My presentation from Interop 2011 on: Social networks and security – can you have both?

1. Social networks and security –
can you have both?
Ben Rothke, CISSP, CISM CISA
Session SE-31
May 12, 2011
@benrothke

2. About me
• Ben Rothke, CISSP, CISM, CISA
• Senior Security Consultant – British Telecom
• Frequent writer and speaker
• Author - Computer Security: 20 Things Every
Employee Should Know (McGraw-Hill)
• Write the Security Reading Room blog
– https://365.rsaconference.com/blogs/securityreading

3. Agenda
• Overview of social networks
• Scary security risks associated with social
networks
• Social network security strategies
• Conclusion / Recommendations / Q/A

4. Security risks can’t be ignored

5. Twitter – corporate, mainstream

6. Facebook – corporate, mainstream

7. Business benefits
• enhanced collaboration
• faster access to information within the
company
• ability to get questions answered
• shared workspaces
• microblogs and chat
• platform applications

8. Social networking reality

9. ….is now social networking
• Your mission
– find 20 design engineers based in the US at Boeing
– build a rapport with them to get designs for new 737 derivative
• Time / Budget / Success
– 1990 – Many people, many months, limited success, very
expensive
– 2011 – One person, multiple Facebook accounts, can outsource to
India, near immediate results, extremely high success rate
• Facebook - easy to find out who they are
– who their friends are
– what they like, where they shop, daily habits, friends

10. • To block or not to block?
– no longer the question
• Social media isn’t a choice anymore – it’s
a business transformation tool
– Natalie Petouhoff – Weber Shandwick
• Business and information security goal
– Secure use and enablement of social
media

11. Reasons not to block
• Don’t blame the game, blame the player
• Smart companies control, not block
– Staff can use social media and be productive
• No longer a 9-5 world
• Lose the benefits of social media
• Abusers don’t suddenly become productive
– Social media abuse - HR issue.
– Not a technical issue

12. New security ideas required
• Easy security tasks
– Block all outbound ftp traffic
– Use DLP to encrypt sensitive -mails
– Block admission to network if host AV signatures are
not current
– Use SIEM to correlate all logs
• Challenging security task
– Stop end-users from inappropriate sharing of
confidential/proprietary data via social networks

13. Resistance is futile
• Social networks are not a fad
• Not only is resistance futile - it is a
negative business decision
• Prepare a social networking strategy
• Have a realistic understanding of the
risks and benefits of social software
• Understand unique challenges and factor
them into on when and how to proceed

14. Try stopping this…

15. Security game-changer
• Organizations and management are
struggling
– to understand and deal with the numerous security
and privacy risks associated with social networks
• Traditional information security
– firewalls and access control protected the perimeter.
Social networks open up that perimeter
• Focus shift
– from infrastructure protection to data protection

16. Security issues
• People will share huge amounts of highly
confidential personal & business information
with people they perceive to be legitimate
• Numerous legitimate security risks with
allowing uncontrolled access to social sites
• But…these risks can be mitigated via a
comprehensive security strategy

17. Security and privacy risks
• Malware
– Social networks as a malware distribution point
• Vulnerabilities
– cross site scripting, cross site request forgery
– 1 in 5 web attacks aimed at social networks
• Corporate espionage
• Phishing / spear phishing
• Bandwidth consumption

18. More security and privacy risks
• Information leakage
• Social engineering attacks
• Geotagging / location-based social
networking
– allows random people to track an individual’s
location and correlate it with other information
– publishing business photos can be detrimental to
business
– Content-based Image Retrieval (CBIR)

19. Cree.py is just the beginning

20. Infosec losing on social media?
• Requires a combination of technical,
behavioral and organizational security
controls
– many information security groups clueless on
how to do that
• Arguing that social media presents a
highly unmanageable set of security risks
– gives the impression that the infosec group is
incompetent

21. Strategies and action items
for enterprises to deal with
the security and privacy
risks of social networks

22. Secure use of social media
1. Enablement
– Awareness, education
2. Governance
– Corporate social media strategy
– Realistic policies
3. Management
– Effective monitoring

23. Get in front of the wave
• Be proactive
– dedicated team to deal with social networks
– identify all issues around social networks
• Get involved and be engaged
• Social networking is moving fast
• Be flexible
– overall uncertainty about what strategies and
tactics to adopt to security social media

24. Risk assessment
• for each social network community
– vulnerabilities associated with each
community
• each social community has its own set of
unique security and privacy concerns
• which users are the greatest risk?

