Bridging the Social Media Implementation/Audit Gap
DESCRIPTION
It's one thing to embrace social media, but it's another thing entirely to embrace it securely. This presentation helps organizations understand what steps should be taken to ensure that their social media properties aren't abused or exploited to attack the organization.
TRANSCRIPT
Bridging the Social Media Implementation/Audit Gap
Jerod Brennen, CISSP
CTO and Principal Security Consultant, Jacadis
Agenda
• Perspective
• Preparation
• Implementation
• Monitoring
• Resources
The Five W’s
• Who?
• What?
• When?
• Where?
• Why?
• How?
[Image courtesy of Master Isolated Images / FreeDigitalPhotos.net]
Strategy (Who + Why + When)
• Risk vs. Reward
▫ Customer interaction
▫ Revenue streams
▫ Malware attack vectors
▫ Legal and HR concerns
• While revenue may be on the rise…
▫ … so are social engineering attacks
Image from http://www.isaca.org/About-ISACA/Press-room/News-Releases/2010/PublishingImages/Social-Media-Business-Risks.JPG
Risk vs. Reward
From WAPSM-Social-Media-Research-1Feb2011.doc, pages 11-12
Risks
• Disclosure of corporate assets and sensitive (privileged) information accessible to unauthorized parties
• Violations of legal and regulatory requirements
• Loss of competitive advantage
• Loss of customer confidence
• Loss of reputation
• Dissemination of false or fraudulent information
• Inappropriate or unapproved use of company intellectual property such as logos or trademarked material
Rewards
• Increasing brand recognition
• Increasing sales
• Immediately connecting with prospective customers
• Exploring new advertising channels
• Monitoring competition
• Researching prospective employees
Regulatory Concerns
• FINRA (Financial Industry Regulatory Authority)
▫ Regulatory Notice 10-06
▫ Regulatory Notice 11-39
• Advertisements
▫ Public websites & banner ads
• Sales Literature
▫ Email or IM to 25+ prospective retail customers
▫ Password-protected websites
• Correspondence
▫ Email or IM to 1 customer
▫ Email or IM to 1+ existing customers and/or <25 prospective retail customers
• Public Appearances
▫ “Content posted in a real-time interactive electronic forum”
From http://www.finra.org/industry/issues/advertising/p006118
Scope (What + Where)
Scope, per ISACA
• Current social media tools include:
▫ Blogs (e.g., WordPress, Drupal™, TypePad®)
▫ Microblogs (e.g., Twitter, Tumblr)
▫ Instant messaging (e.g., AOL Instant Messenger [AIM™], Microsoft® Windows Live Messenger)
▫ Online communication systems (e.g., Skype™)
▫ Image and video sharing sites (e.g., Flickr®, YouTube)
▫ Social networking sites (e.g., Facebook, MySpace)
▫ Professional networking sites (e.g., LinkedIn, Plaxo)
▫ Online communities that may be sponsored by the company itself (Similac.com, “Open” by American Express)
▫ Online collaboration sites (e.g., Huddle)
From WAPSM-Social-Media-Research-1Feb2011.doc, page 11
Implementation (How)
• Begin at the beginning
▫ Meet with Marketing, HR, Legal, and IT to discuss risks and benefits
• Define policy
▫ More on this later…
• Document training requirements
▫ Employees
▫ Consultants & Contractors
▫ Vendors & Partners
• Document procedures and controls
▫ Access Requests
▫ Monitoring
▫ Assessing
Audit/Assurance Program (1 of 3)
• Available at http://www.isaca.org/Knowledge-Center/ITAF-IT-Assurance-Audit-/Audit-Programs/Documents/WAPSM-Social-Media-Research-1Feb2011.doc
• Aligned with COBIT (cross-references)
• Planning and Scoping the Audit
▫ Define the audit/assurance objectives
▫ Define the boundaries of the review
▫ Identify and document risk
▫ Define the change process
▫ Define assignment success
▫ Define the audit/assurance resources required
▫ Define deliverables
▫ Communicate
Audit/Assurance Program (2 of 3)
• Strategy and Governance
▫ Risk Management
▫ Policies
• People
▫ HR Function
▫ Training/Awareness
▫ Staffing
Audit/Assurance Program (3 of 3)
• Processes
▫ Social Media Alignment With Business Processes
▫ Social Media Brand Protection
▫ Access Management of Social Media Data
• Technology
▫ Social Media Technology Infrastructure
▫ Monitoring Social Media and Effect on Technology
Policy and Training
• Personal use in the workplace:
▫ Whether it is allowed
▫ The nondisclosure/posting of business-related content
▫ The discussion of workplace-related topics
▫ Inappropriate sites, content or conversations
• Personal use outside the workplace:
▫ The nondisclosure/posting of business-related content
▫ Standard disclaimers if identifying the employer
▫ The dangers of posting too much personal information
• Business use:
▫ Whether it is allowed
▫ The process to gain approval for use
▫ The scope of topics or information permitted to flow through this channel
▫ Disallowed activities (installation of applications, playing games, etc.)
