Social media and security essentials.pptx

Social Media & Security Essentials

January 31, 2011

Troy DuMoulin
AVP Strategic Solutions
Pink Elephant

Pink Elephant – Leading The Way In IT Management Best Practices

Welcome & Agenda
  Agenda
  The Impact & Growth of

Social Media
  The key risks of Web 2.0

and Social Media
  Recent Example Case

Studies for Facebook
and Twitter
  Social Media as an IT

Service
  Establishing Social

Media Policies
  Looking at 2011

  Next Steps

Objective:
Practical guidance about how to effectively
manage social networking security risks
© Pink Elephant, 2011. All Rights Reserved.
Social Media & Security Essentials ITIL® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries. 2

The Flood Of Social Media NOW
  Adoption has surged to staggering heights. While
Facebook has over 500 million users (July 2010),
MySpace has nearly 70 million in the U.S. (June 2010)
and LinkedIn has around 75 million worldwide (August
2010). As for Twitter, 105,779,710 registered users (April
2010) account for approximately 750 tweets each second
  Facebook platform houses over 550,000 active
applications and is integrated with more than one million
websites
  Burson-Marsteller study showed that, “of the Fortune
Global 100 companies, 65% have active Twitter
accounts, 54% have Facebook fan pages, 50% have
YouTube video channels and 33% have corporate blogs”
Securing the Social Network – Websense Whitepaper


Managing vs. Blocking Social Media

Not possible to ban the use of Social Media anymore than
it was possible to ban the internet (both have been tried)


Websense Research Highlights 2010
Based on a sample size of 200,000 Facebook and Twitter Entries

•  Websense Security Labs
identified a 111.4% increase
in the number of malicious
websites from 2009 to 2010
•  79.9% of websites with
malicious code were
legitimate sites that have
been compromised— an
increase of 3% from the last
previous period
•  Searching for breaking
trends and current news
represented a higher risk
(22.4%) than searching for
objectionable content
(21.8%)
•  52% of data stealing attacks
occurred over the Web

Every hour Websense scans more than 40 million websites for
malicious code and nearly 10 million emails for unwanted content and malicious
code. Using more than 50 million real-time data collecting systems, it monitors and
classifies Web, email, and data content. www.websense.com

2010 Threat Report – Websense

Websense Research Highlights 2010
Based on a sample size of 200,000 Facebook and Twitter Entries

40% of all Facebook status updates
have links and 10% of those links are
either spam or malicious. 2010 Threat Report – Websense


CISCO Annual Security Report
  Consider social media. Its impact on computer security cannot be
overstated, It is common for workers to blend business and personal
communications on these social networks, further blurring the network
perimeter
  The high levels of trust that users place in social networks – that is,
users’ willingness to respond to information appearing within these
networks – has provided ample opportunity for new and more
effective scams. Instead of searching out technical vulnerabilities to
exploit, criminals merely need a good lure to hook new victims
  No longer does business take place solely behind network walls. The
critical work of an organization is happening increasingly on social
networks, on handheld devices, on Internet kiosks at airports, and at
local cafes
  Social Media “Were The Problem” Social media users believe there is
protection in being part of a community of people they know.
Criminals are happy to prove this notion wrong


Social Media Risks – 1
Threat & Vulnerabilities Risks
Lack of control •  Automated protection can only block or
enable websites and domains. (On or OFF)
•  Classic Anti Virus software is ineffective
against social engineering or phishing attacks
•  Engaging in Social Media does not require IT
involvement or approvals
•  Lack of a business policy or lack of
enforcement of the policy
Exposure growing on •  Malicious code “is not just coming from the
legitimate websites dark corners of the web, “Some 79 percent is
coming from legitimate sites”

Data loss is often based on •  Social networking sites are all about trusted
exploiting implicit trust (Trust communities collaboration and data sharing
conditioning) •  Most malware, scams and phishing attacks
are successful since they are based on
preying upon trusted relationships


