More Related Content Similar to Social Media Security 2011 (20) More from Donald E. Hester (20) Social Media Security 20112. Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+
Director, Maze & Associates
University of San Francisco / San Diego City College
www.LearnSecurity.org | www.linkedin.com/in/donaldehester | www.facebook.com/LearnSec | www.twitter.com/sobca
DonaldH@MazeAssociates.com
5. Social Tech Issues
Rev2/28/2011 © 2011 Maze & Associates 5
M
• Marketing
• Brand Protection
• Customer
Relations
HR
• Hiring
• Personnel
Management
P
• Privacy
• Identity
• Home/Work
7. Brand Protection - Concerns
• Fear of losing control
• Fear of losing customers
• Fear of losing money
• Fear of customers speaking up
• Avoiding social media
– Fear of the unknown
– Thinking it is a fade
• Not understanding social media
• How will you measure impact
Rev2/28/2011 © 2011 Maze & Associates 7
11. How to get started
• Social Technology
– The train has left the building, are you on it?
• Get informed
• Get help (technical and soft skills)
• Develop a social media marketing
strategic plan
• Create short term goals
• Execute and Adapt
Rev2/28/2011 © 2011 Maze & Associates 11
12. Marketing
• Manger's Guide to Social Media
– by Scott Klososky
• The FaceBook Era
– by Clara Shih
• Facebook Marketing: An Hour a Day
– by Chris Treadaway and Mari Smith
• New Rules of Marketing and PR
– by David Meerman Scott
• The Zen of Social Media Marketing: An Easier Way to
Build Credibility, Generate Buzz, and Increase
Revenue
– by Shama Kabani and Chris Brogan
Rev2/28/2011 © 2011 Maze & Associates 12
17. Endorsements
• If you are being paid to endorse a product, you
must make that clear to consumers.
Rev2/28/2011 © 2011 Maze & Associates 17
http://www.ftc.gov/opa/2009/10/endortest.shtm
19. Social Media Uses in HR
• The use of social media outside of
personal lives has increased and
continues to increase
• Concern that potential employers will
misconstrue what is seen
• Used for monitoring current employees
• Used for screening job applicants
– Employees see it as a good way to “get to
know” the applicant
Rev2/28/2011 © 2011 Maze & Associates 19
22. Rev2/28/2011 © 2011 Maze & Associates 22
http://smallbiztrends.com/2009/09/social-media-background-checks.html
23. Horns of a dilemma
• If employers use social media to do
background checks on employees
– The company is open to discrimination
charges
– The candidates is vulnerable to
discrimination
Rev2/28/2011 © 2011 Maze & Associates 23
24. Horns of a dilemma
• If employers don’t use social media to do
background checks on employees
– The company is open to negligent hires
– Good candidates are missed
– Bad candidates are hired
Rev2/28/2011 © 2011 Maze & Associates 24
25. Use of Social Media at Work
• Does your company have a social media
policy?
• How much time do employees use social
media?
• Does it effect employee productivity?
• How much cross over between work /
home life?
Rev2/28/2011 © 2011 Maze & Associates 25
28. Online Privacy
• Do you have control of what is posted?
• Not all fame is good!
• People use anonymity to post stuff
about others!
• Embarrassing, loss of credibility
Rev2/28/2011 © 2011 Maze & Associates 28
29. Information about you online
• Do I have control of
what is posted about
me?
• Look yourself up!
• All but one of these
is about me.
• One of these I was
completely unaware
of.
• Even if you are not
on the web, you may
be on the web!
• Do what you can to
control what is out
there.
• What is you social
relevancy
(Reputation)?
Rev2/28/2011 © 2011 Maze & Associates 29
35. Social Media (Web 2.0)
Services are extremely popular and useful
Almost a must today, (if you are not in, you are
out)
People post too much information about
themselves or their kids
Be aware of your aggregate information
The key is to be aware of what you are sharing
Rev2/28/2011 © 2011 Maze & Associates 35
36. Online Privacy
• Would you invite
a stranger into
your house to
look at your
children's photo
album?
• Public v. Private
• Aggregate
information
sources could
give someone
more information
than intended.
Rev2/28/2011 © 2011 Maze & Associates 36
37. Situation
• Why does someone want your
personal information?
