Governance of Social Media & E-Mobility Risks (#CPESOX)
Copyright ©2012 Infinitive
TRANSCRIPT
DISCLAIMER
As a matter of their respective company policies, our panelists today are expressing their views and perspectives as professionals in their respective industries. These views are their own and do not necessarily reflect the views of their respective companies.
Agenda
Introduction (5 minutes)
Opening Remarks (10 minutes)
Panelist Remarks (50 minutes)
Question & Answer (25 minutes)
Introductions
Douglas Miller, Vice President and Global Privacy Leader, AOL. Douglas Miller, CIPP, is Global Privacy Leader at AOL Inc., overseeing a full range of privacy operations, guidance, education, and planning. Prior to becoming a full-time privacy professional in 1998, his AOL duties included child and teen protection, online conduct, content and advertising guidelines, anti-spam initiatives, and consumer safety and security. Before joining AOL, he led government affairs for the Software Publishers Association. From 2004-07, he taught courses in Internet Policy and Computer Ethics at Old Dominion University. He serves on the Board of Directors of the Network Advertising Initiative, the Advisory Board of the Future of Privacy Forum, and the Education Advisory Board of the International Association of Privacy Professionals.
Introductions
Dino Tsibouris, Tsibouris & Associates, LLC. Tsibouris & Associates concentrates in technology and intellectual property law with a focus on electronic commerce, online financial services, licensing, and privacy law. In addition, the practice includes the implementation of electronic signatures, records management, and information security. Mr. Tsibouris was previously an attorney with Thompson Hine LLP and a Vice President and Counsel for eCommerce and Technology at Bank One Corporation (now JPMorganChase). He has presented at CLE and trade association events on various e-banking and e-commerce matters and participated in regulatory and industry task forces addressing new legislation. He was listed in The Best Lawyers in America in the area of Technology Law, 2007-2011.
Introductions
Angelos Stavrou, Associate Professor, George Mason University. Angelos is an Associate Professor in the Computer Science Department and an Associate Director of the Center for Secure Information Systems at George Mason University, Fairfax, Virginia. He received his M.Sc. in Electrical Engineering, M.Phil. and Ph.D. (with distinction) in Computer Science, all from Columbia University. He also holds an M.Sc. in theoretical Computer Science from the University of Athens, and a B.Sc. in Physics with distinction from the University of Patras, Greece. Dr. Stavrou has published over 40 papers on large systems security and survivability in major international journals and conferences. Dr. Stavrou's research interests are focused on security for mobile devices and mobile applications. His research has been funded by DARPA, IARPA, NSF, NIST, ARO, AFOSR, AFRL, and Google, among others.
Session Objectives
Social media and mobile applications are the modern-day gold rush for companies. The velocity of information and products is creating new risks and financial reporting challenges. This session covers the emerging risks and considerations for internal control specialists:
• Identify and document current and intended social media use
• Perform a risk assessment for the use of social media and mobile devices
• Implement security policies that address the use of social media and mobile devices
• Provide social media training
• Monitor social media channels
Governance
Social media platforms such as Facebook and Twitter blend personal and professional lives into a seamless ecosystem. Companies must navigate policies, procedures and a complex risk environment in order to answer the following:
• Who are your clients?
• Who are your friends?
• What is a professional position?
• What is a personal point of view?
• What is secret and what is public?
• What can you monetize, and what would violate your privacy policies?
Camouflaged Fraud: Mobile Devices
Mobile Fraud
• The power of mobile is breaking the speed of business by opening new markets and allowing even the smallest companies to play big
• The increased use of mobile applications has led to a rise in fraud targeted at the mobile space
• Mobile fraud schemes succeed when companies operate in silos and do not share their view of risks across the organization
Rogue Mobile Apps Defined:
• Created by non-authorized individuals or entities
• Seek to convince the consumer that the app is published by an authorized source: a similar name, use of the logo, or a similar publisher name
• Similar to other applications, but with the objective of compromising other apps on the device
Governance
• Francesca's CFO terminated for having "improperly communicated company information through social media" (05/14/12)
• BMW salesman posting pictures of the Costco hot dogs served at a new model release (protected concerted activity, because others had complained)
• Social media coordinator fired and would not surrender passwords (Ardis Health, PhoneDog)
• Social media consultant fired for posting an "F-bomb" on Chrysler's official Twitter feed
Governance
Challenges abound:
• C-suite
• Sales and marketing
• In-house social media coordinators
• Vendor social media coordinators
Governance
Legal Implications of Social Media
• Brand image
• E-discovery and litigation
• Human resources/employment
• Privacy
• Regulatory
• Security
• Torts
Governance
Example 1: Sarbanes-Oxley Section 409
• Must "disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the [company], in plain English"
• Events requiring Form 8-K or Regulation FD disclosure
• How to harmonize with social media strategy?
Governance
Example 2: The NLRB
• Concerted action by employees is protected
• Cannot prohibit employees from blogging about work or criticizing it
• Cannot prohibit them from using company contact information on personal sites
• Memorandum OM 11-74, 08/1/11
• Is current company policy overbroad?
Governance
Social Media Policy should address:
• Permissible activity
• Consequences of violations
• Required employee agreement
• No reasonable expectation of privacy
• Personal responsibility for actions
Governance
• Require confidentiality of trade secrets, company strategies, product development, and all financial information
• Authorization required to share copyrighted materials
• Address “official” social media use (Official voice of company)
Governance
• Encourage employees to link to the company website when possible
• Clear and conspicuous disclosure of any relationship or connection an employee has with the company
• Disclose any compensation or gift received from any company mentioned
Governance
• Create a policy that addresses your company's unique business goals
• Train employees and contractors
• Monitor
• Archive content (even if third party, when needed)
• Take remedial action for violations
• Incorporate changes into policy periodically
• Repeat…
The real picture: Malicious Apps exist...
Analyzed ~267,000 applications from the Google Android Market
• Thousands with an incorrect/permissive manifest
• Hundreds with excessive functionality that can be construed as malicious
• Hundreds of Trojans (i.e., take over existing, legitimate applications)
• Who will download these apps? People who use SEARCH to find apps: virtually everyone…
• Two infection vectors:
- Regular web search
- Search inside the mobile app market
The real picture: Malicious Apps exist...
A multifaceted problem:
• Developers may be well-intentioned, but:
- They do not necessarily understand the mission or the security/policy requirements
- They make mistakes
- They use third-party libraries and code
• The Android permission model is neither sound nor complete:
- Intents, reflection, JNI, WebKit, others…
- Android permissions are enforced inside Dalvik, not everywhere on the device
What about existing Analysis Tools?
Commercial application testing tools cover regular, non-Android-specific bugs:
• No security analysis of the code functionality
• No power analysis of the application components and code
• No profiling of the resource consumption of individual applications
• Cannot regulate/deny the access and use of phone subsystems (camera, microphone, GPS…)
Existing tools do not cover program functionality
• We reveal the application capabilities and access
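The "incorrect/permissive manifest" finding above and the closing point about revealing an application's capabilities and access both come down to reading what the manifest declares. The script below is an added example, not the panelists' tooling or code from this deck: it parses a constructed AndroidManifest.xml, lists requested permissions that fall in Android's "dangerous" protection level (a subset of real permission names), and flags components that are exported without an android:permission guard. The sample "flashlight" manifest, the package name and the component names are all made up for the demonstration.

```python
"""Manifest audit (added example): flag dangerous permissions and exported
components that lack an android:permission guard."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Subset of real Android permissions with the 'dangerous' protection level.
DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.SEND_SMS",
    "android.permission.READ_SMS", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE", "android.permission.READ_CALL_LOG",
}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

def _attr(elem, name):
    """Read an android:<name> attribute; ElementTree needs the full namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def audit_manifest(xml_text):
    """Return requested 'dangerous' permissions and components other apps
    can reach (exported) that declare no android:permission guard."""
    root = ET.fromstring(xml_text)
    requested = [_attr(p, "name") for p in root.iter("uses-permission")]
    findings = {"dangerous": sorted(p for p in requested if p in DANGEROUS),
                "exported_unprotected": []}
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            exported = _attr(comp, "exported")
            # Pre-Android 12 rule: an intent-filter with no explicit
            # android:exported makes the component implicitly exported.
            implicit = exported is None and comp.find("intent-filter") is not None
            if (exported == "true" or implicit) and _attr(comp, "permission") is None:
                findings["exported_unprotected"].append(f"{tag}:{_attr(comp, 'name')}")
    return findings

# Constructed sample: a "flashlight" app whose manifest asks for far more
# than a flashlight needs (not taken from any real application).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".Main"><intent-filter/></activity>
    <service android:name=".Sync" android:exported="true"/>
    <receiver android:name=".Boot" android:exported="true"
              android:permission="com.example.flashlight.PRIVATE"/>
  </application>
</manifest>"""
```

Running `audit_manifest(SAMPLE_MANIFEST)` reports CAMERA and READ_CONTACTS as dangerous and flags the launcher activity and the Sync service, while the Boot receiver passes because it is guarded by a permission.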