Social Media Risks – 2
Threats & Vulnerabilities Risks
Customer or Employee exposure •  Loss or exposure of customer information
leading to liability or loss of trust
•  Reputational damage
•  Targeted marketing to your customers
•  Targeted head hunting of your employees
Unclear or loss of content •  Enterprise’s loss of control/legal rights of
rights for information posted to information posted to the social media
social media sites sites
•  Privacy violations

Mis-directed surfing on •  Shortened URL Spoofing
legitimate sites •  Identity theft
•  Search Engine Optimization (SEO)
poisoning
•  Cross site scripting attacks
•  Trojan & Botnet proliferation


Early Adoption – Risk & Reward
Look for prior
Success Interested in
cost & cost
control
Embrace New
Technology
Luddites
Social
Media

Innovators Early Early Late Laggards
2.5 % Adopters Majority Majority 16 %
13.5 % 34 % 34 %

Companies are driven by growth. Growth often comes from innovation. Many companies get a leg
on competition by being willing to take a managed risk.


Recent Social Media Attacks

CASE STUDY EXAMPLES

Social Media & Security Essentials ITIL® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries.

URL Shortening – Boon & Risk
Warning! | There might be a problem with the requested link 10-12-28 7:10 PM

STOP - there might be a problem with the requested link
The link you requested has been identified by bit.ly as being potentially problematic. We have detected a link that
has been shortened more than once, and that may be a problem because:
Some URL-shorteners re-use their links, so bit.ly can't guarantee the validity of this link.
Some URL-shorteners allow their links to be edited, so bit.ly can't tell where this link will lead you.
Spam and malware is very often propagated by exploiting these loopholes, neither of which bit.ly allows for.

The link you requested may contain inappropriate content, or even spam or malicious code that could be
downloaded to your computer without your consent, or may be a forgery or imitation of another website,
designed to trick users into sharing personal or financial information.

Bit.ly suggests that you
Change the original link, and re-shorten with bit.ly
Close your browser window
Notify the sender of the URL

Or, continue at your own risk to
http://su.pr/4SzLwj

You can learn more about harmful content at www.StopBadware.org
You can find out more about phishing from www.antiphishing.org
For more information about our policy please contact support%2Bspam@bit.ly

Read more about bit.ly's spam and antiphishing partners here

Publish with bit.ly and protect your links

Security vendor McAfee Inc. is warning of a rising security risk in 2011
in the 3,000 shortened URLs generated per minute for use on social
media sites such as Twitter.

http://bit.ly/a/warning?url=http%3a%2f%2fsu%2epr%2f4SzLwj&hash=huUyr5 © Pink Elephant, 2011. All Rights Reserved.
Page 1 of 1

Short URL Checkers
Short URL Checker - RESULTS 10-12-28 7:12 PM

Short URL Checker Results
Home > Tinyurl Checker

URL as entered: http://su.pr/4SzLwj
http://www.good.is/post/12-year-old-girl-runs-make-shift-school-for-
village-children/
Enter Another URL or read more information about this link:

Safe Browsing Information About This Site

Safe Browsing information for this link (source: Google.com)

WHOIS

Whois Information (source: Domaintools.com)

Blog Search

Blogs (source: Google Blog Search)

Social Media Analysis

Social Internet Search (source: SocialMention)

Brought to you by:
http://pcistools.com/tinyurlchecker.php


http://www.pcistools.com/process_tURL.php Page 1 of 2

Facebook Email Scam


Awkward (haha) Video Facebook Scam

Exposed
URL’s not
Always hidden

Click-Jacking
Rapid spread of
Malware
SPAM


Instant Messenger Attacks

www.securelist.com/en/blog


Password
There are two “free toolbars” circulating around the web that
pretend to enable users to cheat at Zynga games on Facebook,
but actually attempt to steal Facebook login credentials. The

Facebook Toolbar Phishing false toolbars were spotted by Sunbelt researchers and should
be avoided at all cost. See below for more details.

