Bridging the Social Media Implementation/Audit Gap

It's one thing to embrace social media, but it's another thing entirely to embrace it securely. This presentation helps organizations understand what steps should be taken to ensure that their social media properties aren't abused or exploited to attack the organization.

Transcript

  • 1. Bridging the Social Media Implementation/Audit Gap Jerod Brennen, CISSP CTO and Principal Security Consultant, Jacadis
  • 2. Agenda
      • Perspective
      • Preparation
      • Implementation
      • Monitoring
      • Resources
  • 3. The Five W’s
      • Who?
      • What?
      • When?
      • Where?
      • Why?
      • How?
    [Image courtesy of Master Isolated Images / FreeDigitalPhotos.net]
  • 4. Strategy (Who + Why + When)
      • Risk vs. Reward
          ▫ Customer interaction
          ▫ Revenue streams
          ▫ Malware attack vectors
          ▫ Legal and HR concerns
      • While revenue may be on the rise…
          ▫ … so are social engineering attacks
    Image from http://www.isaca.org/About-ISACA/Pressroom/News-Releases/2010/PublishingImages/SocialMedia-Business-Risks.JPG
  • 5. Risk vs. Reward
    Risks
      • Disclosure of corporate assets and sensitive (privileged) information to unauthorized parties
      • Violations of legal and regulatory requirements
      • Loss of competitive advantage
      • Loss of customer confidence
      • Loss of reputation
      • Dissemination of false or fraudulent information
      • Inappropriate or unapproved use of company intellectual property such as logos or trademarked material
    Rewards
      • Increasing brand recognition
      • Increasing sales
      • Immediately connecting with prospective customers
      • Exploring new advertising channels
      • Monitoring competition
      • Researching prospective employees
    From WAPSM-Social-Media-Research-1Feb2011.doc, pages 11-12
  • 6. Regulatory Concerns
      • FINRA (Financial Industry Regulatory Authority)
          ▫ Regulatory Notice 10-06
          ▫ Regulatory Notice 11-39
      • Advertisements
          ▫ Public websites & banner ads
      • Sales Literature
          ▫ Email or IM to 25+ prospective retail customers
          ▫ Password-protected websites
      • Correspondence
          ▫ Email or IM to 1 customer
          ▫ Email or IM to 1+ existing customers and/or <25 prospective retail customers
      • Public Appearances
          ▫ “Content posted in a real-time interactive electronic forum”
    From http://www.finra.org/industry/issues/advertising/p006118
  • 7. Scope (What + Where)
  • 8. Scope, per ISACA
      • Current social media tools include:
          ▫ Blogs (e.g., WordPress, Drupal™, TypePad®)
          ▫ Microblogs (e.g., Twitter, Tumblr)
          ▫ Instant messaging (e.g., AOL Instant Messenger [AIM™], Microsoft® Windows Live Messenger)
          ▫ Online communication systems (e.g., Skype™)
          ▫ Image and video sharing sites (e.g., Flickr®, YouTube)
          ▫ Social networking sites (e.g., Facebook, MySpace)
          ▫ Professional networking sites (e.g., LinkedIn, Plaxo)
          ▫ Online communities that may be sponsored by the company itself (Similac.com, “Open” by American Express)
          ▫ Online collaboration sites (e.g., Huddle)
    From WAPSM-Social-Media-Research-1Feb2011.doc, page 11
  • 9. Implementation (How)
      • Begin at the beginning
          ▫ Meet with Marketing, HR, Legal, and IT to discuss risks and benefits
      • Define policy
          ▫ More on this later…
      • Document training requirements
          ▫ Employees
          ▫ Consultants & Contractors
          ▫ Vendors & Partners
      • Document procedures and controls
          ▫ Access Requests
          ▫ Monitoring
          ▫ Assessing
  • 10. Audit/Assurance Program (1 of 3)
      • Available at http://www.isaca.org/Knowledge-Center/ITAF-ITAssurance-Audit-/Audit-Programs/Documents/WAPSM-SocialMedia-Research-1Feb2011.doc
      • Aligned with COBIT (cross-references)
      • Planning and Scoping the Audit
          ▫ Define the audit/assurance objectives
          ▫ Define the boundaries of the review
          ▫ Identify and document risk
          ▫ Define the change process
          ▫ Define assignment success
          ▫ Define the audit/assurance resources required
          ▫ Define deliverables
          ▫ Communicate
  • 11. Audit/Assurance Program (2 of 3)
      • Strategy and Governance
          ▫ Risk Management
          ▫ Policies
      • People
          ▫ HR Function
          ▫ Training/Awareness
          ▫ Staffing
  • 12. Audit/Assurance Program (3 of 3)
      • Processes
          ▫ Social Media Alignment With Business Processes
          ▫ Social Media Brand Protection
          ▫ Access Management of Social Media Data
      • Technology
          ▫ Social Media Technology Infrastructure
          ▫ Monitoring Social Media and Effect on Technology
  • 13. Policy and Training
      • Personal use in the workplace:
          ▫ Whether it is allowed
          ▫ The nondisclosure/posting of business-related content
          ▫ The discussion of workplace-related topics
          ▫ Inappropriate sites, content or conversations
      • Personal use outside the workplace:
          ▫ The nondisclosure/posting of business-related content
          ▫ Standard disclaimers if identifying the employer
          ▫ The dangers of posting too much personal information
      • Business use:
          ▫ Whether it is allowed
          ▫ The process to gain approval for use
          ▫ The scope of topics or information permitted to flow through this channel
          ▫ Disallowed activities (installation of applications, playing games, etc.)
          ▫ The escalation process for customer issues
    From http://www.isaca.org/Knowledge-Center/Research/Documents/Social-Media-Wh-Paper26-May10-Research.pdf?id=c1f7b9d8-516d-40c1-8087-e3b0e6cd138c
  • 14. Recurring Assessments
      • Risk Assessment
          ▫ SOX, PCI, HIPAA, etc.
          ▫ Did your previous assessment(s) include social media?
      • Penetration Test
          ▫ Is social engineering in scope?
  • 15. Preventative Controls
      • Antivirus → Endpoint Security
          ▫ Prevent devices from being infected with malware
          ▫ Also, host-based firewall and URL filtering
      • URL Filtering
          ▫ Prohibit access to certain websites from corporate devices
      • Training
          ▫ How to use social media responsibly
          ▫ How to identify and respond to social engineering attacks
      • Data Loss/Leakage Prevention
          ▫ Prevent sensitive corporate information from being transmitted via email, instant messaging, file uploads, etc.
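The URL-filtering control on the slide above comes down to one decision per request: does the host the device is actually talking to fall under a blocked domain? The matching is where filters go wrong, so the following added example (not code from the presentation or from Jacadis) shows the host normalisation and label-wise suffix matching that a filter needs. The category names, the `.example` domains, the marketing exception and the sample requests are all constructed for illustration.

```python
"""Hostname-based URL filter for corporate devices.

Added example, not from the presentation. The blocked domains, the
category names and the marketing exception are constructed for
illustration; a real deployment takes them from the policy agreed
with Marketing, HR, Legal and IT.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed policy: category -> domains; subdomains of each are covered too.
BLOCKED: dict[str, set[str]] = {
    "personal-social": {"socialsite.example"},
    "file-sharing": {"uploads.example"},
}
# Constructed exception: the approved corporate account host Marketing uses.
ALLOWED_EXACT: set[str] = {"business.socialsite.example"}


def hostname_of(url: str) -> str | None:
    """Extract a normalised host: lowercase, no userinfo, no port, no trailing dot.

    urlsplit().hostname already lowercases and drops 'user@' and ':port', so
    'http://socialsite.example@attacker.example/' resolves to attacker.example,
    not to the blocked name that merely appears in the URL text.
    """
    if "://" not in url:
        url = "http://" + url          # proxy logs often carry a bare host/path
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def matches_domain(host: str, domain: str) -> bool:
    """Label-wise suffix match.

    A naive substring test would treat 'socialsite.example.attacker.example'
    and 'notsocialsite.example' as the blocked site; this matches only the
    domain itself or hosts ending in '.' + domain.
    """
    return host == domain or host.endswith("." + domain)


def classify(url: str) -> str | None:
    """Return the blocked category for url, or None if the request may proceed."""
    host = hostname_of(url)
    if host is None:
        return "unparseable"           # fail closed: block what cannot be parsed
    if host in ALLOWED_EXACT:
        return None
    for category, domains in BLOCKED.items():
        if any(matches_domain(host, d) for d in domains):
            return category
    return None


# Constructed sample of requests as a proxy would see them.
SAMPLE_REQUESTS = [
    "https://www.socialsite.example/feed",
    "HTTPS://SOCIALSITE.EXAMPLE:8443/login",
    "https://business.socialsite.example/insights",
    "http://socialsite.example.attacker.example/",
    "http://socialsite.example@attacker.example/",
    "http://notsocialsite.example/",
    "uploads.example/put",
    "https://intranet.corp.example/",
]


def filter_requests(urls=SAMPLE_REQUESTS) -> dict[str, str | None]:
    """Map each sample URL to its verdict (category string or None for allow)."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in filter_requests().items():
        print(f"{('BLOCK ' + verdict) if verdict else 'allow':<22} {url}")
```

The two look-alike requests (`socialsite.example.attacker.example` and `socialsite.example@attacker.example`) are allowed by this filter because they really do go to `attacker.example`; whether that host should itself be blocked is a separate policy decision, and it is the reason the exception list is keyed on exact hostnames rather than substrings.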
  • 16. Detective Controls
      • Content Filtering
          ▫ Configure email and web security solutions to monitor for patterns in outbound messages
      • Google Hacking
          ▫ Using powerful customized Google search queries to gather information
      • Monitoring Tools (e.g., Maltego)
          ▫ Open source intelligence and forensics tool
      • Monitoring Services (e.g., RiskIQ)
          ▫ Monitor web-based content for threats and fraud
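"Monitor for patterns in outbound messages" is the detective side of the DLP control from the previous slide, and the patterns are where a deployment lives or dies: a bare card-number regex fires on every order number and timestamp, and the help desk switches it off within a week. The following added example (not code from the presentation or from Jacadis) scans constructed outbound email, IM and file-upload content for card numbers validated with Luhn, US SSNs checked against the ranges the SSA never issues, classification markers, and a hypothetical internal codename (`Project Bluefin`). The messages and the codename are constructed for illustration.

```python
"""Outbound content filter: flag messages carrying patterns the DLP policy forbids.

Added example, not from the presentation. The four messages below are
constructed, and 'Project Bluefin' stands in for whatever internal
codenames a real policy would list.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    channel: str   # email, im, file-upload, ...
    rule: str
    match: str


# 13-19 digits with an optional single space or dash between digits (how cards get typed).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN written as AAA-GG-SSSS.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Classification markers the policy says must not leave the company.
MARKER_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY|DO NOT DISTRIBUTE)\b", re.IGNORECASE)
# Hypothetical internal project codename.
PROJECT_RE = re.compile(r"\bProject Bluefin\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. Order numbers and timestamps are long digit runs too;
    requiring a valid check digit removes most of those false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Drop values the SSA never assigns: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def scan(channel: str, text: str) -> list[Finding]:
    """Run every rule over one outbound message and return what matched."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(Finding(channel, "card-number", m.group()))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding(channel, "ssn", m.group()))
    for m in MARKER_RE.finditer(text):
        findings.append(Finding(channel, "classification-marker", m.group()))
    for m in PROJECT_RE.finditer(text):
        findings.append(Finding(channel, "project-codename", m.group()))
    return findings


# Constructed outbound traffic: two negatives a naive regex would flag
# (an order number, a placeholder SSN) and true positives across the
# channels the previous slide lists.
SAMPLE_MESSAGES = [
    ("email", "Hi Sam, order 1234567890123 shipped on 2024-01-15. Thanks!"),
    ("im", "can you charge it to 4111-1111-1111-1111 exp 12/27? thx"),
    ("file-upload", "Q3 roadmap, INTERNAL ONLY. Project Bluefin launches after the audit."),
    ("email", "Ticket 000-12-3456 is a placeholder; the customer's real SSN is 078-05-1120"),
]


def scan_all(messages=SAMPLE_MESSAGES) -> list[Finding]:
    """Scan every (channel, text) pair and return the findings in order."""
    return [f for channel, text in messages for f in scan(channel, text)]


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f.channel:<12} {f.rule:<22} {f.match}")
```

The card test number 4111 1111 1111 1111 passes Luhn and is flagged; the 13-digit order number in the first message matches the same regex but fails the checksum and is ignored, as is the 000-area SSN. In a real gateway the same rules run on MIME parts and decoded attachments, not only on the message body, and the match text is logged hashed or masked so the alert itself does not become a second leak.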
  • 17. Resources
      • ISACA documents
          ▫ Social Media Audit/Assurance Program
               http://www.isaca.org/Knowledge-Center/ITAF-IT-Assurance-Audit-/AuditPrograms/Documents/WAPSM-Social-Media-Research-1Feb2011.doc
          ▫ Social Media: Business Benefits and Security, Governance, and Assurance Perspectives
               http://www.isaca.org/Knowledge-Center/Research/Documents/Social-Media-WhPaper-26-May10-Research.pdf
      • Related Documents
          ▫ CDC – Social Media Security Mitigations
               http://www.cdc.gov/socialmedia/tools/guidelines/pdf/securitymitigations.pdf
          ▫ Ponemon – Global Survey on Social Media Risks
               http://www.websense.com/content/ponemon-institute-research-report-2011.aspx
          ▫ Social Media Standard, State of California
               http://www.cio.ca.gov/Government/IT_Policy/pdf/SIMM_66B.pdf
          ▫ Wikipedia – List of Active Social Networking Sites
               http://en.wikipedia.org/wiki/List_of_social_networking_websites
  • 18. Resources
      • FINRA
          ▫ Regulatory Notice 10-06
               http://www.finra.org/Industry/Regulation/Notices/2010/P120760
          ▫ Regulatory Notice 11-39
               http://www.finra.org/Industry/Regulation/Notices/2011/P124187
          ▫ Advertising Information
               http://www.finra.org/Industry/Issues/Advertising/index.htm
      • Securing Social Media Profiles
          ▫ Facebook
               http://slandail.posterous.com/four-steps-to-secure-your-facebook-profile
          ▫ Twitter
               http://www.mediabistro.com/alltwitter/twitter-security-101_b11985
          ▫ LinkedIn
               http://www.cio.com/article/485489/LinkedIn_Privacy_Settings_What_You_Need_to_Know
  • 19. Resources
      • Securing Corporate Blogs
          ▫ Hardening WordPress
               http://codex.wordpress.org/Hardening_WordPress
          ▫ 11 Best Ways to Improve WordPress Security
               http://www.problogdesign.com/wordpress/11-best-ways-to-improvewordpress-security/
      • Tools and Services
          ▫ Google Hacking Database (GHDB)
               http://www.hackersforcharity.org/ghdb/
          ▫ Maltego
               http://www.paterva.com/web5/
          ▫ Risk IQ
               http://www.riskiq.com/
          ▫ Jacadis
               http://www.jacadis.com/
  • 20. Questions? Jerod Brennen, CISSP contact@jacadis.com 614.819.0151 http://www.linkedin.com/in/slandail http://twitter.com/#!/slandail