25. Risk assessment
• output will be used to create the social
media policy and strategy
– customized to your specific risk matrix
• balance risks vs. benefits
– US Marines – totally prohibited
– Starbucks – totally embraced

26. Social network risk assessment
• LinkedIn analysis – you can determine:
• what technologies a company is using
• corporate direction
• vendors
• partners
• internal e-mail addresses and address formats
• Facebook analysis – you can determine:
• almost everything

27. Social media strategy
• Based on your social media goals
• Identify people or positions who will be the
online public face of the firm
• Decide if/how employees may identify
themselves
• Twitter strategy for Government
Departments
– http://digitalengagement.cabinetoffice.gov.uk/blog

28. Social media strategy
• Draconian policies preventing the use of
social media will most often not be
effective
• Use a balanced approach
– allow access
– manage risk via technical controls, policies
and employee training

29. Blurred role boundaries
• who speaks for the company
• border between the company and the
outside world is evaporating
• management decision, not an IT decision
• strategies: block, contain, disregard,
embrace
• create user scenarios
– not all users need access

30. Social networking policy
• Social networking policy is a must
– even if it prohibits everything, you still need a policy
• Employees will do stupid things
• Rational, sensible use of social media
services
– include photography and video
– don’t reference clients, customers, or partners
without obtaining their express permission

31. Monitoring
• Maintain control over content company
owns
– monitor employee social networking participation
– significant risk of loss of IP protection if not
monitored
– inappropriate use of enterprise content occurred?
• notify employee - explain how their actions violated
policy
– control where and how corporate content is
shared externally

32. Security awareness
• Social media is driven by social interactions
• Most significant risks are tied to the behavior of
staff when they are using social software
• Don'shun social media for fear of bad end-
t
user behavior
– Anticipate it and formulate a multilevel approach to
policies for effective governance
• 3 C’s
– clear, comprehensive, continuous

33. Security awareness
• Awareness and training program is critical
– effectively communicated and customized
– disseminate to everyone
– ensure recurrent training
– create topic taboo lists
– define expectations of privacy

34. How to get fired in 3 tweets….
• Let employees know they can lose their job
– policy violation
– managers and executives - special responsibility
when blogging by virtue of their position
– too much time on social network sites
– perception that they are promoting themselves at
the expense of the company
– especially if employer is not into social networking

35. End-user awareness
• Curb your enthusiasm
– those with OCD/addictive personalities – be
cognizant of addictive nature of social networking
– what is fun today is embarrassing tomorrow
– expect that entire world will see your comments
– consider carefully which images, videos and
information you publish
– set daily time limits on social media

36. Awareness 101
• Ensure staff know about and are
compliant with social media guidelines
– post something corporate, ensure that it is
public information
– be careful about posting customer
information, even if it is public

37. Awareness 101
• Ensure staff know about and are
compliant with social media guidelines
– breach of insider information can cost you your job
– know the rules of using social networking sites
while at work
– take extra care if you friend your boss on Facebook
– Facebook is viral and addictive – don’t waste the
workday on it

38. Social media guidelines
• Without guidelines, breaches are inevitable
• Excellent sources:
– Intel Social Media Guidelines
– IBM Social Computing Guidelines
– Oracle Social Media Participation Policy
• Policies much have directives for blogs, wikis, social networks,
virtual worlds, social media and more.

39. Regulatory compliance
• Regulatory framework should be reviewed
and where necessary, revised
• Consider what specific laws, regulations,
standards, breach notice laws apply

40. Reputation management
• Traditional PR and legal responses to an
Internet-based negative reputation event can
cause more damage than doing nothing
• establish, follow and update protocols can
make social-media chaos less risky to
enterprises
• Infosec coordinate activities with PR teams
– expand monitoring and supplement monitoring with
investigations and evidence collection processes

41. Reputation management

42. Reputation management
• Goal is to build and protect a positive
Internet-based reputation
• Risks to reputation are significant and
growing with the increased use of social
networks
• Create reputation management group with
input from IT, legal, risk management, PR
and marketing

43. Reputation management
• Coordinated approach
– proactive / responsive

44. HR must be involved
• Social networks open up a huge can of HR
worms
• What are disciplinary actions for non-
compliance?
• Can candidate’s social network presence
be a factor in hiring process?
• Create directives for managing personal
and professional time

45. HR must be involved
• Don’t be seen as encroaching on
employees’ free speech
• Create reasonable guidelines
• Explain how innocent postings can be
misconstrued
• heavy-handed approach will often backfire
and result in lower morale and often bad
publicity

46. HR & FCRA
• Via Facebook, you can know way too
much about a candidate:
– race, orientation, religion, politics, health, etc.
– such information can be used to show bias
• EEOC and expensive litigation

47. References
• Clearswift Security Awareness Research
• New Media and the Air Force
• ENISA position papers
– Security Issues and Recommendations for Online
Social Networks
– Online as Soon as it Happens
• Parents’ Guide to Facebook

48. Conclusion
• Social networks introduce security risks
– social networks & security can be compatible
• Perform a comprehensive risk assessment
against all social networks to be used
• Understand business & technical
requirements
• Recognize these security and privacy risks
and take a formal approach to mitigate them

49. Contact info
• Ben Rothke, CISSP CISA
• Senior Security Consultant
• BT Professional Services
• @benrothke
• www.linkedin.com/in/benrothke
• www.twitter.com/benrothke
• www.slideshare.net/benrothke