Infotec 2010 Ben Rothke - social networks and information security


Presentation by Ben Rothke from Infotec 2010 - Social Networks and Information Security - Oxymoron or can you have both?

Published in: Business, Technology

  1. Social Networks and Information Security - Oxymoron or can you have both?
     Ben Rothke, CISSP PCI QSA
     Senior Security Consultant, BT Professional Services
     April 13, 2010

  2. About me
     • Ben Rothke, CISSP CISM PCI QSA
     • Security Consultant – BT Professional Services
     • Full-time information security since 1994
     • Frequent writer and speaker
     • Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill)

  3. BT in North America
     • Operating since 1988
     • More than 4,000 employees in the US and Canada
     • Network Operations and Customer Service Centers in Atlanta GA, Boston MA, Los Angeles CA, Princeton NJ, Oakdale MN and Nutley NJ
     • Seven of the more than 30 BT acquisitions during recent years are HQ in the US: Infonet, Radianz, Counterpane, INS, Comsat, Wire One, Ribbit
     • More than 3,500 customers in the US and Canada, including 75% of the Fortune 500 and 50% of the Fortune 1000
     • Serving Canadian enterprises in 32 cities, serving hundreds of major customer sites across the country
     • Of BT’s top 2,000 customers, 50%+ are headquartered or have major operations in the Americas

  4. Why BT for Security?
     • Industry-leading resources
       – 1,400 global practitioners with over 125 accredited security professionals in the US
       – Comprehensive event correlation platforms and reporting tools
       – Operating 9 world class SOCs globally 24/7/365
       – Over 100 registered patents, 190 security papers and numerous books
     • With proven experience
       – 6,000 security engagements in the US since 1994
       – BT has delivered security services to over 75% of the Fortune 500
       – Monitoring 550 networks with data from over 150 countries and 335,000 devices
       – Filters over 75,000 viruses from client networks each month
       – Over 1,500 firewalls under management
     • Delivering an integrated services portfolio
       – From assessment to mitigation, on a global basis
       – Incorporating industry-leading technology & services, with Counterpane at the core
     • Third party validation
       – Many accreditations, including BS 27001/ISO 17799, SAS70-II, FIPS 140-2, CERT, FIRST, CLAS, SANS GIAC and CHECK
       – Leadership position in Gartner’s 2007 North American MSSP Magic Quadrant
       – Highest capability maturity rating from NSA
  5. Agenda
     • How can enterprises effectively use social networks while not putting their security and data at risk?
     • Understanding and dealing with the security risks of social networks
     • Making the security focus shift from infrastructure protection to data protection
     • Social network security strategies for enterprises
     • Social network security strategies for individuals
     • Q/A

  6. Why are enterprises interested in social networking?

  7. Why this is a very cool information security topic
     • Easy security tasks
       – Block all outbound ftp traffic
       – Require disclaimers on all outbound emails
       – Block admission to the network if host AV signatures are not current
       – Require encryption on all outbound files to the Moscow office
     • Challenging security tasks
       – Stop end-users from inappropriate sharing of confidential and proprietary data via social networks

  8. Why are people interested in social networking?

  9. Social networking - then and now
     • Computer Associates
     • 1990’s – President Charles Wang limits employees’ email usage
       – to 1 hour in the morning & afternoon
       – to emphasize face-to-face interaction rather than sending e-mails
     • 2010 – Computer Associates is now on Twitter

  10. Social networks huge - getting larger
     • 75% of US online adults use social tools
       – up from 56% in 2007
       – The Growth Of Social Technology Adoption - Josh Bernoff, Forrester

  11. The social web
     • Social web is about communities, collaboration, peer production and user-generated content
     • Business reputations are defined by customer opinions and ratings
     • Press is delivered by independent bloggers
     • Product development and insight is driven by customers
     • Digital natives who have grown up with the Internet flood the workplace
     • Your employees will likely expect to be part of the social web and they'll have a lot to contribute
     • Source: Joshua-Michéle Ross
  12. Today’s social networking reality

  13. Resistance to social networks is futile
     • Social networks are not a fad
     • Prepare a strategy and have a realistic understanding of the risks and benefits of social software
     • Understand the unique challenges with social networks and factor them into the decision on when and how to proceed
     • Gartner - Major Challenges Organizations Face Regarding Social Software

  14. Social networks are major news stories

  15. But the security risks can’t be ignored

  16. Social networks - security game-changer
     • Organizations and management are struggling
       – to understand and deal with the security risks of social networks
     • Traditional information security
       – firewalls and access control protected the perimeter
       – social networks open up that perimeter
     • Focus shift
       – from infrastructure protection to data protection
     • DLP (data loss prevention) tools
       – becoming the new firewall for the social web
     • Bypass corporate services
       – Facebook for email
       – Skype as a telephone system
       – Gmail for instant messaging

  17. Security issues
     • There are legitimate risks with allowing uncontrolled access to social networking sites
       – risks can be mitigated via a comprehensive security strategy
     • Security and trust
       – social networks require a full taxonomy of security
       – people are much more trusting of a message from a friend or colleague on a social network than they are of an e-mail
       – people are used to e-mails being forged
     • People will share extraordinary amounts of highly confidential personal and business information with people they perceive to be legitimate

  18. Social media risks (each row: Risk – Description; Security issue? / Type)
     • Malware – Infection of desktops, propagation of malware through staff or corporate profiles on social-media services. (Security: Yes / Type: Technology)
     • Chain of providers – Mashups of applications within a social-media service enable the untraceable movement of data. (Security: Yes / Type: Technology)
     • Interface weaknesses – Public application interfaces are not sufficiently secured, exposing users to cross-site scripting and other exploits. (Security: Yes / Type: Technology)
     • Reputation damage – Degradation of personal and corporate reputations through posting of inappropriate content. (Security: No / Type: Content)
     • Exposure of confidential information – Loose lips sink ships; breach of IP or other trade secrets, breach of copyright, public posting or downloading of private or sensitive personal information. (Security: Yes / Type: Content)
     • Legal exposure – Legal liabilities resulting from posted content and online conversations, or failure to meet a regulatory requirement to record and archive particular conversations. (Security: Yes / Type: Content)
     • Revenue loss – For organizations in the information business, making content freely available may undercut fee-based information services. (Security: Yes / Type: Content)
     • Staff productivity – Workers failing to perform due to the distraction of social media. (Security: No / Type: Behavior)
     • Hierarchy subversion – Informal social networks erode authority of formal corporate hierarchy and defined work processes. (Security: No / Type: Behavior)
     • Social engineering – Phishing attacks, misrepresentation of identity and/or authority to obtain information illicitly or to stimulate damaging behaviors by staff. (Security: Yes / Type: Behavior)
     • Identity fraud – Profiles and postings that are erroneously attributed to a staff member or corporate office. (Security: Yes / Type: Behavior)
     • Source: Gartner – Report G00173953 - February 2010
  19. How information security groups lose the social media war
     • Social media security requires a combination of technical, behavioral and organizational security controls
       – Many information security groups are clueless on how to do that
     • Arguing that social media presents unmanageable security risks gives the impression that the information security group is incompetent
     • Too much use of the FUD (fear, uncertainty and doubt) factor as part of their argument

  20. Social network postings are immortal
     • Physics 101 - Law of conservation of energy
       – total amount of energy in an isolated system remains constant
       – energy can’t be destroyed - can only change form
     • Social networks physics 101
       – Internet - huge database of unstructured content with an infinite life
       – once confidential data is made public, it can never be made confidential again
       – once data is posted in a Web 2.0 world, it exists forever, somewhere
     • RSS feeds can’t be unfed
       – difficulty of complete account deletion
         • users wishing to delete accounts from social networks may find that it’s almost impossible to remove secondary information linked to their profile, such as public comments on other profiles

  21. Security issues - aggregation
     • Aggregation
       – process of collecting content from multiple social network services
       – consolidates multiple social networking profiles into one profile
     • Google OpenSocial
       – defines a common API for social applications across multiple websites
       – with standard JavaScript and HTML, developers can create apps that access a social network’s friends and update feeds
     • Long-term anonymity is nearly impossible
       – users leave traces: IP addresses, embedded links, IDs in files, photos, etc.
       – no matter how anonymous one tries to be, eventually, with enough traces, aggregation will catch up

  22. Security and privacy risks
     • Malware
       – social networks used as a malware distribution point
     • Vulnerabilities
       – cross site scripting (XSS), cross site request forgery (CSRF)
       – 1 in 5 web attacks aimed at social networks
     • Corporate espionage
     • Phishing / spear phishing
     • Bandwidth consumption
     • Information leakage
     • Social engineering attacks
     • Content-based Image Retrieval (CBIR)
       – emerging technology that matches features, such as identifying aspects of a room (e.g. a painting), in very large databases, increasing the possibilities for locating users

  23. Mission Impossible 1999 is social networking 2010
     • Your mission
       – find 20 divorced/single female design engineers based in the US at Boeing Integrated Defense Systems
       – build a rapport with them
       – get critical data or designs for the new fighter under development
     • Time / Budget / Success
       – 1999 – Many people, many months, limited success, very expensive
       – 2009 – One person, multiple Facebook accounts, can outsource to India, near immediate results, extremely high success rate
     • Facebook makes it easy to find out who these women are
       – who their friends are (likely other single women at Boeing)
       – what they like, where they shop, their daily habits, their friends, entertainment, and much more

  24. Social networks and information security
     • Social networks and security are compatible
       – requires effort, staff, and a formalized plan of action
     • Formalized, comprehensive social networking strategy
       – there are no social network security appliances
     • Public corporations
       – subject to SEC disclosure obligations, must deal with fair disclosure rules
       – inside information on a social network is a regulatory violation
       – must have formal logging and archiving in place for social networks
  25. Strategies and action items for enterprises to deal with the security and privacy risks of social networks

  26. Get in front of the social network wave
     • Organizations must be proactive
       – dedicated team to deal with social networks
       – ability to identify all issues around social networks
     • Get involved and be engaged
     • Social networking is moving fast
       – dynamic technology
       – requires a proactive protection approach
     • Be flexible
       – overall uncertainty about what strategies and tactics to adopt to secure social media

  27. Risk assessment
     • Social media create new opportunities for fraud and abuse
     • Enables a wide range of abuses
       – Must be anticipated and evaluated to construct appropriate security plans and controls
     • Perform a social network risk assessment
       – create a risk assessment for each social network community
       – vulnerabilities associated with specific sites
       – which users are the greatest risk?
       – output will be used to create the social media policy and strategy
       – customized to your specific risk matrix
       – balance the risks vs. benefits
     • US Marines – totally prohibited
     • Starbucks – totally embraced

  28. Social media strategy
     • Strategy and policy should be based on your social media goals
     • Take into account any special laws or rules
     • Identify people or positions who will be the online public face of the firm
     • Decide if and how employees may identify themselves
     • Involve risk managers in your planning
     • Draconian policies preventing the use of social media will not be effective
     • Use a balanced approach
       – allow access
       – manage risk via technical controls, policies and employee training

  29. Monitoring
     • Maintain control over content the company owns
       – monitor employee participation on social networking sites
       – significant risk of loss of IP protection if not monitored
       – when inappropriate use of enterprise content occurs, notify the employee and explain how their actions violated policy
       – control where and how corporate content is shared externally

  30. Social network assessments
     • Perform a LinkedIn analysis
     • From LinkedIn you can tell:
       – what technologies a company is using
       – corporate direction
       – vendors
       – partners
       – internal email addresses and address formats
     • Perform a Facebook analysis
     • From Facebook you can tell:
       – almost everything

  31. Define corporate social media policy and strategy
     • Social networks blur the boundary between company roles
       – who speaks for the company on a blog, Twitter, Facebook
       – border between the company and the outside world is evaporating
       – this is a management decision, not an IT decision
       – strategies: block, contain, disregard, embrace
       – create user scenarios
         • not all users need access
       – see Twitter strategy for Government Departments
       – ensure your corporate social media strategy is realistic
       – view webinar by Joshua-Michele Ross on how to do this

  32. Corporate social networking policy
     • Social networking policy is a must
       – even if it prohibits everything, you still need a policy
     • Policies are needed because employees do stupid things
     • Define a rational, sensible use of social media services
       – include photography and video
       – don’t reference clients, customers, or partners without obtaining their express permission
     • Data classification
       – create a data classification program
       – users need to be able to know precisely the different data classification levels
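The DLP point on slide 16, the monitoring of externally shared content on slide 29 and the data classification program on slide 32 fit together as one control: an outbound-post check that knows what the classification program says must not leave the company. The following Python is an added example, not code from the presentation or from BT or any DLP vendor; the classification markers, project codenames and the internal mail domain corp.example are constructed for the demo, and card-number detection uses the standard Luhn checksum so that order numbers and phone numbers are not reported as cards.

```python
"""Outbound-post DLP check: added example, not code from the presentation or from BT.
The classification markers, codenames and internal domain are constructed for the demo."""
import re

# Constructed outputs of a data classification program (slide 32): labels that must
# never appear in public posts, internal project codenames, and the internal mail domain.
CLASSIFICATION_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY", "TRADE SECRET")
INTERNAL_CODENAMES = ("project falcon", "orion release")
INTERNAL_DOMAIN = "corp.example"  # hypothetical internal domain

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def luhn_valid(number):
    """Luhn checksum over the digits in `number`; separates card numbers from order IDs."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_post(text):
    """Return a list of (finding_type, matched_text) pairs for one outbound post."""
    findings = []
    upper, lower = text.upper(), text.lower()
    for marker in CLASSIFICATION_MARKERS:
        if marker in upper:
            findings.append(("classification_marker", marker))
    for name in INTERNAL_CODENAMES:
        if name in lower:
            findings.append(("internal_codename", name))
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group(0)):  # digit runs that fail Luhn are not reported
            findings.append(("payment_card", m.group(0)))
    for m in EMAIL_RE.finditer(text):
        if m.group(1).lower() == INTERNAL_DOMAIN:
            findings.append(("internal_email", m.group(0)))
    return findings


def decision(findings):
    """Policy outcome: block clearly classified data and card numbers, route codename or
    internal-address mentions to a reviewer, allow everything else."""
    kinds = {kind for kind, _ in findings}
    if kinds & {"classification_marker", "payment_card"}:
        return "block"
    return "review" if kinds else "allow"


# Constructed sample posts, as an outbound monitor would see them.
SAMPLE_POSTS = [
    "Loved the keynote at Infotec today, great crowd!",
    "Ping me at jdoe@corp.example about Project Falcon timelines",
    "CONFIDENTIAL: Q3 numbers attached, do not share",
    "Card on file is 4111 1111 1111 1111, charge it tomorrow",
    "Order 1234567890123 shipped, thanks team",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        found = scan_post(post)
        print(f"{decision(found):6s} {post!r} {found}")
```

Run as a script it scores each constructed post. The point to take from it is that a text-pattern check is only as good as the classification program behind it: the markers and codename list are the output of the slide 32 work, and without them the scanner can only catch generic patterns such as card numbers and internal addresses.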
  33. Security awareness
     • Social media is driven by social interactions
     • Most of the significant risks are tied to the behavior of staff when they are using social software
     • Governance of staff behavior must take into account both the technical capabilities of the social software and the relative tendency of staff to engage in risky behavior in social media
     • Don't shun social media for fear of bad end-user behavior
       – Anticipate it and formulate a multilevel approach to policies for effective governance
     • 3 C’s: clear, comprehensive, continuous

  34. Security awareness
     • Awareness and training program is critical
       – must be effectively communicated and customized
       – disseminate to everyone
       – ensure recurrent training
       – create topic taboo lists
       – define expectations of privacy
     • Link social networking training to other related training
       – business ethics, standards of conduct, industry-specific regulations
     • Public companies
       – at risk for disclosure of insider information
       – even if not at fault, an assertion of insider disclosure is expensive, embarrassing and time consuming

  35. Guidelines
     • Without clear guidelines, breaches are inevitable
     • Excellent sources:
       – Intel Social Media Guidelines
       – IBM Social Computing Guidelines
         • directives for blogs, wikis, social networks, virtual worlds and social media

  36. Regulatory
     • Regulatory compliance must be considered
       – social networks present numerous scenarios which weren’t foreseen when current legislation and data protection laws were created
       – regulatory framework governing social networks should be reviewed and, where necessary, revised
       – consider what specific laws/regulations/standards apply
       – all breach notice laws are relevant
         • if customer or employee PII is posted, breach response plans would likely need to be followed and notices would need to be sent
         • HIPAA and expanded responsibilities under ARRA HITECH
         • newly released final breach response rules from the HHS

  37. EU and social networks
     • EU Data Privacy Directives
       – EU Directive on Data Protection 95/46/EC
       – Data Protection Working Party Opinion 5/2009
       – EU countries take personal privacy very seriously
         • tagging of images with personal data without the consent of the subject of the image violates the user’s right to informational self-determination
         • blanket monitoring and logging is unacceptable in the EU
         • many more privacy details need to be considered
     • Review ENISA position paper
       – Security Issues and Recommendations for Online Social Networks
       – Online as Soon as it Happens

  38. Human resources
     • Human resources must be involved
       – social networks open up a huge can of HR worms
       – what are the disciplinary actions for non-compliance?
       – candidate’s social network presence as a factor in the hiring process?
       – create directives for managing personal and professional time
       – don’t be seen as encroaching on your employees’ free speech rights
       – put out reasonable guidelines
       – explain how innocent postings can be misconstrued
       – but… a too heavy-handed approach will often backfire and result in lower morale and often bad publicity

  39. Hardware and software solutions
     • Gartner
       – Market for security controls for social media is relatively immature
       – Security managers need to develop control environments that incorporate new tools and techniques to monitor and control user activity and data movement
       – IT organizations have concentrated for too long on using technical controls to ensure that IT and business resources are used appropriately
       – In some situations, social guidelines can be more effective than technical controls

  40. Reputation management
     • Traditional PR and legal responses to an Internet-based negative reputation event can cause more damage than doing nothing
     • Understanding how to establish, follow and update protocols can make social-media chaos less risky to enterprises
     • Information security should coordinate activities with PR teams to expand monitoring and supplement monitoring with investigations and evidence collection processes

  41. Dealing with reactive chaos
     • Rare for companies to have the tools and skills to conduct an investigation into the origins of inappropriate material and the identity of the individuals involved in social media breaches
     • CSIRTs are called on to provide investigation support
       – but often contacted late
     • Optimal approach
       – monitoring and managing social media and incident response requires an approach that combines the efforts and capabilities of the PR, HR and information security teams

  42. Reputation management

  43. Reputation management
     • Goal is to build and protect a positive Internet-based reputation
     • Risks to reputation are significant and growing with the increased use of social networks
     • Create a reputation management group with input from IT, legal, risk management, PR and marketing
     • Coordinated approach – proactive / responsive

  44. Strategies and action items for individuals to deal with the security and privacy risks of social networks

  45. Let’s be careful out there
     • You can lose your job
       – policy violation
       – managers and executives - special responsibility when blogging by virtue of the position
       – too much time on social network sites
       – perception that you are promoting yourself at the expense of the company
       – especially if your employer is not into social networking
     • Don’t embarrass yourself, friends, family, coworkers
     • Be aware of the dark side of social networks
       – divorce
       – cyberbullies
       – see MySpace suicide case

  46. Action items – individual user
     • Curb your enthusiasm
       – those with OCD/addictive personalities must ensure they know the addictive nature of social networking
       – what is fun today is embarrassing tomorrow
       – don’t post comments that you don’t want the entire world to see
       – consider carefully which images, videos and information you publish
       – set daily time limits on how much time you will spend
     • When at work
       – you are being paid to work when you are at work
       – don’t abuse the trust your employer had in hiring you

  47. Social incrimination
     • Everything you post may be used against you
       – be judicious when posting, especially photos/videos
         • copyright issue – camcorders now have Direct Upload to YouTube capabilities
     • Don’t post a photo that you don’t want the world to see
     • Watch that pose
       – the world will see you in that photo
       – images give away private data about other people, especially when tagged with metadata
     • Enable Facebook security controls
       – 10 Privacy Settings Every Facebook User Should Know
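Slides 21 and 47 make the same point from two sides: files and photos carry traces (IDs, metadata) and, once aggregated or tagged, those traces become private data about the poster and about the people in the picture. Below is an added Python example, not part of the original slides and not any social network's own tooling, that inspects a JPEG before upload: it walks the marker segments, reports whether the Exif block links to a GPS sub-IFD (the structure camera software uses to store location), and returns a copy with the Exif/XMP (APP1) and IPTC (APP13) segments removed. The sample JPEG bytes are constructed inline with a GPS pointer present and are not a decodable picture; the marker layout is the only thing the walker needs.

```python
"""Pre-upload JPEG metadata check/strip. Added example, not from the slides and not any
social network's own tooling. The sample bytes are constructed and are not a real image."""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, APP13 = 0xE0, 0xE1, 0xED
STRIP = {APP1, APP13}   # Exif/XMP and IPTC: where camera, location and author data live
GPS_IFD_TAG = 0x8825    # IFD0 tag whose value points at the GPS sub-IFD


def iter_segments(data):
    """Yield (marker, raw_segment) for each marker segment up to SOS, then (None, tail)
    for the entropy-coded data that follows, which is copied through untouched."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: SOI marker missing")
    yield SOI, data[:2]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == EOI:
            yield EOI, data[pos:pos + 2]
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # counts the 2 length bytes
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length
        if marker == SOS:
            yield None, data[pos:]
            return


def exif_payload(data):
    """Return the TIFF block inside an Exif APP1 segment, or None if the file has none."""
    for marker, seg in iter_segments(data):
        if marker == APP1 and seg[4:10] == b"Exif\x00\x00":
            return seg[10:]
    return None


def exif_has_gps(tiff):
    """Walk IFD0 of a TIFF block and report whether any entry is the GPS IFD pointer."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return False
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        entry = ifd0 + 2 + 12 * i  # each IFD entry is 12 bytes: tag, type, count, value
        if struct.unpack(endian + "H", tiff[entry:entry + 2])[0] == GPS_IFD_TAG:
            return True
    return False


def strip_metadata(data):
    """Return a copy of the JPEG with APP1 (Exif/XMP) and APP13 (IPTC) segments dropped."""
    return b"".join(seg for marker, seg in iter_segments(data) if marker not in STRIP)


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample():
    """Constructed JPEG-like bytes: SOI, JFIF APP0, an Exif APP1 whose IFD0 has a Make tag
    and a GPS IFD pointer, a stub SOS, two data bytes, EOI. Not decodable as a picture."""
    gps_ifd = 8 + 2 + 2 * 12 + 4                # header, entry count, two entries, next link
    tiff = b"II*\x00" + struct.pack("<I", 8)    # little-endian TIFF header, IFD0 at offset 8
    tiff += struct.pack("<H", 2)
    tiff += struct.pack("<HHI", 0x010F, 2, 3) + b"BT\x00\x00"                  # Make = "BT"
    tiff += struct.pack("<HHI", GPS_IFD_TAG, 4, 1) + struct.pack("<I", gps_ifd)  # GPS pointer
    tiff += struct.pack("<I", 0)                                               # no IFD1
    tiff += struct.pack("<H", 1) + struct.pack("<HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"
    tiff += struct.pack("<I", 0)                                   # GPS IFD: GPSLatitudeRef
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8" + _segment(APP0, jfif) + _segment(APP1, b"Exif\x00\x00" + tiff)
            + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34" + b"\xff\xd9")


SAMPLE = build_sample()

if __name__ == "__main__":
    tiff = exif_payload(SAMPLE)
    print("GPS sub-IFD present:", tiff is not None and exif_has_gps(tiff))
    cleaned = strip_metadata(SAMPLE)
    print("bytes before/after strip:", len(SAMPLE), len(cleaned))
    print("Exif remaining:", exif_payload(cleaned) is not None)
```

The design choice worth noting is that the stripper never parses the Exif contents it removes; it drops whole application segments by marker, so unknown or malformed tags cannot cause it to keep data by mistake. The GPS check is the opposite: it reads only as much of IFD0 as it needs to answer one yes/no question a user can act on before posting.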
  48. Action items – individual user
     • Limited security capabilities
       – don’t assume social network sites will give you privacy or confidentiality
       – especially over the long term when items are cross-posted/shared
     • Ensure you know about and are compliant with your employer’s social media guidelines
       – if you post something corporate, ensure that it is public information
       – be careful about posting customer information, even if it is public
       – breach of insider information can cost you your job
       – know the rules of using social networking sites while you’re at work
       – take extra care if you friend your boss on Facebook
       – Facebook is viral and addictive – don’t waste your workday on it

  49. Action items – individual user
     • Bad social networking can lead to career suicide
     • Use and maintain anti-virus software
     • HR is looking
       – 45% of employers now screen social media profiles
     • Realize the inherent tension in social networks
       – know your limits
       – social networks are like a party – the point is to have fun without humiliating yourself
     • Choose good passwords
       – follow password creation rules
       – don’t use the same password across multiple social networks

  50. Action items – individual user
     • Don’t accept every Facebook invitation
     • Realize you are a target for social engineers
     • Be aware of friends asking for salami
     • What does your friends’ list say about you?
     • Something you post today, or a YouTube video you appear in, can haunt you for the rest of your life
     • Trust but verify all invitations
     • Limit the amount of personal information you post
       – do you really need to post your birthday?
       – get in the habit of not sharing personal data

  51. Action items – individual user
     • Be careful when taking surveys
       – especially on Facebook
       – answers can be aggregated by bogus surveys to launch a social engineering attack
       – password recovery answers
     • Not everything needs to be commented on
       – Think twice before posting about
         • interviews
         • complaints about long/boring meetings
         • complaints about coworkers, management, bosses, etc.
         • off the cuff remarks

  52. Children
     • Especially susceptible to social network threats
       – kids misrepresent their age to join sites that have age restrictions
       – kids post more information in their pictures than was intended, such as hobbies, interests, location of their school
     • Teach your kids about Internet safety
       – be aware of their online habits, guide them to appropriate sites
       – they should never meet in person anyone they met online
     • Parents must ensure that their children become safe and responsible users
     • National Cyber Alert System Cyber Security Tip ST05-002 – Keeping Children Safe Online

  53. Conclusions / Q&A
     • Social networks introduce significant security risks
     • Companies must recognize these risks and take a formal approach to deal with them
     • Individuals can’t be naïve about their responsibilities
     • Social networks and security - not an oxymoron
       – as long as social network security is part of a comprehensive corporate information security program
       – and end-users and individuals are aware of the risks and their responsibilities

  54. Contact information
     Ben Rothke, CISSP PCI QSA
     Senior Security Consultant
     BT Professional Services