Pro-active Enterprise Security: Social Networking Security Risks
New York City, HBO Auditorium, 1100 Avenue of the Americas, April 7th 2011
Prepared by Mathieu Gorge, CEO, VigiTrust



Page 2

2 / 24 ©2003-2011 VigiTrust

Agenda

VigiTrust & The Five Pillars of Security™

From media to Social Media

Social Networking Definitions & History

Privacy in an interconnected world

Social Networking Risks & Attack Types

Do’s & Don’ts of Social Networking

Managing Digital Identities on Social Networks

Social Network Security Tips

Recommended reading

Q&A


Page 3


VigiTrust & The Five Pillars of Security™


Page 4


VigiTrust product suite (diagram)

– CSMS: Compliance & Security Management Suite
– SAMS: Security Accreditation Management System
– MCP: Merchant Compliance Portal
– eSEC: Security eLearning Modules

Market segments labelled on the diagram: Enterprise, Aggregators, Mid-Size

5 Pillars of Security Framework™: Physical Security, People Security, Data Security, IT Security, Crisis Management

Page 5


The Elephant in the room

Epsilon breach
– Outsourced marketing organization
– Online marketing: had access to millions of customer e-mail addresses
– Affected companies include Target, Walgreens, Marriott, Hilton, etc.

How to react to such a breach?
– Data breach notification laws will kick in
– State Attorneys General are likely to take action
– MA 201 CMR 17 (the Massachusetts data security regulation) may get its first real enforcement test
– Communicating with customers and warning them not to fall for the phishing e-mails that follow such a breach is all affected organizations can do to protect their customers: it is about raising awareness levels

Page 6


Social Media Considerations: from traditional Media to Social Media

Traditional Media                  Social Media
Press release (hard copy)          Internet-based release
News piece                         Blog post
Newspaper interview                Podcast / web video
Media briefings                    Webcast
Customer briefing                  Webinar
Customer reference                 Community advocate
Customer service (call center)     Customer service chat / forums
Customer seminar                   Virtual show
Etc.                               Etc.

Page 7


Social Networking Definitions & Brief History

"Internet-based network of trusted friends and colleagues"
– Aimed at building relationships
– Aimed at facilitating interaction between individuals and between businesses
– Allows users to share opinions and ideas
– Aimed at allowing parties to make information about themselves publicly available
– Key sites: Facebook, Twitter, MySpace, LinkedIn

Typical features
– Allow you to build and publish your profile
– Communication platforms (forums, chat rooms, e-mail, IM)
– Sharing documents (pictures, videos, music, files)

Brief history
– Bulletin boards and opt-in mailing lists were the precursors, widespread by the mid-to-late 1990s
– Blogs became very popular, as did IM, in the early 2000s
– All based on like-minded people exchanging information with multiple parties
– Creation of online profile(s) available in the public domain for everyone to see

Page 8


Social Networking – A few figures

Facebook
– More than 500 million active users
– 50% of active users log on to Facebook on any given day
– Average user has 130 friends
– People spend over 700 billion minutes per month on Facebook

Facebook activity
– There are over 900 million objects that people interact with (pages, groups, events and community pages)
– Average user is connected to 80 community pages, groups and events
– Average user creates 90 pieces of content each month
– More than 30 billion pieces of content (web links, news stories, blog posts, notes, photo albums, etc.) shared each month

Sophos survey of SMBs – 2010
– 57% of users report being spammed via SN
– 36% report having had malware because of SN usage
– 72% of CEOs report that they see SN as a danger for their organization
  • 60% tag Facebook as the main issue, followed by MySpace, Twitter and LinkedIn

Panda Social Media Risk Index – 2010
– 33% of companies were victims of malware & virus attacks through SN
– Facebook is the biggest vector of attacks (72%), followed by YouTube (41.2%)
– 23% of companies reported "misplacing" confidential data on SN sites

Page 9


Privacy Considerations for Digital Citizens & Entities

Notion of digital citizens & entities
– Citizens
– Entities
– Digital footprint

Privacy laws
– Personally Identifiable Information (PII) as defined in state and federal laws (US)
– Data Protection Directive (EU)
– Lisbon Treaty (EU)
– Others…

Privacy means different things to different people
– Typically it stops where data about yourself is no longer under your control
– Everyone has a different notion of privacy
  • For personal data
  • For work-related data
– Generation gap
  • Younger generations tend not to value privacy as highly as their parents do
  • Baseline Magazine: Managing Generation Gaps in the Workplace

Page 10


Social Networking Risks

Threats to digital citizens
– Stalking & bullying
– Digital dossier aggregation
– Secondary data collection
– Technical threats to users' IT & mobile equipment
  • Malware
  • Viruses
  • Spam
  • Tagging
  • Cross-profile images
  • Linkability
  • …

Threats to digital entities
– Damage to reputation
– Branding issues
– Corporate espionage
– Competitive aspects
– And of course technical threats

Page 11


What data are they after?

Data on direct & indirect targets – individuals
– About you
– About your parents
– About your friends, for secondary data collection

Data pertaining to digital entities
– Customer names
– Names of executives
– Names of the IT team
– Competitive information
– Financial information

Examples
– Israeli soldier revealing the plan of attack for the next day's battle on his Facebook page
– Employee revealing on Facebook that the M&A is not going through
– Journalist posting condolences on Twitter before the family was informed of the death of loved ones

Page 12


What else can go wrong?

Attacks on SN sites themselves
– Front page of French newspaper Le Monde's Facebook page defaced on April 5th 2011
– Attack on Twitter & Google Apps
  • Twitter management accounts were hacked

Focus on heads of state & celebrities
– A hacker took over French President Nicolas Sarkozy's Facebook account and issued a fake message that he would not run for re-election in 2012 (Jan 25th 2011)

Fake notifications
– Phishing messages styled as a notification, trying to get you to "log on" to your SN account through a link that leads to a fake login page rather than the real site

Fake accounts
– Many fake accounts out there; Facebook has a team dedicated to finding them and disabling them
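Fake notifications work because the link text looks like the real site while the link target is not. As an added example (not from the deck or from VigiTrust), the following Python script triages notification links against the registrable domain of the network the message claims to come from, catching the three common tricks: the brand placed in a subdomain of an attacker's domain, digit-for-letter lookalikes, and the brand placed in the user-info part before an "@". The domain table, the homoglyph map and the sample links are all constructed for illustration.

```python
"""Triage 'you have a new notification' links by where they really lead.
Added example for the fake-notification slide; the domain table, the
homoglyph map and the sample links below are constructed for illustration."""
from urllib.parse import urlsplit

# Registrable domains of the networks the deck mentions (assumption: a real
# deployment would load this from configuration and use a public-suffix list).
KNOWN_SN_DOMAINS = {
    "facebook": "facebook.com",
    "twitter": "twitter.com",
    "linkedin": "linkedin.com",
    "myspace": "myspace.com",
}

# Digit-for-letter substitutions commonly used to build lookalike hostnames.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(hostname: str) -> str:
    """'www.facebook.com' -> 'facebook.com'.  Good enough for the .com sites
    in the table; ccTLDs such as .co.uk need a public-suffix list."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str, claimed_network: str) -> str:
    """Return 'genuine', 'lookalike' or 'unrelated' for a link in a message
    that claims to be a notification from `claimed_network`."""
    expected = KNOWN_SN_DOMAINS[claimed_network]
    brand = expected.split(".")[0]
    parts = urlsplit(url)
    host = parts.hostname or ""

    if registrable_domain(host) == expected:
        return "genuine"
    # https://facebook.com@203.0.113.5/ : the brand sits in the user-info part;
    # the browser connects to whatever follows the '@'.
    if parts.username and brand in parts.username.lower():
        return "lookalike"
    # Punycode labels (xn--...) mean a Unicode lookalike; none of the genuine
    # domains in the table use them.
    if host.startswith("xn--") or ".xn--" in host:
        return "lookalike"
    # Brand name outside the registrable domain, with digits and hyphens
    # normalised: facebook.com.login-verify.example, faceb00k-security.example
    normalised = host.translate(HOMOGLYPHS).replace("-", "")
    if brand in normalised:
        return "lookalike"
    return "unrelated"


# Constructed sample messages: (claimed network, link target).
SAMPLE_LINKS = [
    ("facebook", "https://www.facebook.com/n/?id=123"),
    ("facebook", "http://facebook.com.login-verify.example/index.php"),
    ("facebook", "http://faceb00k-security.example/login"),
    ("facebook", "https://facebook.com@203.0.113.5/login"),
    ("twitter", "http://xn--twtter-3ua.com/reset"),
    ("linkedin", "https://example.org/unsubscribe"),
]


def triage(samples=SAMPLE_LINKS):
    """Classify every sample link; returns a list of (url, verdict)."""
    return [(url, classify_link(url, network)) for network, url in samples]


if __name__ == "__main__":
    for url, verdict in triage():
        print(f"{verdict:10} {url}")
```

The check deliberately looks at the parsed hostname, never at the link text or the sender address, since both of those are under the attacker's control; a production version would replace the two-label registrable_domain() with a public-suffix list lookup.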

Page 13


What makes attacks possible?

Important aspect: gathering information requires planning
– Successful attacks are always well planned; it is not bad luck or a lottery

Assumptions
– Attacker has chosen a target (individuals, government or business)
– Attacker has a motive (financial or political)
– Attacker has an objective (gain or steal information, or infiltrate the SN)
– Attacker has technical skills
  • Maybe, maybe not…

Intelligence gathered by the attacker(s) was made "readily" available by the victims
– Pet names, mother's maiden name (typical password-reset security questions)
– Address, phone numbers
– Current location, future location

Password management
– Using the same password for all sites
– Using the same password for business and personal sites
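The two enablers on this slide, profile facts given away publicly and passwords reused across sites, can be checked mechanically before an attacker does it. The following Python audit is an added example (not the deck's or VigiTrust's tooling): it builds a small cracker-style wordlist from a constructed public profile, flags passwords that fall in it, and reports passwords shared between business and personal sites. The profile, the password inventory and the handful of mangling rules are assumptions for illustration; real password crackers apply far more rules than these.

```python
"""Audit a user's passwords for the two enablers on this slide: passwords
derivable from facts published on a profile, and one password reused across
business and personal sites.  Added example; the profile, the password list
and the handful of mangling rules are constructed for illustration."""
from collections import defaultdict
import itertools

# Constructed digital footprint: what a profile page and a few posts give away.
PUBLIC_PROFILE = {
    "pet": "Rex",
    "maiden_name": "Murphy",
    "birth_year": "1975",
    "town": "Dublin",
}

# Constructed password inventory: (site, category, password).
PASSWORDS = [
    ("bank.example", "business", "Rex1975!"),
    ("webmail.example", "personal", "correct horse battery"),
    ("crm.example", "business", "Tr0ub4dor&3"),
    ("forum.example", "personal", "Tr0ub4dor&3"),
    ("photos.example", "personal", "murphy"),
]

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ("", "1", "123", "!")


def profile_wordlist(profile: dict) -> set:
    """Candidates a social engineer would try first: each profile value in a
    few casings and leet form, with common suffixes and the birth year, plus
    pairs of values.  A small subset of a real cracker's mangling rules."""
    base = [value.lower() for value in profile.values()]
    year = profile.get("birth_year", "")
    words = set()
    for word in base:
        for form in (word, word.capitalize(), word.upper(), word.translate(LEET)):
            for suffix in SUFFIXES + (year, year + "!"):
                words.add(form + suffix)
    for first, second in itertools.permutations(base, 2):
        words.add(first + second)
        words.add(first.capitalize() + second.capitalize())
    return words


def derivable_passwords(passwords, profile) -> list:
    """Sites whose password is exactly one of the profile-derived candidates."""
    candidates = profile_wordlist(profile)
    return sorted(site for site, _, password in passwords if password in candidates)


def reused_passwords(passwords) -> dict:
    """Passwords used on more than one site, with the (site, category) pairs
    that share them."""
    by_password = defaultdict(list)
    for site, category, password in passwords:
        by_password[password].append((site, category))
    return {pw: uses for pw, uses in by_password.items() if len(uses) > 1}


def crosses_boundary(uses) -> bool:
    """True when a shared password bridges business and personal sites, so a
    breach of a hobby forum opens a business system."""
    return len({category for _, category in uses}) > 1


if __name__ == "__main__":
    for site in derivable_passwords(PASSWORDS, PUBLIC_PROFILE):
        print(f"{site}: password is guessable from the public profile")
    for password, uses in reused_passwords(PASSWORDS).items():
        sites = ", ".join(site for site, _ in uses)
        severity = "business/personal boundary crossed" if crosses_boundary(uses) else "reused"
        print(f"{sites}: {severity}")
```

On the constructed data the bank password "Rex1975!" and the photo-site password "murphy" both fall straight out of the profile wordlist, and "Tr0ub4dor&3" is shared by a business CRM and a personal forum, which is exactly the business/personal reuse the slide warns about: the forum's breach becomes the CRM's breach.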

Page 14


LinkedIn – Should I stay or should I go?

LinkedIn benefits
– Free version allows you to build your LinkedIn presence
– Build personal & company presence
– Advertise your events
– Join groups of like-minded people
– Be introduced: the notion of being trusted because you are a friend of a friend
– Search facility is excellent

BUT caution should be exercised because
– You are only a few degrees away from anyone
– LinkedIn updates go to all your connections
  • Do you really want your whole network to have the same access to your information?
  • Are you regarding all your contacts as "equal"?
– LinkedIn should not be your main CRM
  • It is easy to build a dependency on LinkedIn
– It is hard to suspend connections with anyone in your network
– Some applications running on LinkedIn advertise too much about you

Page 15


Don'ts of SN security

Don't ban SN sites altogether – it's about managing risk
– You will only shift the technical risk to personal devices
– The risk is shifted, but the DATA is still equally at risk

Whatever you do on SN, do not:
– Advertise your whole life on the SN sites, especially:
  • Your SSN, your home address
– Tell the whole truth and nothing but the truth: the more info you publish, the more vulnerable you are
  • This increases your overall digital footprint
– Advertise your whereabouts
  • Current location, travel plans, whether for business or personal life
– Post political or religious views without considering the impact they may have
  • Anything you say is potentially going to be used against you
– With respect to business SN, you should not:
  • Post negative comments about your boss, colleagues or their friends; remember you are all connected
  • Fuel social engineering attacks
    – Will your post enable malicious third parties to get insider knowledge about your organization?

Page 16


Compliance Considerations

Data privacy & protection
– Breach notifications
– eDiscovery
– Non-compliance with records management regulations
  • Remember that SN sites are cloud based, so where is your data located?
– Center for Digital Democracy looking into social networking rules
– Do we need new government rules targeting social networking sites?
  • The Federal Trade Commission is contemplating such rules, with an announcement expected late this year, and related legislation is being drafted in the House of Representatives
  • A code of conduct is required

What about the police & the army?
– Should officers and soldiers be allowed to use SN when at work?
– Should they be allowed to discuss work-related issues on SN?
– Social media governance must be applied to police and armed forces

Page 17


Managing your Digital Presence (individual users)

You can't take anything back
– Ever tried to close a Facebook account?
– Remember that your friends may still have your info saved or cached on their machine(s)
– Anything you say may potentially be used against you

Strike the right balance between being visible to the right audience and maintaining your own acceptable privacy levels
– Who do you want to be visible to?
– Who do you not want to be visible to?
– What constitutes an acceptable level of privacy for you?

Regularly review your digital presence
– Is it still accurate and/or relevant?
– Is the old digital you still the real you?

Page 18


Managing your Digital Presence (Businesses)

You can't take anything back either
– In legal cases, the other party's legal team will scan your SN presence and use it against you

Understand that SN is typically owned by Sales & Marketing
– No capex, easy to get started
– Security & compliance considerations are typically retrofitted, not built in by design at deployment

Must have a mix of
– Policies & procedures
– User awareness – TRAINING IS KEY
– Security solutions at network and device levels

SN must be treated as a business tool and be subject to a formal risk assessment
– Weigh the benefits against the risks associated with SN
– Devise a risk mitigation strategy
– Because content is mostly managed by individual users, you must ensure that the SN strategy covers:
  • Business use at work
  • Business use at home or on devices owned by the employee
  • Personal use at work
  • Personal use at home or on devices owned by the employee
– Must include a crisis management plan – an incident response plan

Page 19


Window into the future of SN security

SN is going mobile
– Smartphones allow you to use SN on the move
– LinkedIn

Watch how the next generation evolves – SN impacts their behavior
– Tend to have a lack of face-to-face communication skills
– Overreliance on the internet and instant communication – no patience
– Value corporate data on a par with their own data, and therefore do not protect it appropriately

Parents and teachers will eventually get more involved
– Social responsibility to educate children very early as regards the dangers of SN
– Schools and universities must play a role in educating tomorrow's workforce

Government should and will get more involved
– US-CERT Cyber Security Tip ST06-003, Staying Safe on Social Networking Sites

Consumer power is greatly increased by SN – this will continue
– Feedback via SN is disseminated really fast
– Reputations can be destroyed in minutes

Online reputation management tools will take off
– ReputationDefender

Pages 20 to 22: no extractable text on these slides

Page 23


Final Thoughts

http://www.linkedin.com/in/mgorge


Page 24

For more information on compliance and how VigiTrust can help: www.vigitrust.com

VigiTrust – New York: 99 Madison Ave, New York, NY 10016
VigiTrust – Dublin: Cunningham House, 130 Francis St, Dublin 8

Mathieu Gorge
[email protected] – +353 (0) 1 453 9143
[email protected] – 212 750 5100
www.vigitrust.com