Social Media: Infiltrating The Enterprise

This presentation was given on June 27th at the 2011 MidTech IT Summit at the Red Rock Resort/Casino in Las Vegas, NV.

  • 1. 500 Million active users 2. 250 Million mobile users 3. 700 Billion minutes per month spent by users 4. 300,000 businesses have a presence on Facebook - Socialnomics
  • 1. 6939 tweets per second 2. 319 signups per second / 300,000 per day 3. 140 Million tweets per day
  • Websites lag for information sharing, but using Twitter, businesses now have access to hundreds/thousands/millions of followers through a system designed to reach people across the globe in real time in a matter of seconds. 
  • 1. 100 Million professional users 2. 2 Million companies have LinkedIn company pages 3. 4.3 Billion initial value for IPO
  • Q-The ROI is often raised - how do we measure? A-The ROI of doing it is that your company will be in business in five yrs...
  • Why are we trying to measure social media like a traditional channel? Social media can touch every facet of business and is more an extension of good business. When asked what the ROI of social media is, he responds, "what's the ROI of your phone?" - What is the cost of doing nothing? - Do you really want to take that risk?
  • Basically, by the end of this year, 4 out of 5 businesses will adopt in some form.
  • 1-Taco Bell - 2 million views on YouTube when NYC restaurant infested with rats 2-The microphone is always on! If you wouldn't say something to everyone, don't say it at all. 3-American Red Cross - accidental mixup by employee thinking he was posting a personal tweet
  • This past February, Southwest Airlines kicked director Kevin Smith off a flight from San Francisco headed to Los Angeles for being too fat. Southwest was quick to respond, 16 minutes after Smith's first tweet regarding the incident. TechCrunch - heavily followed tech blog - experienced slowness which impacted site visitors. After tweeting, they received a call from a Comcast manager and the problem was resolved within 20 minutes.
  • 1-Identify the collaboration hot-spots 2-Select technologies that will improve or accelerate existing process workflows 3-Identify the high-value business outcomes you want to achieve 4-The benefits and employments of social media tools are different for every organization. The ROI may not be as identifiable for your company.
  • Not having a policy is no longer optional. And it is a good place to start. You need to give your employees a guide on how to successfully engage online. These guidelines should be supported by training on how to use social media tools effectively.
  • Social media demands new technology and a fresh business approach. IT must make sure any traffic generated doesn't bring the business applications your organization depends on to its knees. Your network needs to be told to give 'real work' the priority it deserves.
  • The Genetic Information Nondiscrimination Act ("GINA"), which went into effect on November 21, 2009, prohibits employers from utilizing genetic tests or considering an applicant or employee's genetic background in hiring, firing, or promotions. With the explosion in the use of social media, the EEOC is worried that health insurers and employers will data mine an applicant or employee's social media accounts and utilize the information obtained to discriminate against them, which may result in expensive litigation!
  • 1-Although this practice is common, employers that rely on social media websites to obtain information regarding applicants' employment histories and personal lives should proceed with caution. 2-Failure to hire the applicant because of his or her race, ethnicity, gender, or any other protected classification that might be perceived from the picture. 4-What are the employee's rights? www.privacyrights.org, which is a self-proclaimed Privacy Rights Clearinghouse, doesn't mention social sites. There is no precedent.
  • Social networking is a haven for marketers AND a collaboration between colleagues. But it can put corporate information assets and reputations at risk. Social networking platforms, such as Facebook, Twitter and LinkedIn, are becoming an integral part of people's personal and business worlds. The lines are blurring…
  • 1-Recent study by Symantec 2-We need to educate - example - when reading emails, users are kind of aware of looking out for unsafe-looking attachments or spelling or grammar mistakes 3-Corporations are increasingly being exposed to hacking by savvy attackers who glean information about their employees from social networks. 4-HTTPS at the point of authentication, then the connection is switched to HTTP
  • 1-Lack of SSL - recommend using ForceTLS to obtain a secure connection when offered 1-HTTPS at the point of authentication, then the connection is switched to HTTP 3-Critical XSS vulnerability that would make it possible for attackers to infect users with spyware, adware, and just maybe anything else they want. 3-One in five web-based attacks are aimed at social networks 4-Automatic infection without intentional user request
  • Anyone clicking the link would get the same code executed on their account.
  • The report found a steady increase in social engineering attacks and an influx of rogue security software, designed to trick users into installing phony antivirus programs containing keyloggers, backdoors and other nasty malware...why? There is an increased level of trust people have on SNs.
  • More attacks targeting the username and passwords of social networking users..why? These are passwords that they might be using for other sites, such as financial sites. A Social Network Fraud survey in 2010 by Harris Interactive showed that nearly 75% (sample of 1,103) of Americans use the same password for their social sites and email.
  • Requires a combination of technical, behavioral and organizational security controls
  • Social Media: Infiltrating The Enterprise

    1. 1. SOCIAL MEDIA: INFILTRATING THE ENTERPRISE MIDTECH IT Summit June 27th, 2011 JAY A. MCLAUGHLIN, CISSP SVP, CHIEF INFORMATION OFFICER
    2. 2. DISCLAIMER The materials, thoughts, comments, ideas and opinions expressed throughout this presentation are entirely my own and do not necessarily represent the thoughts or opinions of my employer (past or present).
    3. 3. AGENDA •  Defining social media •  Embracing the Inevitable •  Understanding the Benefits & Risks •  Friending your Customers •  Preventing social media disasters •  Building a strategy
    4. 4. What is Social Media? Forms of electronic communication (as Web sites for social networking and microblogging) through which users create online communities to share information, ideas, personal messages, and other content. Social media is media for social interaction using highly accessible and scalable communication techniques. Social media is the use of web-based and mobile technologies to turn communication into interactive dialogue.
    5. 5. •  500 Million •  250 Million •  700 Billion Source: Facebook.com April 2011
    6. 6. It's Corporate
    7. 7. •  6939 •  319 •  140 Million Source: Twitter.com March 2011
    8. 8. It's Mainstream
    9. 9. •  100 Million •  2 Million •  4.3 Billion Source: LinkedIn.com May 2011
    10. 10. WHY SHOULD WE CARE? •  It's where your customers are •  It's where your prospects are •  Its reach stretches further & broader than any marketing channel •  It's relevant to be in the game
    11. 11. We don't have a choice on whether we will DO social media, the question is how WELL we DO it. - Erik Qualman, Author Socialnomics http://www.youtube.com/user/Socialnomics09?blend=1ob=5
    12. 12. * companies that have 100 or more employees Source: eMarketer, Nov 2010
    13. 13. BUSINESS BENEFITS •  Enhanced Collaboration •  Shared Workspaces •  Faster access to Information •  Extended Organizational Reach •  Ability to Compete
    14. 14. THE EQUALIZER • When leveraged effectively, social networks become an equalizer, leveling the playing field • It allows organizations both large and small to compete and be relevant in their space • Ability to influence with little or no cost
    15. 15. UNANTICIPATED DISASTERS
    16. 16. PREVENTING DISASTERS
    17. 17. IS YOUR ORGANIZATION PREPARED FOR...? • Employees posting opinions about the organization • Managing brand reputation and public opinion/exposure • Responding to positive and negative feedback from customers • Standing by the decision NOT to get engaged....?
    18. 18. SOCIAL MEDIA SWOT •  Strength - ability to build relationships with your target audience like never before. •  Weakness - silo-ed as a business function and not integrated in overall business strategy. •  Opportunities - it's where our customers are. Integration with the business is key. •  Threat - fear of losing control. Seeks risk aversion. Non-innovative.
    19. 19. ESTABLISHING A POLICY ?
    20. 20. THE BASICS • Do your employees know what is acceptable or permitted? • How may (or not) employees identify themselves? • To what degree can corporate content be used? • Has your organization determined what it can do with information obtained through social media? Establishing a policy is critical!
    21. 21. ESTABLISH A STRATEGY • Governance is required to implement and enforce an acceptable usage policy covering social networking sites • It is key that all staff receive security awareness training covering your acceptable usage policy for social networking • Promote good practices to help improve users' behavior, ultimately reducing and/or mitigating some of the risks • Permit access only to social networking sites that have obvious business benefits, and only to users with a business need
    22. 22. ESTABLISH A STRATEGY • Institute processes to manage and monitor activity • Be flexible - overall uncertainty about what strategies and tactics to adopt to secure social media • Understand and identify which users create the most amount of risk • Create reasonable guidelines that can be followed • Review sites' terms and conditions to understand risks associated with each site
    23. 23. REGULATION is coming For regulated industries, what requirements do you face? ex. FINRA Employers know A LOT about their employees/candidates
    24. 24. HR: OBTAINING INFORMATION FROM SOCIAL NETWORKS • HR is tempted to peek at these sites to gather information about employees and potential candidates • Consider discrimination lawsuits! Proceed with caution. - ex: viewing the online photo/picture of a candidate • Consistency is KING - it will minimize your risk. - ex: if conducting a search for ONE candidate, then do so for ALL • Even if employers have the technical capability to gain access to social networking information of their employees or candidates, it does not imply the legal right to do so.
    25. 25. consider ALL risks Is there a need to address how to evaluate the risk of sharing too much information online in relation to the value it brings to the business?
    26. 26. Security Concerns • There is a continued growth in social networking sites being used as an attack distribution platform • Users are less likely to see malware when it is passed on by a friend as it has a certain level of authenticity and a level of trust • Social networks give attackers a potentially powerful point of leverage, sometimes allowing them to launch sophisticated attacks against businesses • Known weaknesses exist in the security of the networks themselves, which limit our control
    27. 27. Threatscape of sites •  Session-hijacking / authentication weaknesses •  Profile harvesting leading to social engineering -  ex: phishing / spear-phishing •  Cross-site scripting (XSS) / Cross-site request forgery (CSRF) •  Malicious code / Malware -  ex: drive-by downloads
    28. 28. XSS Example iframe id= CrazyDaVinci style= display:none; src= http:// m.facebook.com/connect/prompt_feed.php? display=wapuser_message_prompt= script window.onload=function(){document.forms [0].message.value= Just visited http://y.ahoo.it/gajeBA Wow.. cool! nice page dude!!! ;document.forms[0].submit();}/ script /iframe • This bit of HTML/JavaScript would be included in a viral page. • The code sets the content of the wall post to a message that includes a link to a viral page, then submits the prompt automatically.
    29. 29. Microsoft has documented a steady rise in the number of attacks targeting social networks Primary vectors: • Phishing attempts • Social engineering tactics Instances of Phishing impressions increased from 8.3% to 84.5%
    30. 30. Verizon highlighted in its 2011 DBIR that malware and social engineering were the culprit for 60% of all reported attacks/breaches Contribution of malware: • 49% of breaches • 79% of records stolen
    31. 31. PROTECT & SERVE Policing Social Media: How do we protect the usage of social networks?
    32. 32. Policing Social Media •  Is it possible to establish and implement a standard set of guidelines for enterprise users? •  ...that would help to not only prevent data leaks, but also keep emerging social networking malware at bay? •  It requires a combination of technical, behavioral and organizational security controls
    33. 33. CONCLUSION • Social media isn't a choice anymore... recognize it is a business transformation tool • Perform a comprehensive risk assessment against all social networks that will be considered for use • Social networks DO introduce new security risks - take a formal approach to mitigate them through policy enforcement and user education • Doing nothing is not an option...will you take that risk?
    34. 34. QUESTIONS? Contact Info: linkedin.com/ jaymclaughlin @jaymclaughlin
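
The XSS example on slide 28 depends on two things: the prompt page writes a query parameter into its HTML without encoding it, and the page can be loaded inside a hidden iframe. The block below is an added example, not code from the presentation or from any site it mentions. It shows a hypothetical prompt handler in its vulnerable form beside a hardened one; the function names and the sample input are constructed for illustration.

```javascript
// Added example. renderPromptVulnerable / renderPromptHardened are hypothetical
// handlers for a "post to wall" prompt page; they are not any site's real code.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change HTML context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the query value is concatenated into the page unescaped, so markup
// in the parameter becomes part of the document and can drive the form.
function renderPromptVulnerable(query) {
  const prompt = query.user_message_prompt || "";
  return {
    headers: {},
    body: `<form method="post"><textarea name="message">${prompt}</textarea></form>`,
  };
}

// "After": encode on output, refuse to be framed, and disallow inline script.
function renderPromptHardened(query) {
  const prompt = escapeHtml(query.user_message_prompt || "");
  return {
    headers: {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy":
        "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    },
    body: `<form method="post"><textarea name="message">${prompt}</textarea></form>`,
  };
}

// Constructed sample input: markup that tries to break out of the textarea
// and auto-submit the form, as the slide's bullets describe.
const SAMPLE_QUERY = {
  user_message_prompt: "</textarea><script>document.forms[0].submit()</script>",
};

// True when the rendered HTML contains an unencoded <script> tag.
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

console.log("vulnerable page has live script:", containsLiveScript(renderPromptVulnerable(SAMPLE_QUERY).body));
console.log("hardened page has live script:  ", containsLiveScript(renderPromptHardened(SAMPLE_QUERY).body));
```

Output encoding stops the injected markup from executing; the framing and script-source headers are a second layer if an encoding step is ever missed.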