sc magazine social media spotlight - nexgate

December 2012 • WWW.SCMAGAZINE.COM

INCLUDING:
P10 A vulnerable world: It is a relatively simple matter for criminals to gather information from social media sites.
P14 Privacy in play: There’s a battle brewing about privacy controls that can have consequences for online commerce.
P18 Winds of change: Social media was useful during Hurricane Sandy, but data may never have been more vulnerable.

SHINING THE “SPOTLIGHT” ON: Social Media
Enterprise use of social networks brings convenience and assists in marketing, but it also opens new routes for cyber criminals.



WEBSITE WWW.SCMAGAZINE.COM • EMAIL [email protected]

www.facebook.com/SCMag www.twitter.com/scmagazine

SC Magazine™ (ISSN No. 1096-7974) is published 12 times a year on a monthly basis by Haymarket Media Inc., 114 West 26th Street, 4th Floor, New York, NY 10001 U.S.A.; phone 646-638-6000; fax 646-638-6110. Periodicals postage paid at New York, NY 10001 and additional mailing offices. POSTMASTER: Send address changes to SC Magazine, P.O. Box 316, Congers, NY 10920-0316. © 2012 by Haymarket Media Inc. All rights reserved. Annual subscription rates: United States: $98; Canada and Mexico: $110; other foreign distribution: $208 (air service). Two-year subscription: United States: $175; Canada and Mexico: $195; other foreign distribution: $375 (air service). Single copy price: United States: $20; Canada, Mexico, other foreign: $30. Website: www.scmagazine.com.

In this special Spotlight edition of SC Magazine with a focus on social media, we examine how the use of social networks impacts the security of the enterprise. Some argue that it augments productivity and helps marketing efforts, while others contend it places corporate assets in danger. We take a thorough look.


IS YOUR COMPANY PRACTICING SAFE SOCIAL MEDIA?

Don’t take chances until you read this….

With Facebook reaching one billion users, Twitter at over 500 million and LinkedIn at 161 million and growing, trying to stop social media is like trying to stop a speeding train!

The good news? Companies who leverage social media tools are experiencing more efficient marketing, revenue growth and greater brand awareness.

The bad news? Unmanaged social media access exposes you to the risks of brand damage, employee productivity drain and confidential data loss.

The best news? EdgeWave Social Media Security creates safe social media with technology that seamlessly monitors, filters and reports on end-user interactions on your network. Our revolutionary approach not only gives you granular, policy-driven control over social media interactions, it does so from within the application itself. Your user gets a transparent experience, and you get integrated, real-time visibility and control that no other solution can match.

See EdgeWave Social Media in action and download a free guide, Social Media without the Risks: www.edgewave.com/safesocial

REGULARS

5 Editorial: Welcome to our special Spotlight edition on social media.

6 DataBank: Some statistics on social media use – and misuse.

8 Update: News briefs on how social media affects the workplace.

22 Last Word: Finding privacy on a data-centric web. Online data about a user can impact how that person is perceived, says Microsoft’s Brendon Lynch.

FEATURES

10 A vulnerable world: Criminals can easily gather information from social media sites that can then be used for social engineering and other attacks.

14 Privacy in play? There’s a battle brewing about privacy controls that can have significant consequences for online commerce.

18 Winds of change: Social media proved useful in communications during Hurricane Sandy, but enterprise data may also have been vulnerable as a result.

“Social networking is part of our everyday interactions.”

What is SCWC 24/7? SC Magazine has created a free virtual environment that is open year-round. Each month we host an event focused on a subject that you as an IT security professional face on a regular basis.

This month

Dec. 11 eSymposium: Hacking. Communications giant T-Mobile was just the latest in a series of assaults on corporate websites by cyber gangs whose intention is not necessarily to gain financially from their activity, but to wreak havoc on targets they deem offensive.

These vigilante-style attacks are meant to embarrass executives by publicizing their secret dealings. However, as well-intentioned as these actions might be, there is still a transgression of laws in the exposure of personal, corporate or military information. What can authorities do to go after those behind these activities, and how can corporations better protect themselves so incidents – such as those that happened at RSA, Twitter, PayPal, Sony, Pfizer, the FBI, a number of police forces, the U.S. military and many other entities – don’t happen to them? We’ll take a deep dive.

On demand: Vulnerability management. Cyber criminals take advantage of vulnerabilities in web and other apps to gain entrance to corporate infrastructures. With breaches now happening on a regular basis using these methods, critical information of all kinds is being exposed. We learn from experts what companies can do to mitigate against these threats.

For more info: For information on SCWC 24/7 events, please contact Natasha Mulla at [email protected]. For sponsorship opportunities, contact Mike Alessie at [email protected]. Or visit www.scmagazineus.com/scwc247.

WHO’S WHO AT SC MAGAZINE

EDITORIAL
VP, Editorial Director: Illena Armstrong [email protected]
Editor: Dan Kaplan [email protected]
Managing Editor: Greg Masters [email protected]
Digital Content Coordinator: Marcos Colón [email protected]
Danielle Walker [email protected]
Technology Editor: Peter Stephenson [email protected]
Lab Manager: Mike Stephenson [email protected]
SC Lab Operations: John Aitken [email protected]
Lab Editorial Assistant: Judy Traub [email protected]
Director, SC Congress: Eric Green [email protected]
Stephen Lawton, Deb Radcliff, Karen Epper Hoffman

DESIGN AND PRODUCTION
Art Director: Michael Strong [email protected]
Audience Development & Operations: John Crewe [email protected]
Manager: Krassi Varbanov [email protected]

EVENTS
Events Director: Natasha Mulla [email protected]
Events Coordinator: Anthony Curry [email protected]
Coordinator: Maggie Keller [email protected]

U.S. SALES
VP, Sales Director: David Steifman (646) 638-6008 [email protected]
Regional Sales Director: Mike Shemesh (646) 638-6016 [email protected]
Coast Sales Director: Matthew Allington (415) 346-6460 [email protected]
Sales Director: Mike Alessie (646) 638-6002 [email protected]
Manager: Dennis Koster (646) 638-6019 [email protected]
Account Manager: Samantha Amoroso [email protected]
Editorial Assistant: Roo Howar (646) 638-6104 [email protected]
Executive, Licensing and Reprints: Elton Wong (646) 638-6101 [email protected]
Email List Rental, Senior Account Manager: Frank Cipolla, Edith Roman Associates (845) 731-3832 [email protected]

CIRCULATION
Audience Development Director: Sherry Oommen (646) 638-6003 [email protected]
Data Manager: Joshua Blair (646) 638-6048 [email protected]

INQUIRIES
Customer Service: (800) 558-1703; Email: [email protected]; www.scmagazine.com/subscribe

MANAGEMENT
CEO of Haymarket Media: Lee Maniscalco
Executive Vice President: Tony Keefe

SC MAGAZINE EDITORIAL ADVISORY BOARD 2012

Rich Baich, chief information security officer, Wells Fargo & Co.; former principal, security and privacy, Deloitte and Touche

Greg Bell, global information protection and security lead partner, KPMG

Christopher Burgess, chief security officer and president, public sector, Atigeo

Jaime Chanaga, managing director, CSO Board Consulting

Rufus Connell, research director - information technology, Frost & Sullivan

Dave Cullinane, CEO, Security Starfish; former chief information security officer, eBay

Mary Ann Davidson, chief security officer, Oracle

Dennis Devlin, assistant vice president, information security and compliance services, George Washington University

Gerhard Eschelbeck, chief technology officer and senior vice president, Sophos

Gene Fredriksen, chief information security officer, Tyco International

Maurice Hampton, technical account manager, Qualys

Paul Kurtz, partner and chief operating officer, Good Harbor Consulting

Kris Lovejoy, vice president of IT risk, office of the CIO, IBM

Tim Mather, director, information protection, KPMG

Stephen Northcutt, president, SANS Technology Institute

Randy Sanovic, former general director, information security, General Motors

* Howard Schmidt, former cyber security coordinator, White House; former president and chief executive officer, Information Security Forum

Ariel Silverstone, former chief information security officer, Expedia

Justin Somaini, chief information security officer, Yahoo

Craig Spiezle, chairman, Online Trust Alliance; former director, online safety technologies, Microsoft

W. Hord Tipton, executive director, (ISC)2; former CIO, U.S. Department of the Interior

Amit Yoran, chief executive officer, NetWitness; former director, U.S. Department of Homeland Security’s National Cyber Security Division

* emeritus

Editorial

A special “Spotlight” on social media

Twitter, Facebook, Tumblr and other social networking sites have been making plenty of headlines lately – both good and bad (but, let’s face it, mostly bad). Just recently, a group engaging in an “anti-blogging” campaign attacked various major sites, like CNN, along with the microblogging platform and social media site Tumblr. The assault spread a pretty passionate, yet rather aggressive diatribe blasting “self-indulgent” bloggers, which packed along with it a nasty little worm that enabled the group’s statement to post itself onto victims’ pages, as well as onto the pages of those who visited them. Some 8,000 Tumblr users reportedly were affected – only this time it was just by inflammatory post, rather than compromised accounts and personal information.

Meanwhile, it was discovered just this week that users sending and receiving Twitter messages via text message on their mobile phones could fall victim to spoofing attacks. Apparently, a flaw in the system could allow attackers to spoof the user’s account to tweet whatever they wish via text. After reports of the vulnerability, Twitter issued a fix.

Still other attacks have persisted through social media, both those that result in havoc on the networking sites themselves, as well as those aimed at particular companies or government agencies that social media sites often facilitate. After all, one gullible end-user can mean a host of problems for organizations and CSOs like you.

Then there are all the privacy-related issues surrounding social media. Not only do cyber criminals harness the power of these sites to reach their aims, but government entities across the globe have used them, for example, to spy on unsuspecting individuals or, in many a recent conflict, taken them offline to squelch the communications of protesters.

On the flipside, social networking sites aren’t all pain. Of course, we all have experienced various departments using them to help market new product launches or stay in touch with customers.

But there’s more. During Superstorm Sandy, folks everywhere turned to social media to get in touch with loved ones. Companies of all sizes used sites to account for staff and keep some form of business continuity.

Social networking is part of our everyday interactions. It is a bane to some and a boon to others. An unavoidable truth is that the many vulnerabilities social networking introduces must be addressed. Cyber criminals obviously love social media sites given the variety of ideas for attacks they have spawned. Individual users of them must ponder their own relationships with social networking sites and the privacy and security issues that plague them. And, for the purposes of this last SC Spotlight of the year, business executives must figure out just how to marry business-related social media use with all the risks that they embody, and then decide if social networking is friend or foe.

Illena Armstrong is VP, editorial director of SC Magazine.


DataBank

Social Media Gauge

1 Social media accounts for only 16% of customer engagement today, but is expected to increase to 57% — the second-most used channel, behind only face-to-face interaction — within five years. (Source: Marketing Pilgrim)

Percentage of people who use social networks

Source: Browser Media, Socialnomics, MacWorld

Top ten most engaged countries for social networking (average hours per month per person). Israelis use social media nearly twice as much as Americans.

Israel 11.1
Argentina 10.7
Russia 10.4
Turkey 10.2
Chile 9.8
The Philippines 8.7
Colombia 8.5
Peru 8.3
Venezuela 7.9
Canada 7.7
United States 7.6

Source: Browser Media, Socialnomics, MacWorld

What do people want from brands on social media?

Deals and promotions 83%
Rewards programs 70%
Exclusive content 58%
Feedback on new products 55%

Source: AllTwitter

Social media stats and demographics

2 30% of the world’s population is now online, and social networking is the most popular and time-consuming online activity — with users spending more than one-fifth (22%) of their time engaging on social media channels. This means that more than 250 million tweets and 800 million Facebook status updates are now published every single day. (Source: MindJumpers)

3 Brazilians have the highest number of online friends of any country, averaging 481 friends per user, while the Japanese average only 29 friends. (Source: MindJumpers)

4 56% of Americans have a profile on at least one social networking site. And it’s not just millennials: 55% of those aged 45-54 have at least one social network profile. (Source: Convince & Convert)

5 Social networks and blogs in the United States reach 80% of active internet users and represent the majority of Americans’ time online. (Source: MediaPost)

6 60% of people who use three or more digital means of research for product purchases learned about a specific brand or retailer from a social networking site. 48% of these consumers responded to a retailer’s offer posted on Facebook or Twitter. (Source: MediaPost)

Every minute of the day:

100,000 tweets are sent

684,478 pieces of content are shared on Facebook

2 million search queries are conducted on Google

48 hours of video are uploaded to YouTube

3,600 photos are shared on Instagram

571 websites are created

$272,000 is spent by consumers online

Source: AllTwitter

Twitter by the numbers

Twitter has more than 500 million registered users, but just 140 million active users (compared to Facebook’s 950 million active users and likely more than two billion registered users)

The United States, with 141.8 million accounts, represents 27.4 percent of all Twitter users, finishing ahead of Brazil, Japan, and the U.K.

Kuwait sent almost 60 million tweets in March

15% of online adults use Twitter

28% of black online internet users use Twitter

14% of Hispanic internet users are active on Twitter

12% of white internet users are active on Twitter

The 18-29 demographic is most represented on Twitter, at 29% of the user base, ahead of those aged 30-49 (14%) and 50-64 (9%)

14% of online men use Twitter versus 15% of online women

40% of Twitter accounts have never sent a single tweet

18% of Twitter users tweet once or more a day (Source: AllTwitter)

Any social network 56%
Facebook 54%
LinkedIn 13%
Twitter 10%
Google+ 8%

Spam migration

Maybe Bill Gates was on to something when he predicted that the scourge of spam would be “solved” by 2006. According to security firm Symantec’s first-quarter threats report, published in April, unwanted email accounted for roughly 75 percent of all messages sent in 2011, sharply down from 89 percent in 2010. Experts attribute the decline to a number of developments, notably growing resistance by spammers to the high cost of sending large batches of unsolicited email, stronger filters and built-in browser protection mechanisms, and smarter consumers who are less likely than ever before to click on an email lure.

But don’t raise those Champagne glasses just yet. Spammers haven’t yet forfeited their trade – they’ve simply moved the operation to a more viable and cost-effective channel, namely social media. By their very nature, social media websites, such as Facebook, provide fraudsters with a platform that is fundamentally built on sharing things – with the hope they spread like wildfire.

Troy Hunt, a software architect, recently studied a common Facebook gift card spam that was propagating across news feeds, this one promising users a $400 free voucher at Woolworths, an Australian supermarket chain. Clicking on the link, which is shared by a trusted “friend” who already has fallen for the con, brings users to a site that feigns urgency (the free vouchers are almost gone!) and encourages victims to share the offer with their friends on Facebook.

Then, they are taken on a wild ride of redirects, finally landing on a survey page that offers the fake possibility of winning an Apple iPhone, iPad or iMac. The spammers get paid a small amount of cash for every person they can trick into completing one of the surveys. Many of these scams take a similar form, but sometimes the miscreants behind them are even more pernicious and may be looking to harvest personal information or serve malware.

Once victims catch on to the deception, they often take their angst to the Facebook or Twitter pages of the very companies whose names are being abused by the scammers, causing them reputational harm. “Their Facebook wall [is] littered with very unhappy customers,” Hunt says in a recent SC Magazine podcast. “It’s not a good look for them.”

What makes hoaxes like these so effective is unsuspecting users are likely to fall for them because a person they trust already has. “It’s endorsement, right?” Hunt says. “You’re seeing someone who you know, someone who you trust, and they’re recommending something. For the most part, email spam – even the very clever phishing scams that try to look as official as they can, brand themselves, use the company imagery — you can normally dissect those as a scam pretty quickly… So short of someone having their email account hacked and having large volumes of spam mail sent [from] their address book, it was really hard to give this level of endorsement and credibility, but now with social media, it’s just extremely easy to do that.”

He advises platforms like Facebook to implement better controls, like heuristics, to identify these threats. Hunt also encourages internet marketing companies to institute a code of conduct so certain affiliates aren’t permitted to do business through them. And finally, for users, if the bait seems too good to be true, it almost always is. – Dan Kaplan

Social sprawl

As brands continue to recognize the power of using social media to connect with customers and clients and improve their competitive advantage, the number of accounts they own is on a meteoric rise. Many of these accounts may not even be permitted, but are stood up by groups of employees who, for instance, are working on a specific project for the company.

According to a report this year from the Altimeter Group, the average enterprise operates 178 corporate-owned social media accounts across properties such as Facebook, Twitter and YouTube.

But herein lies a serious risk. Much like the astonishing proliferation of data with which most businesses are dealing, social media sprawl is challenging organizations to institute controls that allow them to manage this unprecedented growth. And in many instances, companies are failing.

Take KitchenAid, for example. During one of this year’s presidential debates, an employee, thinking he was using his personal account, delivered an offensive tweet: “Obama’s gma [grandma] even knew it was going 2 b [be] bad! She died 3 days b4 he became president.” KitchenAid rushed to apologize, according to reports, but the damage had already been done.

Incidents like this present legitimate reputational harm to a brand. The problem in combating them is that most companies lack visibility, and the ability to monitor content is a tedious task, especially when done manually, says Devin Redmond, co-founder of start-up Social iQ Networks, which helps organizations manage their social media infrastructure.

And, a lack of control over social media can render injury to a brand’s good name through many ways other than inappropriate tweets, including the exposure of proprietary information, or if an account is compromised by a hacker to spew malware or spam. Account sprawl also brings with it significant compliance exposure, considering some of the data that appears on a company’s social media channels may be regulated – or necessary for legal discovery reasons.

According to another study from Altimeter, only 60 percent of companies either coach their employees about social media policies, or do so only upon hiring. The report suggests that companies must implement more effective strategies, specifically assessing, prioritizing and evaluating social media risk.

A recent Forrester Research report supports these conclusions. The study contends that technical controls can be used to meet some of these risk management requirements – for example, an existing data leakage prevention tool may be able to be customized for use for social media.

“While this may not be a sustainable model, you may be surprised what you can accomplish through ‘archaic,’ but free methods, such as performing ad-hoc web searches at daily or weekly intervals to identify information leaks or breaches of policy,” the report says. “This approach certainly won’t catch everything, but it will at least provide a glimpse into the number and types of issues your organization faces. It might also help you justify budget for vendor tools.” – Dan Kaplan

Looking in the mirror

Some companies are including social media awareness training as part of their overall end-user security education programs. But one might be surprised to learn that Facebook workers are undergoing similar treatment.

According to a recent story on news website Mashable, each October, the social networking behemoth runs an event called “Hacktober” during which engineers bombard employees with bogus cyber attacks, like phishing scams, to ensure they won’t click on a rogue link or attachment, which could invite malware into the organization. The company purposely avoids traditional teaching methods, like PowerPoint presentations, to stay in line with Facebook’s hip culture.

And, it seems, the event has been a triumph, with a majority of users detecting the threats. Each time they do, they win a prize, like a shirt or bandana. Employees who fail to discern an attack are required to take additional training.

“We launched a worm to simulate some of the spam campaigns we see on Facebook and other sites, and this was our grand finale,” Ryan McGeehan, a director on the security team, told Mashable. “Within minutes, we were overwhelmed with reports from employees and it was a wild success.” – Dan Kaplan

News Update


75% of the Fortune 100 are on Facebook.

– Burson-Marsteller


Social media


When filmmakers put togeth-er The Social Network – a movie based on the story of

Facebook’s early years – their cho-sen subtitle was, “You don’t get to 500 million friends without making a few enemies.”

Today, in an ironic twist, as the number of Facebook users soars past the one billion mark, the social net-working site is collecting “enemies” in droves – attracted by its limitless cache of personal data and what many say are inadequate security provisions, especially for individual users. Indeed, according to many industry observers, hackers and others with malicious intent now see social media as the most fertile place to practice their wiles.

“From a malicious perspective, social media is the best thing that has ever happened,” says Caitlin Johanson, a former hacker and now customer support and training manager at Core Security, a Boston-based maker of predictive security intelligence solutions. “People have turned a blind eye to the implica-tions of social media in terms of privacy, and the sites have done little to encourage users to secure their accounts and information.” As a consequence, she says, it is a rela-tively simple matter for criminals to gather information that can be used for social engineering and other more sophisticated forms of attacks.

And it is now happening on an industrial scale. Johanson says

botnets can be programmed to scour social media sites for keyword com-binations that can “spit out profiles” of individuals primed for exploita-tion. Likewise, botnets can comb through metadata and “every single part of the internet” to find comple-mentary information to further assist in exploits.

In fact, there are hundreds of ongoing discussions and threads in hacker chat rooms and forums focused on this topic, says Rob Rachwald, director of security strategy for Imperva, a Redwood Shores, Calif.-based security firm that recently published a study on the social media threat. His com-pany’s study examined the chatter on a wide range of forums, one of

a vulnerable

worldHackers, for good reason, have turned their

attention to social media sites. But companies don’t need to wave the white flag, reports Alan Earls.

but there are many reasons why social media is important for business today,” he says. One potential, in his view, is more pervasive and sophisticated monitoring, which should be able to catch many of the harvesting and information-theft activities by the bad guys.

Security: An impossible dream?For businesses, protection from the misuse of social networking sites is very difficult at best, says Irvine. First, com-panies have little if any control over the content users place within their individ-ual account. Additionally, there are many state laws prohibiting employers from viewing or using information contained within these social networking accounts for any employment reasons (i.e., hir-ing, termination, performance reviews and more). In some situations – such as when there is a suspicion of corporate espionage – employers cannot even view information on social media sites without involvement of law enforcement.

Additionally, technologies that scan, monitor and alert on social network-ing use are “not fully baked.” Irvine says there are solutions that can do keyword searches and services, which will scan individual social platforms for fees. However, he says he has not come across a completely automated solu-tion that can scan, monitor and alert 24x7x365 across multiple platforms to detect positive or negative comments, inappropriate use and malicious activity or intent.

Large companies may use multiple platforms, services and internal web content filtering to monitor employ-ees’ social network access while using corporate devices, or while they are on corporate premises. On the other hand, small to midsize businesses, for the most part, are limited to either allowing access – and hoping for the best – or blocking usage, says Irvine. Addition-ally, they may have a “social network appropriate usage” policy and some level of training, but the lack of author-ity or ability to control content placed

on social environments limits their abilities to protect themselves.

Possible, maybeEven with all the challenges posed by social media, this is no time to roll over and play dead. Andrew Walls, a research vice president at the Grass Valley, Calif. office of research firm Gartner, says offshoring and tech-nology have enable attackers to find success targeting social media sites. For example, he says, hackers have developed ways to “forward” CAPT-CHA challenges – typically a request to rekey the images of a distorted word or character combination – to porn sites where visitors are required to repeat-edly “solve” them in order to maintain access. It is a tidy and economical, if

bizarre, means of bypassing an impor-tant element in site protection.

Fortunately, Walls says, more sophis-ticated security products are coming to market for platform providers, as well as for individuals who focus on areas such as credit monitoring and reputation man-agement. Collectively these might help hold the line against hackers.

Irvine, too, says there are steps companies can take to become more secure. For instance, he says, data leak-age prevention and information rights management (DLP/IRM) solutions can help to provide improved protection for proprietary and confidential data. Spe-cific functions of DLP/IRM applica-tions that could help minimize security risks of social networking applications include limiting the ability of data to be copied, modified, transferred to another location, emailed or printed.

Additionally, web content and proto-

col filtering solutions can be configured to monitor, filter, block and report on specific sites and content. Finally, he says, traditional anti-virus and mali-cious application detection solutions can offer protection from users being infected by malicious attachments, applications, plug-ins and URLs.

Webber says corporations also need to build a “solid listening platform” so they can understand what people are saying about a company – from a brand man-agement perspective, as well as regarding whether an attack is in progress. “The fact of the matter is that your competi-tors are probably being attacked, too, so what you learn by monitoring them also can help you,” he says.

Along with specific tools and tech-niques, Webber says companies should

also “triangulate,” using risk manage-ment tools to identify and focus on areas of greatest vulnerability.

However, Johanson adds that “there is still no patch for stupidity.” Orga-nizations should continue to educate users, though that still may not be good enough to protect against the most sophisticated of threats. That’s where tools come in to play – backing up processes and helping to predict where problems will occur, so to identify them before they become full-blown crises.

Finally, Angel Grant, principal prod-uct manager at RSA Security, says com-panies need to revisit access controls and make sure they are appropriately aligned with social media threats. “Believe it or not, many companies forget about taking away access to a company social media site when an employee leaves a company, and that can be a gaping security gap,” she says. n

SC SPOTLIGHT • www.scmagazine.com • 13

which has a quarter-million members, as well as on sites targeting more narrow geographic or language groups. But the conclusion, he says, is inescapable: Social media – particularly Facebook, with its huge user base – has reached critical mass, and hackers aim to exploit its latent power.

Variations on a theme

Rachwald says he has seen two different “hack” focuses. On the consumer side, some intruders work to manipulate Facebook rankings as a means of attracting even more “friends,” and then spread malware to them by, for example, encouraging visitors to click on a link or a photo. To further this kind of activity, other cyber criminals offer “bulk” Facebook accounts – some “real” and others bogus. The other focus is on services that provide tools that can help individuals (particularly hackers) break into specific accounts.

Rachwald says there are numerous variations on this theme, including “e-whoring,” which involves stealing suggestive images from social media sites and then recycling them in various kinds of pornographic schemes that can generate money.

Many of the same risks apply within corporations that allow employees to use social media, he says. “After Bin Laden was killed, there were hacker schemes to post and distribute fake photos of him through social media sites,” Rachwald says. “But the photos were actually vehicles for malware and could compromise corporate computers.”

Social networks are also a powerful tool for identifying corporate information and, especially, job functions and structures in companies, which can then power other exploits – financial crimes and thefts of intellectual property, for example. And, again, botnets and analytic tools are making the process ever easier for criminals, Rachwald says.

Others see a growing problem, too. “Just as there is a lot of hacking activity directed toward financial and retail websites, there is a growing level of criminally motivated communications being directed at social networking sites,” says Jerry Irvine, CIO of Prescient Solutions, a Chicago-based IT consultancy that focuses on data privacy and security issues. In fact, according to Irvine, hacking of even the largest of financial institutions, retail sites or other company websites cannot provide the amount of user data that social sites represent singly or in combination. Additionally, he says, while corporate entities have entire departments dedicated toward designing, maintaining and monitoring the security of their systems, social media networks are “managed” by their individual users who, for the most part, pay little attention to the security of their information. As a result, it is easier and more rewarding for miscreants to attack these platforms.

And, the problem is getting worse. Initially, says Irvine, malicious activity was more limited to individual accounts. Today, however, there are toolkits available for hacking, phishing and smishing (a form of phishing using text messages) designed specifically to help malicious individuals obtain large numbers of user IDs and passwords. “The goal for the most part is obtaining information in bulk, parsing it to determine authentication parameters for other websites and applications – financial institutions, credit cards and more – and then even complete identity theft,” he says.

Bait and switch

The simplest of the many scenarios used to leverage social media sites is having an application that will send phishing emails or smishing texts to unsuspecting users claiming to be an authorized person or department of the social networking company, and then requesting the user provide their login information. “Some of these tools may even use cross-site scripting to capture authentication parameters prior to forwarding the user into their actual site so that the link appears more legitimate,” says Irvine.

More elaborate solutions use ill-gotten IDs and passwords to breach an account and send “friends” malicious applications, plug-ins and URLs to grab more personally identifiable information (PII) off of the friends’ PCs, laptops and mobile devices, he says.

While none of the malicious activities employed against social sites are entirely new, the important difference compared to previous hacks, Irvine says, is twofold: They are happening much more often and they affect a greater number of users per incident. In fact, says Irvine, “If you are a member of a social networking site, you have most likely been attacked and may not even know it.”
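The link-level checks that follow are an added example, not code from the article or from Prescient Solutions. They take a message claiming to come from a social network and report links whose host is not one of that network's own domains, links that embed the network's name in a foreign host so the address looks right at a glance, and links carrying a redirect parameter back to the real site, which is how such a page can forward the victim on after the login has been captured. The brand-to-domain table, the sample messages and the heuristics are constructed for illustration.

```python
"""Link checks for the bait-and-switch phishing described in the section.

Added example, not code from the article. A message that claims to come
from a social network is scanned for links; a link is reported when its host
is not one of that network's domains, when the network's name is embedded
in a foreign host, and when a query parameter points back to the real site.
The brand table, the messages and the heuristics are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed: the domains each network really uses (hypothetical, incomplete).
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "fb.com"},
    "linkedin": {"linkedin.com"},
}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def registrable_domain(host):
    """Last two labels of a hostname; a real filter would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def claimed_brand(text):
    """Return the network the message claims to come from, or None."""
    lower = text.lower()
    for brand in BRAND_DOMAINS:
        if brand in lower:
            return brand
    return None


def analyse_url(url, brand):
    """Return the findings for one link in a message that claims `brand`."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    legit = BRAND_DOMAINS[brand]
    if registrable_domain(host) in legit:
        return findings  # the link really goes to the network's own domain
    findings.append(f"link host {host} is not a {brand} domain")
    # e.g. facebook.com.account-verify.example: brand name used as a subdomain
    if brand in host or any(d in host for d in legit):
        findings.append(f"brand name embedded in foreign host {host}")
    # a redirect parameter pointing at the real site, used once credentials are captured
    for values in parse_qs(parts.query).values():
        for value in values:
            target = urlsplit(value).hostname
            if target and registrable_domain(target) in legit:
                findings.append(f"forwards victim to real site {target} afterwards")
    return findings


def analyse_message(text):
    """Map each suspicious link in the message to its findings ({} if clean)."""
    brand = claimed_brand(text)
    if brand is None:
        return {}
    result = {}
    for url in URL_RE.findall(text):
        findings = analyse_url(url, brand)
        if findings:
            result[url] = findings
    return result


# Constructed sample messages (not real phishing text).
PHISH_EMAIL = ("Facebook Security Team: unusual login detected. Confirm your password at "
               "https://facebook.com.account-verify.example/login?next=https://www.facebook.com/home")
PHISH_SMS = "LinkedIn: your profile will be suspended. Verify now http://lnkd-verify.example/v"
LEGIT_EMAIL = "Facebook: you have 3 new notifications https://www.facebook.com/notifications"

if __name__ == "__main__":
    for msg in (PHISH_EMAIL, PHISH_SMS, LEGIT_EMAIL):
        print(analyse_message(msg) or "no suspicious links")
```

The first constructed message trips all three checks; the smishing text trips only the host check, because its domain borrows nothing from the brand; the legitimate notification produces no findings. Note that the brand match in claimed_brand is deliberately loose: a message that merely mentions a network is treated as claiming it, which errs on the side of flagging.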

Alan Webber, a principal analyst and managing partner with Altimeter Group, a research firm based in San Mateo, Calif., says social media is evolving into the number one threat to corporations. And, he says, even though it can be an exercise in frustration when some employees don’t comply with corporate policies, user education about vulnerabilities and risks is just as important as having traditional IT security measures in place. “A lot of 20-somethings think this is all no big deal, but they are starting to learn otherwise,” he says.

However, Rachwald sees hope in technology. “Companies could simply try to block employees from using social media,

Social media



64% of Facebook users have clicked on a Facebook ad.

Recently, a man entered a Target store in Minneapolis with a coupon that had been sent to his teenage daughter for cribs and baby clothes. He was offended the promotion had landed in his family’s mailbox. Owing to its savvy statistical methods in gathering data on its consumers, Target knew something about this man’s daughter that even he did not yet know: She was pregnant.

Shop at Target, online or in-store, and customers will discover the retail chain’s uncanny ability to present custom promotions designed to appeal to personal buying habits. In today’s competitive online environment, the ability of online enterprises to capture information about consumers – from their preferred coffee brand to their curiosity about oil painting or a newfound interest in cribs and strollers – has brought the issue of consumer privacy to the forefront. The question is: How concerned are consumers that much of their private information is fair game?

This new paradigm of consumer intelligence gathering may have been a factor in prompting the Obama administration in February to unveil a “Consumer Privacy Bill of Rights” to serve as a foundation or “comprehensive blueprint to improve consumers’ privacy protections and ensure that the internet remains an engine for innovation and economic growth.”

But, while privacy controls are a topic about which many consumers have expressed some concern, few know much about how they work. Researchers at the University of California, Berkeley School of Law, presenting at the Amsterdam Privacy Conference in October, released findings indicating that of 1,203 adult internet users surveyed, a mere 13 percent of respondents had some knowledge of privacy controls, while a whopping 87 percent hadn’t even heard of them. But, when asked about their utility, respondents were in favor of disallowing online enterprises from collecting information about them. One of the researchers’ questions asked: “If a ‘do not track’ option were available to you when browsing the internet, which of the following things would you most want it to do?” Sixty percent of respondents replied “prevent websites from collecting information about you.”

“We’ve already seen major sites, like Facebook and Twitter, come under fire for their lack of security features,” says Mark Orlando, director of cyber operations for Lake Mary, Fla.-based Foreground Security. “However, we need to remember that user data is what enables these companies to monetize their services through advertising, marketing and the like, so there is little incentive for companies to add privacy controls unless users demand it or stop using the service.”

Of course these sites continue to grow in popularity, so it seems for now users are content to trade in security and privacy for the features and functionality they’re getting by using the services, he says. “Until that changes, or until the business model changes, we shouldn’t expect to see many improvements in the privacy restrictions and controls offered by these sites.”

Twitter has improved its privacy controls. So has Mozilla Firefox, which offers a ‘do not track’ (DNT) feature.

Bob Bunge, associate professor at the College of Engineering and Information Sciences of DeVry University in Seattle, says that as DNT becomes widely adopted, the real winners will be incumbent tech companies – like Microsoft, Facebook, Google, Amazon and eBay – which have huge opt-in customer databases.

“The real technical drivers of ‘do not track’ are the competing web browser companies,” he says. “Microsoft, in particular, has announced that Do Not Track will be the default setting in [Internet Explorer] 10.” This has set off a firestorm of criticism from the advertising industry and online retailers. However, Bunge says companies that rely on understanding their customers’ browsing habits in order to generate revenue will find other ways to do so, such as through data mining.

On the other hand, Facebook is on record as supporting DNT, Bunge says, adding that such Big Data repositories allow companies to track customers through data mining, so a locked-down browser will not affect them as much.

PRIVACY & LINKEDIN: “Old people issue”?

LinkedIn is all about professional networking. For those who maintain a profile, the information one shares with others may be sensitive, but the site does have privacy control options in its settings to select and edit data depending on the degree of sensitivity. Reid Hoffman, the billionaire founder of LinkedIn, called privacy an “old people issue.”

Hanzi Durzy, a spokesperson for the company, helped explain LinkedIn’s philosophy on privacy.

SC: Can you give us an overview of LinkedIn’s privacy policy and how it came to be? Has it changed much over the last year or two?
Hanzi Durzy: LinkedIn’s privacy policy is designed to reflect the evolving ways in which our members are using the platform and exchanging their insights and data. The principle that guides all of our decisions, including ones regarding privacy and data protection, is to put our members first. As the world’s largest professional network, LinkedIn takes the privacy of our members’ data seriously. We believe that more than 187 million professionals who have joined LinkedIn want to be seen and heard by people that they may not know personally. We also believe that those professionals should be able to easily manage the information they share and how they share it. So, our privacy and data protection product philosophy is based on three ideas: clarity, consistency and control.

SC: What is LinkedIn’s philosophy with regard to ‘do not track’ privacy controls?
HD: We understand the desire to provide people with choice about how their internet browsing history is used. LinkedIn is also very aware of the need to provide its members with innovative products. Achieving the right balance in this equation is crucial, and in doing so, we will strive to stay true to our focus on our members and maintain consistency, clarity and providing easy-to-use controls to our members to manage their experience on LinkedIn.

SC: Is LinkedIn a believer in such a policy and have plans to implement tighter tracking controls in the future? Why or why not?
HD: We have no immediate plans to implement DNT, given the fact that there still is no consensus on what the DNT signal should exactly mean.

Do not track

Privacy in play?
There’s a battle brewing about privacy controls that can have significant consequences for online commerce, reports Jim Romeo.

Stephen Cobb, security evangelist for ESET, a global security vendor with U.S. headquarters in San Diego, says there seems to be much praise for these developments in privacy circles, but they are something of a yawn in consumer circles. This is not surprising to him because, he says, the average internet user is not really aware of how much tracking goes on.

“If you take Mozilla’s numbers, less than nine percent of desktop users of Firefox have adopted DNT, and less than 20 percent of Firefox mobile users,” says Cobb. “Those numbers may change as more people understand the data-gathering process going on behind tracking. However, if you turn off tracking, you will start to lose some of the features and functionality offered by other big social media players – notably Facebook, Google, LinkedIn and Instagram – for whom tracking is part of the business model.”

He says he sees Facebook continuing to evolve its privacy control mechanisms and interface, although it is still a long way from easy to use. “Again, if user-behavior tracking is part of your business model, that makes it hard to deliver simple user controls that don’t break that business model,” he says.

Meanwhile, Michael Sprague, co-founder of Scrambls, an open source technology that provides controls for online posts in social media applications, says DNT privacy controls have been well received. He also points out how many people are still unaware of how much information social media companies collect about them and the ways in which this data can be used.

“The case of Target figuring out that a girl was pregnant before her father did is an excellent example,” he says. “Facebook, LinkedIn and others should make it simple for users to understand and use privacy settings. At Scrambls, we advocate that users should be able to design their own privacy settings and use them across the web.”

In any case, social networks make frequent changes to their privacy controls, Sprague adds. “Often, these changes are driven by business requirements, rather than addressing the needs of the consumer. For example, a privacy change will allow a new type of advertisement to be displayed, targeting users based on their personal information. It is rare to see a company taking an active stance to increase the privacy of its users.”

Further, Sprague says Twitter has taken an impressive leadership position in attempting to defend the privacy of its users. He points to a recent case in September where tweets sent by an Occupy Wall Street protester were ordered unsealed. Twitter did not want to reveal the tweets, but a Manhattan Criminal Court judge ruled that they were to be turned over as evidence. “The implications of that decision are deeply troubling for anyone sharing personal content on social networks,” says Sprague.

And, he also expresses concern about how the bring-your-own-device trend is affecting personal privacy. “It has already become common practice to bring your personal devices to work: smartphones, tablets, notebooks and more,” says Sprague. “Now what we’re doing is bringing our different identities into the work environment, with different levels of access associated with them.”

The interesting question to consider, he says, is when and why one will have access to online information in the future. “It will be absolutely essential to have the ability to develop access policies based on context, and to have the ability to make dynamic changes to these policies,” he says.

The prognosis, say many privacy experts, is that privacy policies with regard to online posting and access will likely become more critical, where a new watchword will govern: caution.

“Businesses should remind users that everyone is a potential target,” says Foreground Security’s Orlando. “You don’t have to be a high-ranking executive or have access to sensitive corporate information. Sometimes it’s strictly a numbers game for the bad guys, where they want to accumulate as much data as possible regardless of who their targets happen to be.”

The lesson: Don’t give them anything with which to work, Orlando says. A good rule of thumb is to remain as vague and boring as possible when posting to these sites, and don’t post anything one wouldn’t be comfortable posting on a sign on one’s front lawn, he says. “Don’t vent about difficult projects or difficult people at work. Don’t advertise dates and destinations for trips you’re taking. Always assume that there are no privacy protections for what you’re sharing, even if you think it’s only going to your small network of friends.”

ESET’s Cobb says the biggest challenge is to build a business model that enables transparency to your intentions toward user data. For example, he sees Twitter as figuring out how to build revenue streams without tracking because of the demographic it attracts – and part of the allure for customers is the service’s position on tracking.

Looking forward three to five years, he believes the public may reach the privacy cliff – where people have to choose between free content supported by an advertising system that requires acceptance of tracking, or paid content that is delivered without any tracking.

“This stark, binary choice is more likely, in my opinion, than the evolution of widely embraced granular privacy controls,” says Cobb.



90% of companies with 100 or more employees use social media in their marketing mix. – eMarketer


Social media proved useful in communications during Hurricane Sandy, but enterprise data may also have been vulnerable as a result, reports Stephen Lawton.

When Hurricane Sandy blew into coastal New York and New Jersey, it also churned up information security contingency plans that had never been so challenged by an act of nature. With the loss of data centers and cell phone towers, and interruptions of the local and regional communications infrastructure, companies still needed ways to keep in contact with employees, customers and vendors. As a result, social media sites became hubs of connection and correspondence.

Outside of those who lost internet and cellular connections, social media sites saw increased activity. According to Twitter, more than 20 million tweets were sent at the height of the storm. Twitter based its number on tracking the terms “sandy,” “hurricane,” “#sandy,” and “#hurricane.” As well, Facebook uses a metric called Talk Meter, which measures topic mentions on a scale of one to 10. On the day the storm hit, just a week before the presidential election, Facebook said it reached a level of 7.12, compared with “Obama” (3.86) and “Romney” (3.5).

While these mentions were overwhelmingly news about the storm and how affected individuals were coping, businesses also made use of social media. But the emergency should not be cause to skirt security issues that are always present with enterprise use of social media.

“Using Twitter, Facebook and other social media sites is fine as long as workers use common sense,” says Blair Pleasant, president and principal analyst at COMMfusion, a Santa Rosa, Calif.-based technology consultancy that focuses on unified communications. “My motto about using social media is, ‘Don’t be stupid.’ Understand that this is a public forum and don’t release any confidential information.” Some companies have developed social media guidelines and tools so that workers understand what is and isn’t OK to say in these public forums, she says.

Disaster recovery

Because of the inherently insecure nature of sites like Twitter or Facebook, social media should be used during disasters to relay information about safety, provide status updates – “We’re OK, but have no electricity” – or provide information about where to get supplies, Pleasant says. “You can let customers know that you lost power or communications, and maybe give them alternative ways to contact you, but don’t conduct real business over public social media sites.”

Rather than focusing on consumer-oriented social media sites, which offer minimal security options, Pleasant instead recommends that IT organizations use enterprise-grade social media services and products – such as IBM Connections, Cisco’s WebEx Social, Yammer and Jive. “These let workers get the benefits of social software, but in a secure, private environment,” she says.

The primary reason to go this route, she says, is because social engineering continues to be a challenge for many companies. From a corporate and business perspective, workers might give away proprietary information, including “soft” intelligence, such as identities of employees or locations of premises, which could assist social engineering attacks against the company. “In an economy where information is the lifeblood of an organization, preserving the confidentiality, integrity and availability of information is vital,” she says. “Virus and malware protection is still important, but data loss prevention is fast becoming an indispensable component of an organization’s technology protection.”

In order to overcome these potential vulnerabilities, she recommends a combination of approaches, including technology, policies, guidelines, controls, enforcement and education.

Authentic communication

Pleasant’s concerns are echoed by Nicholas Percoco, senior vice president of security vendor Trustwave’s SpiderLabs, a research team that performs penetration testing, develops security tools and issues public advisories about vulnerabilities it finds in various products and technologies. He says that when non-traditional forms of communications are employed during events like Sandy, such as distributing information over social media networks, two major security issues come to the fore. First, he says, recipients of the messages need to know that the messages are authentic. Second, recipients must know where to go to obtain valid information from the company.

It is easy to create a Twitter or Facebook account that looks official, but can dupe readers, Percoco says. For example, a potential attacker could create an account that has a company name and the word “alert” after it. Employees might not realize that this is a fake account and that posted information could be misleading, causing those who follow it to take actions that could create security risks.

Companies need to create written policies and explain them to employees, customers or anyone else who might need to see a message from the company, Percoco says. Too, a company’s policies need to outline where authenticated information can be found and who is authorized to distribute that information.

Alan Webber, principal analyst specializing in digital risk management for the San Mateo, Calif.-based Altimeter Group, posted a blog just days before the storm, advising companies to institute a social media policy. While the timing was coincidental, Webber says in an interview that Sandy underscored his belief that companies need to include social media planning as part of an overall disaster plan. While social media can open some new vulnerabilities, it is not unlike email or other traditional forms of communications and, therefore, the risk that social media creates can be mitigated. Companies need to use social media as a communications tool that includes acceptable-use


VULNERABILITIES: Exposure

Blair Pleasant, president and principal analyst at technology consultancy COMMfusion, cites several security vulnerabilities related to social media. These include:

• Information leakage – loss of confidential information;
• Network and data security – viruses, spyware, malware spread through accessing links, applets;
• Compliance – storing and sharing data and content as required by law or regulations;
• Exposure to legal liabilities and financial penalties – data contained on social media accounts may be regulated or necessary for discovery;
• Client or patient identity and privacy – potential violations of various privacy laws;
• Damage to business value – company brand and reputation;
• Data exfiltration – stopping corporate data from leaving the company’s network is the primary challenge.

Winds of change


also require building that functionality into their environment and applications, which could prove quite expensive.”

Be prepared

At Montefiore Medical Center in the Bronx, roughly 100 miles north of where Sandy hit the shore in New Jersey, CIO Jack Wolf said he was prepared for the storm. The hospital conducts annual tests of its disaster recovery plan, and three times a year evaluates additional backup systems. While the facility does not currently have a disaster recovery plan that specifically identifies social media, it was able to use Facebook, Twitter and Yammer extensively on an ad-hoc basis during Sandy.

Wolf says an important directive he sent to employees was to make sure they did not disclose protected health information (PHI) of patients over non-secure communications (PHI is covered under the Health Insurance Portability and Accountability Act, or HIPAA).

While some employees communicated via texting, Twitter and Facebook to coordinate transportation to and from the hospital, “direct patient care was limited to voice communications,” he says. Because of the danger of a third party intercepting a message or installing malware on systems, he discouraged the use of internet cafés and Wi-Fi hot spots for connecting to hospital databases, viewing patient data or accessing other information.

A Yammer account was set up and used extensively for communicating with employees, he says. This proved to be a viable hub for communications because it was easy for the employees to use. While Montefiore did not lose power, other facilities in the area did. As a result, it was able to assist other hospitals in the region, Wolf says.

One of the key lessons learned from Sandy was the need for the medical center to incorporate social media into its emergency response policies and procedures, Wolf says. While the use of social media worked well during the


policies and proper training, just as they would with phones or laptops.

“A good social media policy won’t erase all of the risk of having a social media presence,” he says, “but it will outline what is considered acceptable, and if and when things go wrong, a process for addressing the issue.”

Brian Honan, CEO of BH Consulting, agrees. “Companies should decide beforehand on how they plan to use social media in the event of an emergency,” says Honan, who is also CEO of the Irish Reporting and Information Security Service, Ireland’s first CERT (Computer Emergency Response Team). These protocols, he adds, should be built into the company’s social media strategy.

“In the event of a disaster, companies need to be aware that a number of stakeholders may be looking for updates on what is happening,” he says. “People – such as staff, family members of staff, customers, suppliers, partners and the media – may be looking to see how the company has been affected.” As such, the company should look to post relevant news, but ensure that news does not unduly alarm those looking for information, he says.

Companies should also be aware that due to the public nature of social media, they should not post too many details about the effects the disaster has had on their premises, particularly their physical security, as criminals may be looking for such information.

Another challenge companies face when using social media is ensuring that stakeholders are getting authentic information, as criminals will exploit disasters to launch phishing and social engineering scams. Employees need to be trained and aware of the social networks and the type of messages the company will be sending over these networks, Honan says.

“In a time of crisis, staff will be looking for information on what they should do – for example, whether or not they should turn up for work,” he says. “This could be an opportunity for criminals to use the disaster as a means to attack the company by using phishing messages within social media platforms.” In addition, a number of fraudsters have been known to set up fake accounts in the names of companies and post false information that could damage the reputation of the company or even influence stock market prices.

Additionally, Honan says that these bogus accounts could be used to send messages to staff that contain links to websites infected with malware that would enlist their computers and/or smartphones to either steal financial data, intellectual property or gain a foothold within the company’s network to exploit at a later time. “Employees also need to verify that accounts claiming to represent their employer are actually real,” he says.
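The following Python is an added example, not code from the article or from Trustwave, Altimeter Group or BH Consulting. It serves Percoco’s point above about a fake “company name plus alert” account and Honan’s point about verifying that an account claiming to represent the employer is real. It assumes the company publishes its official handles somewhere employees can look them up (for instance on its own website) and mirrors that list in a small registry; a handle is trusted only if it is in the registry, and handles that merely look official (the company name with a suffix such as “alert”, or a spelling within two edits of a registered handle) are flagged for review. The company name, registry and sample feed are constructed.

```python
"""Official-account registry and lookalike-handle check.

Added example, not code from the article or any company it names. Before a
status message is acted on, the handle is checked against the registry of
published accounts; handles that only imitate the company are flagged.
The company name, registry and messages are constructed.
"""
import re

COMPANY = "acmecorp"  # hypothetical company
# Assumed: the company publishes these handles on its own web site and the
# registry below is kept in sync with that page.
OFFICIAL = {
    "twitter": {"acmecorp", "acmecorp_status"},
    "facebook": {"acmecorp"},
}
# Words an impersonator appends to the company name to look like a feed.
SUFFIX_WORDS = {"alert", "alerts", "status", "news", "updates", "help", "support", "official"}


def edit_distance(a, b):
    """Levenshtein distance, iterative two-row version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(handle):
    return handle.lstrip("@").lower()


def classify(network, handle):
    """'official' if the handle is registered for that network,
    'lookalike' if it imitates the company, otherwise 'unrelated'."""
    h = normalize(handle)
    official = {normalize(x) for x in OFFICIAL.get(network, set())}
    if h in official:
        return "official"
    bare = re.sub(r"[_.\-]", "", h)  # acmecorp_alert -> acmecorpalert
    if bare.startswith(COMPANY) and bare[len(COMPANY):] in SUFFIX_WORDS:
        return "lookalike"
    if any(edit_distance(h, o) <= 2 for o in official):  # acmec0rp, acmecorps
        return "lookalike"
    if COMPANY in h:
        return "lookalike"
    return "unrelated"


def triage(messages):
    """messages: (network, handle, text) tuples. Only messages from registered
    handles are marked trusted; everything else is surfaced for review."""
    out = []
    for network, handle, text in messages:
        verdict = classify(network, handle)
        out.append({"handle": handle, "verdict": verdict,
                    "trusted": verdict == "official", "text": text})
    return out


# Constructed sample feed during an outage (not real accounts or messages).
SAMPLES = [
    ("twitter", "@AcmeCorp_status", "HQ has no power; staff should work from home today."),
    ("twitter", "@AcmeCorpAlert", "URGENT: all staff report to the office and sign in at http://acme-hr.example"),
    ("twitter", "@acmec0rp", "Payroll delayed; confirm your bank details at http://acme-payroll.example"),
    ("facebook", "@WeatherWatchNY", "Sandy update: bridges closed."),
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        flag = "TRUSTED" if row["trusted"] else "REVIEW "
        print(flag, row["verdict"], row["handle"], row["text"])
```

Only the registered @AcmeCorp_status message is trusted; the “alert” account and the zero-for-o variant are flagged as lookalikes, and an unrelated account is neither trusted nor flagged. The registry is per network on purpose: an official Twitter handle does not automatically vouch for the same name on Facebook.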

The data center

During Sandy, flooding throughout the greater New York area caused widespread power outages, including to data centers, SpiderLabs’ Percoco says. When power at the data centers failed, backup power generators would have been used to keep systems up long enough for IT departments to shut them down safely. However, when all power was lost to the data centers, not only did the servers go dark, but so did the physical security barriers guarding the facility, such as cameras, cardkey locks and other electronics.

In such cases, he says, a company could be breached by attackers who could enter the data center and pull hard disks directly out of servers. In cases where the attacker would not want the victim to know they were compromised, they could simply clone hard disks and then return them to their original servers.

While such attacks on physical assets are possible, they are less likely today than they were in the past, says Altimeter Group’s Webber. It is more likely today that attackers will use social engineering techniques to introduce malware onto corporate systems than to burglarize a data center.

Ideally, Percoco says, companies in potential disaster zones will have a failover disaster recovery facility that can take the load in case the primary data center is damaged or destroyed. But, if the failover facility is cloud-based, companies still need to have plans in place for servers that are not cloud-based. These need to handle confidential company data, such as trade secrets or client lists, which data security policies state must be on secure servers.

Comparing the scope of Sandy to another devastating event of recent times, Hurricane Katrina, Pleasant says, “New York City has more data centers than New Orleans, not to mention it’s the center of the financial world, so obviously there was more damage to the business world.”

Honan agrees, adding that companies should look at the risks and assess them based on their business requirements. For example, an e-commerce site would have more dependency on its data center than a company that is only hosting a “brochure ware” website, he says. Once the company identifies the risks, it should look at ways to address them, including having backups and an alternate data center. Companies also need to consider having “real-time synchronization of data and automatic fail-over to another data center,” Honan adds. “This would

Disaster recovery


Alan Webber, principal analyst for the Altimeter Group, says there are three reasons to have a social media policy:

Establish an acceptable pattern of behavior. Social media policies should first establish what acceptable patterns of behavior (or PoBs) are for employees, and even customers on social media. These acceptable PoBs can be as broad as saying ‘Do no harm’ to being highly restrictive around content, platforms, who gets to participate and how social communications are cleared. Some of the companies best at this include cases that give employees and others some context around the acceptable PoBs.

Protect the company and the employees. Secondly, social media policies should defend both the company and employee. By outlining what is acceptable, the company can then identify who and what the company will and won’t allow, and if an employee should step past that line or outside that pattern, the company is somewhat protected legally. At the same time, the policy should protect employees. That way, if they are following the policy and something goes wrong, they are covered. But check that with legal counsel.

Provide an enforcement framework. If and when something goes wrong, the policy should provide a process to address the issue. For example, if someone continues to post inappropriate content on the corporate Facebook page, then there is a level-handed process in place to address the issue.

SOCIAL MEDIA: Policy

23% of Fortune 500 companies maintain an active blog. – V3 Integrated Marketing

340m tweets per day are sent. – Digital Buzz Blog

Sandy crisis, every IT disaster recovery component needs to be documented and tested, and the employees trained in their proper use. Sandy tested the IT department’s ability to use social media during a disaster, but Wolf says it is better to have a vetted policy in place. He also says he will look into new methods for remote clinicians to access hospital records when traditional virtual private networks (VPNs) are not available.

Wolf was pleasantly surprised at how quickly the employees and IT staff were able to set up a social media command center and use it successfully. Unanticipated challenges, such as the loss of power across such a wide swath of New York, meant that employees who were not at the hospital had to improvise in charging their cell phones and other internet-connected devices. The loss of cell towers also complicated network access.

Overall, social media got relatively high marks during Hurricane Sandy. However, data security breaches are insidious, and it is still far too early to tell if the storm led to any significant compromises. But even if information-loss incidents are discovered over time, it may be too difficult to determine if they were related directly to the storm or to the use of social media.

As the digital world continues to evolve, social networking will remain an essential component. Services like Xbox LIVE, Facebook and Twitter attract millions of members and weave seamlessly into everyday life – from our smartphones to web search.

As we share this information, we generate massive amounts of data. In fact, 90 percent of the data available in the world today was created in the last two years. Considering the amount of information we share and store online, some might ask: Does privacy still matter?

Privacy remains tremendously relevant, especially in the social media-infused, data-rich world in which we live. Consumers expect strong protections, as they are increasingly aware of the digital “trails” they leave behind online. The Pew Research Center recently found that more than half of Americans who use mobile apps have uninstalled or avoided certain apps due to concerns about the way personal information is shared or collected. Interestingly, young people cared about this just as much as older people.

The fact that the next generation of consumers is growing up on social networks and constantly interacting with their mobile computing devices is redefining privacy. They want to share more information, but still want to maintain control over how much they share, who they share it with and how it is used. They don’t want their data to be later used or shared in ways they did not expect or that do not provide value to them. People want to share information, but they want the organizations that hold their information to use it responsibly and to protect it.

That said, privacy on social networks is a two-way street: Users are expected to responsibly manage their own information. Every single piece of data that exists online about a user can impact how that individual is perceived by family and friends, an employer, a mortgage lender – anyone. Unfortunately, many of us are unaware of the cumulative “portrait” created by the aggregate of this online data.

A Microsoft survey found that while 91 percent of people at some point have done something to manage their overall online profile, only 67 percent feel in control of their online reputation, while fewer still – 44 percent of adults – actively think about the long-term consequences of their online activities.

There are many simple ways you can better protect your online reputation. For instance, on social networking sites, personal blogs and other places where you maintain personal data, use privacy settings to help manage who can see your profile or photos, how people can search for you, who can comment and how to block unwanted access. According to our research, 49 percent of adults do not use privacy settings on social networking sites.

Think about what you post (particularly personal photos and videos), with whom you share information, and how this content reflects on your reputation. Let others know what you do and do not want shared, and ask them to remove anything you don’t want disclosed. Our research showed that only 38 percent of adults and 39 percent of children (ages 8 to 17) actively think about the long-term impact their online activities might have on someone else’s reputation.

There will need to be more focus on the use of information in the future to help ensure better privacy protection for everyone. It’s essential to maintain an open dialogue about this subject to keep privacy headed in the right direction while we reap the benefits that technology advances and increased data sharing will provide.

Brendon Lynch is the chief privacy officer at Microsoft.

Last Word: Finding privacy on a data-centric web

“The next generation of consumers... don’t want their data to be used or shared in ways they did not expect.”

Online data about a user can impact how that person is perceived, says Microsoft’s Brendon Lynch.


Don’t be anti-social. Follow us. Our websites, scmagazine.com and scmarketscope.com, combined receive more than 1,000,000 monthly impressions and 80,000 monthly unique visitors. Readers have come to expect timely news, in-depth feature stories, virtual events and industry opinions, and we fully enlist social media to bring our award-winning editorial content to as extensive an audience as possible. Through blog posts, tweets and specialized newsletters, we keep you connected to the pulse of the security industry.

Visit us today at www.scmagazine.com or at

Sponsor

The EdgeWave portfolio of web, email and data protection technologies delivers comprehensive protection with unrivalled ease of deployment and the lowest TCO on the market. The company’s award-winning product lines include iPrism Web Security, Social Media Security and the ePrism Email Security Suite.