The images below were provided courtesy of Help Net Security and detail the method
of operation of the deceitful toolbars.

At first glance, the toolbars look legitimate and appear at the top of your browser,
along with a legitimate Facebook logo. The buttons have features that allow for
cheating on “Zynga Games” along with other links as well.

The problem is, when users click on the “Facebook” logo in the top left corner of the
bar (they layout sometimes changes), they are taken to a false Facebook page that asks
you to login but actually steals your credentials instead!



Facebook Survey Scams

Nakedsecurity.sophos.com/category/social-networks

Malware Infection Example

Nakedsecurity.sophos.com/category/social-networks

Leveraging Twitter Trends



Fake Adobe Attack From Twitter



Using Frameworks To Manage Social Media Strategy

SERVICE LIFECYCLE &
RISK MANAGEMENT


Service Management & Social Media?
In this world there are four kinds of people:

  Those who make things happen
  Those who watch things happen
  Those who have things happen to them
  Those who wonder what happened

"In its simplest terms, there is anarchy in the absence of social media policy and
training," says John Pironti, ISACA board member and president of IP Architects, LLC.

23

IT Service Lifecycle & Social Media
Manage Business
Requirement
•  Business Engagement
•  Social Media Strategy
Manage •  Business Risk Assessment
Plan
•  Service Analysis •  Estimate business and technical resources
•  Customer Value Realization Assessment •  Define Governance & Monitoring
•  Continual Service Improvement •  Establish Social Media Measures
•  Establish Risk Mitigation plan
•  Establish financial budgets and funding

Report Source /build
•  Summary, drill down, analysis •  Insource / Outsource
•  KPIs •  Choose Social Media
platforms
•  Communication strategy
•  Training strategy

Cost / Recovery Provision
•  Track Planned vs Actual cost •  Build / Publish Services
•  Accounts Payable •  Define change approval process
Deliver/ •  Service Testing
Operate •  Transition to production
•  Content Development
•  Content Management
Plan / Build
•  Incident Management
Operate •  Security Management
•  Change Management


Service Management Integration
SERVICE STRATEGY SERVICE DESIGN
•  Service Strategy •  Service Catalog Management
•  Financial Management •  Service Level Management
•  Service Portfolio Management •  Capacity Management
•  Demand Management •  Availability Management
•  IT Service Continuity Management
•  Information Security Management
•  Supplier Management

© Crown copyright 2007
Reproduced under license from OGC
Figure 1.2 Service Strategy 1.2.3

SERVICE OPERATION SERVICE TRANSITION
•  Event Management •  Transition Planning & Support
•  Incident Management •  Change Management
•  Request Fulfillment •  Service Asset & Configuration
•  Problem Management Management
•  Access Management •  Release & Deployment
Management
Functions •  Service Validation & Testing
•  Service Desk •  Evaluation
•  Technical Management CONTINUAL SERVICE IMPROVEMENT •  Knowledge Management
•  IT Operations Management •  Seven Step Improvement
•  Application Management •  Service Measurement
•  Service Reporting


A Risk Management Effort Includes:

  Identifying risks related to social media use
  Assessing these risks to ascertain the probability of these
risks occurring and the potential impact to the business if
they do occur
  Planning a mitigation strategy to deal with the higher
impact, higher priority risks

  Managing & Monitoring the risks through
communication and the implementation
of risk mitigation and avoidance
strategies


Establishing A Social Media Strategy
  When creating a social media strategy, some questions to
consider are:
  What are the strategic benefits/goals for leveraging Social Media?
  Are all appropriate stakeholders involved in social media strategy
development?
  What platforms will be used when, by whom and for what objectives?
  What are the risks and how will they be mitigated?
  What policies need to be established?
  What are the new legal issues associated with the use of social media?
  How will customer privacy issues be addressed?
  How can positive brand recognition be ensured?
  How will awareness training be communicated to employees and
customers?
  How will inquiries and concerns from customers be handled?
  Does the enterprise have the resources to support such an initiative?
Source: ISACA Social Media Business Benefits & Security, Governance and Assurance Perspectives


