Effective Training and Policy Takes the Fear out of Social Networking
Shawn Davis, NETSECURE 2011

Presentation Goals:
• To provide an overview of social networks and common attack vectors
• Best practices for initial social media policy creation
• Make the case for the need for an engaging and interesting end-user training program

What is a Social Network?
• Is it a website designed to allow you to share pictures of your cat with the masses?
• Or a means to post minute-by-minute details of your dental appointment?

What is a Social Network?
♦ A social network is like a “digital version of a relationship.” (Messmer, 2009)

Why is this important to realize?
• Relationships offline are built on establishing trust.
• Online relationships often skip this step.
Q: Would you give a stranger on the street your home address, cell phone number, spouse’s name, your birth date, job title, and information on current projects at your work?
A: Of course not!
♦ However, people give out this information online EVERY DAY!

Top 4 Social Networking Sites:
• Estimated unique monthly visitors (eBizMBA, 2010):
  • 550 million
  • 90.5 million
  • 89.8 million
  • 50 million

What are the Main Risks?
• Personally Identifiable Information (PII)
• Social Engineering Attacks
• Reputation Damage

Personally Identifiable Information (PII)
• Social networking profiles can display a wide range of PII.

Personally Identifiable Information (PII)
• Main risk to the user = identity theft
• Main risk to the organization = logon credential acquisition
• Password guessing and narrowing down cracking parameters
• Password reset forms

PII - Logon Credential Acquisition
• Attackers will often circulate surveys and quizzes like this one: (Dinerman, 2010)

PII
• Valuable PII for attackers is mostly found across Facebook, Myspace, and LinkedIn.
• Real Life Example:
  - Hacker GMZ was able to guess the password of a Twitter support staffer, ultimately taking control of 33 high-profile accounts including Britney Spears, U.S. President Obama, and Fox News. (McMillan, 2009)
• PII also aids another common type of attack that requires more creativity from an attacker:

What is Social Engineering?
• Social Engineering – a threat that occurs when an attacker uses social skills to trick a user into revealing their password or other confidential information.
• Social engineering attacks are widely used across all four of the top social networking sites.

Social Engineering
• The attacker will study PII, message posts, and friend lists in order to learn more about their target and develop a trust relationship.
• It has been documented that many cyber criminals would rather engineer a user to uncover information than spend their efforts attacking technology and security controls. (Tipton & Krause, 2007)

Social Engineering - Phishing
• Phishing – targets “a specific user or group of users and attempts to deceive the user into performing an action that launches an attack.”
• This attack is usually carried out through Cross Site Scripting (XSS), keyloggers, worms, or other malware.
• Distribution (FCIOC, 2009, p.9; Graham, 2009):
  - 52% by a user opening an attachment
  - 36% by a user clicking a link
  - 9% by link redirect
  - 3% unknown

Social Engineering - Phishing
• PII from social media sites makes messages more believable.
• Malware-embedded links on social media wall posts allow for greater distribution.
• Shortened URL services such as http://tinyurl.com/ and http://bit.ly/ are used to hide these malicious sites.

Social Engineering - Phishing
• What happens if an account is compromised as well?
Reputation Damage
(Image used with permission from Chiron Inc.)

Reputation Damage
• Users give a play-by-play of their life on social networking sites.
• Possible threats to organizations include:
  - Embarrassment
  - Market share loss
  - Revenue losses
  - Legal liability
♦ 74% of 2,008 employed adults surveyed by Deloitte agreed that it is easy to damage a company’s reputation on social media.
  http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_2009_ethics_workplace_survey_220509.pdf

Reputation Damage – Real Life Examples
• An employee of a campground chain posts on Facebook a spreadsheet showing reservation statuses for their campsites that contains customer credit card numbers.
• The former chief marketing officer at Eastman Kodak admits to accidentally posting a damaging tweet about a product they had worked six months to protect.
• A worker at a major fried chicken chain posts, “I just posted a funny video of myself frying a rodent at the restaurant where I work.”
(Mitchell, 2009; Dinerman, 2010)

Reputation Damage – Legal Liability
• What if your employee at work posts a derogatory statement about a competitor or individual that is untrue?
  - Your organization could be sued for defamation from practically any country or state.
♦ If no policy is in place preventing this action, your organization may even be pulled into litigation if an employee does this off hours from a home account.

Reputation Damage – Legal Liability
• What happens if you try to terminate an employee after they damage the reputation of your organization or another party’s?
  - An employee fired for making the damaging posts could take legal recourse against their employer if the employee can prove that a policy was either not in place forbidding the action or that they were not made aware of it.

Legal Responsibility
• An organization is legally responsible to exercise due care and due diligence in regards to social networking use by its employees.

Due Care and Due Diligence:
• To demonstrate due care, an organization must take measures to ensure that every employee is aware of what is and is not acceptable in the workplace, as well as the consequences of actions that are illegal or unethical.
• To demonstrate due diligence, an organization needs to partake in continual activities to protect others. (Whitman & Mattord, 2010)

How to exercise Due Care?
♦ A social media policy MUST be in place and actively updated for EVERY organization.
♦ An engaging social media training program MUST be in place for ALL employees (including executives).
♦ Policy compliance documentation
♦ Training completion documentation

Due Care (cont)
♦ Short quiz to demonstrate comprehension.
♦ Clear consequences for violations must be listed in your social media policy.
♦ These consequences must be enforced company-wide (including executives).
♦ Don’t forget about policy review and training for subsequent new hires!

How to exercise Due Diligence?
♦ Annual review of your social media policy with IT, HR, and your legal department.
♦ Annual refresher training for all employees and executives.
♦ Short annual refresher quiz.
♦ Again, keep records of all training and signatures.

If a simple policy and training program can mitigate this much risk, then all organizations probably already have their own in place… Right?

How often is a Social Media policy not in place?
• Two surveys from 2009 that asked employers and executives if their organization has a formal policy in place for social media use:

  Survey                                       | Yes | No  | Unsure
  Manpower survey of 11,000 employers          | 29% | 69% | 2%
  Deloitte survey of 500 business executives   | 22% | 72% | 6%

♦ A 2009 survey by ad agency Russell Herder and law firm Ethos Business Law asked 438 respondents these questions:
  - Do you have concerns about social media and its implications for both corporate security and reputation damage?  Yes 81%, No 19%
  - Have you implemented social media guidelines?  Yes 33%, No 67%
If this is so important, why the low numbers?
1. Lack of engagement from upper management towards information security.
   - C-level financial and administrative support is vital for any information security department to function.
2. Some organizations only focus on technological solutions.
   - Technology-based solutions need to complement policy and training, not replace them.

If this is so important, why the low numbers?
3. An organization may just block all access to social media and hope for the best.
   - Blocking these sites without instilling policy will not protect an organization from potential litigation.
   - Blocking would also take away all of the benefits that social media has to offer, such as:
     - Increased collaboration
     - Greater interactive relationship with customers
     - Sales and marketing strategies
     - Incentivized working conditions for employees

Another large benefit - New Customer Acquisition:
• Organizations that have acquired new customers through social networking (chart values as extracted: Small Business 26% / 41% Medium Companies / Large Firms 33%)
• Regus survey of 15,000 business owners of all sizes worldwide
  http://www.regus.presscentre.com/imagelibrary/downloadMedia.ashx?MediaDetailsID=463

How to take the fear out of social media?
♦ An effective social media policy in combination with an effective end-user training program is the best way to prevent threats from:
  - PII
  - Social Engineering / Phishing
  - Reputation Damage
  - Potential Litigation

Social Media Policy Creation:
• A social media policy is really just an extension of an organization’s acceptable use and other existing policies.
• The creation of this document should be a joint effort by:
  - Information Security
  - Information Technology
  - Human Resources
  - Legal
  - End Users

Social Media Policy Creation: (Cont)
• Led by a team leader employed in an Information Security or Risk Management function.
• Project champion with the ear of upper management to ensure financial and administrative support. (Whitman & Mattord, 2010)
• A good first step is to review policies of other organizations.

Social Media Governance Database
• http://socialmediagovernance.com/policies.php
• http://socialmediagovernance.com/studies

Social Media Policy Creation: (Cont)
• Each organization will likely have different philosophies on social media use.
• For example: a liberal arts college, a global corporation, and a government agency will most likely not all be able to use the same social media policy.

A Liberal Arts College:
• Unrestricted information sharing and open access to all social networking.
• Policy may focus on guidelines for posting but will still need to cover all potential threats.

A Liberal Arts College: (Cont)
• University of Michigan’s social media policy starts with general rules to follow and then has separate guidelines for posting as an individual versus posting on behalf of the University.
• It ends with safety and privacy tips that cover the topics of privacy, PII, liabilities, and malware.

A Global Corporation:
• May utilize social media for brand management as well as a sales and marketing tool.
• Policy will need to cover all possible threats and may focus on reputation damage and data leaks.

A Global Corporation: (Cont)
• Coca-Cola Company’s social media policy starts with their company vision and commitments and then delves into principles and expectations.
• They also have guidelines on posting for individual use versus company business use.

A Global Corporation: (Cont)
• Certified online spokespeople: these certified spokespeople are the only employees allowed to speak on behalf of Coca-Cola online.
♦ This is a great idea!
• Their online spokespeople are also expected to follow 10 specific principles:

A Global Corporation: (Cont)
1. Be certified in the Social Media Certification Program.
2. Follow our Code of Business Conduct and all other Company policies.
3. Be mindful that you are representing the Company.
4. Fully disclose your affiliation with the Company.
5. Keep records.
6. When in doubt, do not post.
7. Give credit where credit is due and don’t violate others’ rights.
8. Be responsible to your work.
9. Remember that your local posts can have global significance.
10. Know that the internet is permanent.

A Government Agency:
• The government agency will often have the strictest requirements in regards to social media use.
A Government Agency: (Cont)
• The Federal CIO Council created a document in 2009 entitled Guidelines for Secure Use of Social Media by Federal Departments and Agencies.
• “The decision to embrace social media technology is a risk-based decision, not a technology-based decision.”

A Government Agency: (Cont)
• Sections on risk, social media traits, and recommendations for controls.
• Assists an agency in making a business case for social media use based on a risk management approach.
• Mentions spear phishing, social engineering, and web application attacks as the main risks to a government agency.

Social Media Policy Creation: (Cont)
• After reviewing various policies, choose a few that are similar to your organization’s mission as a reference point.
• The next step: evaluate your own organization’s social networking use.
  - Involve end users.
  - Find out what future plans sales, marketing, etc. have for using social media.
  - InfoSec should analyze likely threats from organizational use as well as personal use by end users at work and at home.

Social Media Policy Creation: (Cont)
• Start the creation process and involve HR. (Refer the end user to review their employment agreement and handbook early on in the new policy.)
• The employee handbook and acceptable use policy should be updated to list the consequences of not abiding by the guidelines of the new social media policy.
• Guidelines in the new policy should be based on information and feedback from end users, IS, and HR.

Social Media Policy Creation (Cont)
• Issue-specific policies need to be rewritten to account for social media use.
• Once all sections and guidelines are complete, your legal department should review the final draft of the new social media policy and any changes to other existing policies to cover all potential legal liabilities.
• Once a final draft is approved by all parties involved, it should be submitted for approval by upper management.

Social Media Policy Distribution
• A step that is often missed is distribution of the new policy!
• A Deloitte survey of 2,008 employees found that:
  - 24% didn’t know if they had a policy
  - 11% said there is a policy but don’t know what it is
• You spent all of this time making the policy; don’t forget to distribute it!

Social Media Policy Distribution (Cont)
• Distribution can be in paper or electronic form. (It needs to document that the user has agreed to the terms and conditions with a signature and date.)
• This is to protect an organization, from a liability standpoint, against a user stating that they were not aware of the policy.
• Be sure to file a copy as well as present a copy to the end user.
Social Media Training: 3/24/11

Social Media Training:
• The training program should be designed during the policy creation process.
• It is very difficult for an employee to state in court that they were unaware of a policy when it can be documented that they have completed a training program.
• All employees from the CEO down are required to attend, for compliance and to reflect a company-wide effort.

Social Media Training: (Cont)
• Training should be interesting, interactive and engaging!
♦ The goal of the training should be to gain the buy-in of your end users.
♦ The first step is to prove to end users that damage from PII, Social Engineering, and Reputation Damage can actually happen very easily.

Convinced that this could happen to you now?
• Show end users that poor security habits not only affect their company but could affect them personally as well:

Social Media Training (Cont)
• Also go over:
  - What PII is okay and what should be removed.
  - More examples of Reputation Damage.
  - How to defend against Social Engineering attempts.
  - How to avoid falling for Phishing attempts.
  - Examples of current malware schemes.
  - Using very difficult password reset questions.
  - Not using the same password for all sites.
  - Not friending anyone unless you know them well.

Social Media Training (Cont)
• It only takes one random friending to erase privacy controls!

Social Media Training (Cont)
• Great time to revisit strong password creation!

Social Media Training (Cont)
• A quick side note about rainbow tables:
  - One PC can crack even a strong password in seconds.
  - Most rainbow tables are currently not calculated out past fourteen places.
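As an added example (not part of the talk), a password check that applies the two training points above: it rejects anything at or under the fourteen-character reach cited for rainbow tables, and anything built from the PII a profile exposes (names, pet, employer, birth date), even behind digit-for-letter substitutions. The profile and candidate passwords are constructed sample data.

```python
import re
from datetime import date

# Policy floor: longer than the fourteen-character reach the talk cites for rainbow tables.
MIN_LENGTH = 15
# Common letter-for-digit substitutions that an attacker's wordlist rules undo anyway.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed sample profile of the kind a public social-network page exposes (not real data).
SAMPLE_PROFILE = {
    "name": "Jane Q. Example",
    "spouse": "Robert Example",
    "pet": "Fluffy",
    "employer": "Acme Widgets",
    "birth_date": date(1985, 3, 24),
}


def _plain(s: str) -> str:
    """Lowercase and keep only letters and digits so punctuation cannot hide a match."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def pii_tokens(profile: dict) -> set[str]:
    """Derive the guessable strings readable off a profile: name parts and date formats."""
    tokens = set()
    for key in ("name", "spouse", "pet", "employer"):
        for part in profile.get(key, "").split():
            if len(part) >= 3:          # skip initials such as "Q."
                tokens.add(_plain(part))
    dob = profile.get("birth_date")
    if dob:
        for fmt in ("%Y", "%m%d", "%d%m", "%m%d%Y", "%Y%m%d"):
            tokens.add(dob.strftime(fmt))
    return {t for t in tokens if t}


def check_password(password: str, profile: dict) -> list[str]:
    """Return the policy findings for a candidate password; an empty list means it passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    plain = _plain(password)
    decoded = plain.translate(LEET)     # "F1uffy" -> "fluffy"
    for token in sorted(pii_tokens(profile)):
        if token in plain or token in decoded:
            findings.append(f"contains profile-derived value '{token}'")
    return findings


if __name__ == "__main__":
    for candidate in ("F1uffy1985!", "correct horse battery staple 42"):
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE) or "OK")
```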
Social Media Training (Cont)
• After the training is over, don’t forget to retain that signed completion document for each end user.
• Also, don’t forget about new hires at their orientation and follow-up trainings for all users.

Just think if after the training…
  - Users finally saw the value of strong passwords and no longer minded mandatory password changes…
  - Malware infections on client systems decreased 70% from users truly understanding which attachments not to open…
  - Users took a moment to think before they post…
  - Executives appreciated the value of your job role…

Accomplish all of that and…
You have then increased security awareness and started to develop that coveted security-conscious culture within your organization!

What else?
You have also started to take the FEAR out of social networking!

Research:
My paper and list of sources:
http://www.itm.iit.edu/data/IIT-ITMwhitepaperTrainingAndPolicyForSocialNetworking.pdf
Shawn Davis’ email – firstname.lastname@example.org
Questions?