The document discusses how social networks pose risks like revealing personally identifiable information and social engineering attacks. It emphasizes that organizations need effective social media policies and engaging training programs to exercise due care and diligence. Without these, employees may unintentionally damage an organization's reputation or fall victim to attacks. The presentation argues that blocking social media access is not enough and that policies and training are needed to mitigate risks while allowing organizations to benefit from social networking.

1. Effective Training and Policy Takes
the Fear out of Social Networking
Shawn Davis
NETSECURE 2011

2. Presentation Goals:
• To provide an overview of social networks and common
attack vectors
• Best practices for initial social media policy creation
• Make the case for the need of an engaging and interesting
end-user training program

3. What is a Social Network?
• Is it a website designed to allow you to share pictures
of your cat with the masses?
• Or a means to post by the minute details of your dental
appointment?

4. What is a Social Network?
♦ A social network is like a “digital version of a
relationship.”
(Messmer, 2009)

5. Why is this important to realize?
• Relationships offline are built on establishing trust.
• Online relationships often skip this step.
Q- Would you give a stranger on the street your home
address, cell phone number, spouse’s name, your
birth date, job title, and information on current
projects at your work?
A- Of course not!
♦ However, people give out this information online
EVERY DAY!

6. Top 4 Social Networking Sites:
• Estimated unique monthly visitors:
• 550 million
• 90.5 million
• 89.8 million
• 50 million
(eBizMBA, 2010)

7. Top 4 Ranking of Greatest Security Risk:
• 2010 Sophos Survey:
• 61% reported
• 18% reported
• 17% reported
• 4% reported
(Sophos, 2010)

8. What are the Main Risks?
• Personally Identifiable Information (PII)
• Social Engineering Attacks
• Reputation Damage

9. Personally Identifiable Information (PII)
• Social Networking profiles can display a wide range of PII.

10. Personally Identifiable Information (PII)
• Main Risk to User = Identity Theft
• Main Risk to Organization = Logon Credential Acquisition
• Password guessing and narrowing down cracking
parameters:
• Password reset forms:

11. PII - Logon Credential Acquisition
• Attackers will often circulate surveys and quizzes like this
one:
(Dinerman, 2010)

12. PII
• Valuable PII for attackers is mostly found across
Facebook, Myspace, and LinkedIn.
• Real Life Example:
- Hacker GMZ was able to guess the password of a
Twitter support staffer ultimately taking control of
33 high profile accounts including Britney Spears,
U.S. President Obama, and Fox News.
• PII also aids another common type of attack that requires
more creativity from an attacker:
(McMillan, 2009)

13. Social Engineering

14. What is Social Engineering?
• Social Engineering – Threat that occurs when an
an attacker uses social skills to trick a user into
revealing their password or other confidential
information.
• Social Engineering attacks are widely used across all four
of the top social networking sites

15. Social Engineering
• The attacker will study PII, message posts, and friend lists
in order to learn more about their target and develop a
trust relationship.
• It has been documented that many cyber criminals
would rather engineer a user to uncover information than
use their efforts to attack technology and controls for
security.
(Tiptop & Krause, 2007)

16. Social Engineering - Phishing
• Phishing – Targets “a specific user or group of users and
attempts to deceive the user into performing
an action that launches an attack.”
• This attack is usually carried out through Cross Site
Scripting (XSS), keyloggers, worms, or other malware.
• Distribution: 52% by a user opening an attachment
36% by a user clicking a link
9% by link redirect
3% unknown
(FCIOC, 2009, p.9) & (Graham, 2009)

17. Social Engineering - Phishing
• PII from social media sites make messages more
believable.
• Malware embedded links on wall posts of social media
allow for greater distribution.
• Shortened URL services such as http://tinyurl.com/ and
http://bit.ly/ are used to hide these malicious sites.