Establishing Policies

EXAMPLE SOCIAL MEDIA
POLICES


Social Media Policy Categories
  Personal use in the workplace:
  Whether it is allowed
  The nondisclosure/posting of business-related content
  The discussion of workplace-related topics
  Inappropriate sites, content or conversations
  Personal use outside the workplace:
  The nondisclosure/posting of business-related content
  Standard disclaimers if identifying the employer
  The dangers of posting too much personal information
  Business use:
  Whether it is allowed
  The process to gain approval for use
  The scope of topics or information permitted to flow through this
channel
  Disallowed activities (installation of applications, playing games, etc.)
  The escalation process for customer issues
Source: ISACA Social Media Business Benefits & Security, Governance and Assurance Perspectives

Example General Guidelines
  Be respectful to the company, other employees, customers,
partners, and competitors
  Social media activities should not interfere with other work
commitments or impact productivity
  Your online presence reflects the company. Be aware that
your actions captured via images, posts, or comments can
reflect that of our company
  Do not reference or site company clients, partners, or
customers without their express consent. In all cases, do not
publish any information regarding a client during the
engagement
  Company logos and trademarks may not be used without
written consent

Policy Statement Examples
  Personal blogs should have clear disclaimers that the
views expressed by the author in the blog is the author’s
alone and do not represent the views of the company
  Information published on social networking sites should
comply with the company’s confidentiality and disclosure
of proprietary data policies. This also applies to
comments posted on other blogs, forums, and social
networking sites
  Watching videos or reading blogs are invaluable sources
of inspiration and information. Please refrain from
reading personal or non-industry blogs during company
time
  Please refrain from personal online shopping during
company time

Resources & Policies Examples

  Harvard Law Blogging Policy
http://blogs.law.harvard.edu/terms-of-use/
  Oracle Social Media Participation Policy
http://www.sun.com/communities/guidelines.jsp
  IBM Social Computing Guidelines
http://www.ibm.com/blogs/zz/en/guidelines.html
  30 Tips to Manage Employees Online
http://ariwriter.com/30-tips-to-manage-employees-online/
  Baker and Daniels Law
http://www.bakerdstreamingvid.com/publications/
Baker_Daniels_Social-Media-Policy.pdf


Looking Forward – Discussion
  McAfee Labs Predicts December 28, Emerging Threats
in 2011
  Exploiting Social Media: URL-shortening services

  Exploiting Social Media: Geolocation services

  Mobile: Usage is rising in the workplace, and so will

attacks
  Apple: No longer flying under the radar

  Applications: Privacy leaks—from your TV

  Hacktivism: Following the WikiLeaks path

  Advanced Persistent Threat: Cyberespoinage

  Your Thoughts ???

www.mcafee.com


Next Steps When You Go Back
  Within 30 days:
  Conduct an assessment of corporate and personal Social

Media use
  Conduct risk assessment for Social Media

  Established policies that addresses social media use covering

both business and personal use
  Conduct policy training for all users

  Define service strategy for Social Media

  Service Design (functional and non functional requirements)

  Define Transition plans

  Define operational processes and resources

  Define Management and CSI activities and measures


References

  Securing Social Network – Websense
  Social Media: Business Benefits and Security – ISACA
  CISCO Annual Report on Security 2009
  Social Networking & Security – Infosec.co.uk
  2010 Threat Report – Websense


Questions?

Troy DuMoulin
t.dumoulin@pinkelephant.com
http://blogs.pinkelephant.com/troy
http://twitter.com/TroyDuMoulin

Thank You
PINK ELEPHANT
www.pinkelephant.com

Social media and security essentials.pptx

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Social media and security essentials.pptx

Similar a Social media and security essentials.pptx (20)

Más de Pink Elephant

Más de Pink Elephant (7)

Último

Último (20)

Social media and security essentials.pptx