Interop 2011 las vegas - session se31 - rothke
Transcript of Interop 2011 las vegas - session se31 - rothke
![Page 1: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/1.jpg)
Social networks and security – can you have both?
Ben Rothke, CISSP, CISM, CISA
Session SE-31
May 12, 2011
@benrothke
![Page 2: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/2.jpg)
About me
• Ben Rothke, CISSP, CISM, CISA
• Senior Security Consultant – British Telecom
• Frequent writer and speaker
• Author – Computer Security: 20 Things Every Employee Should Know (McGraw-Hill)
• Write the Security Reading Room blog
  – https://365.rsaconference.com/blogs/securityreading
![Page 3: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/3.jpg)
Agenda
• Overview of social networks
• Scary security risks associated with social networks
• Social network security strategies
• Conclusion / Recommendations / Q/A
![Page 4: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/4.jpg)
Security risks can’t be ignored
![Page 5: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/5.jpg)
Twitter – corporate, mainstream
![Page 6: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/6.jpg)
Facebook – corporate, mainstream
![Page 7: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/7.jpg)
Business benefits
• enhanced collaboration
• faster access to information within the company
• ability to get questions answered
• shared workspaces
• microblogs and chat
• platform applications
![Page 8: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/8.jpg)
Social networking reality
![Page 9: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/9.jpg)
…is now social networking
• Your mission
  – find 20 design engineers based in the US at Boeing
  – build a rapport with them to get designs for a new 737 derivative
• Time / Budget / Success
  – 1990 – many people, many months, limited success, very expensive
  – 2011 – one person, multiple Facebook accounts, can outsource to India, near-immediate results, extremely high success rate
• Facebook – easy to find out who they are
  – who their friends are
  – what they like, where they shop, daily habits, friends
![Page 10: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/10.jpg)
• To block or not to block?
  – no longer the question
• “Social media isn’t a choice anymore – it’s a business transformation tool”
  – Natalie Petouhoff, Weber Shandwick
• Business and information security goal
  – secure use and enablement of social media
![Page 11: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/11.jpg)
Reasons not to block
• Don’t blame the game, blame the player
• Smart companies control, not block
  – staff can use social media and be productive
• No longer a 9-5 world
• Lose the benefits of social media
• Abusers don’t suddenly become productive
  – social media abuse is an HR issue, not a technical issue
![Page 12: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/12.jpg)
New security ideas required
• Easy security tasks
  – block all outbound FTP traffic
  – use DLP to encrypt sensitive e-mails
  – block admission to the network if host AV signatures are not current
  – use SIEM to correlate all logs
• Challenging security task
  – stop end-users from inappropriate sharing of confidential/proprietary data via social networks
![Page 13: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/13.jpg)
Resistance is futile
• Social networks are not a fad
• Not only is resistance futile – it is a negative business decision
• Prepare a social networking strategy
• Have a realistic understanding of the risks and benefits of social software
• Understand the unique challenges and factor them into decisions on when and how to proceed
![Page 14: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/14.jpg)
Try stopping this…
![Page 15: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/15.jpg)
Security game-changer
• Organizations and management are struggling
  – to understand and deal with the numerous security and privacy risks associated with social networks
• Traditional information security
  – firewalls and access control protected the perimeter; social networks open up that perimeter
• Focus shift
  – from infrastructure protection to data protection
![Page 16: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/16.jpg)
Security issues
• People will share huge amounts of highly confidential personal & business information with people they perceive to be legitimate
• Numerous legitimate security risks with allowing uncontrolled access to social sites
• But… these risks can be mitigated via a comprehensive security strategy
![Page 17: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/17.jpg)
Security and privacy risks
• Malware
  – social networks as a malware distribution point
• Vulnerabilities
  – cross-site scripting, cross-site request forgery
  – 1 in 5 web attacks aimed at social networks
• Corporate espionage
• Phishing / spear phishing
• Bandwidth consumption
![Page 18: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/18.jpg)
More security and privacy risks
• Information leakage
• Social engineering attacks
• Geotagging / location-based social networking
  – allows random people to track an individual’s location and correlate it with other information
  – publishing business photos can be detrimental to business
  – Content-based Image Retrieval (CBIR)
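The geotagging risk above is the one point on this slide that a publishing workflow can check mechanically: a photo's EXIF block may carry the GPS position where it was taken. The Python below is an added example, not code from the slides or the speaker; it parses the TIFF-structured EXIF payload (the bytes that follow "Exif\0\0" in a JPEG APP1 segment), reports any GPS latitude/longitude it finds, and neutralizes the GPS sub-IFD in place so the image can be posted without its location. The fixture builder and the coordinates it is fed are constructed for the demo; a production pipeline would normally lean on exiftool or Pillow rather than a hand-rolled parser, but the structure walked here is the same one those tools read.

```python
# Added example (not from the slides): detect and neutralize GPS geotags in a
# photo's EXIF metadata before it is published. Operates on the TIFF-structured
# EXIF payload that follows "Exif\0\0" in a JPEG APP1 segment.
import struct

GPS_IFD_POINTER = 0x8825            # IFD0 entry that points to the GPS sub-IFD
GPS_LAT_REF, GPS_LAT = 0x0001, 0x0002
GPS_LON_REF, GPS_LON = 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # bytes per element


def _endian(blob):
    """struct byte-order prefix from the TIFF header ('II' little, 'MM' big)."""
    if blob[:2] == b"II":
        return "<"
    if blob[:2] == b"MM":
        return ">"
    raise ValueError("not a TIFF/EXIF header")


def _read_ifd(blob, offset, e):
    """Return (tag, type, count, 4-byte value/offset field, entry position) per entry."""
    (n,) = struct.unpack_from(e + "H", blob, offset)
    entries = []
    for i in range(n):
        pos = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + "HHI", blob, pos)
        entries.append((tag, typ, count, bytes(blob[pos + 8:pos + 12]), pos))
    return entries


def _gps_ifd_offset(blob, e):
    """Offset of the GPS sub-IFD, or None when IFD0 has no GPSInfo pointer."""
    (ifd0,) = struct.unpack_from(e + "I", blob, 4)
    for tag, _typ, _count, val, _pos in _read_ifd(blob, ifd0, e):
        if tag == GPS_IFD_POINTER:
            return struct.unpack_from(e + "I", val)[0]
    return None


def extract_gps(blob):
    """Return (latitude, longitude) in decimal degrees, or None if no geotag is present."""
    e = _endian(blob)
    gps = _gps_ifd_offset(blob, e)
    if gps is None:
        return None
    fields = {}
    for tag, typ, count, val, _pos in _read_ifd(blob, gps, e):
        if typ == TYPE_ASCII:
            # strings of <= 4 bytes (incl. NUL) sit inline, longer ones at an offset
            raw = val if count <= 4 else blob[struct.unpack_from(e + "I", val)[0]:][:count]
            fields[tag] = raw[:1].decode("ascii")            # 'N'/'S' or 'E'/'W'
        elif typ == TYPE_RATIONAL:
            (off,) = struct.unpack_from(e + "I", val)       # 8-byte rationals never fit inline
            vals = []
            for i in range(count):
                num, den = struct.unpack_from(e + "II", blob, off + 8 * i)
                vals.append(num / den if den else 0.0)
            fields[tag] = vals                               # [degrees, minutes, seconds]
    if not all(t in fields for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None

    def to_degrees(dms, ref):
        d, m, s = dms
        deg = d + m / 60 + s / 3600
        return -deg if ref in ("S", "W") else deg

    return (to_degrees(fields[GPS_LAT], fields[GPS_LAT_REF]),
            to_degrees(fields[GPS_LON], fields[GPS_LON_REF]))


def strip_gps(blob):
    """Neutralize the GPS sub-IFD in place: same length, no other offsets move."""
    e = _endian(blob)
    gps = _gps_ifd_offset(blob, e)
    buf = bytearray(blob)
    if gps is None:
        return bytes(buf)
    for _tag, typ, count, val, pos in _read_ifd(buf, gps, e):
        size = TYPE_SIZE.get(typ, 1) * count
        if size > 4:                          # payload lives elsewhere: wipe it too
            (off,) = struct.unpack_from(e + "I", val)
            buf[off:off + size] = bytes(size)
        buf[pos:pos + 12] = bytes(12)         # wipe the directory entry itself
    struct.pack_into(e + "H", buf, gps, 0)    # GPS directory now reports zero entries
    return bytes(buf)


def build_sample_exif(lat, lon):
    """Constructed fixture: little-endian TIFF, IFD0 -> GPS IFD with the four location tags."""
    e = "<"

    def dms(v):
        v = abs(v)
        d = int(v)
        m = int((v - d) * 60)
        s = round(((v - d) * 60 - m) * 60 * 1000)       # seconds with three decimals
        return [(d, 1), (m, 1), (s, 1000)]

    ifd0, gps, lat_off, lon_off = 8, 26, 80, 104        # fixed layout: 8+18, 26+54, 80+24
    out = bytearray(b"II*\x00" + struct.pack(e + "I", ifd0))
    out += struct.pack(e + "H", 1)                       # IFD0: one entry
    out += struct.pack(e + "HHII", GPS_IFD_POINTER, TYPE_LONG, 1, gps)
    out += struct.pack(e + "I", 0)                       # no next IFD
    out += struct.pack(e + "H", 4)                       # GPS IFD: four entries
    out += struct.pack(e + "HHI", GPS_LAT_REF, TYPE_ASCII, 2) + (b"N" if lat >= 0 else b"S") + b"\0\0\0"
    out += struct.pack(e + "HHII", GPS_LAT, TYPE_RATIONAL, 3, lat_off)
    out += struct.pack(e + "HHI", GPS_LON_REF, TYPE_ASCII, 2) + (b"E" if lon >= 0 else b"W") + b"\0\0\0"
    out += struct.pack(e + "HHII", GPS_LON, TYPE_RATIONAL, 3, lon_off)
    out += struct.pack(e + "I", 0)
    for num, den in dms(lat) + dms(lon):                 # 3 rationals for lat, 3 for lon
        out += struct.pack(e + "II", num, den)
    return bytes(out)
```

A pre-publish check is then `extract_gps(exif) is None`; if it is not, `strip_gps` yields a same-length payload that can be written back into the APP1 segment without touching any other offset in the file.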
![Page 19: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/19.jpg)
Cree.py is just the beginning
![Page 20: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/20.jpg)
Infosec losing on social media?
• Requires a combination of technical, behavioral and organizational security controls
  – many information security groups are clueless on how to do that
• Arguing that social media presents a highly unmanageable set of security risks
  – gives the impression that the infosec group is incompetent
![Page 21: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/21.jpg)
Strategies and action items for enterprises to deal with
the security and privacy risks of social networks
![Page 22: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/22.jpg)
Secure use of social media
1. Enablement
   – awareness, education
2. Governance
   – corporate social media strategy
   – realistic policies
3. Management
   – effective monitoring
![Page 23: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/23.jpg)
Get in front of the wave
• Be proactive
  – dedicated team to deal with social networks
  – identify all issues around social networks
• Get involved and be engaged
• Social networking is moving fast
• Be flexible
  – overall uncertainty about what strategies and tactics to adopt to secure social media
![Page 24: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/24.jpg)
Risk assessment
• for each social network community
  – vulnerabilities associated with each community
• each social community has its own set of unique security and privacy concerns
• which users are the greatest risk?
![Page 25: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/25.jpg)
Risk assessment
• output will be used to create the social media policy and strategy
  – customized to your specific risk matrix
• balance risks vs. benefits
  – US Marines – totally prohibited
  – Starbucks – totally embraced
![Page 26: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/26.jpg)
Social network risk assessment
• LinkedIn analysis – you can determine:
  – what technologies a company is using
  – corporate direction
  – vendors
  – partners
  – internal e-mail addresses and address formats
• Facebook analysis – you can determine:
  – almost everything
![Page 27: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/27.jpg)
Social media strategy
• Based on your social media goals
• Identify people or positions who will be the online public face of the firm
• Decide if/how employees may identify themselves
• Twitter strategy for Government Departments
  – http://digitalengagement.cabinetoffice.gov.uk/blog
![Page 28: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/28.jpg)
Social media strategy
• Draconian policies preventing the use of social media will most often not be effective
• Use a balanced approach
  – allow access
  – manage risk via technical controls, policies and employee training
![Page 29: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/29.jpg)
Blurred role boundaries
• who speaks for the company
• border between the company and the outside world is evaporating
• management decision, not an IT decision
• strategies: block, contain, disregard, embrace
• create user scenarios
  – not all users need access
![Page 30: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/30.jpg)
Social networking policy
• Social networking policy is a must
  – even if it prohibits everything, you still need a policy
• Employees will do stupid things
• Rational, sensible use of social media services
  – include photography and video
  – don’t reference clients, customers, or partners without obtaining their express permission
![Page 31: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/31.jpg)
Monitoring
• Maintain control over content the company owns
  – monitor employee social networking participation
  – significant risk of loss of IP protection if not monitored
  – inappropriate use of enterprise content occurred?
    • notify employee – explain how their actions violated policy
  – control where and how corporate content is shared externally
![Page 32: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/32.jpg)
Security awareness
• Social media is driven by social interactions
• Most significant risks are tied to the behavior of staff when they are using social software
• Don't shun social media for fear of bad end-user behavior
  – anticipate it and formulate a multilevel approach to policies for effective governance
• 3 C’s
  – clear, comprehensive, continuous
![Page 33: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/33.jpg)
Security awareness
• Awareness and training program is critical
  – effectively communicated and customized
  – disseminate to everyone
  – ensure recurrent training
  – create topic taboo lists
  – define expectations of privacy
![Page 34: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/34.jpg)
How to get fired in 3 tweets…
• Let employees know they can lose their job
  – policy violation
  – managers and executives – special responsibility when blogging by virtue of their position
  – too much time on social network sites
  – perception that they are promoting themselves at the expense of the company
  – especially if the employer is not into social networking
![Page 35: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/35.jpg)
End-user awareness
• Curb your enthusiasm
  – those with OCD/addictive personalities – be cognizant of the addictive nature of social networking
  – what is fun today is embarrassing tomorrow
  – expect that the entire world will see your comments
  – consider carefully which images, videos and information you publish
  – set daily time limits on social media
![Page 36: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/36.jpg)
Awareness 101
• Ensure staff know about and are compliant with social media guidelines
  – if you post something corporate, ensure that it is public information
  – be careful about posting customer information, even if it is public
![Page 37: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/37.jpg)
Awareness 101
• Ensure staff know about and are compliant with social media guidelines
  – breach of insider information can cost you your job
  – know the rules of using social networking sites while at work
  – take extra care if you friend your boss on Facebook
  – Facebook is viral and addictive – don’t waste the workday on it
![Page 38: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/38.jpg)
Social media guidelines
• Without guidelines, breaches are inevitable
• Excellent sources:
  – Intel Social Media Guidelines
  – IBM Social Computing Guidelines
  – Oracle Social Media Participation Policy
• Policies must have directives for blogs, wikis, social networks, virtual worlds, social media and more
![Page 39: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/39.jpg)
Regulatory compliance
• Regulatory framework should be reviewed and, where necessary, revised
• Consider what specific laws, regulations, standards, breach notice laws apply
![Page 40: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/40.jpg)
Reputation management
• Traditional PR and legal responses to an Internet-based negative reputation event can cause more damage than doing nothing
• Establishing, following and updating protocols can make social-media chaos less risky to enterprises
• Infosec should coordinate activities with PR teams
  – expand monitoring and supplement it with investigations and evidence collection processes
![Page 41: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/41.jpg)
Reputation management
![Page 42: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/42.jpg)
Reputation management
• Goal is to build and protect a positive Internet-based reputation
• Risks to reputation are significant and growing with the increased use of social networks
• Create a reputation management group with input from IT, legal, risk management, PR and marketing
![Page 43: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/43.jpg)
Reputation management
• Coordinated approach
  – proactive / responsive
![Page 44: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/44.jpg)
HR must be involved
• Social networks open up a huge can of HR worms
• What are disciplinary actions for non-compliance?
• Can candidate’s social network presence be a factor in hiring process?
• Create directives for managing personal and professional time
![Page 45: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/45.jpg)
HR must be involved
• Don’t be seen as encroaching on employees’ free speech
• Create reasonable guidelines
• Explain how innocent postings can be misconstrued
• A heavy-handed approach will often backfire and result in lower morale and often bad publicity
![Page 46: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/46.jpg)
HR & FCRA
• Via Facebook, you can know way too much about a candidate:
  – race, orientation, religion, politics, health, etc.
  – such information can be used to show bias
• EEOC and expensive litigation
![Page 47: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/47.jpg)
References
• Clearswift Security Awareness Research
• New Media and the Air Force
• ENISA position papers
  – Security Issues and Recommendations for Online Social Networks
  – Online as Soon as it Happens
• Parents’ Guide to Facebook
![Page 48: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/48.jpg)
Conclusion
• Social networks introduce security risks
  – social networks & security can be compatible
• Perform a comprehensive risk assessment against all social networks to be used
• Understand business & technical requirements
• Recognize these security and privacy risks and take a formal approach to mitigate them
![Page 49: Interop 2011 las vegas - session se31 - rothke](https://reader033.fdocuments.us/reader033/viewer/2022042821/55d52cd1bb61ebfa778b4626/html5/thumbnails/49.jpg)
Contact info
• Ben Rothke, CISSP, CISA
• Senior Security Consultant
• BT Professional Services
• @benrothke
• www.linkedin.com/in/benrothke
• www.twitter.com/benrothke
• www.slideshare.net/benrothke