.org. You can find out more about phishing from www.antiphishing.org. For more information about our policy please contact support%[email protected]
Read more about bit.ly's spam and antiphishing partners here. Publish with bit.ly and protect your links.
Security vendor McAfee Inc. is warning of a rising security risk in 2011 in the 3,000 shortened URLs generated per minute for use on social media sites such as Twitter.
Short URL Checkers
Screenshot: Short URL Checker results (http://www.pcistools.com/process_tURL.php, captured 10-12-28 7:12 PM):
URL as entered: http://su.pr/4SzLwj
Resolves to: http://www.good.is/post/12-year-old-girl-runs-make-shift-school-for-village-children/
Enter another URL or read more information about this link:
• Safe Browsing information for this link (source: Google.com)
• Whois information (source: Domaintools.com)
• Blogs (source: Google Blog Search)
• Social Internet Search (source: SocialMention)
Brought to you by: http://pcistools.com/tinyurlchecker.php
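The two slides above show what bit.ly's warning page and a short-URL checker do by hand: walk a shortened link to its real destination and warn when it has been shortened more than once or cannot be resolved. The script below is an added example, not code from the Pink Elephant deck, bit.ly or pcistools.com. It expands a link one redirect at a time using HEAD requests (so the destination body is never downloaded), counts how many hops land on a shortener host, and stops on a redirect loop or a hop limit. The shortener host list and the `DEMO_REDIRECTS` table are constructed for the example; the su.pr link and its good.is destination are the ones shown in the deck, the other entries are made up so the example runs offline.

```python
"""Expand a shortened URL hop by hop and report the conditions the bit.ly
warning page describes: a link shortened more than once, or a link whose
destination cannot be determined. Added example; not from the Pink Elephant deck."""
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urljoin, urlparse
import urllib.error
import urllib.request

# Constructed list of shortener hosts for this example (an assumption; a real
# deployment maintains its own list).
SHORTENER_HOSTS = {"bit.ly", "su.pr", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# A resolver takes a URL and returns the Location header of its redirect,
# or None when the URL does not redirect (or cannot be reached).
Resolver = Callable[[str], Optional[str]]


@dataclass
class Expansion:
    chain: list = field(default_factory=list)      # every URL visited, in order
    final_url: Optional[str] = None                 # landing page, if resolved
    shortener_hops: int = 0                         # how many hops were shorteners
    findings: list = field(default_factory=list)    # why the link deserves a warning


def http_head_location(url: str, timeout: float = 5.0) -> Optional[str]:
    """Live resolver: ask the server for one redirect without following it.
    HEAD means the body of the destination is never downloaded."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface the 3xx as an HTTPError instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.headers.get("Location") if 300 <= err.code < 400 else None
    except (urllib.error.URLError, ValueError, OSError):
        return None


def expand(url: str, resolve: Resolver, max_hops: int = 5) -> Expansion:
    """Follow redirects one at a time, stopping on loops or too many hops."""
    result = Expansion(chain=[url])
    seen = {url}
    current = url
    for _ in range(max_hops):
        host = (urlparse(current).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            result.shortener_hops += 1
        location = resolve(current)
        if location is None:               # no redirect: this is the landing page
            result.final_url = current
            break
        nxt = urljoin(current, location)   # Location may be relative
        if nxt in seen:
            result.findings.append("redirect loop: destination cannot be determined")
            break
        seen.add(nxt)
        result.chain.append(nxt)
        current = nxt
    else:
        result.findings.append(f"more than {max_hops} redirects: destination cannot be determined")
    if result.shortener_hops > 1:          # the case bit.ly's warning page flags
        result.findings.append("shortened more than once")
    return result


def needs_warning(result: Expansion) -> bool:
    return bool(result.findings)


# Constructed offline redirect table (no network needed to run the example).
DEMO_REDIRECTS = {
    "http://bit.ly/demo-chain": "http://su.pr/4SzLwj",
    "http://su.pr/4SzLwj": "http://www.good.is/post/12-year-old-girl-runs-make-shift-school-for-village-children/",
    "http://tinyurl.com/demo-single": "https://example.org/article",
    "http://t.co/demo-loop-a": "http://t.co/demo-loop-b",
    "http://t.co/demo-loop-b": "http://t.co/demo-loop-a",
}


if __name__ == "__main__":
    for start in ("http://bit.ly/demo-chain", "http://tinyurl.com/demo-single", "http://t.co/demo-loop-a"):
        res = expand(start, DEMO_REDIRECTS.get)
        print(start, "->", res.final_url, "| warn" if needs_warning(res) else "| ok", res.findings)
```

To check a real link, pass `http_head_location` as the resolver instead of `DEMO_REDIRECTS.get`. Resolving with HEAD and a hop cap is what keeps the check safe to run from a gateway or help desk script: the expander learns where a link leads without ever fetching the destination page.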
Facebook Email Scam
Awkward (haha) Video Facebook Scam
Screenshot callouts:
• Exposed URLs not always hidden
• Click-jacking
• Rapid spread of malware SPAM
Instant Messenger Attacks
Source: www.securelist.com/en/blog
Facebook Toolbar Phishing
Warning: Fake Zynga Toolbars Will Steal Your Facebook Password
There are two “free toolbars” circulating around the web that pretend to enable users to cheat at Zynga games on Facebook, but actually attempt to steal Facebook login credentials. The false toolbars were spotted by Sunbelt researchers and should be avoided at all cost. See below for more details.
The images below were provided courtesy of Help Net Security and detail the method of operation of the deceitful toolbars.
At first glance, the toolbars look legitimate and appear at the top of your browser, along with a legitimate Facebook logo. The buttons have features that allow for cheating on “Zynga Games” along with other links as well.
The problem is, when users click on the “Facebook” logo in the top left corner of the bar (the layout sometimes changes), they are taken to a false Facebook page that asks you to login but actually steals your credentials instead!
Source: www.securelist.com/en/blog
Facebook Survey Scams
Source: Nakedsecurity.sophos.com/category/social-networks
Malware Infection Example
Source: Nakedsecurity.sophos.com/category/social-networks
Leveraging Twitter Trends
Source: www.securelist.com/en/blog
Fake Adobe Attack From Twitter
Source: www.securelist.com/en/blog
SERVICE LIFECYCLE & RISK MANAGEMENT
Using Frameworks To Manage Social Media Strategy
In this world there are four kinds of people:
• Those who make things happen
• Those who watch things happen
• Those who have things happen to them
• Those who wonder what happened
Service Management & Social Media?
"In its simplest terms, there is anarchy in the absence of social media policy and training," says John Pironti, ISACA board member and president of IP Architects, LLC.
IT Service Lifecycle & Social Media
Business Requirement
• Business Engagement
• Social Media Strategy
• Business Risk Assessment
Plan
• Estimate business and technical resources
• Define Governance & Monitoring
• Establish Social Media Measures
• Establish Risk Mitigation plan
• Establish financial budgets and funding
Source / Build
• Insource / Outsource
• Choose Social Media platforms
• Communication strategy
• Training strategy
Provision
• Build / Publish Services
• Define change approval process
• Service Testing
• Transition to production
Deliver / Operate
• Content Development
• Content Management
• Incident Management
• Security Management
• Change Management
Cost / Recovery
• Track Planned vs Actual cost
• Accounts Payable
Report
• Summary, drill down, analysis
• KPIs
Manage
• Service Analysis
• Customer Value Realization Assessment
• Continual Service Improvement
Service Management Integration
SERVICE STRATEGY • Service Strategy • Financial Management • Service Portfolio Management • Demand Management
SERVICE DESIGN • Service Catalog Management • Service Level Management • Capacity Management • Availability Management • IT Service Continuity Management • Information Security Management • Supplier Management
SERVICE TRANSITION • Transition Planning & Support • Change Management • Service Asset & Configuration Management • Release & Deployment Management • Service Validation & Testing • Evaluation • Knowledge Management
SERVICE OPERATION • Event Management • Incident Management • Request Fulfillment • Problem Management • Access Management
Functions • Service Desk • Technical Management • IT Operations Management • Application Management
CONTINUAL SERVICE IMPROVEMENT • Seven Step Improvement • Service Measurement • Service Reporting
© Crown copyright 2007. Reproduced under license from OGC. Figure 1.2, Service Strategy 1.2.3
A Risk Management Effort Includes:
• Identifying risks related to social media use
• Assessing these risks to ascertain the probability of these risks occurring and the potential impact to the business if they do occur
• Planning a mitigation strategy to deal with the higher impact, higher priority risks
• Managing & monitoring the risks through communication and the implementation of risk mitigation and avoidance strategies
Establishing A Social Media Strategy
When creating a social media strategy, some questions to consider are:
• What are the strategic benefits/goals for leveraging Social Media?
• Are all appropriate stakeholders involved in social media strategy development?
• What platforms will be used when, by whom and for what objectives?
• What are the risks and how will they be mitigated?
• What policies need to be established?
• What are the new legal issues associated with the use of social media?
• How will customer privacy issues be addressed?
• How can positive brand recognition be ensured?
• How will awareness training be communicated to employees and customers?
• How will inquiries and concerns from customers be handled?
• Does the enterprise have the resources to support such an initiative?
Source: ISACA Social Media Business Benefits & Security, Governance and Assurance Perspectives
EXAMPLE SOCIAL MEDIA POLICIES
Establishing Policies
Social Media Policy Categories
Personal use in the workplace:
• Whether it is allowed
• The nondisclosure/posting of business-related content
• The discussion of workplace-related topics
• Inappropriate sites, content or conversations
Personal use outside the workplace:
• The nondisclosure/posting of business-related content
• Standard disclaimers if identifying the employer
• The dangers of posting too much personal information
Business use:
• Whether it is allowed
• The process to gain approval for use
• The scope of topics or information permitted to flow through this channel
• Disallowed activities (installation of applications, playing games, etc.)
• The escalation process for customer issues
Source: ISACA Social Media Business Benefits & Security, Governance and Assurance Perspectives
Example General Guidelines
Be respectful to the company, other employees, customers, partners, and competitors
Social media activities should not interfere with other work commitments or impact productivity
Your online presence reflects the company. Be aware that your actions captured via images, posts, or comments can reflect that of our company
Do not reference or cite company clients, partners, or customers without their express consent. In all cases, do not publish any information regarding a client during the engagement
Company logos and trademarks may not be used without written consent
Policy Statement Examples
Personal blogs should have clear disclaimers that the views expressed by the author in the blog are the author’s alone and do not represent the views of the company
Information published on social networking sites should comply with the company’s confidentiality and disclosure of proprietary data policies. This also applies to comments posted on other blogs, forums, and social networking sites
Watching videos or reading blogs can be invaluable sources of inspiration and information. Please refrain from reading personal or non-industry blogs during company time
Please refrain from personal online shopping during company time
Resources & Policies Examples
• Harvard Law Blogging Policy: http://blogs.law.harvard.edu/terms-of-use/
• Oracle Social Media Participation Policy: http://www.sun.com/communities/guidelines.jsp
• IBM Social Computing Guidelines: http://www.ibm.com/blogs/zz/en/guidelines.html
• 30 Tips to Manage Employees Online: http://ariwriter.com/30-tips-to-manage-employees-online/
• Baker and Daniels Law: http://www.bakerdstreamingvid.com/publications/Baker_Daniels_Social-Media-Policy.pdf
Looking Forward – Discussion
McAfee Labs Predicts (December 28): Emerging Threats in 2011
• Exploiting Social Media: URL-shortening services
• Exploiting Social Media: Geolocation services
• Mobile: Usage is rising in the workplace, and so will attacks
• Apple: No longer flying under the radar
• Applications: Privacy leaks—from your TV
• Hacktivism: Following the WikiLeaks path
• Advanced Persistent Threat: Cyberespionage
Your Thoughts ???
Source: www.mcafee.com
Next Steps When You Go Back
Within 30 days:
• Conduct an assessment of corporate and personal Social Media use
Within 60 days:
• Conduct a risk assessment for Social Media
• Establish policies that address social media use, covering both business and personal use
• Conduct policy training for all users
Within 90 days:
• Define service strategy for Social Media
• Service Design (functional and non-functional requirements)
• Define Transition plans
• Define operational processes and resources
• Define Management and CSI activities and measures
References
• Securing the Social Network – Websense
• Social Media: Business Benefits and Security – ISACA
• CISCO Annual Report on Security 2009
• Social Networking & Security – Infosec.co.uk
• 2010 Threat Report – Websense
Questions?
Thank You PINK ELEPHANT www.pinkelephant.com
Troy DuMoulin
http://blogs.pinkelephant.com/troy
http://twitter.com/TroyDuMoulin