18. Social Engineering - Phishing
• What happens if an account is compromised as well?

19. Reputation Damage
(Image used with permission from Chiron Inc.)

20. Reputation Damage
• Users give a play-by-play of their life on social networking
sites.
• Possible threats to organizations include:
- Embarrassment
- Market share loss
- Revenue losses
- Legal liability
♦ 74% of 2,008 employed adults surveyed by Deloitte agreed
that it is easy to damage a company’s reputation on social
media.
http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_2009_ethics_workplace_survey_220509.pdf

21. Reputation Damage – Real Life Examples
• Employee of a campground chain posts a spreadsheet
showing reservation statuses for their campsites on
Facebook that contains customer credit card numbers.
• The former chief marketing officer at Eastman Kodak admits
to accidentally posting a damaging tweet about a product
they had worked six months to protect.
• A worker at a major fried chicken chain posts, “I just posted
a funny video of myself frying a rodent at the restaurant
where I work.”
(Mitchell, 2009, Dinerman, 2010)

22. Reputation Damage – Legal Liability
• What if your employee at work posts a derogatory
statement about a competitor or individual that is untrue?
- Your organization could be sued for defamation
from practically any country or state.
♦ If no policy is in place preventing this action, your
organization may even be pulled into litigation if an
employee does this off hours from a home account.

23. Reputation Damage – Legal Liability
• What happens if you try to terminate an employee after
they damage the reputation of your organization or
another party’s?
- An employee fired for making the damaging posts
could take legal recourse against their employer if
the employee can prove that a policy was either
not in place forbidding the action or that they were
not made aware of it.

24. Legal Responsibility
• An organization is legally responsible to exercise due care
and due diligence in regards to social networking use by
its employees.

25. Due Care and Due Diligence:
• To demonstrate due care, an organization must take
measures to ensure that every employee is aware of
what is and is not acceptable in the workplace as well
as the consequences of actions that are illegal or unethical.
• To demonstrate due diligence, an organization needs to
partake in continual activities to protect others.
(Whitman & Mattord, 2010)

26. How to exercise Due Care?
♦ A social media policy MUST be in place and actively
updated for EVERY organization.
♦ An engaging social media training program MUST be in
place for ALL employees (including executives.)
♦ Policy compliance documentation
♦ Training completion documentation

27. Due Care (cont)
♦ Short quiz to demonstrate comprehension.
♦ Clear consequences to violations must be listed in your
social media policy.
♦ These consequences must be enforced company-wide
(including executives.)
♦ Don’t forget about policy review and training for
subsequent new hires!

28. How to exercise Due Diligence?
♦ Annual review of your social media policy with
IT, HR, and your legal department
♦ Annual refresher training for all employees
and executives.
♦ Short annual refresher quiz.
♦ Again, keep records of all training and signatures.

29. If a simple policy and training program can mitigate this
much risk, then all organizations probably already have
their own in place…
Right?

30. Unfortunately, not.

31. How often is a Social Media policy not in
place?
• Two surveys from 2009 that asked employers and
executives if their organization has a formal policy
in place for social media use:
Manpower Survey of 11,000 Deloitte Survey of 500
Employers Business Executives
2% 6%
29% Yes 22% Yes
No No
69% Unsure Unsure
72%

32. ♦ A 2009 survey by ad agency Russell Herder and law firm
Ethos Business Law asked 438 respondents these questions:
Do you have concerns about social
media and its implications for both
corporate security and reputation Have you implemented
damage? social media guidelines?
No Yes
19% 33%
No
Yes
81% 67%

33. If this is so important, why the low numbers?
1. Lack of engagement from upper management towards
information security.
-C-Level financial and administrative support is vital for
any information security department to function.
2. Some organizations only focus on technological solutions
Technology based solutions need to complement policy
and training, not replace.

