Risk Assessment of Social Media Use v3.01
This is a presentation slide deck from the ISC2 Congress 2012 Session 3283 about identifying the risks of using social media in the enterprise.

Published in: Internet, Technology, Business
  • Robert Shullich is a member of the professional staff of SystemExperts Corporation
    and is a Graduate student in the Forensics Computing program at John Jay College of
    Criminal Justice (CUNY). He holds a BS and MS in Computer Science from the College
    of Staten Island (CUNY), MBA from Baruch College (CUNY), and an MS in
    Telecommunications Networking from NYU/Polytechnic University. He serves on the
    SANS Advisory Board. With over 40 years in IT including disciplines of Mainframe
    Operations, Systems Programming, Program Application Development, LAN
    Administration, Networking, IT Risk Management, Security Architecture and
    Information Security, he holds many professional computer certifications including: CPP,
  • These technologies provide new attack vectors to attack the user, the organization, and data.
    Figure out where you are going.
    The landscape is very complex and confusing – it is on the innovative edge, and there is not enough guidance, as Social Media is a work in progress.
  • No patch for the Human
    The Human becomes the weakest link
    Social Media becomes a large threat to security; SM and Mobile are becoming the platform of choice for attacks.
  • If someone develops personal habits and exhibits certain behavior, will those habits and behavior carry over to the workplace?
    The boundaries between personal and work life also become blurred as companies make use of social media (originally designed for personal use) for business purposes, and likewise employees access personal sites while at work.
    A 2011 DLA Piper survey found social media is used for personal and work-related activities by 95% of employees.

    Duty of Care
    Social media blurs the boundaries between personal and work life. When personal opinions expressed through social media (either on a personal profile or an online forum) refer to a company, it raises an ethical challenge. It is unclear what control, if any, the company has over comments communicated in this way and what action it can/should take.

  • Well, I guess not always a dog
    Can’t even trust that the dog is really a dog!
  • Also, in some cases, the technology behind the scenes, such as Web 2.0 software and interfaces.
  • Pazap.com – A student trading site for buying and selling on-campus books with other students.
    MyStore.com – A social market place for buyers and sellers.
    MicroBlogging (Twitter)

  • Drunken Pirate
    Woman claims teaching degree denied because of single MySpace photo

    Cisco Fatty Incident
    What You Post On Twitter Can Cost You The Job: The Cisco Fatty Incident
    Cisco just offered me a job! Now I have to weigh the utility of a fatty paycheck against the daily commute to San Jose and hating the work.

    Teacher Loses Job After Commenting About Students, Parents on Facebook
  • Why are this guy’s tweets interesting?
    Interesting neighbor: at 1 AM, a big racket going on at his neighbor’s house (compound).

    Helicopter hovering above Abbottabad at 1AM (is a rare event). 1 May 2011 12:58pm
    Go away helicopter - before I take out my giant swatter :-/ 1 May 2011 1:05 pm
    A huge window shaking bang here in Abbottabad Cantt. I hope its not the start of something nasty :-S 1 May 2011 1:09pm
    @m0hcin all silent after the blast, but a friend heard it 6 km away too... the helicopter is gone too. 1 May 2011 1:44pm

    Loose lips sink ships

  • http://www.allfacebook.com/police-bikini-facebook-2010-09
    Cop Undone By Photos Of Bikini Girls On Facebook
    A word to the wise: If you are a cop, it’s probably not a good idea to allow photos of bikini-clad women draped over your official police vehicle to wind up on Facebook. One police officer in Moncks Corner, South Carolina did that and is now out of a job, according to The State newspaper. The photos were taken at a car wash last Sunday at Rockstar Tattoo Studio on Redbank Road. It’s understood the bikini-clad dancers were from Diamonds North night club in North Charleston.

    Falsely Tagged Facebook Photo Gets Palestinian Jail Time And Trial
    Imagine someone else tagging you in a Facebook photo you don’t even appear in and then getting arrested because of it. That’s what journalist Mamdouh Hamamreh is going through. He was falsely labeled in an image mocking Palestinian President Mahmoud Abbas by superimposing his likeness into a picture of a well-known Syrian soap opera villain.

    Facebook Tagging
    Facebook tagging, even in the case where it is a true picture, can get you into trouble.
    Someone may have taken a photo that includes you in the picture, and maybe you are doing something you should not be.
    What happens if they TAG you? You are linked to the picture, you are identified in the picture.
    Now, what happens if the tagging becomes automatic, i.e. through Facial Recognition – Tagging on autopilot.
  • If the Health Department rated a restaurant as a B or even a C, would you still consider eating there?
    And if you did, would you at least be concerned?
    Sometimes negative press is to shame someone or a company.
  • Data loss can include sending of confidential information, leaking trade secrets
    Piracy – sharing of music, videos, images, ebooks, file lockers
    Corporate Espionage - stealing information, stealing trade secrets
    Recon – Getting intelligence to launch an attack
    Financials – getting insider information for stock manipulation, getting info on M&A, information on contract bidding, client lists, pricing lists, etc.
  • Blog owner controls own blog
    Can also control and edit any posted comments (moderate) on blog and delete anything they don’t like or agree with.
  • Using Social Media for background checks requires the same notice as if you pulled a credit report.
  • Suppose it was your bat cave?
  • Rule 17a-3 -- Records to Be Made by Certain Exchange Members, Brokers and Dealers
    Rule 17a-4 -- Records to Be Preserved by Certain Exchange Members, Brokers and Dealers
    FINRA Issues Guidance to Firms, Brokers on Communications with Public Through Social Networking Web Sites
    FINRA Provides Guidance Regarding the Review and Supervision of Electronic Communications

  • Discrimination – mentioned before, including background checks
    Unfair competition – hacking your competitor, espionage, posting untrue information about your competitor
  • The difficulty in Blocking Social Media
    BYOD aggravates the situation
    But what about assets not company owned and managed – used outside of the office – outside of the network and outside the physical perimeter?
  • A notice on the NVIDIA Developer Zone website has reminded users of the importance of ensuring that you do not use the same passwords on multiple websites.
    Can you trust these social media sites to keep your data safe if they can’t protect their own site?
  • Productivity works both ways.
    Social Media can improve productivity, think of collaboration, through e-mail and chat.
    But a lot of game playing may be unproductive.

    On top of all this, social media use must be monitored.
    Resource usage may involve machine cycles, internet bandwidth, and, when used on mobile, extra cell phone usage charges.
  • Risk Assessment of Social Media Use v3.01

    1. Risk Assessment of Social Media Use
       Robert Shullich, CPP, CISSP

    2. Agenda
       • Who Am I
       • Rules of Engagement
       • Social Media
       • Risk
       • Case Studies
       • Recommendations
       • Q&A

    3. Who Am I
       • About a year in current job
       • 8 years in Corporate Security
       • 16 years at the Stock Exchanges (NYSE/AMEX)
       • 8 years at a software company
       • 3+ years in CUNY
       • IT security for more than 20 years
       • In IT for 40 years

    4. Disclaimer
       • I am not a lawyer, any information presented here is not meant to be legal advice. If you need legal advice, please seek counsel with a qualified and licensed professional who practices law in the subject matter and jurisdiction that applies.
       • Opinions expressed here are my own, and are not meant to be opinions of ASIS, ISC2, or anyone I work for.

    5. Rules of Engagement
       • Pure Risk, Not Opportunist
       • Chicken Little – The Sky is Falling
       • Objective is to Protect
       • No Recommendation on Block v. Allow
       • Legal and Regulatory compliance is focused on USA
       • This is NOT legal advice
       • Suggestions, but Not Solutions

    6. Disruptive Technologies
       • Social Media
       • Consumerization of IT (BYOD, BYOT, BYOB) – Bring Your Own
         – Devices, Technology
         – Disaster, Toys, Botnet
       • Cloud Computing
       • Mobile

    7. Research (Old Way)

    8. Research (Today)

    9. Social Media Social Engineering
       • Two different concepts
       • Both have the adjective “Social”
       • Social Media can be used as platform for Social Engineering
       • Social means “Human”
       • Largest threat “Human”
       • No Brain Patches

    10. Threat: Humans

    11. Early E-Mail FAIL

    12. Separation

    13. Discretion

    14. Behavior
        It has long been accepted that online behavior differs from the behavior people would exhibit in the real world due, largely, to the anonymity it allows.

    15. Digital Gen Z
        “With all of the social media outlets out there, from Facebook and Myspace to Twitter to Instagram to cell phone texting, kids today are communicating and challenging each other in a completely new way, doing and saying things they wouldn't if they were talking face-to-face.”

    16. Anonymity

    17. Anonymity

    18. Lack of Common Sense
        • Are people getting dumber?

    19. Info-Sec Warning

    20. The Dark Knight’s Secrets

    21. Where You Are

    22. What is Social Media?
        • One of the key ingredients is:
          – User Generated Content
        • Earlier Applications
          – Collaboration
          – Instant Message
          – E-Mail
          – Forums

    23. Social Media Not New
        • Prior to Internet
        • BBS
        • Services

    24. Social Media is Big

    25. One Stop Shopping

    26. Rise of Social Networks
        Rank  Category            Share of Time  Share of Time  % Change in
                                  June 2010      June 2009      Share of Time
        1     Social Networks     22.7%          15.8%           43%
        2     Online Games        10.2%           9.3%           10%
        3     E-mail               8.3%          11.5%          -28%
        4     Portals              4.4%           5.5%          -19%
        5     Instant Messaging    4.0%           4.7%          -15%
        6     Videos/Movies**      3.9%           3.5%           12%
        7     Search               3.5%           3.4%            1%

    27. Social Media Uses
        • Media – Sharing of Photos, Videos
          – Flickr, YouTube
        • Networking – Staying Connected
          – Linkedin, Facebook, Friendster
        • Publishing
          – Blogging, Wikis, MicroBlogging
        • Commerce
          – eBay, Pazap.com, MyStore.com
        • Collaboration
          – Google Apps

    28. To Ban or Not to Ban
        • Decision should be based on:
          – Risk and Risk Appetite
          – Business Need
          – Business Culture
          – Business Regulatory Requirements
          – Other business factors
        In the end – It is a business decision

    29. What does Block Mean?

    30. Blocking Outcome

    31. Who is at Risk?
        • Each Individual
          – Shoot yourself in the foot
        • Organizations
          – Employee puts organization at risk
          – Insider
        • Third-Party Observers
          – Put target at risk
          – Outsider

    32. Individual
        • Write Blog entry about themselves
          – Teacher Loses Job After Commenting About Students, Parents on Facebook
        • Post Picture about themselves
          – Drunken Pirate – Student can’t get Teaching License
        • Tweet about themselves
          – Cisco just offered me a job! Now I have to weigh the utility of a fatty paycheck against the daily commute to San Jose and hating the work

    33. Drunken Pirate

    34. WeinerGate

    35. Tweeting

    36. Organizations
        • Tweet Gives up Location
          – IT Consultant tweets Osama Bin Laden Raid
        • Linkedin
          – Company’s Configuration exposed
          – Spam attacks with malicious code to Linkedin communities (Spear Phishing)
          – Know who is looking for a job, ready to jump ship

    37. Third-Party Observers
        • Drive-by paparazzi
          – Cop Undone By Photos Of Bikini Girls On Facebook
          – Falsely Tagged Facebook Photo Gets Palestinian Jail Time And Trial
        • Rodney King
        • Occupy Movements
        • Hacktivism
        • Facial Recognition

    38. Objective

    39. Risk Management
        • Can’t Assess unless Threats are Known
        • Have to keep up with the news
        • Social Media Policy has to be customized

    40. How to Address Risk
        • Avoid
        • Mitigate
        • Transfer
        • Accept

    41. Reputation

    42. Scarlet Letter

    43. Negative Brand

    44. I have been burned
        • Forums for unsatisfied customers to report their negative experiences
        • If a company is running a scam, it is a good way to get the word out

    45. Information Leakage
        • Data Loss
        • Piracy and Infringement, IP
        • Corporate Espionage
        • Reconnaissance
        • Organizational Financials

    46. VIP Protection
        • Also Executive Protection
        • Movement sometimes restricted

    47. Credential Leakage
        • ID Cards for Olympic Village, no special protection, standard bar codes, tweet your safety away!

    48. Content
        • Printed word
        • Photographs
        • Images
        • Music
        • Video
        • Content embedded in Content

    49. Content Management
        • Litigation Lawyers looking for the Smoking Gun
        • Social Media rich in discoverable information (e-discovery) and the courts are willing to accept it

    50. Public Relations
        • Who Speaks for the Corporation?
        • 1/3 of Employees Disciplined for Inappropriate comments about company made on personal social media sites.

    51. Content Management
        • Permanence
        • Stale or Outdated Information

    52. Content Censorship
        “Everyone is entitled to his own opinion but not his own facts” (Daniel Patrick Moynihan)

    53. Content Management
        • Ownership
        • Control
        • Moderation
        • Forensics

    54. Recording & Archiving
        • Various regulations require archiving and retention of communications
        • This has included e-mail and instant messenger
        • Social Media is all about communications
        • Example: Facebook has a chat feature and e-mail offering
          – How do you capture those communications?

    55. Privacy

    56. Privacy Issues
        • Lack of Awareness
        • Trust
        • Application (games)

    57. Background Checks
        • A lot of Information on a lot of sites
        • Easily Collected through search engines
        • But
          – Due Diligence v. Discrimination
          – Information not vetted – may not be accurate
          – Martin Gaskell – University of Kentucky
            – $125K out of court settlement

    58. Hiring Practices
        • NLRB stepping in and saying FCRA Notice is required if Social Media used in hiring decision

    59. Geotagging
        • Wikipedia: Geotagging (also written as GeoTagging) is the process of adding geographical identification metadata to various media such as photographs, videos, websites, SMS messages, or RSS feeds and is a form of geospatial metadata

    60. Geotagging
        • Photo taken inside factory (or outside) with GPS coordinates, uploaded to social networking where metadata might not be stripped
        • Anyone downloading the photo, and getting the metadata, has the location also
        • Can find out where your secret factory is located
        • Photo might be taken by someone you don’t have control over
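    Slides 59 and 60 describe the leak in words. The following Python is added here as an illustration and is not part of the deck: it builds a constructed JPEG wrapper that carries only an EXIF GPS IFD (made-up coordinates, no image data), pulls the coordinates back out of the APP1 segment the way anyone who downloads the photo could, and then produces the stripped copy that an upload pipeline should publish instead. It uses only the standard library; the segment and tag layout follows the JPEG/EXIF specifications, and every sample value is constructed.

```python
import struct

# EXIF tag numbers used here (from the EXIF specification).
TAG_GPS_IFD = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _rational3(deg, minutes, sec_hundredths):
    """Pack degrees/minutes/seconds as three little-endian EXIF RATIONALs (num/den)."""
    return struct.pack("<6I", deg, 1, minutes, 1, sec_hundredths, 100)


def build_sample_jpeg():
    """Constructed sample: SOI + APP1/Exif segment holding a GPS IFD + EOI.
    Coordinates are made up (40 26' 46.30" N, 79 58' 56.00" W); there is no scan data."""
    gps_ifd_off = 8 + 2 + 12 + 4            # TIFF header, then IFD0 with one entry
    lat_off = gps_ifd_off + 2 + 4 * 12 + 4  # data area follows the four GPS entries
    lon_off = lat_off + 24
    tiff = b"II" + struct.pack("<HI", 42, 8)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, 4, 1, gps_ifd_off) + b"\0\0\0\0"
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI4s", GPS_LAT_REF, 2, 2, b"N\0\0\0")   # ASCII, stored inline
    tiff += struct.pack("<HHII", GPS_LAT, 5, 3, lat_off)           # 3 RATIONALs via offset
    tiff += struct.pack("<HHI4s", GPS_LON_REF, 2, 2, b"W\0\0\0")
    tiff += struct.pack("<HHII", GPS_LON, 5, 3, lon_off)
    tiff += b"\0\0\0\0"                                            # no next IFD
    tiff += _rational3(40, 26, 4630) + _rational3(79, 58, 5600)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _split_segments(jpeg):
    """Split a JPEG into (marker, raw_segment) pairs up to SOS, plus the untouched tail
    (entropy-coded scan data and EOI). Raw segments include marker and length bytes."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    segs, pos = [], 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segs.append((jpeg[pos + 1], jpeg[pos:pos + 2 + length]))
        pos += 2 + length
    return segs, jpeg[pos:]


def _parse_exif_gps(tiff):
    """Return (lat, lon) in decimal degrees from a TIFF/EXIF blob, or None if no GPS IFD."""
    end = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if end is None or len(tiff) < 8:
        return None
    u16 = lambda o: struct.unpack(end + "H", tiff[o:o + 2])[0]
    u32 = lambda o: struct.unpack(end + "I", tiff[o:o + 4])[0]

    def entries(ifd):
        for i in range(u16(ifd)):
            e = ifd + 2 + 12 * i
            yield u16(e), u16(e + 2), u32(e + 4), e + 8  # tag, type, count, value-field offset

    gps_ifd = next((u32(v) for tag, _, _, v in entries(u32(4)) if tag == TAG_GPS_IFD), None)
    if gps_ifd is None:
        return None
    fields = {}
    for tag, typ, cnt, v in entries(gps_ifd):
        if typ == 2:                      # ASCII: up to 4 bytes inline, otherwise at offset
            off = v if cnt <= 4 else u32(v)
            fields[tag] = tiff[off:off + cnt].rstrip(b"\0").decode("ascii", "replace")
        elif typ == 5 and cnt == 3:       # RATIONAL x3 (deg, min, sec), always at offset
            off = u32(v)
            vals = struct.unpack(end + "6I", tiff[off:off + 24])
            d, m, s = (vals[i] / (vals[i + 1] or 1) for i in (0, 2, 4))
            fields[tag] = d + m / 60 + s / 3600
    if GPS_LAT not in fields or GPS_LON not in fields:
        return None
    lat = fields[GPS_LAT] * (-1 if fields.get(GPS_LAT_REF) == "S" else 1)
    lon = fields[GPS_LON] * (-1 if fields.get(GPS_LON_REF) == "W" else 1)
    return lat, lon


def extract_gps(jpeg):
    """What a downloader sees: (lat, lon) from the APP1/Exif segment, or None."""
    for marker, raw in _split_segments(jpeg)[0]:
        if marker == 0xE1 and raw[4:10] == b"Exif\0\0":
            return _parse_exif_gps(raw[10:])
    return None


def strip_exif(jpeg):
    """Copy of the JPEG with every APP1/Exif segment removed; scan data is left untouched."""
    segs, tail = _split_segments(jpeg)
    kept = b"".join(raw for m, raw in segs if not (m == 0xE1 and raw[4:10] == b"Exif\0\0"))
    return jpeg[:2] + kept + tail


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before strip:", extract_gps(sample))
    print("after strip: ", extract_gps(strip_exif(sample)))
```

    Real photos carry many more IFD entries and a SOS segment followed by scan data; the walker stops at SOS and copies the remainder verbatim, so only the metadata segments are touched. Stripping at upload time is the control the slide asks for, since the person taking the photo may not be under your control.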
    61. GPS Tracking
        • Each day device collects and stores data of where the device was located
        • GPS devices used in cars can track at intervals where the device has been. Used in GPS forensics to get Travel history
        • All of a sudden people were surprised that Apple and Google did the tracking in phones as well.

    62. Facebook Places
        • Lets you share where you are
        • And you can find out where friends are as well
        • Are you at risk because someone knows where you are?
        • Are you at risk because you are not where you are supposed to be?
        • If they know where you are, then they know where you aren’t – like your house is empty!
        • Facebook Timeline – where have you been?
        • Is a badge on Foursquare worth your life?

    63. Please Rob Me dot Com

    64. Legal

    65. Regulatory Compliance
        • Payment Card Industry (PCI)
        • The Health Insurance Portability and Accountability Act (HIPAA) of 1996
        • Securities and Exchange Commission (SEC) Rule 17-a
        • Financial Industry Regulatory Authority (FINRA) Notice 10-06 and Notice 07-59
        • Sarbanes-Oxley Act
        • The Federal Energy Regulatory Commission (FERC)
        • The Gramm-Leach-Bliley Act (GLBA)
        • 21 CFR Part 11 (FDA)

    66. Facebook Pictures

    67. More HIPAA
        • Nurses Fired Over Cell Phone Photos Of Patient
        • Shark Attack Victim Photos Put Hospital Employees in Hot Water
        • Photos taken in ER room of dying man
        • Patient-Doctor Facebook “Friends” Could Be A HIPAA Violation

    68. Illegal Activities
        • Harassment – Bullying, Stalking, Sexting, Extortion, Blackmail
        • Discrimination
        • Unfair Competition
        • Criminal Activity (Cybercrime)
        • Civil Unrest, Riots, Demonstrations
        • Click Fraud

    69. Get out of Jail Free Card
        • Applies to Social Media Sites, ISP’s and Cloud Computing Storage Providers
        • Copyright Infringement
          – Digital Millennium Copyright Act (DMCA)
          – Block or remove (Take-downs)
        • Third Party Posted Content
          – Communications Decency Act
          – Not responsible for content posted by third party

    70. Block Social Media?
        • How do you block at the office?
          – BYOD (Bring your own device – Consumerization of IT)
            – Cell Phone with Internet
            – Tablet with Internet
        • How do you block outside of the office?
          – Can control company issued assets
          – Can’t control personal non-company assets
          – Can’t control outsiders

    71. Attack Vectors
        • Viruses and Malware
        • Scams
        • Phishing
        • Account Hijacking (Evil Twin)
        • Shortened URLs
        • Password Breaches of SM Sites
        • Search Engine Poisoning
        • Technology Moves Fast, Crime too Widespread
        • Blended Attacks

    72. Scams

    73. Shortened URL
        • URLs posted in tweets and also used in other social networking sites are shortened
        • Example: Tinyurl.com, Bit.ly, Cli.gs, Zi.ma
        • Some provide tracking services as well
        • Shortened URLs can direct anywhere:
          – Porn Sites
          – Malware Sites
          – Spam Sites
          – Phishing sites
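    The defensive answer to slide 73 is to expand a short link before anyone clicks it and judge the destination rather than the shortener. The Python below is an added example, not part of the deck: `resolve_chain` follows redirects one hop at a time with a hop cap and loop detection, and `assess` turns the chain into an allow/block decision. The fetcher is injected so the example runs offline against a constructed fixture; `urllib_head` is the live variant for real use and is not exercised here. All hostnames, the shortener list and the blocklist are assumptions made up for this example.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def resolve_chain(url, fetch_head, max_hops=5):
    """Follow redirects one hop at a time. fetch_head(url) -> (status, headers_dict) and must
    NOT auto-follow. Returns (chain, final_url, reason) with reason one of
    'resolved', 'redirect loop' or 'too many hops'."""
    chain = [url]
    for _ in range(max_hops):
        status, headers = fetch_head(chain[-1])
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status in REDIRECT_CODES and location:
            nxt = urljoin(chain[-1], location)   # Location may be relative
            if nxt in chain:
                return chain, nxt, "redirect loop"
            chain.append(nxt)
            continue
        return chain, chain[-1], "resolved"
    return chain, chain[-1], "too many hops"


def assess(url, fetch_head, shortener_hosts, blocked_hosts):
    """Expand a short link and decide allow/block from what the chain reveals."""
    chain, final, reason = resolve_chain(url, fetch_head)
    host = (urlsplit(final).hostname or "").lower()
    findings = []
    if reason != "resolved":
        findings.append(reason)
    if urlsplit(final).scheme != "https":
        findings.append("final target is not https")
    if host in blocked_hosts:
        findings.append(f"final host {host} is on the blocklist")
    if host in shortener_hosts:
        findings.append("chain ends on a shortener, target unknown")
    via = sum(1 for u in chain[:-1] if (urlsplit(u).hostname or "").lower() in shortener_hosts)
    if via > 1:
        findings.append(f"{via} shorteners chained, a common way to hide the destination")
    return {"chain": chain, "final": final,
            "verdict": "block" if findings else "allow", "findings": findings}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report a 3xx (as HTTPError) instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_head(url, timeout=5):
    """Live fetcher for real use (not called by the offline sample): one HEAD, no auto-follow."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


# Constructed offline fixture standing in for the network: URL -> what HEAD would return.
FIXTURE = {
    "http://short.example/abc": (301, {"Location": "https://t.example/xyz"}),
    "https://t.example/xyz": (302, {"Location": "https://payroll-login.example/update"}),
    "https://payroll-login.example/update": (200, {}),
    "http://short.example/ok": (301, {"Location": "https://docs.example/policy.pdf"}),
    "https://docs.example/policy.pdf": (200, {}),
    "http://short.example/loop": (302, {"Location": "/loop2"}),
    "http://short.example/loop2": (302, {"Location": "http://short.example/loop"}),
}


def fake_head(url):
    return FIXTURE.get(url, (404, {}))


SHORTENERS = {"short.example", "t.example"}   # assumed shortener hosts
BLOCKED = {"payroll-login.example"}           # assumed blocklist

if __name__ == "__main__":
    for u in ("http://short.example/abc", "http://short.example/ok", "http://short.example/loop"):
        print(assess(u, fake_head, SHORTENERS, BLOCKED))
```

    Using HEAD and refusing automatic redirects keeps the resolver from fetching the final page body, so expanding a link for inspection does not itself load whatever the link points to.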
    74. FB SPAM - Virus
        • OMG! Its unbeliveable now you can get to know who views your facebook profile.. i can see my top profile visitors and i am so shocked that my EX is still creeping my profile every hour. click below
        • 21 hours ago via Reviews · LikeUnlike · · See Friendship · CLICK 2 SEE YOUR STALKERS

    75. Passwords Hacked
        • Linkedin – 6M (June 2012)
        • Formspring – 420K (July 2012)
        • eHarmony – 1.5M (June 2012)
        • Yahoo – 400K (July 2012)
        • Phandroid’s AndroidForums – 1M (July 2012)
        • Dropbox (Aug 2012)
        • Battle.net (Aug 2012) (Blizzard’s multiplayer)
        • NVIDIA Developer Forum (July 2013)
        • Twitter – 55K (May 2012)

    76. Firesheep
        • Simple Firefox browser plug-in
        • Wireless sniffer to pick up social media passwords.
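    Firesheep worked because sites sent the session cookie over plain HTTP after login, so anyone on the same wireless network could read it. The check a site owner (or an assessor reviewing a social media site before allowing it) would run is on the response headers: is the session cookie marked Secure and HttpOnly, and does the site send HSTS so the browser never falls back to HTTP? The Python below is an added example, not part of the deck; both sample responses are constructed and the cookie-name heuristics are assumptions.

```python
def parse_headers(raw):
    """Split a raw HTTP response head (status line + header lines) into (name, value) pairs.
    Repeated headers such as several Set-Cookie lines are kept in order."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def _cookie_attrs(set_cookie):
    """Return (cookie_name, {attribute_lower: value_or_True}) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return name, attrs


def audit_response(headers, session_hints=("session", "sid", "auth", "token")):
    """List the reasons a response's session handling is exposed to a passive sniffer
    on shared Wi-Fi. An empty list means nothing was flagged."""
    findings = []
    names = {n.lower() for n, _ in headers}
    if "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security: browser may send the first request over plain HTTP")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, attrs = _cookie_attrs(v)
        kind = "session cookie" if any(h in name.lower() for h in session_hints) else "cookie"
        if "secure" not in attrs:
            findings.append(f"{kind} {name}: missing Secure, will be sent in clear over HTTP")
        if "httponly" not in attrs:
            findings.append(f"{kind} {name}: missing HttpOnly, readable by injected script")
        if "samesite" not in attrs:
            findings.append(f"{kind} {name}: missing SameSite")
        if name.startswith("__Host-") and (
                "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs):
            findings.append(f"{kind} {name}: __Host- prefix requires Secure, Path=/ and no Domain")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=d41d8cd98f00b204; Path=/; Domain=.social.example
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: __Host-sessionid=d41d8cd98f00b204; Path=/; Secure; HttpOnly; SameSite=Lax
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(parse_headers(raw)) or "no findings")
```

    The weak response is the 2010-era pattern the plug-in exploited: login over HTTPS, then a session cookie without Secure reused over HTTP for every page view. The hardened response closes that path on the server side; on the client side the only fix is to avoid untrusted networks or tunnel through a VPN.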
    77. Operational

    78. Operations
        • Employee Productivity
        • Resource Usage
        • Monitoring Costs

    79. What is the Solution?
        • Assume it can’t be blocked effectively
        • The damage may be caused by someone NOT in the company – a third party outsider
        • For the employees, contractors, and temporary workers – a Social Media Policy, and Security Awareness Training
        • For anyone else – monitoring and surveillance
        • Moderation of Publication for SM Posts

    80. Data Loss Prevention
        • Data Loss (Leak) Prevention can be used to detect data leaving the site
        • Most Web 2.0 data is unstructured
        • May provide some protection for company issued assets, but does not provide protection for employee owned assets not under the company’s control
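    Slide 80's point that most Web 2.0 data is unstructured is what makes DLP on social media posts a pattern-matching problem rather than a database one. The Python below is an added example, not part of the deck, of the kind of scanner that sits in front of outgoing posts: regular expressions for identifiers and document markings, with a Luhn check so that order numbers and other digit runs do not trip the card rule. The patterns and the sample posts are constructed for this example; a real policy would carry the organisation's own markings and identifiers.

```python
import re

# Detection patterns (constructed for this example; the card test number below is the
# industry-standard test value, not a real account).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),   # 13-16 digits, optional separators
    "marking": re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY|DO NOT DISTRIBUTE)\b", re.IGNORECASE),
}


def luhn_ok(digits):
    """Luhn check-digit validation: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_post(text):
    """Return a list of {"type", "match"} findings for one outgoing post."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", m.group())):
                continue   # digit run that fails Luhn: not a card number, skip to cut noise
            findings.append({"type": kind, "match": m.group()})
    return findings


def redact(text):
    """Replace each confirmed finding with a marker so the post can be held or logged safely."""
    out = text
    for f in scan_post(text):
        out = out.replace(f["match"], f"[REDACTED-{f['type'].upper()}]")
    return out


def scan_posts(posts):
    """Map post index -> findings, only for posts that triggered something."""
    result = {}
    for i, p in enumerate(posts):
        hits = scan_post(p)
        if hits:
            result[i] = hits
    return result


# Constructed sample of outgoing posts as a proxy or moderation queue would see them.
SAMPLE_POSTS = [
    "Loving the new office, lunch at noon anyone?",
    "Customer's card 4111 1111 1111 1111 keeps getting declined, escalating to billing",
    "Order 1234 5678 9012 3456 shipped today, tracking to follow",
    "Reminder: the Q3 forecast deck is INTERNAL ONLY, please do not forward",
    "HR asked for my number again, it's 123-45-6789 right?",
]

if __name__ == "__main__":
    for idx, hits in scan_posts(SAMPLE_POSTS).items():
        print(idx, hits, "->", redact(SAMPLE_POSTS[idx]))
```

    As the slide notes, this only helps where the traffic passes a company-controlled point; a post typed on a personal phone over the cell network never reaches the scanner, which is why the deck pairs DLP with policy and awareness training.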
    81. What is Needed
        • May require software
        • May require a service
        • Requires Policy!
        • Requires Awareness Training!

    82. Q&A

    83. Contact Info
        • E-mail: Robert.Shullich@SystemExperts.com
        • Twitter: rshullic
        • Related whitepaper: http://www.sans.org/reading_room/whitepapers/privacy/risk-assessment-social-media_33940