Social media and security essentials.pptx


  1. Social Media & Security Essentials
     January 31, 2011
     Troy DuMoulin, AVP Strategic Solutions, Pink Elephant
     Pink Elephant – Leading The Way In IT Management Best Practices
  2. Welcome & Agenda
     Agenda:
     • The Impact & Growth of Social Media
     • The key risks of Web 2.0 and Social Media
     • Recent Example Case Studies for Facebook and Twitter
     • Social Media as an IT Service
     • Establishing Social Media Policies
     • Looking at 2011
     • Next Steps
     Objective: Practical guidance about how to effectively manage social networking security risks
     © Pink Elephant, 2011. All Rights Reserved. Social Media & Security Essentials. ITIL® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries.
  3. The Flood Of Social Media NOW
     • Adoption has surged to staggering heights. While Facebook has over 500 million users (July 2010), MySpace has nearly 70 million in the U.S. (June 2010) and LinkedIn has around 75 million worldwide (August 2010). As for Twitter, 105,779,710 registered users (April 2010) account for approximately 750 tweets each second
     • The Facebook platform houses over 550,000 active applications and is integrated with more than one million websites
     • A Burson-Marsteller study showed that, “of the Fortune Global 100 companies, 65% have active Twitter accounts, 54% have Facebook fan pages, 50% have YouTube video channels and 33% have corporate blogs”
     Source: Securing the Social Network – Websense Whitepaper
  4. Managing vs. Blocking Social Media
     It is not possible to ban the use of Social Media any more than it was possible to ban the internet (both have been tried)
  5. Websense Research Highlights 2010
     Based on a sample size of 200,000 Facebook and Twitter entries
     • Websense Security Labs identified a 111.4% increase in the number of malicious websites from 2009 to 2010
     • 79.9% of websites with malicious code were legitimate sites that had been compromised – an increase of 3% from the previous period
     • Searching for breaking trends and current news represented a higher risk (22.4%) than searching for objectionable content (21.8%)
     • 52% of data stealing attacks occurred over the Web
     Every hour Websense scans more than 40 million websites for malicious code and nearly 10 million emails for unwanted content and malicious code. Using more than 50 million real-time data collecting systems, it monitors and classifies Web, email, and data content. www.websense.com
     Source: 2010 Threat Report – Websense
  6. Websense Research Highlights 2010
     Based on a sample size of 200,000 Facebook and Twitter entries
     40% of all Facebook status updates have links and 10% of those links are either spam or malicious.
     Source: 2010 Threat Report – Websense
  7. CISCO Annual Security Report
     • Consider social media. Its impact on computer security cannot be overstated. It is common for workers to blend business and personal communications on these social networks, further blurring the network perimeter
     • The high levels of trust that users place in social networks – that is, users’ willingness to respond to information appearing within these networks – have provided ample opportunity for new and more effective scams. Instead of searching out technical vulnerabilities to exploit, criminals merely need a good lure to hook new victims
     • No longer does business take place solely behind network walls. The critical work of an organization is happening increasingly on social networks, on handheld devices, on Internet kiosks at airports, and at local cafes
     Social Media “Were The Problem”: Social media users believe there is protection in being part of a community of people they know. Criminals are happy to prove this notion wrong
  8. Social Media Risks – 1
     (Threats & Vulnerabilities, each followed by the Risks they create)
     Lack of control:
       • Automated protection can only block or enable websites and domains (On or OFF)
       • Classic anti-virus software is ineffective against social engineering or phishing attacks
       • Engaging in Social Media does not require IT involvement or approvals
       • Lack of a business policy, or lack of enforcement of the policy
     Exposure growing on legitimate websites:
       • Malicious code “is not just coming from the dark corners of the web. Some 79 percent is coming from legitimate sites”
     Data loss is often based on exploiting implicit trust (trust conditioning):
       • Social networking sites are all about trusted communities, collaboration and data sharing
       • Most malware, scams and phishing attacks are successful since they are based on preying upon trusted relationships
  9. Social Media Risks – 2
     (Threats & Vulnerabilities, each followed by the Risks they create)
     Customer or employee exposure:
       • Loss or exposure of customer information leading to liability or loss of trust
       • Reputational damage
       • Targeted marketing to your customers
       • Targeted head hunting of your employees
     Unclear or lost content rights for information posted to social media sites:
       • Enterprise’s loss of control and legal rights over information posted to the social media sites
       • Privacy violations
     Mis-directed surfing on legitimate sites:
       • Shortened URL spoofing
       • Identity theft
       • Search Engine Optimization (SEO) poisoning
       • Cross site scripting attacks
       • Trojan & botnet proliferation
  10. Early Adoption – Risk & Reward
     [Figure: technology adoption curve for Social Media – Innovators 2.5%, Early Adopters 13.5%, Early Majority 34%, Late Majority 34%, Laggards 16%; chart annotations: Embrace New Technology; Look for prior Success; Interested in cost & cost control; Luddites]
     Companies are driven by growth. Growth often comes from innovation. Many companies get a leg up on the competition by being willing to take a managed risk.
  11. Recent Social Media Attacks – Case Study Examples
  12. URL Shortening – Boon & Risk
     [Screenshot of a bit.ly warning page, captured 10-12-28 7:10 PM, at http://bit.ly/a/warning?url=http%3a%2f%2fsu%2epr%2f4SzLwj&hash=huUyr5]
     STOP – there might be a problem with the requested link
     The link you requested has been identified by bit.ly as being potentially problematic. We have detected a link that has been shortened more than once, and that may be a problem because:
     • Some URL-shorteners re-use their links, so bit.ly can’t guarantee the validity of this link.
     • Some URL-shorteners allow their links to be edited, so bit.ly can’t tell where this link will lead you.
     Spam and malware is very often propagated by exploiting these loopholes, neither of which bit.ly allows for.
     The link you requested may contain inappropriate content, or even spam or malicious code that could be downloaded to your computer without your consent, or may be a forgery or imitation of another website, designed to trick users into sharing personal or financial information.
     Bit.ly suggests that you:
     • Change the original link, and re-shorten with bit.ly
     • Close your browser window
     • Notify the sender of the URL
     Or, continue at your own risk to http://su.pr/4SzLwj
     You can learn more about harmful content at www.StopBadware.org. You can find out more about phishing from www.antiphishing.org. For more information about our policy please contact support%2Bspam@bit.ly. Read more about bit.ly’s spam and antiphishing partners here. Publish with bit.ly and protect your links.
     Security vendor McAfee Inc. is warning of a rising security risk in 2011 in the 3,000 shortened URLs generated per minute for use on social media sites such as Twitter.
  13. Short URL Checkers
     [Screenshot of Short URL Checker results, captured 10-12-28 7:12 PM, from http://pcistools.com/tinyurlchecker.php (results page http://www.pcistools.com/process_tURL.php)]
     URL as entered: http://su.pr/4SzLwj
     Resolves to: http://www.good.is/post/12-year-old-girl-runs-make-shift-school-for-village-children/
     Enter another URL, or read more information about this link:
     • Safe Browsing information for this link (source: Google.com)
     • Whois information (source: Domaintools.com)
     • Search blogs (source: Google Blog Search)
     • Social Internet search (source: SocialMention)
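     The bit.ly warning and the checker on the two slides above rest on one operation: find out where a short link actually leads before anyone clicks it. The Python script below is an added example, not code from the slides or from Pink Elephant, bit.ly or pcistools.com. It walks the redirect chain one HEAD request at a time, so the destination page is never downloaded or rendered, records every intermediate host, and flags the "shortened more than once" condition bit.ly describes by counting hops through known shortener domains. The shortener host list, the `http://bit.ly/EXAMPLE` placeholder and the redirect table standing in for live responses are constructed for the example; `head_live` uses only the standard library and is what you would pass in to query real servers.

```python
"""Expand a shortened URL hop by hop without rendering the destination.

Added example, not code from the slides. The shortener host list and the
sample redirect table are constructed for the example; bit.ly/EXAMPLE is a
placeholder, su.pr/4SzLwj and its good.is target are the URLs on the slides.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Constructed list of shortener hosts (bit.ly and su.pr appear on the slides;
# the others are assumed here and would normally come from a maintained feed).
SHORTENER_HOSTS = {"bit.ly", "su.pr", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop is observed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_live(url, timeout=5):
    """Issue a single HEAD request; return (status, Location header or None).

    Only used when querying real servers; the offline walk below never calls it.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # 3xx answers land here because redirects are not followed
        return err.code, err.headers.get("Location")


# Constructed redirect table standing in for live HEAD responses.
FAKE_RESPONSES = {
    "http://bit.ly/EXAMPLE": (301, "http://su.pr/4SzLwj"),
    "http://su.pr/4SzLwj": (301, "http://www.good.is/post/12-year-old-girl-runs-make-shift-school-for-village-children/"),
    "http://tinyurl.com/one": (301, "http://example.com/page"),
    "http://is.gd/loopA": (302, "http://is.gd/loopB"),
    "http://is.gd/loopB": (302, "http://is.gd/loopA"),
}


def head_fake(url):
    """Look the URL up in the constructed table; anything else is a 200 with no Location."""
    return FAKE_RESPONSES.get(url, (200, None))


def expand(url, head=head_fake, max_hops=10):
    """Follow redirects one hop at a time; return (chain, resolved)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # Location may be relative
            chain.append(url)
        else:
            return chain, True
    return chain, False  # hop budget exhausted: a loop or a very long chain


def assess(url, head=head_fake):
    """Classify a short link the way a web gateway or an analyst would."""
    chain, resolved = expand(url, head)
    hosts = [urlparse(u).hostname or "" for u in chain]
    shortener_hops = sum(1 for h in hosts if h in SHORTENER_HOSTS)
    return {
        "final_url": chain[-1] if resolved else None,
        "chain": chain,
        "shortener_hops": shortener_hops,
        "double_shortened": shortener_hops >= 2,  # the condition bit.ly warns about
        "unresolved": not resolved,
    }


if __name__ == "__main__":
    import json
    import sys

    # pass --live plus one or more URLs to query real servers
    head = head_live if "--live" in sys.argv else head_fake
    targets = [a for a in sys.argv[1:] if not a.startswith("--")] or ["http://bit.ly/EXAMPLE"]
    for target in targets:
        print(json.dumps(assess(target, head), indent=2))
```

     Without arguments the script walks the constructed table and reports the bit.ly → su.pr → good.is chain as double-shortened; with `--live` and a URL it issues real HEAD requests. A chain that exhausts the hop budget is reported as unresolved rather than as a destination, which is the safe default for a redirect loop or a deliberately long chain.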
  14. Facebook Email Scam
  15. Awkward (haha) Video Facebook Scam
     [Screenshot annotations: Exposed URLs not always hidden; Click-jacking; Rapid spread of malware; SPAM]
  16. Instant Messenger Attacks
     Source: www.securelist.com/en/blog
  17. Facebook Toolbar Phishing
     [Screenshot annotation: Password]
     There are two “free toolbars” circulating around the web that pretend to enable users to cheat at Zynga games on Facebook, but actually attempt to steal Facebook login credentials. The false toolbars were spotted by Sunbelt researchers and should be avoided at all cost. See below for more details. The images below were provided courtesy of Help Net Security and detail the method of operation of the deceitful toolbars. At first glance, the toolbars look legitimate and appear at the top of your browser, along with a legitimate Facebook logo. The buttons have features that allow for cheating on “Zynga Games” along with other links as well. The problem is, when users click on the “Facebook” logo in the top left corner of the bar (the layout sometimes changes), they are taken to a false Facebook page that asks you to login but actually steals your credentials instead!
     Source: www.securelist.com/en/blog
  18. Facebook Survey Scams
     Source: nakedsecurity.sophos.com/category/social-networks
  19. Malware Infection Example
     Source: nakedsecurity.sophos.com/category/social-networks
  20. Leveraging Twitter Trends
     Source: www.securelist.com/en/blog
  21. Fake Adobe Attack From Twitter
     Source: www.securelist.com/en/blog
  22. Using Frameworks To Manage Social Media Strategy – Service Lifecycle & Risk Management
  23. Service Management & Social Media?
     In this world there are four kinds of people:
     • Those who make things happen
     • Those who watch things happen
     • Those who have things happen to them
     • Those who wonder what happened
     "In its simplest terms, there is anarchy in the absence of social media policy and training," says John Pironti, ISACA board member and president of IP Architects, LLC.
  24. IT Service Lifecycle & Social Media
     [Lifecycle diagram: Plan / Build / Operate / Manage ring, with the activities below]
     Manage Business Requirement:
       • Business Engagement
       • Social Media Strategy
       • Business Risk Assessment
     Plan:
       • Service Analysis
       • Estimate business and technical resources
       • Define Governance & Monitoring
       • Establish Social Media Measures
       • Establish Risk Mitigation plan
       • Establish financial budgets and funding
     Source / build:
       • Insource / Outsource
       • Choose Social Media platforms
       • Communication strategy
       • Training strategy
     Provision:
       • Build / Publish Services
       • Define change approval process
       • Service Testing
       • Transition to production
     Deliver / Operate:
       • Content Development
       • Content Management
       • Incident Management
       • Security Management
       • Change Management
     Report:
       • Summary, drill down, analysis
       • KPIs
     Cost / Recovery:
       • Track Planned vs Actual cost
       • Accounts Payable
     Manage:
       • Customer Value Realization Assessment
       • Continual Service Improvement
  25. Service Management Integration
     Service Strategy:
       • Service Strategy
       • Financial Management
       • Service Portfolio Management
       • Demand Management
     Service Design:
       • Service Catalog Management
       • Service Level Management
       • Capacity Management
       • Availability Management
       • IT Service Continuity Management
       • Information Security Management
       • Supplier Management
     Service Transition:
       • Transition Planning & Support
       • Change Management
       • Service Asset & Configuration Management
       • Release & Deployment Management
       • Service Validation & Testing
       • Evaluation
       • Knowledge Management
     Service Operation:
       • Event Management
       • Incident Management
       • Request Fulfillment
       • Problem Management
       • Access Management
       Functions:
       • Service Desk
       • Technical Management
       • IT Operations Management
       • Application Management
     Continual Service Improvement:
       • Seven Step Improvement
       • Service Measurement
       • Service Reporting
     © Crown copyright 2007. Reproduced under license from OGC. Figure 1.2, Service Strategy 1.2.3
  26. A Risk Management Effort Includes:
     • Identifying risks related to social media use
     • Assessing these risks to ascertain the probability of these risks occurring and the potential impact to the business if they do occur
     • Planning a mitigation strategy to deal with the higher impact, higher priority risks
     • Managing & monitoring the risks through communication and the implementation of risk mitigation and avoidance strategies
  27. Establishing A Social Media Strategy
     When creating a social media strategy, some questions to consider are:
     • What are the strategic benefits/goals for leveraging Social Media?
     • Are all appropriate stakeholders involved in social media strategy development?
     • What platforms will be used when, by whom and for what objectives?
     • What are the risks and how will they be mitigated?
     • What policies need to be established?
     • What are the new legal issues associated with the use of social media?
     • How will customer privacy issues be addressed?
     • How can positive brand recognition be ensured?
     • How will awareness training be communicated to employees and customers?
     • How will inquiries and concerns from customers be handled?
     • Does the enterprise have the resources to support such an initiative?
     Source: ISACA Social Media Business Benefits & Security, Governance and Assurance Perspectives
  28. Establishing Policies – Example Social Media Policies
  29. Social Media Policy Categories
     Personal use in the workplace:
       • Whether it is allowed
       • The nondisclosure/posting of business-related content
       • The discussion of workplace-related topics
       • Inappropriate sites, content or conversations
     Personal use outside the workplace:
       • The nondisclosure/posting of business-related content
       • Standard disclaimers if identifying the employer
       • The dangers of posting too much personal information
     Business use:
       • Whether it is allowed
       • The process to gain approval for use
       • The scope of topics or information permitted to flow through this channel
       • Disallowed activities (installation of applications, playing games, etc.)
       • The escalation process for customer issues
     Source: ISACA Social Media Business Benefits & Security, Governance and Assurance Perspectives
  30. Example General Guidelines
     • Be respectful to the company, other employees, customers, partners, and competitors
     • Social media activities should not interfere with other work commitments or impact productivity
     • Your online presence reflects the company. Be aware that your actions captured via images, posts, or comments can reflect on our company
     • Do not reference or cite company clients, partners, or customers without their express consent. In all cases, do not publish any information regarding a client during the engagement
     • Company logos and trademarks may not be used without written consent
  31. Policy Statement Examples
     • Personal blogs should have clear disclaimers that the views expressed by the author in the blog are the author’s alone and do not represent the views of the company
     • Information published on social networking sites should comply with the company’s confidentiality and disclosure of proprietary data policies. This also applies to comments posted on other blogs, forums, and social networking sites
     • Watching videos or reading blogs can be invaluable sources of inspiration and information. Please refrain from reading personal or non-industry blogs during company time
     • Please refrain from personal online shopping during company time
  32. Resources & Policy Examples
     • Harvard Law Blogging Policy – http://blogs.law.harvard.edu/terms-of-use/
     • Oracle Social Media Participation Policy – http://www.sun.com/communities/guidelines.jsp
     • IBM Social Computing Guidelines – http://www.ibm.com/blogs/zz/en/guidelines.html
     • 30 Tips to Manage Employees Online – http://ariwriter.com/30-tips-to-manage-employees-online/
     • Baker and Daniels Law – http://www.bakerdstreamingvid.com/publications/Baker_Daniels_Social-Media-Policy.pdf
  33. Looking Forward – Discussion
     McAfee Labs Predicts Emerging Threats in 2011 (December 28):
     • Exploiting Social Media: URL-shortening services
     • Exploiting Social Media: Geolocation services
     • Mobile: Usage is rising in the workplace, and so will attacks
     • Apple: No longer flying under the radar
     • Applications: Privacy leaks—from your TV
     • Hacktivism: Following the WikiLeaks path
     • Advanced Persistent Threat: Cyberespionage
     Your Thoughts ???
     Source: www.mcafee.com
  34. Next Steps When You Go Back
     Within 30 days:
       • Conduct an assessment of corporate and personal Social Media use
     Within 60 days:
       • Conduct a risk assessment for Social Media
       • Establish policies that address social media use, covering both business and personal use
       • Conduct policy training for all users
     Within 90 days:
       • Define a service strategy for Social Media
       • Service Design (functional and non-functional requirements)
       • Define transition plans
       • Define operational processes and resources
       • Define Management and CSI activities and measures
  35. References
     • Securing the Social Network – Websense
     • Social Media: Business Benefits and Security – ISACA
     • CISCO Annual Report on Security 2009
     • Social Networking & Security – Infosec.co.uk
     • 2010 Threat Report – Websense
  36. Questions?
     Troy DuMoulin
     t.dumoulin@pinkelephant.com
     http://blogs.pinkelephant.com/troy
     http://twitter.com/TroyDuMoulin
     Thank You – PINK ELEPHANT – www.pinkelephant.com
