
Page 1: Interop 2011 Las Vegas - Session SE31 - Rothke

Social networks and security – can you have both?

Ben Rothke, CISSP, CISM, CISA
Session SE-31, May 12, 2011
@benrothke

Page 2

About me

• Ben Rothke, CISSP, CISM, CISA
• Senior Security Consultant – British Telecom
• Frequent writer and speaker
• Author – Computer Security: 20 Things Every Employee Should Know (McGraw-Hill)
• Write the Security Reading Room blog
  – https://365.rsaconference.com/blogs/securityreading

Page 3

Agenda

• Overview of social networks
• Scary security risks associated with social networks
• Social network security strategies
• Conclusion / Recommendations / Q/A

Page 4

Security risks can’t be ignored

Page 5

Twitter – corporate, mainstream

Page 6

Facebook – corporate, mainstream

Page 7

Business benefits

• enhanced collaboration
• faster access to information within the company
• ability to get questions answered
• shared workspaces
• microblogs and chat
• platform applications

Page 8

Social networking reality

Page 9

…is now social networking

• Your mission
  – find 20 design engineers based in the US at Boeing
  – build a rapport with them to get designs for a new 737 derivative
• Time / Budget / Success
  – 1990 – many people, many months, limited success, very expensive
  – 2011 – one person, multiple Facebook accounts, can outsource to India, near-immediate results, extremely high success rate
• Facebook – easy to find out who they are
  – who their friends are
  – what they like, where they shop, daily habits, friends

Page 10

• To block or not to block?
  – no longer the question
• Social media isn’t a choice anymore – it’s a business transformation tool
  – Natalie Petouhoff – Weber Shandwick
• Business and information security goal
  – Secure use and enablement of social media

Page 11

Reasons not to block

• Don’t blame the game, blame the player
• Smart companies control, not block
  – Staff can use social media and be productive
• No longer a 9-5 world
• Lose the benefits of social media
• Abusers don’t suddenly become productive
  – Social media abuse is an HR issue, not a technical issue

Page 12

New security ideas required

• Easy security tasks
  – Block all outbound FTP traffic
  – Use DLP to encrypt sensitive e-mails
  – Block admission to the network if host AV signatures are not current
  – Use SIEM to correlate all logs
• Challenging security task
  – Stop end-users from inappropriate sharing of confidential/proprietary data via social networks

Page 13

Resistance is futile

• Social networks are not a fad
• Not only is resistance futile – it is a negative business decision
• Prepare a social networking strategy
• Have a realistic understanding of the risks and benefits of social software
• Understand the unique challenges and factor them into deciding when and how to proceed

Page 14

Try stopping this…

Page 15

Security game-changer

• Organizations and management are struggling
  – to understand and deal with the numerous security and privacy risks associated with social networks
• Traditional information security
  – firewalls and access control protected the perimeter; social networks open up that perimeter
• Focus shift
  – from infrastructure protection to data protection

Page 16

Security issues

• People will share huge amounts of highly confidential personal & business information with people they perceive to be legitimate
• Numerous legitimate security risks with allowing uncontrolled access to social sites
• But… these risks can be mitigated via a comprehensive security strategy

Page 17

Security and privacy risks

• Malware
  – Social networks as a malware distribution point
• Vulnerabilities
  – cross-site scripting, cross-site request forgery
  – 1 in 5 web attacks aimed at social networks
• Corporate espionage
• Phishing / spear phishing
• Bandwidth consumption

Page 18

More security and privacy risks

• Information leakage
• Social engineering attacks
• Geotagging / location-based social networking
  – allows random people to track an individual’s location and correlate it with other information
  – publishing business photos can be detrimental to business
  – Content-based Image Retrieval (CBIR)
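The geotagging risk on this slide is most concrete in photo metadata: most cameras and phones write the GPS position into a JPEG's Exif block, and a business photo posted to a social network carries that position along with it. The following Python script is an added example, not part of Rothke's deck; using only the standard library, it walks a JPEG's marker segments, decodes the Exif TIFF structure far enough to read the GPS sub-IFD (tag 0x8825 in IFD0; tags 1–4 for latitude/longitude and their N/S/E/W references, all from the Exif standard), reports any position found, and rebuilds the file without the Exif segment so it can be published clean. The sample file from build_sample_jpeg is a constructed stand-in with a dummy scan-data tail, not a real image.

```python
import struct

SOI = b"\xff\xd8"          # JPEG start-of-image marker
EXIF_MAGIC = b"Exif\0\0"   # APP1 payload prefix used by Exif
GPS_IFD_TAG = 0x8825       # IFD0 tag pointing at the GPS sub-IFD (Exif standard)
# byte size of each TIFF field type (BYTE, ASCII, SHORT, LONG, RATIONAL, ...)
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


def split_jpeg(data):
    """Split a JPEG into its leading marker segments and the tail from SOS onward."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG file")
    segments, pos = [], 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS or EOI: no more metadata segments follow
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # length includes its own 2 bytes
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments, data[pos:]


def parse_ifd(tiff, offset, endian):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for one TIFF IFD."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def read_value(tiff, endian, typ, count, raw):
    """Decode an IFD entry; values longer than 4 bytes live at an offset into the TIFF block."""
    size = TYPE_SIZE.get(typ, 1) * count
    if size > 4:
        off = struct.unpack(endian + "I", raw)[0]
        raw = tiff[off:off + size]
    raw = raw[:size]
    if typ == 2:  # ASCII, NUL-terminated
        return raw.rstrip(b"\0").decode("ascii", "replace")
    if typ == 3:  # SHORT
        return struct.unpack(endian + "H" * count, raw)
    if typ == 4:  # LONG
        return struct.unpack(endian + "I" * count, raw)
    if typ == 5:  # RATIONAL: numerator/denominator pairs
        nums = struct.unpack(endian + "II" * count, raw)
        return tuple(n / d if d else 0.0 for n, d in zip(nums[::2], nums[1::2]))
    return raw


def dms_to_decimal(dms, ref):
    """Convert (degrees, minutes, seconds) plus an N/S/E/W reference to a signed decimal."""
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref.upper() in ("S", "W") else value


def gps_coordinates(jpeg):
    """Return (lat, lon) from the Exif GPS IFD, or None if the photo carries no position."""
    for marker, payload in split_jpeg(jpeg)[0]:
        if marker != 0xE1 or not payload.startswith(EXIF_MAGIC):
            continue
        tiff = payload[len(EXIF_MAGIC):]
        endian = "<" if tiff[:2] == b"II" else ">"  # "II" = little-endian, "MM" = big-endian
        ifd0 = parse_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        if GPS_IFD_TAG not in ifd0:
            return None
        gps_off = read_value(tiff, endian, *ifd0[GPS_IFD_TAG])[0]
        gps = {t: read_value(tiff, endian, *v) for t, v in parse_ifd(tiff, gps_off, endian).items()}
        if 2 not in gps or 4 not in gps:  # GPSLatitude / GPSLongitude absent
            return None
        return (dms_to_decimal(gps[2], gps.get(1, "N")), dms_to_decimal(gps[4], gps.get(3, "E")))
    return None


def strip_exif(jpeg):
    """Rebuild the JPEG without its Exif APP1 segment(s); other segments and scan data are kept."""
    segments, tail = split_jpeg(jpeg)
    out = bytearray(SOI)
    for marker, payload in segments:
        if marker == 0xE1 and payload.startswith(EXIF_MAGIC):
            continue
        out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out + tail)


def build_sample_jpeg():
    """Constructed sample (not a real photo): a JPEG shell with a little-endian Exif block
    placing the picture at 40 deg 30' N, 115 deg 15' W; the bytes after SOS are a dummy."""
    e = "<"
    ifd0 = struct.pack(e + "H", 1) + struct.pack(e + "HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack(e + "I", 0)
    gps = struct.pack(e + "H", 4)
    gps += struct.pack(e + "HHI", 1, 2, 2) + b"N\0\0\0"   # GPSLatitudeRef, value fits in the entry
    gps += struct.pack(e + "HHII", 2, 5, 3, 80)            # GPSLatitude: 3 rationals at offset 80
    gps += struct.pack(e + "HHI", 3, 2, 2) + b"W\0\0\0"   # GPSLongitudeRef
    gps += struct.pack(e + "HHII", 4, 5, 3, 104)           # GPSLongitude: 3 rationals at offset 104
    gps += struct.pack(e + "I", 0)
    lat = struct.pack(e + "IIIIII", 40, 1, 30, 1, 0, 1)
    lon = struct.pack(e + "IIIIII", 115, 1, 15, 1, 0, 1)
    tiff = b"II" + struct.pack(e + "HI", 0x2A, 8) + ifd0 + gps + lat + lon
    app0 = b"\xff\xe0" + struct.pack(">H", 7) + b"JFIF\0"
    app1_payload = EXIF_MAGIC + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    return SOI + app0 + app1 + b"\xff\xda\x00\x02" + b"\x00\x01\x02" + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("position in sample:", gps_coordinates(photo))                # (40.5, -115.25)
    print("position after strip:", gps_coordinates(strip_exif(photo)))  # None
```

A check like gps_coordinates belongs in the publishing path (a pre-post hook, an upload gateway, or an awareness exercise that shows staff what their own photos reveal); strip_exif discards the whole Exif segment, which also removes camera model and timestamps, which is usually what you want for a photo leaving the company.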

Page 19

Cree.py is just the beginning

Page 20

Infosec losing on social media?

• Requires a combination of technical, behavioral and organizational security controls
  – many information security groups are clueless on how to do that
• Arguing that social media presents a highly unmanageable set of security risks
  – gives the impression that the infosec group is incompetent

Page 21

Strategies and action items for enterprises to deal with the security and privacy risks of social networks

Page 22

Secure use of social media

1. Enablement
   – Awareness, education
2. Governance
   – Corporate social media strategy
   – Realistic policies
3. Management
   – Effective monitoring

Page 23

Get in front of the wave

• Be proactive
  – dedicated team to deal with social networks
  – identify all issues around social networks
• Get involved and be engaged
• Social networking is moving fast
• Be flexible
  – overall uncertainty about what strategies and tactics to adopt to secure social media

Page 24

Risk assessment

• for each social network community
  – vulnerabilities associated with each community
• each social community has its own set of unique security and privacy concerns
• which users are the greatest risk?

Page 25

Risk assessment

• output will be used to create the social media policy and strategy
  – customized to your specific risk matrix
• balance risks vs. benefits
  – US Marines – totally prohibited
  – Starbucks – totally embraced

Page 26

Social network risk assessment

• LinkedIn analysis – you can determine:
  – what technologies a company is using
  – corporate direction
  – vendors
  – partners
  – internal e-mail addresses and address formats
• Facebook analysis – you can determine:
  – almost everything

Page 27

Social media strategy

• Based on your social media goals
• Identify people or positions who will be the online public face of the firm
• Decide if/how employees may identify themselves
• Twitter strategy for Government Departments
  – http://digitalengagement.cabinetoffice.gov.uk/blog

Page 28

Social media strategy

• Draconian policies preventing the use of social media will most often not be effective
• Use a balanced approach
  – allow access
  – manage risk via technical controls, policies and employee training

Page 29

Blurred role boundaries

• who speaks for the company
• border between the company and the outside world is evaporating
• management decision, not an IT decision
• strategies: block, contain, disregard, embrace
• create user scenarios
  – not all users need access

Page 30

Social networking policy

• Social networking policy is a must
  – even if it prohibits everything, you still need a policy
• Employees will do stupid things
• Rational, sensible use of social media services
  – include photography and video
  – don’t reference clients, customers, or partners without obtaining their express permission

Page 31

Monitoring

• Maintain control over content the company owns
  – monitor employee social networking participation
  – significant risk of loss of IP protection if not monitored
  – inappropriate use of enterprise content occurred?
    • notify the employee – explain how their actions violated policy
  – control where and how corporate content is shared externally

Page 32

Security awareness

• Social media is driven by social interactions
• Most significant risks are tied to the behavior of staff when they are using social software
• Don't shun social media for fear of bad end-user behavior
  – Anticipate it and formulate a multilevel approach to policies for effective governance
• 3 C’s
  – clear, comprehensive, continuous

Page 33

Security awareness

• Awareness and training program is critical
  – effectively communicated and customized
  – disseminate to everyone
  – ensure recurrent training
  – create topic taboo lists
  – define expectations of privacy

Page 34

How to get fired in 3 tweets…

• Let employees know they can lose their job
  – policy violation
  – managers and executives – special responsibility when blogging by virtue of their position
  – too much time on social network sites
  – perception that they are promoting themselves at the expense of the company
  – especially if the employer is not into social networking

Page 35

End-user awareness

• Curb your enthusiasm
  – those with OCD/addictive personalities – be cognizant of the addictive nature of social networking
  – what is fun today is embarrassing tomorrow
  – expect that the entire world will see your comments
  – consider carefully which images, videos and information you publish
  – set daily time limits on social media

Page 36

Awareness 101

• Ensure staff know about and are compliant with social media guidelines
  – post something corporate, ensure that it is public information
  – be careful about posting customer information, even if it is public

Page 37

Awareness 101

• Ensure staff know about and are compliant with social media guidelines
  – breach of insider information can cost you your job
  – know the rules of using social networking sites while at work
  – take extra care if you friend your boss on Facebook
  – Facebook is viral and addictive – don’t waste the workday on it

Page 38

Social media guidelines

• Without guidelines, breaches are inevitable
• Excellent sources:
  – Intel Social Media Guidelines
  – IBM Social Computing Guidelines
  – Oracle Social Media Participation Policy
• Policies must have directives for blogs, wikis, social networks, virtual worlds, social media and more.

Page 39

Regulatory compliance

• Regulatory framework should be reviewed and, where necessary, revised
• Consider what specific laws, regulations, standards and breach notice laws apply

Page 40

Reputation management

• Traditional PR and legal responses to an Internet-based negative reputation event can cause more damage than doing nothing
• Establishing, following and updating protocols can make social-media chaos less risky to enterprises
• Infosec should coordinate activities with PR teams
  – expand monitoring and supplement monitoring with investigations and evidence collection processes

Page 41

Reputation management

Page 42

Reputation management

• Goal is to build and protect a positive Internet-based reputation
• Risks to reputation are significant and growing with the increased use of social networks
• Create reputation management group with input from IT, legal, risk management, PR and marketing

Page 43

Reputation management

• Coordinated approach
  – proactive / responsive

Page 44

HR must be involved

• Social networks open up a huge can of HR worms
• What are the disciplinary actions for non-compliance?
• Can a candidate’s social network presence be a factor in the hiring process?
• Create directives for managing personal and professional time

Page 45

HR must be involved

• Don’t be seen as encroaching on employees’ free speech
• Create reasonable guidelines
• Explain how innocent postings can be misconstrued
• A heavy-handed approach will often backfire and result in lower morale and often bad publicity

Page 46

HR & FCRA

• Via Facebook, you can know way too much about a candidate:
  – race, orientation, religion, politics, health, etc.
  – such information can be used to show bias
• EEOC and expensive litigation

Page 47

References

• Clearswift Security Awareness Research
• New Media and the Air Force
• ENISA position papers
  – Security Issues and Recommendations for Online Social Networks
  – Online as Soon as it Happens
• Parents’ Guide to Facebook

Page 48

Conclusion

• Social networks introduce security risks
  – social networks & security can be compatible
• Perform a comprehensive risk assessment against all social networks to be used
• Understand business & technical requirements
• Recognize these security and privacy risks and take a formal approach to mitigate them

Page 49

Contact info

• Ben Rothke, CISSP CISA
• Senior Security Consultant
• BT Professional Services
• @benrothke
• www.linkedin.com/in/benrothke
• www.twitter.com/benrothke
• www.slideshare.net/benrothke