1. Social Media & Security Essentials
January 31, 2011
Troy DuMoulin
AVP Strategic Solutions
Pink Elephant
Pink Elephant – Leading The Way In IT Management Best Practices
2. Welcome & Agenda
Agenda
The Impact & Growth of
Social Media
The key risks of Web 2.0
and Social Media
Recent Example Case
Studies for Facebook
and Twitter
Social Media as an IT
Service
Establishing Social
Media Policies
Looking at 2011
Next Steps
Objective:
Practical guidance about how to effectively
manage social networking security risks
© Pink Elephant, 2011. All Rights Reserved.
Social Media & Security Essentials ITIL® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries. 2
3. The Flood Of Social Media NOW
Adoption has surged to staggering heights. While Facebook has over 500 million users (July 2010), MySpace has nearly 70 million in the U.S. (June 2010) and LinkedIn has around 75 million worldwide (August 2010). As for Twitter, 105,779,710 registered users (April 2010) account for approximately 750 tweets each second.
The Facebook platform houses over 550,000 active applications and is integrated with more than one million websites.
A Burson-Marsteller study showed that, “of the Fortune Global 100 companies, 65% have active Twitter accounts, 54% have Facebook fan pages, 50% have YouTube video channels and 33% have corporate blogs”.
Securing the Social Network – Websense Whitepaper
4. Managing vs. Blocking Social Media
It is not possible to ban the use of Social Media any more than it was possible to ban the internet (both have been tried).
5. Websense Research Highlights 2010
Based on a sample size of 200,000 Facebook and Twitter Entries
• Websense Security Labs
identified a 111.4% increase
in the number of malicious
websites from 2009 to 2010
• 79.9% of websites with
malicious code were
legitimate sites that have
been compromised, an increase of 3% from the previous period
• Searching for breaking
trends and current news
represented a higher risk
(22.4%) than searching for
objectionable content
(21.8%)
• 52% of data stealing attacks
occurred over the Web
Every hour Websense scans more than 40 million websites for
malicious code and nearly 10 million emails for unwanted content and malicious
code. Using more than 50 million real-time data collecting systems, it monitors and
classifies Web, email, and data content. www.websense.com
2010 Threat Report – Websense
6. Websense Research Highlights 2010
Based on a sample size of 200,000 Facebook and Twitter Entries
40% of all Facebook status updates have links, and 10% of those links are either spam or malicious.
2010 Threat Report – Websense
7. CISCO Annual Security Report
Consider social media. Its impact on computer security cannot be overstated. It is common for workers to blend business and personal communications on these social networks, further blurring the network perimeter.
The high levels of trust that users place in social networks – that is,
users’ willingness to respond to information appearing within these
networks – has provided ample opportunity for new and more
effective scams. Instead of searching out technical vulnerabilities to
exploit, criminals merely need a good lure to hook new victims
No longer does business take place solely behind network walls. The
critical work of an organization is happening increasingly on social
networks, on handheld devices, on Internet kiosks at airports, and at
local cafes
Social Media “Were The Problem” Social media users believe there is
protection in being part of a community of people they know.
Criminals are happy to prove this notion wrong
8. Social Media Risks – 1
Threats & Vulnerabilities / Risks

Lack of control
• Automated protection can only block or enable websites and domains (on or off)
• Classic anti-virus software is ineffective against social engineering or phishing attacks
• Engaging in Social Media does not require IT involvement or approvals
• Lack of a business policy, or lack of enforcement of the policy

Exposure growing on legitimate websites
• Malicious code “is not just coming from the dark corners of the web. Some 79 percent is coming from legitimate sites”

Data loss is often based on exploiting implicit trust (trust conditioning)
• Social networking sites are all about trusted communities, collaboration and data sharing
• Most malware, scams and phishing attacks are successful because they prey upon trusted relationships
9. Social Media Risks – 2
Threats & Vulnerabilities / Risks

Customer or employee exposure
• Loss or exposure of customer information leading to liability or loss of trust
• Reputational damage
• Targeted marketing to your customers
• Targeted head hunting of your employees

Unclear or lost content rights for information posted to social media sites
• Enterprise’s loss of control/legal rights over information posted to the social media sites
• Privacy violations

Mis-directed surfing on legitimate sites
• Shortened URL spoofing
• Identity theft
• Search Engine Optimization (SEO) poisoning
• Cross site scripting attacks
• Trojan & botnet proliferation
10. Early Adoption – Risk & Reward
Look for prior
Success Interested in
cost & cost
control
Embrace New
Technology
Luddites
Social
Media
Innovators Early Early Late Laggards
2.5 % Adopters Majority Majority 16 %
13.5 % 34 % 34 %
Companies are driven by growth. Growth often comes from innovation. Many companies get a leg up on the competition by being willing to take a managed risk.
11. Recent Social Media Attacks
CASE STUDY EXAMPLES
12. URL Shortening – Boon & Risk
Warning! | There might be a problem with the requested link 10-12-28 7:10 PM
STOP - there might be a problem with the requested link
The link you requested has been identified by bit.ly as being potentially problematic. We have detected a link that
has been shortened more than once, and that may be a problem because:
Some URL-shorteners re-use their links, so bit.ly can't guarantee the validity of this link.
Some URL-shorteners allow their links to be edited, so bit.ly can't tell where this link will lead you.
Spam and malware is very often propagated by exploiting these loopholes, neither of which bit.ly allows for.
The link you requested may contain inappropriate content, or even spam or malicious code that could be
downloaded to your computer without your consent, or may be a forgery or imitation of another website,
designed to trick users into sharing personal or financial information.
Bit.ly suggests that you
Change the original link, and re-shorten with bit.ly
Close your browser window
Notify the sender of the URL
Or, continue at your own risk to
http://su.pr/4SzLwj
You can learn more about harmful content at www.StopBadware.org
You can find out more about phishing from www.antiphishing.org
For more information about our policy please contact support%2Bspam@bit.ly
Read more about bit.ly's spam and antiphishing partners here
Publish with bit.ly and protect your links
Security vendor McAfee Inc. is warning of a rising security risk in 2011
in the 3,000 shortened URLs generated per minute for use on social
media sites such as Twitter.
13. Short URL Checkers
Short URL Checker - RESULTS 10-12-28 7:12 PM
Short URL Checker Results
URL as entered: http://su.pr/4SzLwj
http://www.good.is/post/12-year-old-girl-runs-make-shift-school-for-village-children/
Enter Another URL or read more information about this link:
Safe Browsing Information About This Site
Safe Browsing information for this link (source: Google.com)
WHOIS
Whois Information (source: Domaintools.com)
Blog Search
Blogs (source: Google Blog Search)
Social Media Analysis
Social Internet Search (source: SocialMention)
Brought to you by:
http://pcistools.com/tinyurlchecker.php
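The two slides above (the bit.ly warning for a link that has been shortened more than once, and the checker that expands http://su.pr/4SzLwj to its real destination) describe what a short-URL checker does. Below is an added Python example, not code from the deck, from bit.ly or from pcistools.com, that performs the same checks a defender would want: it follows Location headers one hop at a time with HEAD requests (so the destination page is never downloaded), stops on loops or excessive hops, and flags a link that passes through more than one shortener. The shortener host list and the redirect table are constructed so the example runs offline; the http_fetch_location helper is the assumed real-network variant.

```python
"""Follow a short URL's redirect chain without fetching the destination page
and flag what a short-URL checker looks for. Added example; the shortener set
and redirect table below are constructed, not taken from any real service."""
import http.client
from urllib.parse import urlsplit, urljoin

# Assumed set of well-known shortener hosts (illustrative, not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "su.pr", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Constructed table standing in for HTTP 30x responses so the example runs
# offline: key = requested URL, value = its Location header. A URL that is not
# a key is treated as a final (non-redirecting) destination.
REDIRECTS = {
    "http://bit.ly/example1": "http://su.pr/example1",          # shortened twice
    "http://su.pr/example1": "http://www.good.is/post/example-article/",
    "http://bit.ly/direct": "https://example.com/page",         # shortened once
    "http://bit.ly/loop-a": "http://tinyurl.com/loop-b",        # never resolves
    "http://tinyurl.com/loop-b": "http://bit.ly/loop-a",
}


def table_fetch_location(url):
    """Offline stand-in for a HEAD request: the Location header the constructed
    table gives for url, or None when url is not a redirect."""
    return REDIRECTS.get(url)


def http_fetch_location(url, timeout=5):
    """Real-network variant (assumed helper, not exercised by the offline data):
    send a HEAD request and return the redirect target without following it
    or downloading a body. Use as resolve_chain(url, http_fetch_location)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        location = resp.getheader("Location")
        if 300 <= resp.status < 400 and location:
            return urljoin(url, location)  # Location may be relative
        return None
    finally:
        conn.close()


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def resolve_chain(url, fetch_location=table_fetch_location, max_hops=10):
    """Walk redirects from url. Returns (chain, status) where status is
    'resolved', 'loop' or 'too_many_hops' and chain lists every URL visited."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain, "resolved"
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"


def assess(url, fetch_location=table_fetch_location):
    """Return the final destination (None if the chain never settles) and the
    findings a checker would surface: an unresolved chain, and a link that
    passed through more than one shortener (the case bit.ly warns about)."""
    chain, status = resolve_chain(url, fetch_location)
    shortener_hops = [u for u in chain if host_of(u) in SHORTENER_HOSTS]
    findings = []
    if status != "resolved":
        findings.append(status)
    if len(shortener_hops) > 1:
        findings.append("shortened_more_than_once")
    return {
        "chain": chain,
        "final": chain[-1] if status == "resolved" else None,
        "findings": findings,
    }


if __name__ == "__main__":
    for u in ("http://bit.ly/direct", "http://bit.ly/example1", "http://bit.ly/loop-a"):
        result = assess(u)
        print(u, "->", result["final"], result["findings"])
```

A real deployment would hand the final destination to the reputation sources the checker slide lists (Safe Browsing, WHOIS); this example stops at producing the chain and the findings, which is the part a link filter can automate cheaply.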
14. Facebook Email Scam
15. Awkward (haha) Video Facebook Scam
Annotations on the screenshot: exposed URLs (not always hidden); click-jacking; rapid spread of malware; spam.
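The slide lists click-jacking, where a page is loaded invisibly inside another site’s frame so that a user’s clicks land on it, among the scam’s techniques. The check a site owner can make against being used that way is whether their own responses forbid framing. The Python below is an added example, not from the deck, that classifies a response’s framing protection from its X-Frame-Options and Content-Security-Policy frame-ancestors headers; the header sets in the __main__ block are constructed.

```python
"""Classify a site's anti-framing (click-jacking) protection from its HTTP
response headers. Added example; the sample headers at the bottom are
constructed, not captured from any real site."""


def _frame_ancestors(csp_value):
    """Return the source list of a CSP frame-ancestors directive, or None
    when the policy has no such directive."""
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers):
    """headers: dict of response header name -> value (names are matched
    case-insensitively; one value per header). Returns 'deny', 'same-origin',
    'allow-listed', 'malformed-csp' or 'unprotected'. A CSP frame-ancestors
    directive, when present, takes precedence over X-Frame-Options, which is
    how browsers apply the two."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if not ancestors:
            return "malformed-csp"      # directive with no sources: review it
        if ancestors == ["'none'"]:
            return "deny"
        if ancestors == ["'self'"]:
            return "same-origin"
        return "allow-listed"           # specific origins may frame the page
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by current browsers, so it gives no
    # protection; any other or missing value leaves the page framable.
    return "unprotected"


if __name__ == "__main__":
    # Constructed header sets illustrating each outcome.
    samples = {
        "no headers": {},
        "legacy header only": {"X-Frame-Options": "SAMEORIGIN"},
        "obsolete allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
        "csp overrides xfo": {
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Frame-Options": "SAMEORIGIN",
        },
        "partner allow-list": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    }
    for name, hdrs in samples.items():
        print(f"{name:20s} -> {framing_policy(hdrs)}")
```

Run this over the headers of the pages that host login forms or one-click actions; anything that comes back 'unprotected' or 'allow-listed' is worth a second look before it is linked from a social media campaign.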
16. Instant Messenger Attacks
www.securelist.com/en/blog
17. Password
Facebook Toolbar Phishing
There are two “free toolbars” circulating around the web that pretend to enable users to cheat at Zynga games on Facebook, but actually attempt to steal Facebook login credentials. The false toolbars were spotted by Sunbelt researchers and should be avoided at all cost. See below for more details.
The images below were provided courtesy of Help Net Security and detail the method of operation of the deceitful toolbars.
At first glance, the toolbars look legitimate and appear at the top of your browser, along with a legitimate Facebook logo. The buttons have features that allow for cheating on “Zynga Games” along with other links as well.
The problem is, when users click on the “Facebook” logo in the top left corner of the bar (the layout sometimes changes), they are taken to a false Facebook page that asks you to login but actually steals your credentials instead!
www.securelist.com/en/blog
18. Facebook Survey Scams
Nakedsecurity.sophos.com/category/social-networks
19. Malware Infection Example
Nakedsecurity.sophos.com/category/social-networks
20. Leveraging Twitter Trends
www.securelist.com/en/blog
21. Fake Adobe Attack From Twitter
www.securelist.com/en/blog
22. Using Frameworks To Manage Social Media Strategy
SERVICE LIFECYCLE &
RISK MANAGEMENT
23. Service Management & Social Media?
In this world there are four kinds of people:
Those who make things happen
Those who watch things happen
Those who have things happen to them
Those who wonder what happened
"In its simplest terms, there is anarchy in the absence of social media policy and
training," says John Pironti, ISACA board member and president of IP Architects, LLC.
24. IT Service Lifecycle & Social Media
Lifecycle stages (outer ring): Manage; Plan / Build; Deliver / Operate

Manage Business Requirement
• Business Engagement
• Social Media Strategy
• Business Risk Assessment

Plan
• Estimate business and technical resources
• Define Governance & Monitoring
• Establish Social Media Measures
• Establish Risk Mitigation plan
• Establish financial budgets and funding

Source / Build
• Insource / Outsource
• Choose Social Media platforms
• Communication strategy
• Training strategy

Provision
• Build / Publish Services
• Define change approval process
• Service Testing
• Transition to production

Operate
• Content Development
• Content Management
• Incident Management
• Security Management
• Change Management

Manage
• Service Analysis
• Customer Value Realization Assessment
• Continual Service Improvement

Report
• Summary, drill down, analysis
• KPIs

Cost / Recovery
• Track Planned vs Actual cost
• Accounts Payable
25. Service Management Integration
SERVICE STRATEGY
• Service Strategy
• Financial Management
• Service Portfolio Management
• Demand Management

SERVICE DESIGN
• Service Catalog Management
• Service Level Management
• Capacity Management
• Availability Management
• IT Service Continuity Management
• Information Security Management
• Supplier Management

SERVICE TRANSITION
• Transition Planning & Support
• Change Management
• Service Asset & Configuration Management
• Release & Deployment Management
• Service Validation & Testing
• Evaluation
• Knowledge Management

SERVICE OPERATION
• Event Management
• Incident Management
• Request Fulfillment
• Problem Management
• Access Management
Functions
• Service Desk
• Technical Management
• IT Operations Management
• Application Management

CONTINUAL SERVICE IMPROVEMENT
• Seven Step Improvement
• Service Measurement
• Service Reporting

Figure 1.2 Service Strategy 1.2.3. © Crown copyright 2007. Reproduced under license from OGC.
26. A Risk Management Effort Includes:
Identifying risks related to social media use
Assessing these risks to ascertain the probability of these
risks occurring and the potential impact to the business if
they do occur
Planning a mitigation strategy to deal with the higher
impact, higher priority risks
Managing & Monitoring the risks through
communication and the implementation
of risk mitigation and avoidance
strategies
27. Establishing A Social Media Strategy
When creating a social media strategy, some questions to
consider are:
What are the strategic benefits/goals for leveraging Social Media?
Are all appropriate stakeholders involved in social media strategy
development?
What platforms will be used when, by whom and for what objectives?
What are the risks and how will they be mitigated?
What policies need to be established?
What are the new legal issues associated with the use of social media?
How will customer privacy issues be addressed?
How can positive brand recognition be ensured?
How will awareness training be communicated to employees and
customers?
How will inquiries and concerns from customers be handled?
Does the enterprise have the resources to support such an initiative?
Source: ISACA Social Media Business Benefits & Security, Governance and Assurance Perspectives
28. Establishing Policies
EXAMPLE SOCIAL MEDIA
POLICIES
29. Social Media Policy Categories
Personal use in the workplace:
Whether it is allowed
The nondisclosure/posting of business-related content
The discussion of workplace-related topics
Inappropriate sites, content or conversations
Personal use outside the workplace:
The nondisclosure/posting of business-related content
Standard disclaimers if identifying the employer
The dangers of posting too much personal information
Business use:
Whether it is allowed
The process to gain approval for use
The scope of topics or information permitted to flow through this
channel
Disallowed activities (installation of applications, playing games, etc.)
The escalation process for customer issues
Source: ISACA Social Media Business Benefits & Security, Governance and Assurance Perspectives
30. Example General Guidelines
Be respectful to the company, other employees, customers,
partners, and competitors
Social media activities should not interfere with other work
commitments or impact productivity
Your online presence reflects the company. Be aware that
your actions captured via images, posts, or comments can
reflect that of our company
Do not reference or cite company clients, partners, or customers without their express consent. In all cases, do not publish any information regarding a client during the engagement
Company logos and trademarks may not be used without
written consent
31. Policy Statement Examples
Personal blogs should have clear disclaimers that the views expressed by the author in the blog are the author’s alone and do not represent the views of the company
Information published on social networking sites should
comply with the company’s confidentiality and disclosure
of proprietary data policies. This also applies to
comments posted on other blogs, forums, and social
networking sites
Watching videos or reading blogs are invaluable sources
of inspiration and information. Please refrain from
reading personal or non-industry blogs during company
time
Please refrain from personal online shopping during
company time
32. Resources & Policies Examples
Harvard Law Blogging Policy
http://blogs.law.harvard.edu/terms-of-use/
Oracle Social Media Participation Policy
http://www.sun.com/communities/guidelines.jsp
IBM Social Computing Guidelines
http://www.ibm.com/blogs/zz/en/guidelines.html
30 Tips to Manage Employees Online
http://ariwriter.com/30-tips-to-manage-employees-online/
Baker and Daniels Law
http://www.bakerdstreamingvid.com/publications/
Baker_Daniels_Social-Media-Policy.pdf
33. Looking Forward – Discussion
McAfee Labs (December 28) predicts the emerging threats in 2011:
Exploiting Social Media: URL-shortening services
Exploiting Social Media: Geolocation services
Mobile: Usage is rising in the workplace, and so will
attacks
Apple: No longer flying under the radar
Applications: Privacy leaks—from your TV
Hacktivism: Following the WikiLeaks path
Advanced Persistent Threat: Cyberespionage
Your Thoughts ???
www.mcafee.com
34. Next Steps When You Go Back
Within 30 days:
Conduct an assessment of corporate and personal Social
Media use
Within 60 days:
Conduct risk assessment for Social Media
Establish policies that address social media use, covering both business and personal use
Conduct policy training for all users
Within 90 days:
Define service strategy for Social Media
Service Design (functional and non functional requirements)
Define Transition plans
Define operational processes and resources
Define Management and CSI activities and measures
35. References
Securing Social Network – Websense
Social Media: Business Benefits and Security – ISACA
CISCO Annual Report on Security 2009
Social Networking & Security – Infosec.co.uk
2010 Threat Report – Websense
36. Questions?
Troy DuMoulin
t.dumoulin@pinkelephant.com
http://blogs.pinkelephant.com/troy
http://twitter.com/TroyDuMoulin
Thank You
PINK ELEPHANT
www.pinkelephant.com