34. If this is so important, why the low numbers?
3. An organization may just block all access to social media
and hope for the best.
-Blocking these sites without instilling policy will not
protect an organization from potential litigation.
-Blocking would also take away all of the benefits that
social media has to offer such as:
-Increased collaboration
-Greater interactive relationship with customers
-Sales and marketing strategies
-Incentivized working conditions for employees

35. Another large benefit - New Customer
Acquisition:
Organizations that have acquired new
customers through social networking:
Small Business
26%
41%
Medium
Companies
Large Firms
33%
• Regus survey of 15,000 business owners of all sizes
worldwide
http://www.regus.presscentre.com/imagelibrary/downloadMedia.ashx?MediaDetailsID=463

36. How to take the fear out of social media?
♦ An effective social media policy in combination with an
effective end user training program is the best way to
prevent threats from:
-PII
-Social Engineering / Phishing
-Reputation Damage
-Potential Litigation

37. Social Media Policy Creation:
• A social media policy is really just an extension of an
organization’s acceptable use and other existing policies.
• The creation of this document should be a joint effort by:
-Information Security
-Information Technology
-Human Resources
-Legal
-End Users

38. Social Media Policy Creation: (Cont)
• Led by a team leader employed in an Information Security or
Risk Management function.
• Project champion with the ear of upper management to
ensure financial and administrative support.
(Whitman & Mattord, 2010)
• A good first step is to review policies of other organizations.

39. Social Media Governance Database
• http://socialmediagovernance.com/policies.php

40. Social Media Governance Database
• http://socialmediagovernance.com/studies

41. Social Media Policy Creation: (Cont)
• Each organization will likely have different philosophies on
social media use.
• For example: A liberal arts college, a global corporation,
and a government agency will mostly likely not all be able
to use the same social media policy.

42. A Liberal Arts College:
• Unrestricted information sharing and allow open access to
all social networking.
• Policy may focus on guidelines for posting but will still
need to cover all potential threats.

43. A Liberal Arts College: (Cont)
• University of Michigan’s social media policy starts with
general rules to follow and then has separate guidelines
for posting as an individual versus posting on behalf of the
University.
• They end with safety and privacy tips that cover the topics
of privacy, PII, liabilities, and malware.

44. A Global Corporation:
• May utilize social media for brand management as well as
a sales and marketing tool.
• Policy will need to cover all possible threats and may focus
on reputation damage and data leaks.

45. A Global Corporation: (Cont)
• Coca-Cola Company’s social media policy starts with their
company vision and commitments and then delves into
principals and expectations.
• They also have guidelines on posting for individual use
versus company business use.

46. A Global Corporation: (Cont)
• Certified online spokespeople: These certified
spokespeople are the only employees allowed to speak on
behalf of Coca-Cola online.
♦ This is a great idea!
• Their online spokespeople are also expected to follow 10
specific principles:

47. A Global Corporation: (Cont)
1. Be Certified in the Social Media Certification Program.
2. Follow our Code of Business Conduct and all other Company
polices.
3. Be mindful that you are representing the Company.
4. Fully disclose your affiliation with the Company.
5. Keep records.
6. When in doubt, do not post.
7. Give credit where credit is due and don’t violate others’
rights.
8. Be responsible to your work.
9. Remember that your local posts can have global significance.
10. Know that the internet is permanent.

48. A Government Agency:
• The government agency will often have the strictest
requirements in regards to social media use.

49. A Government Agency: (Cont)
• The Federal CIO council created a document in 2009
entitled Guidelines for Secure Use of Social Media by
Federal Departments and Agencies.
• “The decision to embrace social media technology is a risk-
based decision, not a technology based decision.”

50. A Government Agency: (Cont)
• Sections on risk, social media traits, and recommendations
for controls.
• Assists an agency in making a business case for social
media use based on a risk management approach.
• Mentions spear phishing, social engineering, and web
applications attacks as main risks to a government agency.

