Interop 2011 las vegas - session se31 - rothke
My presentation from Interop 2011 on: Social networks and security – can you have both?

1. Social networks and security – can you have both?
   Ben Rothke, CISSP, CISM, CISA
   Session SE-31, May 12, 2011, @benrothke

2. About me
   • Ben Rothke, CISSP, CISM, CISA
   • Senior Security Consultant – British Telecom
   • Frequent writer and speaker
   • Author – Computer Security: 20 Things Every Employee Should Know (McGraw-Hill)
   • Write the Security Reading Room blog –

3. Agenda
   • Overview of social networks
   • Scary security risks associated with social networks
   • Social network security strategies
   • Conclusion / Recommendations / Q&A

4. Security risks can’t be ignored

5. Twitter – corporate, mainstream

6. Facebook – corporate, mainstream

7. Business benefits
   • enhanced collaboration
   • faster access to information within the company
   • ability to get questions answered
   • shared workspaces
   • microblogs and chat
   • platform applications

8. Social networking reality

9. …is now social networking
   • Your mission
     – find 20 design engineers based in the US at Boeing
     – build a rapport with them to get designs for a new 737 derivative
   • Time / Budget / Success
     – 1990 – many people, many months, limited success, very expensive
     – 2011 – one person, multiple Facebook accounts, can outsource to India, near-immediate results, extremely high success rate
   • Facebook – easy to find out who they are
     – who their friends are
     – what they like, where they shop, daily habits, friends

10. • To block or not to block? – no longer the question
    • Social media isn’t a choice anymore – it’s a business transformation tool – Natalie Petouhoff, Weber Shandwick
    • Business and information security goal – secure use and enablement of social media

11. Reasons not to block
    • Don’t blame the game, blame the player
    • Smart companies control, not block
      – staff can use social media and be productive
    • No longer a 9-5 world
    • Lose the benefits of social media
    • Abusers don’t suddenly become productive
      – social media abuse is an HR issue, not a technical issue

12. New security ideas required
    • Easy security tasks
      – block all outbound FTP traffic
      – use DLP to encrypt sensitive e-mails
      – block admission to the network if host AV signatures are not current
      – use SIEM to correlate all logs
    • Challenging security task
      – stop end-users from inappropriate sharing of confidential/proprietary data via social networks

13. Resistance is futile
    • Social networks are not a fad
    • Not only is resistance futile – it is a negative business decision
    • Prepare a social networking strategy
    • Have a realistic understanding of the risks and benefits of social software
    • Understand the unique challenges and factor them into decisions on when and how to proceed

14. Try stopping this…

15. Security game-changer
    • Organizations and management are struggling
      – to understand and deal with the numerous security and privacy risks associated with social networks
    • Traditional information security – firewalls and access control protected the perimeter; social networks open up that perimeter
    • Focus shift – from infrastructure protection to data protection

16. Security issues
    • People will share huge amounts of highly confidential personal and business information with people they perceive to be legitimate
    • Numerous legitimate security risks with allowing uncontrolled access to social sites
    • But… these risks can be mitigated via a comprehensive security strategy

17. Security and privacy risks
    • Malware – social networks as a malware distribution point
    • Vulnerabilities – cross-site scripting, cross-site request forgery
      – 1 in 5 web attacks aimed at social networks
    • Corporate espionage
    • Phishing / spear phishing
    • Bandwidth consumption

18. More security and privacy risks
    • Information leakage
    • Social engineering attacks
    • Geotagging / location-based social networking
      – allows random people to track an individual’s location and correlate it with other information
      – publishing business photos can be detrimental to business
      – Content-Based Image Retrieval (CBIR)
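The geotagging risk in slide 18 is usually mitigated by stripping location metadata before a business photo is published. As an added example, not part of the deck, the following Python walks a JPEG's marker segments, reports whether the Exif block's IFD0 carries a GPSInfo pointer, and removes the Exif segment entirely; the sample JPEG container is constructed inline and holds no image data.

```python
import struct

APP1, SOS = 0xFFE1, 0xFFDA
EXIF_HDR = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-IFD

def iter_segments(jpeg: bytes):
    """Yield (marker, start, end) for each marker segment before the scan data."""
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == SOS:  # entropy-coded data follows; no more metadata segments
            break
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def has_gps(jpeg: bytes) -> bool:
    """True if the Exif APP1 segment's IFD0 contains a GPSInfo pointer tag."""
    for marker, start, end in iter_segments(jpeg):
        if marker != APP1 or jpeg[start + 4:start + 10] != EXIF_HDR:
            continue
        tiff = jpeg[start + 10:end]
        endian = "<" if tiff[:2] == b"II" else ">"  # byte order from the TIFF header
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):
            entry = ifd0 + 2 + 12 * i  # each IFD entry is 12 bytes
            if struct.unpack(endian + "H", tiff[entry:entry + 2])[0] == GPS_IFD_TAG:
                return True
    return False

def strip_exif(jpeg: bytes) -> bytes:
    """Return the JPEG with every Exif APP1 segment removed; image data is untouched."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end in iter_segments(jpeg):
        if marker == APP1 and jpeg[start + 4:start + 10] == EXIF_HDR:
            out += jpeg[last:start]
            last = end
    out += jpeg[last:]
    return bytes(out)

def build_sample() -> bytes:
    """Constructed sample: Exif with a GPS IFD, an empty scan header and EOI."""
    tiff = b"II*\x00" + struct.pack("<I", 8)  # little-endian, IFD0 at offset 8
    # IFD0: one entry, the GPSInfo pointer (LONG, count 1) -> GPS IFD at offset 26
    tiff += struct.pack("<HHHII", 1, GPS_IFD_TAG, 4, 1, 26) + struct.pack("<I", 0)
    # GPS IFD: one entry, GPSLatitudeRef (tag 1, ASCII, count 2) holding "N\0"
    tiff += struct.pack("<HHHI", 1, 0x0001, 2, 2) + b"N\x00\x00\x00" + struct.pack("<I", 0)
    body = EXIF_HDR + tiff
    return b"\xff\xd8" + struct.pack(">HH", APP1, len(body) + 2) + body + struct.pack(">HH", SOS, 2) + b"\xff\xd9"
```

Run has_gps() over an upload queue to flag photos that still carry location data, and strip_exif() before anything leaves the company; on a real file the scan data after SOS is copied through unchanged.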
19. is just the beginning

20. Infosec losing on social media?
    • Requires a combination of technical, behavioral and organizational security controls
      – many information security groups are clueless on how to do that
    • Arguing that social media presents a highly unmanageable set of security risks
      – gives the impression that the infosec group is incompetent

21. Strategies and action items for enterprises to deal with the security and privacy risks of social networks

22. Secure use of social media
    1. Enablement – awareness, education
    2. Governance – corporate social media strategy, realistic policies
    3. Management – effective monitoring

23. Get in front of the wave
    • Be proactive
      – dedicated team to deal with social networks
      – identify all issues around social networks
    • Get involved and be engaged
    • Social networking is moving fast
    • Be flexible
      – overall uncertainty about what strategies and tactics to adopt to secure social media

24. Risk assessment
    • for each social network community
      – vulnerabilities associated with each community
    • each social community has its own set of unique security and privacy concerns
    • which users are the greatest risk?

25. Risk assessment
    • output will be used to create the social media policy and strategy
      – customized to your specific risk matrix
    • balance risks vs. benefits
      – US Marines – totally prohibited
      – Starbucks – totally embraced

26. Social network risk assessment
    • LinkedIn analysis – you can determine:
      – what technologies a company is using
      – corporate direction
      – vendors
      – partners
      – internal e-mail addresses and address formats
    • Facebook analysis – you can determine:
      – almost everything

27. Social media strategy
    • Based on your social media goals
    • Identify people or positions who will be the online public face of the firm
    • Decide if/how employees may identify themselves
    • Twitter strategy for Government Departments –

28. Social media strategy
    • Draconian policies preventing the use of social media will most often not be effective
    • Use a balanced approach
      – allow access
      – manage risk via technical controls, policies and employee training

29. Blurred role boundaries
    • who speaks for the company
    • border between the company and the outside world is evaporating
    • management decision, not an IT decision
    • strategies: block, contain, disregard, embrace
    • create user scenarios – not all users need access

30. Social networking policy
    • Social networking policy is a must – even if it prohibits everything, you still need a policy
    • Employees will do stupid things
    • Rational, sensible use of social media services
      – include photography and video
      – don’t reference clients, customers, or partners without obtaining their express permission

31. Monitoring
    • Maintain control over content the company owns
      – monitor employee social networking participation
      – significant risk of loss of IP protection if not monitored
      – inappropriate use of enterprise content occurred? notify the employee and explain how their actions violated policy
      – control where and how corporate content is shared externally

32. Security awareness
    • Social media is driven by social interactions
    • Most significant risks are tied to the behavior of staff when they are using social software
    • Don’t shun social media for fear of bad end-user behavior
      – anticipate it and formulate a multilevel approach to policies for effective governance
    • 3 C’s – clear, comprehensive, continuous

33. Security awareness
    • Awareness and training program is critical
      – effectively communicated and customized
      – disseminate to everyone
      – ensure recurrent training
      – create topic taboo lists
      – define expectations of privacy

34. How to get fired in 3 tweets…
    • Let employees know they can lose their job
      – policy violation
      – managers and executives have a special responsibility when blogging by virtue of their position
      – too much time on social network sites
      – perception that they are promoting themselves at the expense of the company, especially if the employer is not into social networking

35. End-user awareness
    • Curb your enthusiasm
      – those with OCD/addictive personalities – be cognizant of the addictive nature of social networking
      – what is fun today is embarrassing tomorrow
      – expect that the entire world will see your comments
      – consider carefully which images, videos and information you publish
      – set daily time limits on social media

36. Awareness 101
    • Ensure staff know about and are compliant with social media guidelines
      – if you post something corporate, ensure that it is public information
      – be careful about posting customer information, even if it is public

37. Awareness 101
    • Ensure staff know about and are compliant with social media guidelines
      – breach of insider information can cost you your job
      – know the rules of using social networking sites while at work
      – take extra care if you friend your boss on Facebook
      – Facebook is viral and addictive – don’t waste the workday on it

38. Social media guidelines
    • Without guidelines, breaches are inevitable
    • Excellent sources:
      – Intel Social Media Guidelines
      – IBM Social Computing Guidelines
      – Oracle Social Media Participation Policy
    • Policies must have directives for blogs, wikis, social networks, virtual worlds, social media and more

39. Regulatory compliance
    • Regulatory framework should be reviewed and, where necessary, revised
    • Consider what specific laws, regulations, standards and breach notice laws apply

40. Reputation management
    • Traditional PR and legal responses to an Internet-based negative reputation event can cause more damage than doing nothing
    • Establishing, following and updating protocols can make social-media chaos less risky to enterprises
    • Infosec should coordinate activities with PR teams
      – expand monitoring and supplement monitoring with investigations and evidence collection processes

41. Reputation management

42. Reputation management
    • Goal is to build and protect a positive Internet-based reputation
    • Risks to reputation are significant and growing with the increased use of social networks
    • Create a reputation management group with input from IT, legal, risk management, PR and marketing

43. Reputation management
    • Coordinated approach – proactive / responsive

44. HR must be involved
    • Social networks open up a huge can of HR worms
    • What are the disciplinary actions for non-compliance?
    • Can a candidate’s social network presence be a factor in the hiring process?
    • Create directives for managing personal and professional time

45. HR must be involved
    • Don’t be seen as encroaching on employees’ free speech
    • Create reasonable guidelines
    • Explain how innocent postings can be misconstrued
    • A heavy-handed approach will often backfire and result in lower morale and often bad publicity

46. HR & FCRA
    • Via Facebook, you can know way too much about a candidate:
      – race, orientation, religion, politics, health, etc.
      – such information can be used to show bias – EEOC and expensive litigation

47. References
    • Clearswift Security Awareness Research
    • New Media and the Air Force
    • ENISA position papers
      – Security Issues and Recommendations for Online Social Networks
      – Online as Soon as it Happens
    • Parents’ Guide to Facebook

48. Conclusion
    • Social networks introduce security risks – social networks and security can be compatible
    • Perform a comprehensive risk assessment against all social networks to be used
    • Understand business and technical requirements
    • Recognize these security and privacy risks and take a formal approach to mitigate them

49. Contact info
    • Ben Rothke, CISSP, CISA
    • Senior Security Consultant
    • BT Professional Services
    • @benrothke