This document discusses social media infiltration in enterprises. It begins by defining social media and highlighting its widespread adoption, with billions of users on Facebook, Twitter and LinkedIn. The presenter argues that enterprises must embrace social media as that is where customers and prospects are increasingly engaging. Both opportunities and risks of social media for businesses are covered. The presentation emphasizes establishing social media policies and strategies to manage risks and prevent potential disasters, while leveraging benefits like improved collaboration and marketing reach. It concludes by arguing that doing nothing is not an option for enterprises, and a formal approach is needed to mitigate new security risks introduced by social media.
Social Media: Infiltrating The Enterprise
1. SOCIAL MEDIA:
INFILTRATING THE
ENTERPRISE
MIDTECH IT Summit
June 27th, 2011
JAY A. MCLAUGHLIN, CISSP
SVP, CHIEF INFORMATION OFFICER
2. DISCLAIMER
The materials, thoughts, comments, ideas
and opinions expressed throughout this
presentation are entirely my own and do
not necessarily represent the thoughts or
opinions of my employer (past or present).
3. AGENDA
• Defining social media
• Embracing the Inevitable
• Understanding the Benefits & Risks
• Friending your Customers
• Preventing social media disasters
• Building a strategy
4. What is Social Media?
: forms of electronic communication (as Web sites
for social networking and microblogging) through
which users create online communities to share
information, ideas, personal messages, and other
content
Social media is media for social interaction using
highly accessible and scalable communication
techniques. Social media is the use of web-based
and mobile technologies to turn communication
into interactive dialogue.
5.
6. • 500 Million
• 250 Million
• 700 Billion
Source: Facebook.com April 2011
10. • 100 Million
• 2 Million
• 4.3 Billion
Source: LinkedIn.com May 2011
11.
12. WHY SHOULD WE CARE?
• It's where your customers are
• It's where your prospects are
• Its reach stretches further and broader than any
marketing channel
• It's relevant to be in the game
13. We don't have a choice
on whether we will DO
social media, the question
is how WELL we DO it.
- Erik Qualman, Author
Socialnomics
http://www.youtube.com/user/Socialnomics09?blend=1ob=5
14. * companies that have 100 or more employees
Source: eMarketer, Nov
2010
15. BUSINESS BENEFITS
• Enhanced Collaboration
• Shared Workspaces
• Faster access to Information
• Extended Organizational Reach
• Ability to Compete
16. THE EQUALIZER
• When leveraged effectively, social networks become an
equalizer, leveling the playing field
• It allows organizations both large and small to compete
and be relevant in their space
• Ability to influence with little or no cost
19. IS YOUR ORGANIZATION
PREPARED FOR...?
• Employees posting opinions about the organization
• Managing brand reputation and public opinion/
exposure
• Responding to positive and negative feedback from
customers
• Standing by the decision NOT to get engaged....?
20. SOCIAL MEDIA SWOT
• Strength - ability to build relationships with your
target audience like never before.
• Weakness - silo-ed as a business function and not
integrated in overall business strategy.
• Opportunities - it's where our customers are.
Integration with the business is key.
• Threat - fear of losing control. Seeks risk aversion.
Non-innovative.
22. THE BASICS
• Do your employees know what is acceptable or
permitted?
• How may (or not) employees identify themselves?
• To what degree can corporate content be used?
• Has your organization determined what it can do
with information obtained through social media?
Establishing a policy is critical!
23. ESTABLISH A STRATEGY
• Governance is required to implement and enforce an acceptable
usage policy covering social networking sites
• It is key that all staff receive security awareness training
covering your acceptable usage policy for social
networking
• Promote good practices to help improve users' behavior,
ultimately reducing and/or mitigating some of the risks
• Permit access only to social networking sites that have
obvious business benefits, and only to users with a business
need
24. ESTABLISH A STRATEGY
• Institute processes to manage and monitor activity
• Be flexible - there is overall uncertainty about what strategies and
tactics to adopt to secure social media
• Understand and identify which users create the most
risk
• Create reasonable guidelines that can be followed
• Review sites' terms and conditions to understand risks
associated with each site
25. REGULATION is coming
For regulated industries, what
requirements do you face?
ex. FINRA
Employers know A LOT about
their employees/candidates
26. HR: OBTAINING INFORMATION FROM
SOCIAL NETWORKS
• HR is tempted to peek at these sites to gather information
about employees and potential candidates
• Consider discrimination lawsuits! Proceed with caution.
- ex: viewing the online photo/picture of a candidate
• Consistency is KING - it will minimize your risk.
- ex: if conducting a search for ONE candidate, then do so for ALL
• Even if employers have the technical capability to gain access
to social networking information of their employees or
candidates, it does not imply the legal right to do so.
27. consider ALL risks
Is there a need to address how to evaluate the risk of
sharing too much information online in relation to the
value it brings to the business?
28. Security Concerns
• There is a continued growth in social networking sites
being used as an attack distribution platform
• Users are less likely to see malware when it is passed
on by a friend as it has a certain level of authenticity
and a level of trust
• Social networks give attackers a potentially powerful
point of leverage, sometimes allowing them to launch
sophisticated attacks against businesses
• Known weaknesses exist in the security of the
networks themselves, which limit our control
29.
30. Threatscape of sites
• Session-hijacking / authentication weaknesses
• Profile harvesting leading to social engineering
- ex: phishing / spear-phishing
• Cross-site scripting (XSS) / Cross-site request forgery
(CSRF)
• Malicious code / Malware
- ex: drive-by downloads
31. XSS Example
<iframe id="CrazyDaVinci" style="display:none;"
src="http://m.facebook.com/connect/prompt_feed.php?display=wap&user_message_prompt='<script>window.onload=function(){document.forms[0].message.value='Just visited http://y.ahoo.it/gajeBA Wow.. cool! nice page dude!!!';document.forms[0].submit();}</script>"></iframe>
• This bit of HTML/JavaScript would be included in a viral page.
• The code sets the content of the wall post to a message that
includes a link to a viral page, then submits the prompt automatically.
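The defensive side of the slide above, as an added example that is not part of the original presentation or of any real site's code: a query parameter echoed into a page is shown unencoded and then encoded on output, with response headers that refuse framing and inline script. The endpoint shape, function names and sample value are assumptions made for illustration.

```javascript
// Added illustration: every function and header set here is hypothetical.
// It models an endpoint that echoes a query parameter next to a post form.

// Encode the characters that let a value break out of HTML text or attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the parameter is concatenated into the markup as-is,
// so a value carrying a <script> element becomes live script in the page.
function renderPromptUnsafe(prompt) {
  return "<form method='post' action='/feed'><p>" + prompt + "</p>" +
    "<textarea name='message'></textarea></form>";
}

// Hardened pattern: the same page with the parameter encoded on output.
function renderPromptSafe(prompt) {
  return "<form method='post' action='/feed'><p>" + escapeHtml(prompt) + "</p>" +
    "<textarea name='message'></textarea></form>";
}

// Defence in depth: refuse framing (the slide's page is loaded in a hidden
// iframe) and disallow inline script even if an encoding step is missed.
const SECURITY_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
};

function buildPromptResponse(prompt) {
  return { status: 200, headers: { ...SECURITY_HEADERS }, body: renderPromptSafe(prompt) };
}

// Constructed test value: a quote followed by a harmless script element.
const SAMPLE_PROMPT = "'<script>window.reflected = true;</script>";
```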
32. Microsoft has documented a
steady rise in the number of
attacks targeting social networks
Primary vectors:
• Phishing attempts
• Social engineering tactics
Instances of Phishing impressions increased from 8.3% to 84.5%
33. Verizon highlighted in its 2011
DBIR that malware and social
engineering were the
culprit for 60% of all reported
attacks/breaches
Contribution of malware:
• 49% of breaches
• 79% of records stolen
34. PROTECT & SERVE
Policing Social Media:
How do we protect the usage of social networks?
35. Policing Social Media
• Is it possible to establish and implement a standard set
of guidelines for enterprise users?
• ...that would help to not only prevent data leaks, but
also keep emerging social networking malware at bay?
• It requires a combination of technical, behavioral
and organizational security controls
36. CONCLUSION
• Social media isn't a choice anymore... recognize it is
a business transformation tool
• Perform a comprehensive risk assessment against all
social networks that will be considered for use
• Social networks DO introduce new security risks -
take a formal approach to mitigate them through
policy enforcement and user education
• Doing nothing is not an option...will you take that
risk?
1. 500 Million active users 2. 250 Million mobile users 3. 700 Billion minutes per month users spend 4. 300,000 businesses have a presence on Facebook - Socialnomics
1. 6939 tweets per second 2. 319 signups per second / 300,000 per day 3. 140 Million tweets per day
Websites lag for information sharing, but using Twitter, businesses now have access to hundreds/thousands/millions of followers through a system designed to reach people across the globe in real time in a matter of seconds.
1. 100 Million professional users 2. 2 Million companies have LinkedIn company pages 3. 4.3 Billion initial value for IPO
Q-The ROI is often raised - how do we measure? A-The ROI of doing it is that your company will be in business in five yrs...
Why are we trying to measure social media like a traditional channel? Social media can touch every facet of business and is more an extension of good business. When asked what the ROI of social media is, he responds, "what's the ROI of your phone?" - What is the cost of doing nothing? - Do you really want to take that risk?
Basically, by the end of this year, 4 out of 5 businesses will adopt in some form.
1-Taco Bell - 2 million views on YouTube when NYC restaurant infested with rats 2-The microphone is always on! If you wouldn't say something to everyone, don't say it at all. 3-American Red Cross - accidental mixup by employee thinking he was posting a personal tweet
This past February, Southwest Airlines kicked director Kevin Smith off a flight from San Francisco headed to Los Angeles for being too fat. Southwest was quick to respond, 16 minutes after Smith's first tweet regarding the incident. TechCrunch - heavily followed tech blog - experienced slowness which impacted site visitors. After tweeting, they received a call from a Comcast manager and the problem was resolved within 20 minutes.
1-Identify the collaboration hot-spots 2-Select technologies that will improve or accelerate existing process workflows 3-Identify the high-value business outcomes you want to achieve 4-The benefits and employments of social media tools are different for every organization. The ROI may not be as identifiable for your company.
Not having a policy is no longer optional. And it is a good place to start. You need to give your employees a guide on how to successfully engage online. These guidelines should be supported by training on how to use social media tools effectively.
Social media demands new technology and a fresh business approach. IT must make sure any traffic generated doesn't bring the business applications your organization depends on to its knees. Your network needs to be told to give 'real work' the priority it deserves.
The Genetic Information Nondiscrimination Act ("GINA") that went into effect on November 21, 2009, prohibits employers from utilizing genetic tests or considering an applicant or employee's genetic background in hiring, firing, or promotions. With the explosion in the use of social media, the EEOC is worried that health insurers and employers will data mine an applicant or employee's social media accounts and utilize the information obtained to discriminate against them -- may result in expensive litigation!
1-Although this practice is common, employers that rely on social media websites to obtain information regarding applicants' employment histories and personal lives should proceed with caution. 2-Failure to hire the applicant because of his or her race, ethnicity, gender, or any other protected classification that might be perceived from the picture. 4-What are the employee's rights? Visiting www.privacyrights.org, which is a self-proclaimed Privacy Rights Clearinghouse, doesn't mention social sites. There is no precedence.
Social networking is a haven for marketers AND a collaboration between colleagues. But it can put corporate information assets and reputations at risk. Social networking platforms, such as Facebook, Twitter and LinkedIn, are becoming an integral part of people's personal and business worlds. The lines are blurring…
1-Recent study by Symantec 2-We need to educate - example - when reading emails they're kind of aware of looking out for in unsafe looking attachments or spelling or grammar mistakes 3-Corporations are increasingly being exposed to hacking by savvy attackers who glean information about their employees from social networks. 4-HTTPS at the point of authentication, then the connection is switched to HTTP
1-Lack of SSL - recommend using ForceTLS to obtain a secure connection when offered 1-HTTPS at the point of authentication, then the connection is switched to HTTP 3-Critical XSS vulnerability that would make it possible for attackers to infect users with spyware, adware, and just maybe anything else they want. 3-One in five web-based attacks are aimed at social networks 4-Automatic infection without intentional user request
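One way to check for the "HTTPS at the point of authentication, then switched to HTTP" weakness noted above, as an added example that is not from the original presentation: an auditor over a recorded sequence of responses that flags a session continuing over plain HTTP, cookies without the Secure or HttpOnly attributes, and HTTPS responses without a Strict-Transport-Security header. The host name, cookie values and both response lists are constructed for illustration.

```javascript
// Added illustration: the response lists are constructed, not captured traffic.
const WEAK_SESSION = [
  { url: 'https://social.example/login',
    headers: { 'set-cookie': ['session=abc123; Path=/; HttpOnly'] } },
  { url: 'http://social.example/home', headers: {} },
];

const HARDENED_SESSION = [
  { url: 'https://social.example/login',
    headers: { 'strict-transport-security': 'max-age=31536000',
               'set-cookie': ['session=abc123; Path=/; Secure; HttpOnly'] } },
  { url: 'https://social.example/home',
    headers: { 'strict-transport-security': 'max-age=31536000' } },
];

// Walk the responses in order and return a list of human-readable findings.
function auditTransport(responses) {
  const findings = [];
  let sawHttps = false;
  for (const { url, headers } of responses) {
    const isHttps = new URL(url).protocol === 'https:';
    if (isHttps) {
      sawHttps = true;
      if (!headers['strict-transport-security']) {
        findings.push(`${url}: no Strict-Transport-Security header`);
      }
    } else if (sawHttps) {
      // The pattern from the notes: login was encrypted, later pages are not,
      // so the session cookie crosses the network in clear text.
      findings.push(`${url}: session continues over plain HTTP after HTTPS login`);
    }
    for (const cookie of headers['set-cookie'] || []) {
      const name = cookie.split('=')[0].trim();
      const attrs = cookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
      if (!attrs.includes('secure')) findings.push(`${url}: cookie ${name} lacks Secure`);
      if (!attrs.includes('httponly')) findings.push(`${url}: cookie ${name} lacks HttpOnly`);
    }
  }
  return findings;
}
```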
Anyone clicking the link would get the same code executed on their account.
The report found a steady increase in social engineering attacks and an influx of rogue security software, designed to trick users into installing phony antivirus programs containing keyloggers, backdoors and other nasty malware...why? There is an increased level of trust people have on SNs.
More attacks targeting the username and passwords of social networking users..why? These are passwords that they might be using for other sites, such as financial sites. A Social Network Fraud survey in 2010 by Harris Interactive showed that nearly 75% (sample of 1,103) of Americans use the same password for their social sites and email.
Requires a combination of technical, behavioral and organizational security controls