Interop 2011 Las Vegas - Session SE-31 - Rothke
TRANSCRIPT
Social networks and security – can you have both?
Ben Rothke, CISSP, CISM, CISA
Session SE-31
May 12, 2011
@benrothke
About me
• Ben Rothke, CISSP, CISM, CISA
• Senior Security Consultant – British Telecom
• Frequent writer and speaker
• Author – Computer Security: 20 Things Every Employee Should Know (McGraw-Hill)
• Write the Security Reading Room blog
  – https://365.rsaconference.com/blogs/securityreading
Agenda
• Overview of social networks
• Scary security risks associated with social networks
• Social network security strategies
• Conclusion / Recommendations / Q&A
Security risks can’t be ignored
Twitter – corporate, mainstream
Facebook – corporate, mainstream
Business benefits
• enhanced collaboration
• faster access to information within the company
• ability to get questions answered
• shared workspaces
• microblogs and chat
• platform applications
Social networking reality
…is now social networking
• Your mission
  – find 20 design engineers based in the US at Boeing
  – build a rapport with them to get designs for a new 737 derivative
• Time / Budget / Success
  – 1990 – many people, many months, limited success, very expensive
  – 2011 – one person, multiple Facebook accounts, can outsource to India, near-immediate results, extremely high success rate
• Facebook – easy to find out who they are
  – who their friends are
  – what they like, where they shop, daily habits, friends
• To block or not to block?
  – no longer the question
• Social media isn’t a choice anymore – it’s a business transformation tool
  – Natalie Petouhoff – Weber Shandwick
• Business and information security goal
  – secure use and enablement of social media
Reasons not to block
• Don’t blame the game, blame the player
• Smart companies control, not block
  – staff can use social media and be productive
• No longer a 9-5 world
• Lose the benefits of social media
• Abusers don’t suddenly become productive
  – social media abuse is an HR issue, not a technical issue
New security ideas required
• Easy security tasks
  – block all outbound FTP traffic
  – use DLP to encrypt sensitive e-mails
  – block admission to the network if host AV signatures are not current
  – use SIEM to correlate all logs
• Challenging security task
  – stop end-users from inappropriately sharing confidential/proprietary data via social networks
Resistance is futile
• Social networks are not a fad
• Not only is resistance futile – it is a negative business decision
• Prepare a social networking strategy
• Have a realistic understanding of the risks and benefits of social software
• Understand the unique challenges and factor them into when and how to proceed
Try stopping this…
Security game-changer
• Organizations and management are struggling
  – to understand and deal with the numerous security and privacy risks associated with social networks
• Traditional information security
  – firewalls and access control protected the perimeter; social networks open up that perimeter
• Focus shift
  – from infrastructure protection to data protection
Security issues
• People will share huge amounts of highly confidential personal & business information with people they perceive to be legitimate
• Numerous legitimate security risks with allowing uncontrolled access to social sites
• But… these risks can be mitigated via a comprehensive security strategy
Security and privacy risks
• Malware
  – social networks as a malware distribution point
• Vulnerabilities
  – cross-site scripting, cross-site request forgery
  – 1 in 5 web attacks aimed at social networks
• Corporate espionage
• Phishing / spear phishing
• Bandwidth consumption
More security and privacy risks
• Information leakage
• Social engineering attacks
• Geotagging / location-based social networking
  – allows random people to track an individual’s location and correlate it with other information
  – publishing business photos can be detrimental to business
  – Content-based Image Retrieval (CBIR)
Cree.py is just the beginning
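The geotagging risk above comes from GPS coordinates that cameras and phones embed in the Exif block of a JPEG, which survive an upload unless the site or the publisher strips them. The following is an added example, not part of Rothke’s slides: it constructs a minimal JPEG with an Exif GPS sub-IFD (the coordinates are made up), shows how a pre-publication check would read the tags back as decimal degrees, and strips the APP1 metadata segment so the same check comes back empty. The file layout follows the JPEG/Exif specifications; the helper names and the sample values are this example’s own.

```python
import struct

# JPEG markers and Exif/TIFF constants (from the JPEG and Exif specifications)
SOI, APP0, APP1, SOS = 0xFFD8, 0xFFE0, 0xFFE1, 0xFFDA
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                      # IFD0 entry that points at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
ASCII, LONG, RATIONAL = 2, 4, 5           # TIFF field types used below


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Construct a minimal JPEG (SOI, APP0, APP1/Exif with GPS tags, EOI) for the demo.

    Coordinates are constructed sample values, not from any real photo.
    lat_dms / lon_dms are ((deg,1), (min,1), (sec,1)) rational triples.
    """
    ifd0_off = 8                                  # right after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4               # IFD0: one entry + next-IFD pointer
    data_off = gps_off + 2 + 4 * 12 + 4           # GPS IFD: four entries + pointer
    ifd0 = (struct.pack(">H", 1)
            + struct.pack(">HHII", TAG_GPS_IFD, LONG, 1, gps_off)
            + struct.pack(">I", 0))
    gps = (struct.pack(">H", 4)
           + struct.pack(">HHI4s", GPS_LAT_REF, ASCII, 2, lat_ref.encode())
           + struct.pack(">HHII", GPS_LAT, RATIONAL, 3, data_off)
           + struct.pack(">HHI4s", GPS_LON_REF, ASCII, 2, lon_ref.encode())
           + struct.pack(">HHII", GPS_LON, RATIONAL, 3, data_off + 24)
           + struct.pack(">I", 0))
    rationals = b"".join(struct.pack(">II", n, d) for n, d in lat_dms + lon_dms)
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd0_off) + ifd0 + gps + rationals
    app1 = EXIF_HEADER + tiff
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (struct.pack(">H", SOI)
            + struct.pack(">HH", APP0, len(app0) + 2) + app0
            + struct.pack(">HH", APP1, len(app1) + 2) + app1
            + b"\xff\xd9")                         # EOI; no scan data needed here


def iter_segments(jpeg):
    """Yield (marker, start, end) for each header segment up to and including SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        while pos + 1 < len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] == 0xFF:
            pos += 1                               # skip fill bytes before a marker
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = 0xFF00 | jpeg[pos + 1]
        if 0xFFD0 <= marker <= 0xFFD9:             # RSTn / SOI / EOI carry no length
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        if marker == SOS:                          # entropy-coded data follows
            break
        pos += 2 + length


def _read_ifd(tiff, bo, off):
    """Return {tag: (type, count, raw 4-byte value field)} for the IFD at off."""
    n = struct.unpack(bo + "H", tiff[off:off + 2])[0]
    entries = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, count = struct.unpack(bo + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def _dms_to_degrees(tiff, bo, entry):
    """Decode a 3-RATIONAL (deg, min, sec) GPS field into decimal degrees."""
    _typ, count, raw = entry
    off = struct.unpack(bo + "I", raw)[0]          # 24 bytes never fit the value field
    vals = []
    for i in range(count):
        num, den = struct.unpack(bo + "II", tiff[off + 8 * i:off + 8 * i + 8])
        vals.append(num / den if den else 0.0)
    deg, mins, secs = (vals + [0.0, 0.0, 0.0])[:3]
    return deg + mins / 60 + secs / 3600


def read_gps(jpeg):
    """Return (lat, lon) in decimal degrees if Exif GPS tags are present, else None."""
    for marker, start, end in iter_segments(jpeg):
        if marker != APP1 or jpeg[start + 4:start + 10] != EXIF_HEADER:
            continue
        tiff = jpeg[start + 10:end]
        bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if bo is None:
            continue
        ifd0 = _read_ifd(tiff, bo, struct.unpack(bo + "I", tiff[4:8])[0])
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, bo, struct.unpack(bo + "I", ifd0[TAG_GPS_IFD][2])[0])
        if GPS_LAT not in gps or GPS_LON not in gps:
            return None
        lat = _dms_to_degrees(tiff, bo, gps[GPS_LAT])
        lon = _dms_to_degrees(tiff, bo, gps[GPS_LON])
        if gps.get(GPS_LAT_REF, (0, 0, b""))[2].startswith(b"S"):
            lat = -lat
        if gps.get(GPS_LON_REF, (0, 0, b""))[2].startswith(b"W"):
            lon = -lon
        return lat, lon
    return None


def strip_app1(jpeg):
    """Return a copy with every APP1 segment (Exif, XMP) removed; pixel data untouched."""
    cuts = [(s, e) for m, s, e in iter_segments(jpeg) if m == APP1]
    out, pos = bytearray(), 0
    for s, e in cuts:
        out += jpeg[pos:s]
        pos = e
    out += jpeg[pos:]
    return bytes(out)


# Constructed sample: tagged at 47°36'22" N, 122°19'55" W (made-up coordinates)
SAMPLE = build_sample_jpeg(((47, 1), (36, 1), (22, 1)), "N",
                           ((122, 1), (19, 1), (55, 1)), "W")

if __name__ == "__main__":
    print("before:", read_gps(SAMPLE))
    print("after :", read_gps(strip_app1(SAMPLE)))
```

Dropping the whole APP1 segment rather than editing individual GPS tags is the safer policy for a publishing workflow: it also removes timestamps, device serial numbers and XMP data that the slide’s CBIR and correlation concerns apply to, and the image still decodes because scan data lives in later segments.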
Infosec losing on social media?
• Requires a combination of technical, behavioral and organizational security controls
  – many information security groups are clueless on how to do that
• Arguing that social media presents a highly unmanageable set of security risks
  – gives the impression that the infosec group is incompetent
Strategies and action items for enterprises to deal with the security and privacy risks of social networks
Secure use of social media
1. Enablement
   – awareness, education
2. Governance
   – corporate social media strategy
   – realistic policies
3. Management
   – effective monitoring
Get in front of the wave
• Be proactive
  – dedicated team to deal with social networks
  – identify all issues around social networks
• Get involved and be engaged
• Social networking is moving fast
• Be flexible
  – overall uncertainty about what strategies and tactics to adopt to secure social media
Risk assessment
• for each social network community
  – vulnerabilities associated with each community
• each social community has its own set of unique security and privacy concerns
• which users are the greatest risk?
Risk assessment
• output will be used to create the social media policy and strategy
  – customized to your specific risk matrix
• balance risks vs. benefits
  – US Marines – totally prohibited
  – Starbucks – totally embraced
Social network risk assessment
• LinkedIn analysis – you can determine:
  – what technologies a company is using
  – corporate direction
  – vendors
  – partners
  – internal e-mail addresses and address formats
• Facebook analysis – you can determine:
  – almost everything
Social media strategy
• Based on your social media goals
• Identify people or positions who will be the online public face of the firm
• Decide if/how employees may identify themselves
• Twitter strategy for Government Departments
  – http://digitalengagement.cabinetoffice.gov.uk/blog
Social media strategy
• Draconian policies preventing the use of social media will most often not be effective
• Use a balanced approach
  – allow access
  – manage risk via technical controls, policies and employee training
Blurred role boundaries
• who speaks for the company?
• border between the company and the outside world is evaporating
• management decision, not an IT decision
• strategies: block, contain, disregard, embrace
• create user scenarios
  – not all users need access
Social networking policy
• Social networking policy is a must
  – even if it prohibits everything, you still need a policy
• Employees will do stupid things
• Rational, sensible use of social media services
  – include photography and video
  – don’t reference clients, customers, or partners without obtaining their express permission
Monitoring
• Maintain control over content the company owns
  – monitor employee social networking participation
  – significant risk of loss of IP protection if not monitored
  – inappropriate use of enterprise content occurred?
    • notify employee – explain how their actions violated policy
  – control where and how corporate content is shared externally
Security awareness
• Social media is driven by social interactions
• Most significant risks are tied to the behavior of staff when they are using social software
• Don't shun social media for fear of bad end-user behavior
  – anticipate it and formulate a multilevel approach to policies for effective governance
• 3 C’s
  – clear, comprehensive, continuous
Security awareness
• Awareness and training program is critical
  – effectively communicated and customized
  – disseminate to everyone
  – ensure recurrent training
  – create topic taboo lists
  – define expectations of privacy
How to get fired in 3 tweets…
• Let employees know they can lose their job
  – policy violation
  – managers and executives have a special responsibility when blogging by virtue of their position
  – too much time on social network sites
  – perception that they are promoting themselves at the expense of the company
  – especially if the employer is not into social networking
End-user awareness
• Curb your enthusiasm
  – those with OCD/addictive personalities – be cognizant of the addictive nature of social networking
  – what is fun today is embarrassing tomorrow
  – expect that the entire world will see your comments
  – consider carefully which images, videos and information you publish
  – set daily time limits on social media
Awareness 101
• Ensure staff know about and are compliant with social media guidelines
  – if you post something corporate, ensure that it is public information
  – be careful about posting customer information, even if it is public
Awareness 101
• Ensure staff know about and are compliant with social media guidelines
  – breach of insider information can cost you your job
  – know the rules of using social networking sites while at work
  – take extra care if you friend your boss on Facebook
  – Facebook is viral and addictive – don’t waste the workday on it
Social media guidelines
• Without guidelines, breaches are inevitable
• Excellent sources:
  – Intel Social Media Guidelines
  – IBM Social Computing Guidelines
  – Oracle Social Media Participation Policy
• Policies must have directives for blogs, wikis, social networks, virtual worlds, social media and more
Regulatory compliance
• Regulatory framework should be reviewed and, where necessary, revised
• Consider what specific laws, regulations, standards and breach notice laws apply
Reputation management
• Traditional PR and legal responses to an Internet-based negative reputation event can cause more damage than doing nothing
• Establishing, following and updating protocols can make social-media chaos less risky to enterprises
• Infosec should coordinate activities with PR teams
  – expand monitoring and supplement it with investigations and evidence collection processes
Reputation management
• Goal is to build and protect a positive Internet-based reputation
• Risks to reputation are significant and growing with the increased use of social networks
• Create a reputation management group with input from IT, legal, risk management, PR and marketing
Reputation management
• Coordinated approach
  – proactive / responsive
HR must be involved
• Social networks open up a huge can of HR worms
• What are the disciplinary actions for non-compliance?
• Can a candidate’s social network presence be a factor in the hiring process?
• Create directives for managing personal and professional time
HR must be involved
• Don’t be seen as encroaching on employees’ free speech
• Create reasonable guidelines
• Explain how innocent postings can be misconstrued
• A heavy-handed approach will often backfire and result in lower morale and often bad publicity
HR & FCRA
• Via Facebook, you can know way too much about a candidate:
  – race, orientation, religion, politics, health, etc.
  – such information can be used to show bias
• EEOC and expensive litigation
References
• Clearswift Security Awareness Research
• New Media and the Air Force
• ENISA position papers
  – Security Issues and Recommendations for Online Social Networks
  – Online as Soon as it Happens
• Parents’ Guide to Facebook
Conclusion
• Social networks introduce security risks
  – social networks & security can be compatible
• Perform a comprehensive risk assessment against all social networks to be used
• Understand business & technical requirements
• Recognize these security and privacy risks and take a formal approach to mitigate them
Contact info
• Ben Rothke, CISSP, CISA
• Senior Security Consultant
• BT Professional Services
• @benrothke
• www.linkedin.com/in/benrothke
• www.twitter.com/benrothke
• www.slideshare.net/benrothke