– In an information age information
becomes a commodity
– Information has a value
– Some information has a greater
value
– Your personal information is
potentially worth more than you
think
Rev2/28/2011 © 2011 Maze & Associates 37
38. What is PII
• Personally Identifiable Information
– Name and account number
– Name and social security number
– Name and address
– Credit Card Number
• Where you might find it
– Tax files
– Account Statements
– Records (Medical, Public and other)
– Businesses you do business with
Rev2/28/2011 © 2011 Maze & Associates 38
39. ID Theft vs. ID Fraud
• “Identity fraud," consists mainly of
someone making unauthorized charges
to your credit card.
• “Identity theft,” is when someone
gathers your personal information and
assumes your identity as their own.
"Identify theft is one of the fastest
growing crimes in the US."
John Ashcroft
79th US Attorney General
Rev2/28/2011 © 2011 Maze & Associates 39
40. • March 20th 2001, MSNBC reported the first
identity theft case to gain widespread public
attention
• Thief assumed the identities of Oprah Winfrey
and Martha Stewart, took out new credit cards in
their names, and accessed their bank accounts
• Stole more than $7 million from 200 of the
world’s super rich - Warren Buffet and George
Soros, tech tycoons Paul Allen and Larry Ellison
• Used a library computer, public records, a cell
phone, a fax machine, a PO Box, and a copy of
Forbes Richest People
• 32-year-old Abraham Abdallah was described as
“a high school dropout, a New York City busboy, a
pudgy, disheveled, career petty criminal.”
The Busboy That Started It All
Rev2/28/2011 © 2011 Maze & Associates 40
41. ID Theft & Fraud
• PII exposed by others (Data Breaches)
• PII exposed by ourselves (online & others)
• Malware (Spyware, Viruses, etc…)
• Social Engineering
– Phone
– Internet (Phishing, social websites etc…)
– In Person (at your door, in a restaurant etc…)
• Physical theft
– Mail box
– Trash (Dumpster diving)
– ATMs (skimming)
– Home break-ins
Rev2/28/2011 © 2011 Maze & Associates 41
42. What do they do with stolen IDs?
Rev2/28/2011 © 2011 Maze & Associates 42
43. Drug Trafficking and ID Theft
Meth users see mail theft and check washing as a low risk
way to pay for their habit.
The same chemicals used in Meth production are used in
check washing.
Meth users, dealers and fraudsters are partners in crime.
Rev2/28/2011 © 2011 Maze & Associates 43
44. FTC 2009 Stats
• Top counties with ID theft
– Solano County 18 out of 375
• Average per victim loss
– $10,000
• Total complaints filed in 2009
– 1.3 Million
Rev2/28/2011 © 2011 Maze & Associates 44
FTC http://www.ftc.gov/opa/2010/02/2009fraud.shtm
45. HOW MIGHT YOU EXPOSE YOUR
PII
Rev2/28/2011 © 2011 Maze & Associates 45
46. Watch what you put online
Rev2/28/2011 © 2011 Maze & Associates 46
http://www.youtube.com/watch?v=Soq3jzttwiA
47. Can someone use what you post
against you?
Rev2/28/2011 © 2011 Maze & Associates 47
48. P2P (Peer to Peer file sharing)
• Napster used to fit in this category
• Used to ‘share’ computer files
• Legal issues with copyright
• Malware issues, often the P2P software
will install adware or tracking software.
• Privacy issues, do you know what you
are sharing?
Rev2/28/2011 © 2011 Maze & Associates 48
49. HOW BAD GUYS MIGHT GET
YOUR PII
Rev2/28/2011 © 2011 Maze & Associates 49
50. Malware
• Malware (Viruses, Worms, Spyware,
etc…)
– 1999 Melissa, Kevin Mitnick,
– 2000 Mafiaboy, DoS Assault,
– 2001 Code Red, Nimda,
– 2002 Root Rot, Slapper,
– 2003 SQL Slammer,
– 2004 MyDoom, BerBew,
– 2005 Samy (MySpace),
– 2007 Storm Worm, Botnets, etc..