▫ The escalation process for customer issues
From http://www.isaca.org/Knowledge-Center/Research/Documents/Social-Media-Wh-Paper-26-May10-Research.pdf?id=c1f7b9d8-516d-40c1-8087-e3b0e6cd138c
Recurring Assessments
• Risk Assessment
▫ SOX, PCI, HIPAA, etc.
▫ Did your previous assessment(s) include social media?
• Penetration Test
▫ Is social engineering in-scope?
Preventative Controls
• Antivirus > Endpoint Security
▫ Prevent devices from being infected with malware
▫ Also, host-based firewall and URL filtering
• URL Filtering
▫ Prohibit access to certain websites from corporate devices
• Training
▫ How to use social media responsibly
▫ How to identify and respond to social engineering attacks
• Data Loss/Leakage Prevention
▫ Prevent sensitive corporate information from being transmitted via email, instant messaging, file uploads, etc.
Detective Controls
• Content Filtering
▫ Configure email and web security solutions to monitor for patterns in outbound messages
• Google Hacking
▫ Using powerful customized Google search queries to gather information
• Monitoring Tools (e.g., Maltego)
▫ Open source intelligence and forensics tool
• Monitoring Services (e.g., RiskIQ)
▫ Monitor web-based content for threats and fraud
Resources
• ISACA documents
▫ Social Media Audit/Assurance Program http://www.isaca.org/Knowledge-Center/ITAF-IT-Assurance-Audit-/Audit-Programs/Documents/WAPSM-Social-Media-Research-1Feb2011.doc
▫ Social Media: Business Benefits and Security, Governance, and Assurance Perspectives http://www.isaca.org/Knowledge-Center/Research/Documents/Social-Media-Wh-Paper-26-May10-Research.pdf
• Related Documents
▫ CDC – Social Media Security Mitigations http://www.cdc.gov/socialmedia/tools/guidelines/pdf/securitymitigations.pdf
▫ Ponemon – Global Survey on Social Media Risks http://www.websense.com/content/ponemon-institute-research-report-2011.aspx
▫ Social Media Standard, State of California http://www.cio.ca.gov/Government/IT_Policy/pdf/SIMM_66B.pdf
▫ Wikipedia – List of Active Social Networking Sites http://en.wikipedia.org/wiki/List_of_social_networking_websites
Resources
• FINRA
▫ Regulatory Notice 10-06 http://www.finra.org/Industry/Regulation/Notices/2010/P120760
▫ Regulatory Notice 11-39 http://www.finra.org/Industry/Regulation/Notices/2011/P124187
▫ Advertising Information http://www.finra.org/Industry/Issues/Advertising/index.htm
• Securing Social Media Profiles
▫ Facebook http://slandail.posterous.com/four-steps-to-secure-your-facebook-profile
▫ Twitter http://www.mediabistro.com/alltwitter/twitter-security-101_b11985
▫ LinkedIn http://www.cio.com/article/485489/LinkedIn_Privacy_Settings_What_You_Need_to_Know
Resources
• Securing Corporate Blogs
▫ Hardening WordPress http://codex.wordpress.org/Hardening_WordPress
▫ 11 Best Ways to Improve WordPress Security http://www.problogdesign.com/wordpress/11-best-ways-to-improve-wordpress-security/
• Tools and Services
▫ Google Hacking Database (GHDB) http://www.hackersforcharity.org/ghdb/
▫ Maltego http://www.paterva.com/web5/
▫ RiskIQ http://www.riskiq.com/
▫ Jacadis http://www.jacadis.com/
Questions?
Jerod Brennen, CISSP
614.819.0151
http://www.linkedin.com/in/slandail
http://twitter.com/#!/slandail