Social Networks and Information Security
   - Oxymoron or can you have both?




            Ben Rothke, CISSP PCI QSA
            Senior Security Consultant
            BT Professional Services
            April 13, 2010
About me


• Ben Rothke, CISSP CISM PCI QSA
• Security Consultant – BT Professional Services
• Full-time information security since 1994
• Frequent writer and speaker
• Author of Computer Security: 20 Things Every Employee
  Should Know (McGraw-Hill)




BT in North America

                      • Operating since 1988
                      • More than 4,000 employees in the US and
                        Canada
                      • Network Operations and Customer Service
                        Centers in Atlanta GA, Boston MA, Los Angeles
                        CA, Princeton NJ, Oakdale MN and Nutley NJ
                      • Seven of the more than 30 BT acquisitions
                        during recent years are HQ in the US, Infonet,
                        Radianz, Counterpane, INS, Comsat, Wire One,
                        Ribbit
                      • More than 3,500 customers in the US and
                        Canada, including 75% of F500 and 50% Fortune
                        1000
                      • Serving Canadian enterprises in 32 cities
                        serving hundreds of major customer sites across
                        the country
                      • Of BT’s top 2,000 customers, 50%+ are
                        headquartered or have major operations in
                        the Americas
Why BT for Security?

• Industry-leading resources
  – 1,400 global practitioners with over 125 accredited security professionals in the US
  – Comprehensive event correlation platforms and reporting tools
  – Operating 9 world class SOCs globally, 24/7/365
  – Over 100 registered patents, 190 security papers and numerous books

• With proven experience
  – 6,000 security engagements in the US since 1994
  – BT has delivered security services to over 75% of the Fortune 500
  – Over 1,500 firewalls under management
  – Monitoring 550 networks with data from over 150 countries and 335,000 devices
  – Filters over 75,000 viruses from client networks each month

• Delivering an integrated services portfolio
  – From assessment to mitigation, on a global basis
  – Incorporating industry-leading technology & services, with Counterpane at the core

• Third party validation
  – Leadership position in Gartner’s 2007 North American MSSP Magic Quadrant
  – Highest capability maturity rating from NSA
  – Many accreditations, including BS 27001/ISO 17799, SAS70-II, FIPS 140-2, CERT, FIRST,
    CLAS, SANS GIAC and CHECK
Agenda


• How can enterprises effectively use social networks while
  not putting their security and data at risk?
• Understanding and dealing with the security risks of social
  networks
• Making the security focus shift from infrastructure
  protection to data protection
• Social network security strategies for enterprises
• Social network security strategies for individuals
• Q/A



Why are enterprises interested in social networking?




Why this is a very cool information security topic


• Easy security tasks
  –   Block all outbound ftp traffic
  –   Require disclaimers on all outbound emails
  –   Block admission to network if host AV signatures are not current
  –   Require encryption on all outbound file to Moscow office


• Challenging security tasks
  – Stop end-users from inappropriate sharing of confidential and
    proprietary data via social networks




Why are people interested in social networking?




Social networking - then and now


Computer Associates

• 1990s
  – President Charles Wang limited employees’ email usage
     • to 1 hour in the morning & afternoon
     • to emphasize face-to-face interaction rather than sending e-mails


• 2010
  – Computer Associates is now on Twitter
     • http://twitter.com/cainc




Social networks huge - getting larger
• 75% of US online adults use social tools
  – up from 56% in 2007
  – The Growth Of Social Technology Adoption - Josh Bernoff, Forrester




The social web

• Social web is about communities, collaboration, peer
  production and user-generated content
• Business reputations are defined by customer opinions and
  ratings
• Press is delivered by independent bloggers
• Product development and insight is driven by customers
• Digital natives who have grown up with the Internet flood
  the workplace
• Your employees will likely expect to be part of the social
  web and they'll have a lot to contribute
     • Source: Joshua-Michéle Ross


Today’s social networking reality




Resistance to social networks is futile

• Social networks are not a fad
• Prepare a strategy and have a realistic understanding of the
  risks and benefits of social software
• Understand the unique challenges with social networks and
  factor them into decision on when and how to proceed
                   • Gartner - Major Challenges Organizations Face Regarding Social Software




Social networks are major news stories




But the security risks can’t be ignored




Social networks - security game-changer

• Organizations and management are struggling
  – to understand and deal with the security risks of social networks
• Traditional information security
  – firewalls and access control protected the perimeter
  – social networks open up that perimeter
• Focus shift
  – from infrastructure protection to data protection
• DLP (data loss prevention) tools
  – becoming the new firewall for the social web
• Bypass corporate services
  – Facebook for email
  – Skype as a telephone system
  – Gmail for instant messaging
Security issues

• There are legitimate risks with allowing uncontrolled access
  to social networking sites
  – risks can be mitigated via a comprehensive security strategy
• Security and trust
  – social networks require a full taxonomy of security
  – people are much more trusting of a message from a friend or
    colleague on a social network than they are of an e-mail
  – people are used to e-mails being forged
• People will share extraordinary amounts of highly
  confidential personal and business information with people
  they perceive to be legitimate


Social media risks

Risk | Description | Security? | Type?
Malware | Infection of desktops, propagation of malware through staff or corporate profiles on social-media services. | Yes | Technology
Chain of providers | Mashups of applications within a social-media service enable the untraceable movement of data. | Yes | Technology
Interface weaknesses | Public application interfaces are not sufficiently secured, exposing users to cross-site scripting and other exploits. | Yes | Technology
Reputation damage | Degradation of personal and corporate reputations through posting of inappropriate content. | No | Content
Exposure of confidential information | Loose lips sink ships, breach of IP or other trade secrets, breach of copyright, public posting or downloading of private or sensitive personal information. | Yes | Content
Legal exposure | Legal liabilities resulting from posted content and online conversations or failure to meet a regulatory requirement to record and archive particular conversations. | Yes | Content
Revenue loss | For organizations in the information business, making content freely available may undercut fee-based information services. | Yes | Content
Staff productivity | Workers failing to perform due to the distraction of social media. | No | Behavior
Hierarchy subversion | Informal social networks erode authority of formal corporate hierarchy and defined work processes. | No | Behavior
Social engineering | Phishing attacks, misrepresentation of identity and/or authority to obtain information illicitly or to stimulate damaging behaviors by staff. | Yes | Behavior
Identity fraud | Profiles and postings that are erroneously attributed to a staff member or corporate office. | Yes | Behavior

Source: Gartner – Report G00173953 - February 2010
How information security groups lose the social media war


• Social media security requires a combination of technical,
  behavioral and organizational security controls
  – Many information security groups are clueless on how to do that
• Arguing that social media presents unmanageable security
  risks gives the impression that the information security
  group is incompetent
• Too much use of the FUD (fear, uncertainty and doubt)
  factor as part of their argument




Social network postings are immortal

• Physics 101 - Law of conservation of energy
  – total amount of energy in an isolated system remains constant
  – energy can’t be destroyed - can only change form

• Social networks physics 101
  – Internet - huge database of unstructured content with an infinite life
  – once confidential data is made public, it can never be made
    confidential again
  – once data is posted in a Web 2.0 world, it exists forever, somewhere
     • RSS feeds can’t be unfed
  – difficulty of complete account deletion
     • users wishing to delete accounts from social networks may find that
       it’s almost impossible to remove secondary information linked to
       their profile such as public comments on other profiles
Security issues - aggregation


• Aggregation
  – process of collecting content from multiple social network services
  – consolidates multiple social networking profiles into one profile
• Google OpenSocial
  – defines common API for social applications across multiple websites
  – with standard JavaScript and HTML, developers can create apps that
    access a social network’s friends and update feeds
• Long-term anonymity is nearly impossible
  – users leave traces, IP addresses, embedded links, IDs in files, photos,
    etc.
  – no matter how anonymous one tries to be, eventually, with enough
    traces, aggregation will catch up

Security and privacy risks
• Malware
  – social networks used as a malware distribution point
• Vulnerabilities
  – cross site scripting (XSS), cross site request forgery (CSRF)
  – 1 in 5 web attacks aimed at social networks
• Corporate espionage
• Phishing / spear phishing
• Bandwidth consumption
• Information leakage
• Social engineering attacks
• Content-based Image Retrieval (CBIR)
  – emerging technology that matches features, such as identifying aspects of a room (e.g. a painting)
    in very large databases, increasing the possibilities for locating users

Mission Impossible 1999 is social networking 2010
• Your mission
  – find 20 divorced/single female design engineers based in the US at
    Boeing Integrated Defense Systems
  – build a rapport with them
  – get critical data or designs for new fighter under development

• Time / Budget / Success
  – 1999 – Many people, many months, limited success, very expensive
  – 2009 – One person, multiple Facebook accounts, can outsource to
    India, near immediate results, extremely high success rate

• Facebook makes it easy to find out who these women are
  – who their friends are (likely other single women at Boeing)
  – what they like, where they shop, their daily habits, their friends,
    entertainment, and much more
Social networks and information security


• Social networks and security are compatible
  – requires effort, staff, and a formalized plan of action
• Formalized, comprehensive social networking strategy
  – there are no social network security appliances
• Public corporations
  – subject to SEC disclosure obligations, must deal with fair disclosure
    rules
  – inside information on a social network is a regulatory violation
  – must have formal logging and archiving in place for social networks




Strategies and action items for
enterprises to deal with the security
and privacy risks of social networks


Get in front of the social network wave

• Organizations must be proactive
  – dedicated team to deal with social networks
  – ability to identify all issues around social networks
• Get involved and be engaged
• Social networking is moving fast
  – dynamic technology
  – requires a proactive protection approach
• Be flexible
  – overall uncertainty about what strategies and tactics to adopt to
    secure social media




Risk assessment

• Social media create new opportunities for fraud and abuse
• Enables a wide range of abuses
  – Must be anticipated and evaluated to construct appropriate security
    plans and controls
• Perform social network risk assessment
  –   create risk assessment for each social network community
  –   vulnerabilities associated with specific sites
  –   which users are the greatest risk?
  –   output will be used to create the social media policy and strategy
  –   customized to your specific risk matrix
  –   balance the risks vs. benefits
       • US Marines – totally prohibited
       • Starbucks – totally embraced
Social media strategy

• Strategy and policy should be based on your social media goals
• Take into account any special laws or rules
• Identify people or positions who will be the online public face
  of the firm
• Decide if and how employees may identify themselves
• Involve risk managers in your planning
• Draconian policies preventing the use of social media will not
  be effective
• Use a balanced approach
  – allow access
  – manage risk via technical controls, policies and employee training


Monitoring

• Maintain control over content company owns
  – monitor employee participation on social networking sites
  – significant risk of loss of IP protection if not monitored
  – when inappropriate use of enterprise content occurs, notify
    employee and explain how their actions violated policy
  – control where and how corporate content is shared externally




Social network assessments

• Perform a LinkedIn analysis
  – From LinkedIn you can tell:
     •   what technologies a company is using
     •   corporate direction
     •   vendors
     •   partners
     •   internal email addresses and address formats


• Perform a Facebook analysis
  – From Facebook you can tell:
     • almost everything



Define corporate social media policy and strategy

 • Social networks blur boundary between company roles
    –   who speaks for the company on a blog, Twitter, Facebook
    –   border between the company and the outside world is evaporating
    –   this is a management decision, not an IT decision
    –   strategies: block, contain, disregard, embrace
    –   create user scenarios
         • not all users need access
    – see Twitter strategy for Government Departments
    – ensure your corporate social media strategy is realistic
    – view webinar by Joshua-Michele Ross on how to do this




Corporate social networking policy


• Social networking policy is a must
  – even if it prohibits everything, you still need a policy
• Policies are needed because employees do stupid things
• Define a rational, sensible use of social media services
  – include photography and video
  – don’t reference clients, customers, or partners without obtaining
    their express permission
• Data classification
  – create a data classification program
  – users need to be able to know precisely the different data
    classification levels
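The data classification program called for above, and the earlier point that DLP tools are becoming the new firewall for the social web, both rest on one mechanism: outbound content is inspected against the organization’s classification markers and sensitive-data patterns before it leaves. The following is an added example written for this page, not code from the presentation or from BT; the classification banners, the internal domain example-corp.test, the project codenames and the sample posts are all constructed for the illustration, and a real program would load them from the organization’s own classification scheme.

```python
import re

# Constructed policy inputs for this example (assumptions, not from the
# presentation): classification banners, the organization's own mail domain
# and a few unreleased project codenames that must never appear in public posts.
CLASSIFICATION_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY", "RESTRICTED")
INTERNAL_DOMAIN = "example-corp.test"               # hypothetical internal domain
PROJECT_CODENAMES = ("project falcon", "bluebird")  # hypothetical codenames

# 13-16 digits, optionally separated by spaces or dashes (candidate card numbers)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[\w-]+\b")


def luhn_ok(digits):
    """Luhn check: keeps order numbers and other digit runs from being flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_post(text):
    """Return a list of (finding_type, evidence) for one outbound post."""
    findings = []
    lowered = text.lower()
    for marker in CLASSIFICATION_MARKERS:
        if marker in text:                  # banners are matched as written (upper case)
            findings.append(("classification_marker", marker))
    for name in PROJECT_CODENAMES:
        if name in lowered:
            findings.append(("project_codename", name))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            # keep only a masked form so the DLP log itself does not leak the number
            findings.append(("payment_card", digits[:6] + "..." + digits[-4:]))
    for m in EMAIL_RE.finditer(text):
        if m.group().lower().endswith("@" + INTERNAL_DOMAIN):
            findings.append(("internal_email", m.group()))
    return findings


def verdict(findings):
    """Policy decision: block outright leaks, route grey areas to a human, allow the rest."""
    kinds = {kind for kind, _ in findings}
    if kinds & {"classification_marker", "project_codename", "payment_card"}:
        return "block"
    if "internal_email" in kinds:
        return "review"
    return "allow"


# Constructed sample posts standing in for outbound social-media traffic.
SAMPLE_POSTS = [
    "Great team lunch today! #fridayvibes",
    "Sneak peek: Project Falcon ships next quarter, details in the CONFIDENTIAL deck",
    "Ping me at jane.doe@example-corp.test if you want the slides",
    "My card 4111 1111 1111 1111 got declined again, ugh",
    "Order number 1234567812345678 finally shipped",
]


def triage(posts):
    """Run the scanner over a batch and return [(verdict, findings, post), ...]."""
    results = []
    for post in posts:
        findings = scan_post(post)
        results.append((verdict(findings), findings, post))
    return results


if __name__ == "__main__":
    for decision, findings, post in triage(SAMPLE_POSTS):
        print(f"{decision:6s} {post!r}")
        for kind, evidence in findings:
            print(f"       - {kind}: {evidence}")
```

The Luhn check is what separates a usable control from one users learn to ignore: the 16-digit order number in the last sample post is left alone, while the test card number is blocked. Internal addresses go to review rather than block because the data classification decides whether sharing a contact is a leak, not the pattern match.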


Security awareness


• Social media is driven by social interactions
• Most of the significant risks are tied to the behavior of staff
  when they are using social software
• Governance of staff behavior must take into account both
  the technical capabilities of the social software and the
  relative tendency of staff to engage in risky behavior in
  social media
• Don't shun social media for fear of bad end-user behavior.
  – Anticipate it and formulate a multilevel approach to policies for
    effective governance.
• 3 C’s: clear, comprehensive, continuous

Security awareness

• Awareness and training program is critical
  –   must be effectively communicated and customized
  –   disseminate to everyone
  –   ensure recurrent training
  –   create topic taboo lists
  –   define expectations of privacy
• Link social networking training to other related training
  – business ethics, standards of conduct, industry-specific regulations
• Public companies
  – at risk for disclosure of insider information
  – even if not at fault, assertion of insider disclosure is expensive,
    embarrassing and time consuming


Guidelines

• Without clear guidelines, breaches are inevitable
• Excellent sources:
  – Intel Social Media Guidelines
  – IBM Social Computing Guidelines
     • directives for blogs, wikis, social networks, virtual worlds and social media




Regulatory

• Regulatory compliance must be considered
  – social networks present numerous scenarios which weren’t foreseen
    when current legislation and data protection laws were created
  – regulatory framework governing social networks should be reviewed
    and, where necessary, revised
  – consider what specific laws/regulations/standards apply
  – all breach notice laws are relevant
     • if customer or employee PII is posted, breach response plans would likely
       need to be followed and notices would need to be sent
     • HIPAA and expanded responsibilities under ARRA HITECH
     • newly released final breach response rules from the HHS




EU and social networks

• EU Data Privacy Directives
  – EU Directive on Data Protection 95/46/EC
  – Data Protection Working Party Opinion 5/2009
  – EU countries take personal privacy very seriously
     • tagging of images with personal data without the consent of the subject
       of the image violates the user’s right to informational self determination
     • blanket monitoring and logging is unacceptable in EU
     • many more privacy details need to be considered


• Review ENISA position paper
  – Security Issues and Recommendations for Online Social Networks
  – Online as Soon as it Happens



Human resources

• Human resources must be involved
  –   social networks open up a huge can of HR worms
  –   what are disciplinary actions for non-compliance?
  –   candidate’s social network presence as a factor in the hiring process?
  –   create directives for managing personal and professional time
  –   don’t be seen as encroaching on your employees’ free speech rights
  –   put out reasonable guidelines
  –   explain how innocent postings can be misconstrued
  –   but…a too heavy-handed approach will often backfire and result in
      lower morale and often bad publicity




Hardware and software solutions


• Gartner
  – Market for security controls for social media is relatively immature
  – Security managers need to develop control environments that
    incorporate new tools and techniques to monitor and control user
    activity and data movement
  – IT organizations have concentrated for too long on using technical
    controls to ensure that IT and business resources are used
    appropriately
  – In some situations, social guidelines can be more effective than
    technical controls




Reputation management


• Traditional PR and legal responses to an Internet-based
  negative reputation event can cause more damage than
  doing nothing
• Understanding how to establish, follow and update
  protocols can make social-media chaos less risky to
  enterprises
• Information security should coordinate activities with PR
  teams to expand monitoring and supplement monitoring
  with investigations and evidence collection processes



Dealing with reactive chaos


• Rare for companies to have tools and skills to conduct
  investigation into origins of inappropriate material and the
  identity of the individuals involved in social media breaches
• CSIRTs are called on to provide investigation support
  – but often contacted late
• Optimal approach
  – monitoring and managing social media and incident response
    requires approach that combines efforts and capabilities of the PR,
    HR and information security teams




Reputation management




Reputation management

• Goal is to build and protect a positive Internet-based
  reputation
• Risks to reputation are significant and growing with the
  increased use of social networks
• Create reputation management group with input from IT,
  legal, risk management, PR and marketing
• Coordinated approach
  – proactive / responsive




Strategies and action items for
individuals to deal with the security
and privacy risks of social networks


Let’s be careful out there

• You can lose your job
  – policy violation
  – managers and executives - special responsibility when blogging by
    virtue of the position
  – too much time on social network sites
  – perception that you are promoting yourself at the expense of the
    company
  – especially if your employer is not into social networking
• Don’t embarrass yourself, friend, family, coworkers
• Be aware of the dark side of social networks
  – divorce
  – cyberbullies
  – see MySpace suicide case

Action items – individual user

• Curb your enthusiasm
  – those with OCD/addictive personalities must recognize the addictive
    nature of social networking
  – what is fun today is embarrassing tomorrow
  – don’t post comment that you don’t want the entire world to see
  – consider carefully which images, videos and information you publish
  – set daily time limits on how much time you will spend


• When at work
  – you are being paid to work when you are at work
  – don’t abuse the trust your employer had in hiring you




Social incrimination


• Everything you post may be used against you
  – be judicious when posting, especially photos/videos
     • copyright issue
  – camcorders now have Direct Upload to YouTube capabilities
     • Don’t post photo that you don’t want the world to see
     • Watch that pose – the world will see you in that photo
  – images give away private data about other people, especially when
    tagged with metadata


• Enable Facebook security controls
  – 10 Privacy Settings Every Facebook User Should Know
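The slide above warns that images give away private data about other people, especially when tagged with metadata, and the aggregation slide earlier lists IDs in files and photos among the traces that make long-term anonymity nearly impossible. The added example below is not from the presentation; it shows what that metadata looks like at the byte level and how a pre-publication check can find and remove it. It builds a constructed JPEG carrying an EXIF GPS sub-IFD, parses the TIFF/IFD structure to list the GPS tags, converts the latitude to decimal degrees, and rewrites the file without the Exif segment. The coordinates are made up, and the file is a bare SOI/APP1/EOI skeleton with no image data.

```python
import struct

# TIFF/EXIF field types and their sizes in bytes (BYTE, ASCII, SHORT, LONG,
# RATIONAL, UNDEFINED, SLONG, SRATIONAL).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
GPS_IFD_POINTER = 0x8825          # IFD0 tag that points at the GPS sub-IFD
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude",
            0x001D: "GPSDateStamp"}


def build_sample_jpeg():
    """Constructed sample: a minimal JPEG (SOI, one APP1 Exif segment, EOI)
    whose GPS sub-IFD records a made-up latitude of 40d 26' 12.34" N."""
    e = "<"                                   # little-endian TIFF ("II")
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4           # IFD0: count, 1 entry, next-IFD link
    rat_off = gps_off + 2 + 3 * 12 + 4        # GPS IFD: count, 3 entries, link
    ifd0 = (struct.pack(e + "H", 1)
            + struct.pack(e + "HHII", GPS_IFD_POINTER, 4, 1, gps_off)
            + struct.pack(e + "I", 0))
    gps = (struct.pack(e + "H", 3)
           + struct.pack(e + "HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"   # ASCII, stored inline
           + struct.pack(e + "HHII", 0x0002, 5, 3, rat_off)            # 3 RATIONALs, by offset
           + struct.pack(e + "HHI", 0x0003, 2, 2) + b"W\x00\x00\x00"
           + struct.pack(e + "I", 0))
    rationals = struct.pack(e + "IIIIII", 40, 1, 26, 1, 1234, 100)     # deg, min, sec
    tiff = b"II" + struct.pack(e + "HI", 42, ifd0_off) + ifd0 + gps + rationals
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _iter_segments(jpeg):
    """Yield (marker, start, end, body) for each length-prefixed segment before SOS/EOI."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI, or SOS followed by entropy-coded data
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for one IFD."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def _value(tiff, typ, n, raw, endian):
    """Decode an entry: values up to 4 bytes sit inline, longer ones are stored by offset."""
    size = TYPE_SIZES.get(typ, 1) * n
    data = raw[:size] if size <= 4 else tiff[struct.unpack(endian + "I", raw)[0]:][:size]
    if typ == 2:
        return data.rstrip(b"\x00").decode("ascii", "replace")
    if typ == 4:
        return struct.unpack(endian + "I" * n, data)
    if typ == 5:
        vals = struct.unpack(endian + "II" * n, data)
        return [(vals[2 * i], vals[2 * i + 1]) for i in range(n)]
    return data


def find_gps_tags(jpeg):
    """Return {tag_name: value} for the GPS sub-IFD of the Exif segment, or {} if none."""
    for marker, _start, _end, body in _iter_segments(jpeg):
        if marker != 0xE1 or not body.startswith(b"Exif\x00\x00"):
            continue
        tiff = body[6:]
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0_off = struct.unpack(endian + "I", tiff[4:8])[0]
        ifd0 = _read_ifd(tiff, ifd0_off, endian)
        if GPS_IFD_POINTER not in ifd0:
            return {}
        gps_off = struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER][2])[0]
        gps_ifd = _read_ifd(tiff, gps_off, endian)
        return {GPS_TAGS.get(tag, hex(tag)): _value(tiff, typ, n, raw, endian)
                for tag, (typ, n, raw) in gps_ifd.items()}
    return {}


def gps_to_decimal(dms, ref):
    """Three (numerator, denominator) RATIONALs plus a hemisphere letter -> signed degrees."""
    deg, minutes, seconds = (num / den for num, den in dms)
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def location_leak(jpeg):
    """Decimal latitude if the file carries GPS latitude metadata, else None."""
    tags = find_gps_tags(jpeg)
    if "GPSLatitude" in tags and "GPSLatitudeRef" in tags:
        return gps_to_decimal(tags["GPSLatitude"], tags["GPSLatitudeRef"])
    return None


def strip_exif(jpeg):
    """Copy the JPEG, dropping any APP1 Exif segment; everything else is kept byte-for-byte."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, start, end, body in _iter_segments(jpeg):
        if not (marker == 0xE1 and body.startswith(b"Exif\x00\x00")):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]                          # SOS, scan data and EOI follow unchanged
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("GPS tags:", find_gps_tags(sample))
    print("latitude:", location_leak(sample))
    print("after strip:", find_gps_tags(strip_exif(sample)))
```

Stripping the whole Exif segment rather than editing single tags is the safer default for a publishing pipeline: the GPS sub-IFD is only one of several places a camera or phone records identifying data, and the photo itself does not need any of it to display.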


Action items – individual user

• Limited security capabilities
  – don’t assume social networks sites will give you privacy or
    confidentiality
  – especially over the long-term when items are cross-posted/shared
• Ensure you know about and are compliant with employer’s
  social media guidelines
  –   if you post something corporate, ensure that it is public information
  –   be careful about posting customer information, even if it is public
  –   breach of insider information can cost you your job
  –   know the rules of using social networking sites while you’re at work
  –   take extra care if you friend your boss on Facebook
  –   Facebook is viral and addictive – don’t waste your workday on it

Action items – individual user

• Bad social networking can lead to career suicide
• Use and maintain anti-virus software
• HR is looking
  – 45% of employers now screen social media profiles
• Realize the inherent tension in social networks
  – know your limits
  – social networks are like a party
  – point is to have fun without humiliating yourself
• Choose good passwords
  – follow password creation rules
  – don’t use the same password across multiple social networks


Action items – individual user

• Don’t accept every Facebook invitation
• Realize you are a target for social engineers
• Be aware of friends asking for salami
• What does your friends’ list say about you?
• Something you post today, or a YouTube video you appear
  in, can haunt you for the rest of your life
• Trust but verify all invitations
• Limit the amount of personal information you post
  – do you really need to post your birthday?
  – get in the habit of not sharing personal data



Action items – individual user

• Be careful when taking surveys
  – especially on Facebook
  – answers can be aggregated by bogus surveys to launch social
    engineering attack
  – password recovery answers


• Not everything needs to be commented on
  – Think twice before posting about
     •   interviews
     •   complaints about long/boring meetings
     •   complaints about coworkers, management, bosses, etc.
     •   off the cuff remarks


Children
• Especially susceptible to social network threats
  – kids misrepresent their age to join sites that have age restrictions
  – kids post more information in their pictures than was intended, such
    as hobbies, interests, location of their school
• Teach your kids about Internet safety
  – be aware of their online habits, guide them to appropriate sites
  – they should never meet in person anyone they met online
• Parents must ensure that their children become safe and
  responsible users
• National Cyber Alert System Cyber Security Tip ST05-002
  – Keeping Children Safe Online
  – http://www.us-cert.gov/cas/tips/ST05-002.html


Conclusions / Q&A


• Social networks introduce significant security risks
• Companies must recognize these risks and take a formal
  approach to deal with them
• Individuals can’t be naïve about their responsibilities

• Social networks and security – not an oxymoron
  – as long as social network security is part of a comprehensive
    corporate information security program
  – and end-users and individuals are aware of the risks and their
    responsibilities



Contact information


Ben Rothke, CISSP PCI QSA
Senior Security Consultant
BT Professional Services
ben.rothke@bt.com

www.linkedin.com/in/benrothke
www.twitter.com/benrothke





Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-final
 
Cyberthreats: causes, consequences, prevention
Cyberthreats: causes, consequences, preventionCyberthreats: causes, consequences, prevention
Cyberthreats: causes, consequences, prevention
 
Why is it getting harder to train the cybersecurity workforce? (ExtendedVersion)
Why is it getting harder to train the cybersecurity workforce? (ExtendedVersion)Why is it getting harder to train the cybersecurity workforce? (ExtendedVersion)
Why is it getting harder to train the cybersecurity workforce? (ExtendedVersion)
 
Protecting Intellectual Property in the Age of WikiLeaks
Protecting Intellectual Property in the  Age of WikiLeaksProtecting Intellectual Property in the  Age of WikiLeaks
Protecting Intellectual Property in the Age of WikiLeaks
 
The Essential Ingredient for Today's Enterprise
The Essential Ingredient for Today's EnterpriseThe Essential Ingredient for Today's Enterprise
The Essential Ingredient for Today's Enterprise
 
Risks and Security of Internet and System
Risks and Security of Internet and SystemRisks and Security of Internet and System
Risks and Security of Internet and System
 
2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats
 
Mobile Application Security
Mobile Application Security Mobile Application Security
Mobile Application Security
 
Cyber Training: Developing the Next Generation of Cyber Analysts
Cyber Training: Developing the Next Generation of Cyber AnalystsCyber Training: Developing the Next Generation of Cyber Analysts
Cyber Training: Developing the Next Generation of Cyber Analysts
 
The Vigilant Enterprise
The Vigilant EnterpriseThe Vigilant Enterprise
The Vigilant Enterprise
 
Cisco 2014 Midyear Security Report
Cisco 2014 Midyear Security ReportCisco 2014 Midyear Security Report
Cisco 2014 Midyear Security Report
 
Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012
 
Incident Response Requires Superhumans
Incident Response Requires SuperhumansIncident Response Requires Superhumans
Incident Response Requires Superhumans
 
Disaster Risk Management in the Information Age
Disaster Risk Management in the Information AgeDisaster Risk Management in the Information Age
Disaster Risk Management in the Information Age
 
Buyers Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection PlatformsBuyers Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection Platforms
 
Information Security Management Education Program - Concept Document
Information Security Management Education Program - Concept Document Information Security Management Education Program - Concept Document
Information Security Management Education Program - Concept Document
 

Similar to Infotec 2010 Ben Rothke - social networks and information security

Cyber security general perspective a
Cyber security general perspective aCyber security general perspective a
Cyber security general perspective amarukanda
 
EMEA10: Trepidation in Moving to the Cloud
EMEA10: Trepidation in Moving to the CloudEMEA10: Trepidation in Moving to the Cloud
EMEA10: Trepidation in Moving to the CloudCompTIA UK
 
MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?Kurt Hagerman
 
06 - VMUGIT - Lecce 2018 - Rodolfo Rotondo, VMware
06 - VMUGIT - Lecce 2018 - Rodolfo Rotondo, VMware06 - VMUGIT - Lecce 2018 - Rodolfo Rotondo, VMware
06 - VMUGIT - Lecce 2018 - Rodolfo Rotondo, VMwareVMUG IT
 
The 5 ws of Cyber Security
The 5 ws of Cyber SecurityThe 5 ws of Cyber Security
The 5 ws of Cyber SecurityMisha Hanin
 
Cyber Security in Manufacturing
Cyber Security in ManufacturingCyber Security in Manufacturing
Cyber Security in ManufacturingCentraComm
 
Indian perspective of cyber security
Indian perspective of cyber securityIndian perspective of cyber security
Indian perspective of cyber securityAurobindo Nayak
 
A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...Judith Beckhard Cardoso
 
Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Mark Williams
 
3433 IBM messaging security why securing your environment is important-feb2...
3433   IBM messaging security why securing your environment is important-feb2...3433   IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...Robert Parker
 
IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...Leif Davidsen
 
Nvis pitch deck version 4 - 2021 dec
Nvis pitch deck version 4 - 2021 decNvis pitch deck version 4 - 2021 dec
Nvis pitch deck version 4 - 2021 decPhilSmith151163
 
HP2065_TieCon_Presentation_V7
HP2065_TieCon_Presentation_V7HP2065_TieCon_Presentation_V7
HP2065_TieCon_Presentation_V7Mark Interrante
 
Steel Point Solutions IAS Track 3 "Sustaining a Cyber Workforce" by L.T. Hawkins
Steel Point Solutions IAS Track 3 "Sustaining a Cyber Workforce" by L.T. HawkinsSteel Point Solutions IAS Track 3 "Sustaining a Cyber Workforce" by L.T. Hawkins
Steel Point Solutions IAS Track 3 "Sustaining a Cyber Workforce" by L.T. Hawkinslthawkins
 
Journey to the Perfect Application: Digital Transformation During a Crisis
Journey to the Perfect Application: Digital Transformation During a CrisisJourney to the Perfect Application: Digital Transformation During a Crisis
Journey to the Perfect Application: Digital Transformation During a CrisisAggregage
 
Top 5 Cybersecurity Trends in 2021 and Beyond
Top 5 Cybersecurity Trends in 2021 and BeyondTop 5 Cybersecurity Trends in 2021 and Beyond
Top 5 Cybersecurity Trends in 2021 and BeyondNandita Nityanandam
 
Assure Patient and Clinician Digital Experiences with ThousandEyes for Health...
Assure Patient and Clinician Digital Experiences with ThousandEyes for Health...Assure Patient and Clinician Digital Experiences with ThousandEyes for Health...
Assure Patient and Clinician Digital Experiences with ThousandEyes for Health...ThousandEyes
 

Similar to Infotec 2010 Ben Rothke - social networks and information security (20)

Cyber security general perspective a
Cyber security general perspective aCyber security general perspective a
Cyber security general perspective a
 
CyberSecurity Update Slides
CyberSecurity Update SlidesCyberSecurity Update Slides
CyberSecurity Update Slides
 
EMEA10: Trepidation in Moving to the Cloud
EMEA10: Trepidation in Moving to the CloudEMEA10: Trepidation in Moving to the Cloud
EMEA10: Trepidation in Moving to the Cloud
 
MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?
 
06 - VMUGIT - Lecce 2018 - Rodolfo Rotondo, VMware
06 - VMUGIT - Lecce 2018 - Rodolfo Rotondo, VMware06 - VMUGIT - Lecce 2018 - Rodolfo Rotondo, VMware
06 - VMUGIT - Lecce 2018 - Rodolfo Rotondo, VMware
 
The 5 ws of Cyber Security
The 5 ws of Cyber SecurityThe 5 ws of Cyber Security
The 5 ws of Cyber Security
 
The New Intelligent Network: Building a Smarter, Simpler Architecture
The New Intelligent Network: Building a Smarter, Simpler ArchitectureThe New Intelligent Network: Building a Smarter, Simpler Architecture
The New Intelligent Network: Building a Smarter, Simpler Architecture
 
Cyber Security in Manufacturing
Cyber Security in ManufacturingCyber Security in Manufacturing
Cyber Security in Manufacturing
 
Indian perspective of cyber security
Indian perspective of cyber securityIndian perspective of cyber security
Indian perspective of cyber security
 
A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...
 
Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Cloud Security: A matter of trust?
Cloud Security: A matter of trust?
 
3433 IBM messaging security why securing your environment is important-feb2...
3433   IBM messaging security why securing your environment is important-feb2...3433   IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...
 
IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...
 
Nvis pitch deck version 4 - 2021 dec
Nvis pitch deck version 4 - 2021 decNvis pitch deck version 4 - 2021 dec
Nvis pitch deck version 4 - 2021 dec
 
HP2065_TieCon_Presentation_V7
HP2065_TieCon_Presentation_V7HP2065_TieCon_Presentation_V7
HP2065_TieCon_Presentation_V7
 
Steel Point Solutions IAS Track 3 "Sustaining a Cyber Workforce" by L.T. Hawkins
Steel Point Solutions IAS Track 3 "Sustaining a Cyber Workforce" by L.T. HawkinsSteel Point Solutions IAS Track 3 "Sustaining a Cyber Workforce" by L.T. Hawkins
Steel Point Solutions IAS Track 3 "Sustaining a Cyber Workforce" by L.T. Hawkins
 
Journey to the Perfect Application: Digital Transformation During a Crisis
Journey to the Perfect Application: Digital Transformation During a CrisisJourney to the Perfect Application: Digital Transformation During a Crisis
Journey to the Perfect Application: Digital Transformation During a Crisis
 
BEST CYBER SECURITY PRACTICES
BEST CYBER SECURITY PRACTICESBEST CYBER SECURITY PRACTICES
BEST CYBER SECURITY PRACTICES
 
Top 5 Cybersecurity Trends in 2021 and Beyond
Top 5 Cybersecurity Trends in 2021 and BeyondTop 5 Cybersecurity Trends in 2021 and Beyond
Top 5 Cybersecurity Trends in 2021 and Beyond
 
Assure Patient and Clinician Digital Experiences with ThousandEyes for Health...
Assure Patient and Clinician Digital Experiences with ThousandEyes for Health...Assure Patient and Clinician Digital Experiences with ThousandEyes for Health...
Assure Patient and Clinician Digital Experiences with ThousandEyes for Health...
 

More from Ben Rothke

Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeterBen Rothke
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012  building a security operations center (soc)Rothke rsa 2012  building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Ben Rothke
 
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012   what happens in vegas goes on youtube using social networks...Rothke rsa 2012   what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...Ben Rothke
 
Rothke rsa 2013 - the five habits of highly secure organizations
Rothke   rsa 2013 - the five habits of highly secure organizationsRothke   rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizationsBen Rothke
 
Rothke rsa 2013 - deployment strategies for effective encryption
Rothke   rsa 2013 - deployment strategies for effective encryptionRothke   rsa 2013 - deployment strategies for effective encryption
Rothke rsa 2013 - deployment strategies for effective encryptionBen Rothke
 
E5 rothke - deployment strategies for effective encryption
E5   rothke - deployment strategies for effective encryptionE5   rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryptionBen Rothke
 
Locking down server and workstation operating systems
Locking down server and workstation operating systemsLocking down server and workstation operating systems
Locking down server and workstation operating systemsBen Rothke
 
Mobile security blunders and what you can do about them
Mobile security blunders and what you can do about themMobile security blunders and what you can do about them
Mobile security blunders and what you can do about themBen Rothke
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeterBen Rothke
 
Lessons from ligatt from national cyber security nationalcybersecurity com
Lessons from ligatt   from national cyber security nationalcybersecurity comLessons from ligatt   from national cyber security nationalcybersecurity com
Lessons from ligatt from national cyber security nationalcybersecurity comBen Rothke
 
Lessons from ligatt
Lessons from ligattLessons from ligatt
Lessons from ligattBen Rothke
 
Interop 2011 las vegas - session se31 - rothke
Interop 2011   las vegas - session se31 - rothkeInterop 2011   las vegas - session se31 - rothke
Interop 2011 las vegas - session se31 - rothkeBen Rothke
 
Infosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. HooperInfosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. HooperBen Rothke
 
Rothke effective data destruction practices
Rothke   effective data destruction practicesRothke   effective data destruction practices
Rothke effective data destruction practicesBen Rothke
 
Rothke computer forensics show 2010
Rothke   computer forensics show 2010Rothke   computer forensics show 2010
Rothke computer forensics show 2010Ben Rothke
 
The Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeThe Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeBen Rothke
 
Webinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS ComplianceWebinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS ComplianceBen Rothke
 
La nécessité de la dlp aujourd’hui un livre blanc clearswift
La nécessité de la dlp aujourd’hui   un livre blanc clearswiftLa nécessité de la dlp aujourd’hui   un livre blanc clearswift
La nécessité de la dlp aujourd’hui un livre blanc clearswiftBen Rothke
 
The Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White PaperThe Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White PaperBen Rothke
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 

More from Ben Rothke (20)

Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012  building a security operations center (soc)Rothke rsa 2012  building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)
 
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012   what happens in vegas goes on youtube using social networks...Rothke rsa 2012   what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
 
Rothke rsa 2013 - the five habits of highly secure organizations
Rothke   rsa 2013 - the five habits of highly secure organizationsRothke   rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizations
 
Rothke rsa 2013 - deployment strategies for effective encryption
Rothke   rsa 2013 - deployment strategies for effective encryptionRothke   rsa 2013 - deployment strategies for effective encryption
Rothke rsa 2013 - deployment strategies for effective encryption
 
E5 rothke - deployment strategies for effective encryption
E5   rothke - deployment strategies for effective encryptionE5   rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryption
 
Locking down server and workstation operating systems
Locking down server and workstation operating systemsLocking down server and workstation operating systems
Locking down server and workstation operating systems
 
Mobile security blunders and what you can do about them
Mobile security blunders and what you can do about themMobile security blunders and what you can do about them
Mobile security blunders and what you can do about them
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
Lessons from ligatt from national cyber security nationalcybersecurity com
Lessons from ligatt   from national cyber security nationalcybersecurity comLessons from ligatt   from national cyber security nationalcybersecurity com
Lessons from ligatt from national cyber security nationalcybersecurity com
 
Lessons from ligatt
Lessons from ligattLessons from ligatt
Lessons from ligatt
 
Interop 2011 las vegas - session se31 - rothke
Interop 2011   las vegas - session se31 - rothkeInterop 2011   las vegas - session se31 - rothke
Interop 2011 las vegas - session se31 - rothke
 
Infosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. HooperInfosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. Hooper
 
Rothke effective data destruction practices
Rothke   effective data destruction practicesRothke   effective data destruction practices
Rothke effective data destruction practices
 
Rothke computer forensics show 2010
Rothke   computer forensics show 2010Rothke   computer forensics show 2010
Rothke computer forensics show 2010
 
The Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeThe Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - Rothke
 
Webinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS ComplianceWebinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS Compliance
 
La nécessité de la dlp aujourd’hui un livre blanc clearswift
La nécessité de la dlp aujourd’hui   un livre blanc clearswiftLa nécessité de la dlp aujourd’hui   un livre blanc clearswift
La nécessité de la dlp aujourd’hui un livre blanc clearswift
 
The Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White PaperThe Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White Paper
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 

Recently uploaded

Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyotictsugar
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Riya Pathan
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchirictsugar
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Anamaria Contreras
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africaictsugar
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy Verified Accounts
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Seta Wicaksana
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?Olivia Kresic
 
Case study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailCase study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailAriel592675
 
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfKhaled Al Awadi
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfpollardmorgan
 
IoT Insurance Observatory: summary 2024
IoT Insurance Observatory:  summary 2024IoT Insurance Observatory:  summary 2024
IoT Insurance Observatory: summary 2024Matteo Carbone
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfJos Voskuil
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfRbc Rbcua
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCRashishs7044
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Kirill Klimov
 
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...ictsugar
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCRashishs7044
 

Recently uploaded (20)

Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyot
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchir
 
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCREnjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africa
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail Accounts
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?
 
Case study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailCase study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detail
 
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
 
IoT Insurance Observatory: summary 2024
IoT Insurance Observatory:  summary 2024IoT Insurance Observatory:  summary 2024
IoT Insurance Observatory: summary 2024
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdf
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdf
 
Japan IT Week 2024 Brochure by 47Billion (English)
Japan IT Week 2024 Brochure by 47Billion (English)Japan IT Week 2024 Brochure by 47Billion (English)
Japan IT Week 2024 Brochure by 47Billion (English)
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024
 
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
 

Infotec 2010 Ben Rothke - social networks and information security

  • 1. Social Networks and Information Security - Oxymoron or can you have both? Ben Rothke, CISSP PCI QSA Senior Security Consultant BT Professional Services April 13, 2010
  • 2. About me • Ben Rothke, CISSP CISM PCI QSA • Security Consultant – BT Professional Services • Full-time information security since 1994 • Frequent writer and speaker • Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill) 2
  • 3. BT in North America • Operating since 1988 • More than 4,000 employees in the US and Canada • Network Operations and Customer Service Centers in Atlanta GA, Boston MA, Los Angeles CA, Princeton NJ, Oakdale MN and Nutley NJ • Seven of the more than 30 BT acquisitions during recent years are HQ in the US, Infonet, Radianz, Counterpane, INS, Comsat, Wire One, Ribbit • More than 3,500 customers in the US and Canada, including 75% of F500 and 50% Fortune 1000 • Serving Canadian enterprises in 32 cities serving hundreds of major customer sites across the country • Of BT’s top 2,000 customers, 50%+ are headquartered or have major operations in the Americas
  • 4. Why BT for Security? Industry-leading resources 1,400 global practitioners Comprehensive event Operating 9 world Over 100 registered patents, with over 125 accredited correlation platforms and class SOCs globally 190 security papers and security professionals reporting tools 24/7/365 numerous books in the US With proven experience 6,000 security BT has delivered Monitoring 550 Filters over 75,000 security services to Over 1,500 firewalls networks with data engagements in the viruses from client over 75% of the under management from over 150 countries US since 1994 networks each month Fortune 500 and 335,000 devices Delivering an integrated services portfolio Incorporating industry- From assessment to leading technology & mitigation, on a global services, with Counterpane basis at the core Third party validation Many accreditations, including Leadership position in Highest capability BS 27001/ISO 17799, SAS70-II, Gartner’s 2007 North American maturity rating FIPS 140-2, CERT, FIRST, MSSP Magic Quadrant from NSA CLAS, SANS GIAC and CHECK
5. Agenda
• How can enterprises effectively use social networks while not putting their security and data at risk?
• Understanding and dealing with the security risks of social networks
• Making the security focus shift from infrastructure protection to data protection
• Social network security strategies for enterprises
• Social network security strategies for individuals
• Q/A
6. Why are enterprises interested in social networking?
7. Why this is a very cool information security topic
• Easy security tasks
  – Block all outbound ftp traffic
  – Require disclaimers on all outbound emails
  – Block admission to network if host AV signatures are not current
  – Require encryption on all outbound files to Moscow office
• Challenging security tasks
  – Stop end-users from inappropriate sharing of confidential and proprietary data via social networks
8. Why are people interested in social networking?
9. Social networking - then and now: Computer Associates
• 1990’s – President Charles Wang limits employees’ email usage
  – to 1 hour in the morning & afternoon
  – to emphasize face-to-face interaction rather than sending e-mails
• 2010 – Computer Associates is now on Twitter
  – http://twitter.com/cainc
10. Social networks are huge - and getting larger
• 75% of US online adults use social tools
  – up from 56% in 2007
  – The Growth Of Social Technology Adoption - Josh Bernoff, Forrester
11. The social web
• Social web is about communities, collaboration, peer production and user-generated content
• Business reputations are defined by customer opinions and ratings
• Press is delivered by independent bloggers
• Product development and insight is driven by customers
• Digital natives who have grown up with the Internet flood the workplace
• Your employees will likely expect to be part of the social web and they'll have a lot to contribute
• Source: Joshua-Michéle Ross
13. Resistance to social networks is futile
• Social networks are not a fad
• Prepare a strategy and have a realistic understanding of the risks and benefits of social software
• Understand the unique challenges with social networks and factor them into the decision on when and how to proceed
• Gartner - Major Challenges Organizations Face Regarding Social Software
14. Social networks are major news stories
15. But the security risks can’t be ignored
16. Social networks - security game-changer
• Organizations and management are struggling
  – to understand and deal with the security risks of social networks
• Traditional information security
  – firewalls and access control protected the perimeter
  – social networks open up that perimeter
• Focus shift
  – from infrastructure protection to data protection
• DLP (data loss prevention) tools
  – becoming the new firewall for the social web
• Bypass corporate services
  – Facebook for email
  – Skype as a telephone system
  – Gmail for instant messaging
17. Security issues
• There are legitimate risks with allowing uncontrolled access to social networking sites
  – risks can be mitigated via a comprehensive security strategy
• Security and trust
  – social networks require a full taxonomy of security
  – people are much more trusting of a message from a friend or colleague on a social network than they are of an e-mail
  – people are used to e-mails being forged
• People will share extraordinary amounts of highly confidential personal and business information with people they perceive to be legitimate
18. Social media risks

Risk | Description | Security? | Type?
Malware | Infection of desktops, propagation of malware through staff or corporate profiles on social-media services. | Yes | Technology
Chain of providers | Mashups of applications within a social-media service enable the untraceable movement of data. | Yes | Technology
Interface weaknesses | Public application interfaces are not sufficiently secured, exposing users to cross-site scripting and other exploits. | Yes | Technology
Reputation damage | Degradation of personal and corporate reputations through posting of inappropriate content. | No | Content
Exposure of confidential information | Loose lips sink ships, breach of IP or other trade secrets, breach of copyright, public posting or downloading of private or sensitive personal information. | Yes | Content
Legal exposure | Legal liabilities resulting from posted content and online conversations or failure to meet a regulatory requirement to record and archive particular conversations. | Yes | Content
Revenue loss | For organizations in the information business, making content freely available may undercut fee-based information services. | Yes | Content
Staff productivity | Workers failing to perform due to the distraction of social media. | No | Behavior
Hierarchy subversion | Informal social networks erode authority of formal corporate hierarchy and defined work processes. | No | Behavior
Social engineering | Phishing attacks, misrepresentation of identity and/or authority to obtain information illicitly or to stimulate damaging behaviors by staff. | Yes | Behavior
Identity fraud | Profiles and postings that are erroneously attributed to a staff member or corporate office. | Yes | Behavior

Source: Gartner – Report G00173953 - February 2010
19. How information security groups lose the social media war
• Social media security requires a combination of technical, behavioral and organizational security controls
  – Many information security groups are clueless on how to do that
• Arguing that social media presents unmanageable security risks gives the impression that the information security group is incompetent
• Too much use of the FUD (fear, uncertainty and doubt) factor as part of their argument
20. Social network postings are immortal
• Physics 101 - Law of conservation of energy
  – total amount of energy in an isolated system remains constant
  – energy can’t be destroyed - can only change form
• Social networks physics 101
  – Internet - huge database of unstructured content with an infinite life
  – once confidential data is made public, it can never be made confidential again
  – once data is posted in a Web 2.0 world, it exists forever, somewhere
• RSS feeds can’t be unfed
  – difficulty of complete account deletion
    • users wishing to delete accounts from social networks may find that it’s almost impossible to remove secondary information linked to their profile, such as public comments on other profiles
21. Security issues - aggregation
• Aggregation
  – process of collecting content from multiple social network services
  – consolidates multiple social networking profiles into one profile
• Google OpenSocial
  – defines a common API for social applications across multiple websites
  – with standard JavaScript and HTML, developers can create apps that access a social network’s friends and update feeds
• Long-term anonymity is nearly impossible
  – users leave traces: IP addresses, embedded links, IDs in files, photos, etc.
  – no matter how anonymous one tries to be, eventually, with enough traces, aggregation will catch up
22. Security and privacy risks
• Malware
  – social networks used as a malware distribution point
• Vulnerabilities
  – cross site scripting (XSS), cross site request forgery (CSRF)
  – 1 in 5 web attacks aimed at social networks
• Corporate espionage
• Phishing / spear phishing
• Bandwidth consumption
• Information leakage
• Social engineering attacks
• Content-based Image Retrieval (CBIR)
  – emerging technology that matches features, such as identifying aspects of a room (e.g. a painting) in very large databases, increasing the possibilities for locating users
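Slide 22 names XSS and CSRF as the two vulnerability classes most often found in social-network application interfaces. The following is an added example, not part of the presentation and not code from any social network, showing the defender's side of both in a minimal comment-posting handler: a vulnerable renderer that interpolates user input straight into HTML next to the escaped version, and a CSRF check that binds a per-session token to a server-side secret. The session id, form field names and `example` markup are assumptions made for the example.

```python
import hashlib
import hmac
import html
import secrets

# Server-side secret used to derive CSRF tokens; generated at process start.
# In a real deployment this would be loaded from configuration, not generated here.
_CSRF_SECRET = secrets.token_bytes(32)


def render_comment_vulnerable(author: str, body: str) -> str:
    """The weak pattern: user-controlled text is dropped into the page unescaped.
    Any '<script>' or event-handler attribute in 'body' runs in every viewer's browser."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_safe(author: str, body: str) -> str:
    """Hardened: html.escape() turns <, >, &, quotes into entities, so the text is
    displayed literally instead of being parsed as markup."""
    return (f'<div class="comment"><b>{html.escape(author)}</b>: '
            f'{html.escape(body)}</div>')


def make_csrf_token(session_id: str) -> str:
    """Derive a token from the session id with an HMAC over the server secret.
    A forged cross-site form cannot know the secret, so it cannot produce the token."""
    return hmac.new(_CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_post_comment(session_id: str, form: dict) -> tuple:
    """Assumed request handler: returns (HTTP status, response body).
    The token comparison is constant-time to avoid leaking it byte by byte."""
    presented = form.get("csrf_token", "")
    expected = make_csrf_token(session_id)
    if not hmac.compare_digest(presented, expected):
        return 403, "rejected: missing or invalid CSRF token"
    author = form.get("author", "")
    body = form.get("body", "")
    return 200, render_comment_safe(author, body)


if __name__ == "__main__":
    # Constructed sample input: a comment body carrying markup.
    hostile_body = "<script>alert(1)</script>"
    print("vulnerable:", render_comment_vulnerable("mallory", hostile_body))
    print("safe:      ", render_comment_safe("mallory", hostile_body))

    sid = "session-abc123"  # constructed session id
    print(handle_post_comment(sid, {"author": "alice", "body": "hi"}))
    print(handle_post_comment(sid, {"author": "alice", "body": "hi",
                                    "csrf_token": make_csrf_token(sid)}))
```

The same two checks apply to any user-generated field a social application echoes back (profile names, status updates, mashup widgets): escape on output, and require a secret-bound token on every state-changing request.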
23. Mission Impossible 1999 is social networking 2010
• Your mission
  – find 20 divorced/single female design engineers based in the US at Boeing Integrated Defense Systems
  – build a rapport with them
  – get critical data or designs for new fighter under development
• Time / Budget / Success
  – 1999 – Many people, many months, limited success, very expensive
  – 2009 – One person, multiple Facebook accounts, can outsource to India, near immediate results, extremely high success rate
• Facebook makes it easy to find out who these women are
  – who their friends are (likely other single women at Boeing)
  – what they like, where they shop, their daily habits, their friends, entertainment, and much more
24. Social networks and information security
• Social networks and security are compatible
  – requires effort, staff, and a formalized plan of action
• Formalized, comprehensive social networking strategy
  – there are no social network security appliances
• Public corporations
  – subject to SEC disclosure obligations, must deal with fair disclosure rules
  – inside information on a social network is a regulatory violation
  – must have formal logging and archiving in place for social networks
25. Strategies and action items for enterprises to deal with the security and privacy risks of social networks
26. Get in front of the social network wave
• Organizations must be proactive
  – dedicated team to deal with social networks
  – ability to identify all issues around social networks
• Get involved and be engaged
• Social networking is moving fast
  – dynamic technology
  – requires a proactive protection approach
• Be flexible
  – overall uncertainty about what strategies and tactics to adopt to secure social media
27. Risk assessment
• Social media creates new opportunities for fraud and abuse
• Enables a wide range of abuses
  – Must be anticipated and evaluated to construct appropriate security plans and controls
• Perform social network risk assessment
  – create risk assessment for each social network community
  – vulnerabilities associated with specific sites
  – which users are the greatest risk?
  – output will be used to create the social media policy and strategy
  – customized to your specific risk matrix
  – balance the risks vs. benefits
    • US Marines – totally prohibited
    • Starbucks – totally embraced
28. Social media strategy
• Strategy and policy should be based on your social media goals
• Take into account any special laws or rules
• Identify people or positions who will be the online public face of the firm
• Decide if and how employees may identify themselves
• Involve risk managers in your planning
• Draconian policies preventing the use of social media will not be effective
• Use a balanced approach
  – allow access
  – manage risk via technical controls, policies and employee training
29. Monitoring
• Maintain control over content the company owns
  – monitor employee participation on social networking sites
  – significant risk of loss of IP protection if not monitored
  – when inappropriate use of enterprise content occurs, notify the employee and explain how their actions violated policy
  – control where and how corporate content is shared externally
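Slide 16 describes DLP tools as "the new firewall for the social web" and slide 29 asks for monitoring of where corporate content is shared externally. As an added example that is not part of the presentation and not any vendor's DLP product, the block below sketches the core of such a control: outbound posts are scanned for classification markers and for patterns that identify regulated data, and each post gets a verdict (allow, warn, block) that a policy enforcement point or a monitoring console could act on. The classification markers, the `example-corp.com` internal domain, the `PROJECT-` codename convention and all sample posts are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Assumed document-classification markers an enterprise stamps on its content.
CLASSIFICATION_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY", "RESTRICTED")

# Detection patterns for data that must not leave via a social post.
PATTERNS = {
    # US SSN layout; one kind of PII whose exposure triggers breach-notice duties
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 13-16 digits with optional spaces/dashes; validated with Luhn below
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    # Assumed internal mail domain (address formats are themselves leakage)
    "internal_email": re.compile(r"[\w.+-]+@example-corp\.com\b", re.IGNORECASE),
    # Assumed internal project codename convention
    "project_codename": re.compile(r"\bPROJECT-[A-Z]{3,}\b"),
}

# Rules whose hits are serious enough to stop the post outright.
BLOCK_RULES = {"classification_marker", "ssn", "credit_card"}


@dataclass
class Finding:
    rule: str
    snippet: str


@dataclass
class Verdict:
    action: str                      # "allow", "warn" or "block"
    findings: list = field(default_factory=list)


def luhn_ok(number: str) -> bool:
    """Luhn checksum; filters out phone numbers and other digit runs that
    merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_post(text: str) -> Verdict:
    """Classify one outbound post. Block on markers or regulated data,
    warn on internal identifiers, otherwise allow."""
    findings = []
    for marker in CLASSIFICATION_MARKERS:
        if marker in text:
            findings.append(Finding("classification_marker", marker))
    for rule, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            snippet = match.group(0).strip()
            if rule == "credit_card" and not luhn_ok(snippet):
                continue
            findings.append(Finding(rule, snippet))
    if any(f.rule in BLOCK_RULES for f in findings):
        action = "block"
    elif findings:
        action = "warn"
    else:
        action = "allow"
    return Verdict(action, findings)


if __name__ == "__main__":
    # Constructed sample posts as they might be captured at a web proxy.
    sample_posts = [
        "Loved the team offsite today! Photos coming soon.",
        "Ping me at jane.doe@example-corp.com for the slides",
        "Excited about PROJECT-FALCON, can't say more yet",
        "CONFIDENTIAL: Q3 margin is down 4%, do not share",
        "Card 4111 1111 1111 1111 expires next month",
        "Card 1234 5678 9012 3456 is a made-up number",
    ]
    for post in sample_posts:
        verdict = scan_post(post)
        hits = ", ".join(f"{f.rule}={f.snippet}" for f in verdict.findings) or "-"
        print(f"{verdict.action:5}  {hits:45}  {post}")
```

In practice the "warn" path is where slide 29's guidance applies: the post is logged, the employee is told which rule fired and why it matters, and the pattern list is tuned from those cases. Pattern matching alone misses paraphrased confidential content, which is why the slides pair DLP with awareness training rather than relying on either one.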
30. Social network assessments
• Perform a LinkedIn analysis
• From LinkedIn you can tell:
  – what technologies a company is using
  – corporate direction
  – vendors
  – partners
  – internal email addresses and address formats
• Perform a Facebook analysis
• From Facebook you can tell:
  – almost everything
31. Define corporate social media policy and strategy
• Social networks blur the boundary between company roles
  – who speaks for the company on a blog, Twitter, Facebook
  – border between the company and the outside world is evaporating
  – this is a management decision, not an IT decision
  – strategies: block, contain, disregard, embrace
  – create user scenarios
    • not all users need access
    • see Twitter strategy for Government Departments
  – ensure your corporate social media strategy is realistic
    • view webinar by Joshua-Michele Ross on how to do this
32. Corporate social networking policy
• Social networking policy is a must
  – even if it prohibits everything, you still need a policy
• Policies are needed because employees do stupid things
• Define a rational, sensible use of social media services
  – include photography and video
  – don’t reference clients, customers, or partners without obtaining their express permission
• Data classification
  – create a data classification program
  – users need to be able to know precisely the different data classification levels
33. Security awareness
• Social media is driven by social interactions
• Most of the significant risks are tied to the behavior of staff when they are using social software
• Governance of staff behavior must take into account both the technical capabilities of the social software and the relative tendency of staff to engage in risky behavior in social media
• Don't shun social media for fear of bad end-user behavior
  – Anticipate it and formulate a multilevel approach to policies for effective governance
• 3 C’s: clear, comprehensive, continuous
34. Security awareness
• Awareness and training program is critical
  – must be effectively communicated and customized
  – disseminate to everyone
  – ensure recurrent training
  – create topic taboo lists
  – define expectations of privacy
• Link social networking training to other related training
  – business ethics, standards of conduct, industry-specific regulations
• Public companies
  – at risk for disclosure of insider information
  – even if not at fault, assertion of insider disclosure is expensive, embarrassing and time consuming
35. Guidelines
• Without clear guidelines, breaches are inevitable
• Excellent sources:
  – Intel Social Media Guidelines
  – IBM Social Computing Guidelines
    • directives for blogs, wikis, social networks, virtual worlds and social media
36. Regulatory
• Regulatory compliance must be considered
  – social networks present numerous scenarios which weren’t foreseen when current legislation and data protection laws were created
  – regulatory framework governing social networks should be reviewed and, where necessary, revised
  – consider what specific laws/regulations/standards apply
  – all breach notice laws are relevant
    • if customer or employee PII is posted, breach response plans would likely need to be followed and notices would need to be sent
    • HIPAA and expanded responsibilities under ARRA HITECH
    • newly released final breach response rules from the HHS
37. EU and social networks
• EU Data Privacy Directives
  – EU Directive on Data Protection 95/46/EC
  – Data Protection Working Party Opinion 5/2009
  – EU countries take personal privacy very seriously
    • tagging of images with personal data without the consent of the subject of the image violates the user’s right to informational self determination
    • blanket monitoring and logging is unacceptable in the EU
    • many more privacy details need to be considered
• Review ENISA position paper
  – Security Issues and Recommendations for Online Social Networks
  – Online as Soon as it Happens
38. Human resources
• Human resources must be involved
  – social networks open up a huge can of HR worms
  – what are disciplinary actions for non-compliance?
  – candidate’s social network presence as a factor in the hiring process?
  – create directives for managing personal and professional time
  – don’t be seen as encroaching on your employees’ free speech rights
  – put out reasonable guidelines
  – explain how innocent postings can be misconstrued
  – but… a too heavy-handed approach will often backfire and result in lower morale and often bad publicity
39. Hardware and software solutions
• Gartner
  – Market for security controls for social media is relatively immature
  – Security managers need to develop control environments that incorporate new tools and techniques to monitor and control user activity and data movement
  – IT organizations have concentrated for too long on using technical controls to ensure that IT and business resources are used appropriately
  – In some situations, social guidelines can be more effective than technical controls
40. Reputation management
• Traditional PR and legal responses to an Internet-based negative reputation event can cause more damage than doing nothing
• Understanding how to establish, follow and update protocols can make social-media chaos less risky to enterprises
• Information security should coordinate activities with PR teams to expand monitoring and supplement monitoring with investigations and evidence collection processes
41. Dealing with reactive chaos
• Rare for companies to have the tools and skills to conduct an investigation into the origins of inappropriate material and the identity of the individuals involved in social media breaches
• CSIRTs are called on to provide investigation support
  – but often contacted late
• Optimal approach
  – monitoring and managing social media and incident response requires an approach that combines the efforts and capabilities of the PR, HR and information security teams
43. Reputation management
• Goal is to build and protect a positive Internet-based reputation
• Risks to reputation are significant and growing with the increased use of social networks
• Create reputation management group with input from IT, legal, risk management, PR and marketing
• Coordinated approach
  – proactive / responsive
44. Strategies and action items for individuals to deal with the security and privacy risks of social networks
45. Let’s be careful out there
• You can lose your job
  – policy violation
  – managers and executives - special responsibility when blogging by virtue of their position
  – too much time on social network sites
  – perception that you are promoting yourself at the expense of the company
  – especially if your employer is not into social networking
• Don’t embarrass yourself, friends, family, coworkers
• Be aware of the dark side of social networks
  – divorce
  – cyberbullies
  – see MySpace suicide case
46. Action items – individual user
• Curb your enthusiasm
  – those with OCD/addictive personalities must ensure they know the addictive nature of social networking
  – what is fun today is embarrassing tomorrow
  – don’t post comments that you don’t want the entire world to see
  – consider carefully which images, videos and information you publish
  – set daily limits on how much time you will spend
• When at work
  – you are being paid to work when you are at work
  – don’t abuse the trust your employer had in hiring you
47. Social incrimination
• Everything you post may be used against you
  – be judicious when posting, especially photos/videos
    • copyright issue
    • camcorders now have Direct Upload to YouTube capabilities
• Don’t post a photo that you don’t want the world to see
• Watch that pose
  – the world will see you in that photo
  – images give away private data about other people, especially when tagged with metadata
• Enable Facebook security controls
  – 10 Privacy Settings Every Facebook User Should Know
48. Action items – individual user
• Limited security capabilities
  – don’t assume social network sites will give you privacy or confidentiality
  – especially over the long term, when items are cross-posted/shared
• Ensure you know about and are compliant with your employer’s social media guidelines
  – if you post something corporate, ensure that it is public information
  – be careful about posting customer information, even if it is public
  – breach of insider information can cost you your job
  – know the rules of using social networking sites while you’re at work
  – take extra care if you friend your boss on Facebook
  – Facebook is viral and addictive – don’t waste your workday on it
49. Action items – individual user
• Bad social networking can lead to career suicide
• Use and maintain anti-virus software
• HR is looking
  – 45% of employers now screen social media profiles
• Realize the inherent tension in social networks
  – know your limits
  – social networks are like a party
  – point is to have fun without humiliating yourself
• Choose good passwords
  – follow password creation rules
  – don’t use the same password across multiple social networks
50. Action items – individual user
• Don’t accept every Facebook invitation
• Realize you are a target for social engineers
• Be aware of friends asking for salami
• What does your friends’ list say about you?
• Something you post today, or a YouTube video you appear in, can haunt you for the rest of your life
• Trust but verify all invitations
• Limit the amount of personal information you post
  – do you really need to post your birthday?
  – get in the habit of not sharing personal data
51. Action items – individual user
• Be careful when taking surveys
  – especially on Facebook
  – answers can be aggregated by bogus surveys to launch a social engineering attack
  – password recovery answers
• Not everything needs to be commented on
  – Think twice before posting about
    • interviews
    • complaints about long/boring meetings
    • complaints about coworkers, management, bosses, etc.
    • off the cuff remarks
52. Children
• Especially susceptible to social network threats
  – kids misrepresent their age to join sites that have age restrictions
  – kids post more information in their pictures than was intended, such as hobbies, interests, location of their school
• Teach your kids about Internet safety
  – be aware of their online habits, guide them to appropriate sites
  – they should never meet in person anyone they met online
• Parents must ensure that their children become safe and responsible users
• National Cyber Alert System Cyber Security Tip ST05-002 – Keeping Children Safe Online
  – http://www.us-cert.gov/cas/tips/ST05-002.html
53. Conclusions / Q&A
• Social networks introduce significant security risks
• Companies must recognize these risks and take a formal approach to deal with them
• Individuals can’t be naïve about their responsibilities
• Social networks and security - not an oxymoron
  – as long as social network security is part of a comprehensive corporate information security program
  – and end-users and individuals are aware of the risks and their responsibilities
54. Contact information
Ben Rothke, CISSP PCI QSA
Senior Security Consultant
BT Professional Services
ben.rothke@bt.com
www.linkedin.com/in/benrothke
www.twitter.com/benrothke