51. Social Media Policy Creation: (Cont)
• After reviewing various policies, choose a few that are
similar to your organization’s mission as a reference point.
• The next step – Evaluate your own organization’s social
networking use.
-Involve end users
-Find out what future plans sales, marketing, etc has
for using social media.
-InfoSec should analyze likely threats from
organizational use as well as personal use from end
users at work and at home.

52. Social Media Policy Creation: (Cont)
• Start the creation process and involve HR.
(Refer the end user to review their employment
agreement and handbook early on in the new policy.)
• The employee handbook and acceptable use policy should
be updated to list the consequences of not abiding by the
guidelines of the new social media policy.
• Guidelines in the new policy should be based on
information and feedback from end users, IS, and HR.

53. Social Media Policy Creation (Cont)
• Issue specific policies need to be rewritten to account for
social media use.
• Once all sections and guidelines are complete, your legal
department should review the final draft of the new
social media policy and any changes to other existing
policies to cover all potential legal liabilities.
• Once a final draft is approved by all parties involved, it
should be submitted for approval by upper management.

54. Social Media Policy Distribution
• A step that is often missed is distribution of the new
policy!
• A Deloitte survey of 2,008 employees found that:
- 24% didn’t know if they had a policy
- 11% said there is a policy but don’t know what it is.
• You spent all of this time making the policy, don’t forget to
distribute it!

55. Social Media Policy Distribution (Cont)
• Distribution can be in paper or electronic form:
(Needs to document that the user has agreed to the
terms and conditions with a signature and date.)
• This is to protect an organization from a user stating that
they were not aware of the policy from a liability stand-
point.
• Be sure to file a copy as well as present a copy to the end
user.

56. Social Media Training:
Social Media Training
3/24/11

57. Social Media Training:
• Training program should be designed during the policy
creation process.
• It is very difficult for an employee to state in court that
they were unaware of a policy when it can be documented
that they have completed a training program.
• All employees from the CEO down are required to attend
for compliance and to reflect a company-wide effort.

58. Social Media Training: (Cont)
• Training should be interesting, interactive and engaging!
♦ Goal of the training should be to gain the buy-in of
your end-users.
♦ First step is to prove to end-users that damage from
PII, Social Engineering, and Reputation Damage can
actually happen very easily.

87. Convinced that this could happen to you now?
• Show end-users that poor security habits not only affect
their company but could affect them personally as well:

90. Social Media Training (Cont)
• Also go over:
-What PII is okay and what should be removed.
-More examples of Reputation Damage.
-How to defend against Social Engineering attempts.
-How to avoid falling for Phishing attempts.
-Examples of current malware schemes
-Using very difficult password reset questions.
-Not using the same password for all sites.
-Not friending anyone unless you know them well.

91. Social Media Training (Cont)
• It only takes one random friending to erase privacy
controls!

92. Social Media Training (Cont)
• Great time to revisit strong password creation!

93. Social Media Training (Cont)
• A quick side note about rainbow tables:
-1 PC can crack even a strong password in seconds.
-Most rainbow tables are not currently calculated out
past fourteen places at the moment.

94. Social Media Training (Cont)
• After the training is over don’t forget to retain that signed
completion document for each end-user.
• Also, don’t forget about new hires at their orientation and
follow-up trainings for all users.

95. Just think if after the training…
-Users finally saw the value of strong passwords and
no longer minded mandatory password changes…
-Malware infections on client systems decreased 70%
from users truly understanding which attachments
not to open…
-Users took a moment to think before they post…
-Executives appreciated the value of your job role…

96. Accomplish all of that and…
You have then increased security awareness and started
to develop that coveted security conscious culture within
your organization!

97. What else?
You have also started to take the FEAR out of social
networking!

98. Research:
My paper and list of sources:
http://www.itm.iit.edu/data/IIT-
ITMwhitepaperTrainingAndPolicyForSocialNetworking.pdf
Shawn Davis’ email – sdavis17@iit.edu
Questions?

99. Thanks for attending!