Social Networks - The Good and the Bad

This presentation gives an overview of how social networks are used in companies and what are the risks associated with them. Some actions points are proposed to mitigate those risks.

    1. Social Networks: The Good and The Bad. Beltug Security SIG 2012, Xavier Mertens
    2. $ whoami
       • Xavier Mertens (@xme)
       • Security Consultant
       • CISSP, CISA, CEH
       • Security Blogger
       • Volunteer for security projects:
    3. $ cat disclaimer.txt
       “The opinions expressed in this presentation are those of the speaker and do not reflect those of past, present or future employers, partners or customers.”
    4. Agenda
       • Definitions & Common Usages
       • Nightmare Stories
       • Risks
       • Actions!
    5. Definition & Common Usages
    6. Some Facts
       • Technology changed the way people communicate
       • “Usage of social networks by the Fortune 500 companies has seen an explosive growth in 2010 with 83% of the companies using at least one of the social media sites”
       • The usage of corporate blogs has also increased by 50%
       • Around 34% have developed policies to govern blogging by their employees (Source: socialtimes.com)
    7. Nothing New! (Source: idfive.com)
    8. Do You Know Them?
    9. In Belgium? (Source: google.com/addplanner)
    10. Definition?
       “Social network sites are defined as web-based services that allow individuals or organizations to construct a public or semi-public profile within a bounded system, articulate a list of other users with whom they share a connection, and view and traverse their list of connections and those made by others within the system.”
    11. Common Usages
       • Communication about company & brands (marketing)
       • Live support
       • Technology & competition follow-up
       • Human Resources
    12. Marketing
       • Social Networks give the company a “dynamic” image
       • Direct reach / close to customers
       • Extended circle of contacts at low cost
       • Personal touch
    13. Live Support
       • Close contact with customers
       • Low costs
       • Gives a sense of “real time”
    14. Follow Up
       • What are my competitors doing?
       • What’s new in my field of activity?
       • Almost real-time news trending
    15. Human Resources
       • “Hire” & “Fire”
       • Online recruiting
       • Employee screening
    16. And you as an individual?
       • Split your personal and professional activities
       • Use a disclaimer: “My Tweets reflect my personal opinion”
    17. Nightmare Stories
    18. Barbra Streisand
       The “Streisand Effect” is a primarily online phenomenon in which an attempt to hide or remove a piece of information has the unintended consequence of publicizing the information more widely.
    19. The Belgian Jeweler
       In 2009, a Belgian jeweler created a buzz among Belgian Twitter users through a complete misunderstanding of the impact of social networks.
    20. Domino’s Pizza
       A Domino’s Pizza employee put nasal mucus on pizzas. He was fired, but the video was posted on YouTube: 250.000+ views!
    21. Koobface
       • Multi-platform worm that targeted Facebook users
       • First reported in 2009
       • Botnet, DNS filter, proxy feature
    22. Risks
    23. Malware & Viruses
       • Corporate devices are used to access Social Networks
       • Social Networks are based on Web technologies, so all known Web attacks apply (see the OWASP Top 10)
       • URL shorteners / QR codes (“click” generation)
    24. Wasted Resources
       • In big companies, Social Network usage can waste a lot of bandwidth! Example: Facebook on a network of 10000+ users: 200GB/day
       • Waste of time by employees
       • Peak of wasted resources during popular events
    25. “Users”
       • Users remain the weakest link
       • Facebook password the same as the Active Directory password?
       • Attackers use breaking news
       • How many “friends” are really friends?
    26. Mobiles & Apps
       • People use mobile devices to access Social Networks
       • Suspicious browser extensions or 3rd-party apps
    27. Data Leak
       • People might post confidential information
       • Intentional or not!
       • Data extrusion
       • Bypass of regular communication channels (Skype)
    28. Fake Accounts
       • Typo-squatting
       • Cyber-squatting
    29. Social Engineering
       • All the information needed to conduct a social engineering attack is already online
       • Google is your best friend
       • Tools like Maltego are gold mines
    30. Degraded Brand Image
       • It takes years to build a brand image
       • It takes minutes to kill it!
    31. Data Resilience
       • Once posted, it’s indexed!
       • Is removed data really deleted?
    32. Reputation & Legal Liability
       • Disgruntled employees
       • “My boss is a bastard!”
       • “I’m pissed off by this f*cking job...”
       • Employers could be held responsible for failing to protect employees from accessing “sensitive” material.
    33. Actions!
    34. Official Support
       • Information must not be published on an employee’s own initiative
       • Social Media must be defined as a regular communication channel with rules & guidelines
    35. Monitor Your Brand
       • Even if not used immediately, register your account (if it is not too late!)
       • Google Alerts
       • Commercial services (buzzcapture.com)
       • Monitoring tools
    36. Local Policies
       • No Social Networks access from business-critical environments.
       • Restrict Social Networks access (“read-only”).
       • Modern firewalls may filter based on domains
    37. Remote Policies
       • Read the Social Networks’ policies carefully
       • Follow updates & fix your profiles (Ex: LinkedIn can use your profile picture)
       • Similarities with cloud services
    38. Security Awareness
       • Add Social Networks to your existing security awareness program.
       • “What employers and employees need to know.”
    39. pastebin.com
       • pastebin.com is a website where people can anonymously post “pasties” (data)
       • Monitor it for mentions of your company (example: IPs, domain names)
    40. Thank You! Q&A?
       http://blog.rootshell.be
       http://twitter.com/xme
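As an added example (not part of the presentation), a small Python watch-list matcher of the kind the pastebin.com slide calls for: it scans paste text for the company's own domain names and IP ranges. The domains, networks and sample pastes below are constructed placeholders.

```python
import ipaddress
import re

# Constructed watch list for a hypothetical company (assumed values, not from the slides).
WATCHED_DOMAINS = {"example.com", "example.be"}
WATCHED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def find_company_hits(paste_text):
    """Return {'domains': set, 'ips': set} of indicators in paste_text that match the watch list.
    A host matches if it equals a watched domain or is a subdomain of one (so 'notexample.com'
    does not match 'example.com'); an IP matches if it falls inside a watched network."""
    hits = {"domains": set(), "ips": set()}
    for host in HOST_RE.findall(paste_text):
        host_l = host.lower()
        if any(host_l == d or host_l.endswith("." + d) for d in WATCHED_DOMAINS):
            hits["domains"].add(host_l)
    for ip_str in IPV4_RE.findall(paste_text):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if any(ip in net for net in WATCHED_NETWORKS):
            hits["ips"].add(ip_str)
    return hits


def triage_pastes(pastes):
    """pastes: iterable of (paste_id, text). Returns (id, sorted domains, sorted ips) for
    every paste with at least one hit, in input order, so an analyst can review only those."""
    flagged = []
    for pid, text in pastes:
        h = find_company_hits(text)
        if h["domains"] or h["ips"]:
            flagged.append((pid, sorted(h["domains"]), sorted(h["ips"])))
    return flagged


SAMPLE_PASTES = [  # constructed sample pastes, not real data
    ("p1", "server list: vpn.example.com 203.0.113.7 and mail.example.com"),
    ("p2", "random dump 8.8.8.8 notexample.com 999.1.1.1"),
    ("p3", "creds for 198.51.100.250 / intranet.example.be"),
]

if __name__ == "__main__":
    for pid, domains, ips in triage_pastes(SAMPLE_PASTES):
        print(pid, domains, ips)
```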