Malware has cost
trillions of dollars in
the last decade
Rev2/28/2011 © 2011 Maze & Associates 50
51. Viruses
• In the past they were primarily
destructive
• Today they focus on stealing information
• Using your computer as a Bot (Zombie)
to send out SPAM
Rev2/28/2011 © 2011 Maze & Associates 51
52. Phishing: Internet Fraud
• Oldest trick in the book,
there are examples in the
1500s
• One particular fraud is called
the “Nigerian 419” scam or
“Advanced Fee Fraud”
• Started as a letter, then it
showed up in faxes and now
it is sent by email.
• Many variations on the story
the message contains
http://www.secretservice.gov/fraud_email_advisory.shtml
Rev2/28/2011 © 2011 Maze & Associates 52
56. Cell Phone Spyware
Rev2/28/2011 © 2011 Maze & Associates 56
http://www.youtube.com/watch?v=uCyKcoDaofg
http://news.rutgers.edu/medrel/news-releases/2010/02/rutgers-researchers-20100222
http://www.youtube.com/watch?v=UZgf32wVTd4
57. Physical theft
• Dumpster diving
• ATM – Credit Card skimming
• Mailbox
• Home Break-in
Rev2/28/2011 © 2011 Maze & Associates 57
62. Credit Card Skimming Stats
TOP MERCHANT GROUPS
RESTAURANTS
GAS
HOTELS
CAR RENTALS
ALL OTHER
SOURCE: CALIFORNIA RESTAURANT ASSOCIATION, VISA USA, UNITED STATES SECRET
SERVICERev2/28/2011 © 2011 Maze & Associates 62
63. Credit Card Skimming Stats
BY MERCHANT LOCATIONS
CALIFORNIA
FLORIDA
NEW YORK
NEW JERSEY
TEXAS
MEXICO
ILLINOIS
ALL OTHER
SOURCE: CALIFORNIA RESTAURANT ASSOCIATION, VISA USA, UNITED STATES SECRET
SERVICERev2/28/2011 © 2011 Maze & Associates 63
65. How others might expose your PII
• Data Breach
– Lack of security on the part of businesses
– Organization may post information online
– Loss of a laptop, hard drive or paper work
– Data loss by a third party
– Hacker (Organized Crime & Nation State)
– Organizations may break into your
computer
Rev2/28/2011 © 2011 Maze & Associates 65
67. Public Records
Rev2/28/2011 © 2011 Maze & Associates 67
“The federal government is the
biggest offender.”
Paul Stephens
Privacy Rights Clearinghouse
68. Others losing your ID
4.2 million customer card transactions were compromised by hackers
Rev2/28/2011 © 2011 Maze & Associates 68
70. Top 10 Largest Breaches*
Records Date Organizations
130,000,000 2009-01-20 Heartland Payment Systems
94,000,000 2007-01-17 TJX Companies Inc.
90,000,000 1984-06-01 TRW, Sears Roebuck
76,000,000 2009-10-05 National Archives and Records Administration
40,000,000 2005-06-19 CardSystems, Visa, MasterCard, American Express
30,000,000 2004-06-24 America Online
26,500,000 2006-05-22 U.S. Department of Veterans Affairs
25,000,000 2007-11-20 HM Revenue and Customs, TNT
17,000,000 2008-10-06 T-Mobile, Deutsche Telekom
16,000,000 1986-11-01 Canada Revenue Agency
Rev2/28/2011 © 2011 Maze & Associates 70
*Top ten data breaches as of 22 Feb 2010. Data provided by DataLoss db.
725,797,885 breached records out of 2466 reported incidents.
71. Repeat Offenders*
Company Number of
Reported Breaches
LPL Financial 12
Nationwide 11
Equifax 11
Experian 11
Blue Cross 10
B of A 9
Cornell University 9
University of Iowa 9
HSBC 8
Pfizer 8
Rev2/28/2011 © 2011 Maze & Associates 71
*As of 22 Feb 2010. Data provided by DataLoss db.
725,797,885 breached records out of 2466 reported incidents.
72. Sony Root kit
• Sony, in its efforts to preserve control
over its product, installed root kits on
consumers computers
• Consumers were not aware it was
installed (on copy-protected CDs)
• Gave Sony and potentially hackers the
ability to remotely control your computer
• Removal of software disabled CD drives
on consumers computers
http://www.cnet.com/4520-6033_1-6376177-1.html?tag=nl.e501
Rev2/28/2011 © 2011 Maze & Associates 72