SlideShare a Scribd company logo

Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011

S
sdavis532

The document discusses how social networks pose risks like revealing personally identifiable information and social engineering attacks. It emphasizes that organizations need effective social media policies and engaging training programs to exercise due care and diligence. Without these, employees may unintentionally damage an organization's reputation or fall victim to attacks. The presentation argues that blocking social media access is not enough and that policies and training are needed to mitigate risks while allowing organizations to benefit from social networking.

1 of 99
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
Effective Training and Policy Takes the Fear out of Social Networking Shawn Davis NETSECURE 2011
Presentation Goals: • To provide an overview of social networks and common attack vectors • Best practices for initial social media policy creation • Make the case for the need of an engaging and interesting end-user training program
What is a Social Network? • Is it a website designed to allow you to share pictures of your cat with the masses? • Or a means to post by the minute details of your dental appointment?
What is a Social Network? ♦ A social network is like a “digital version of a relationship.” (Messmer, 2009)
Why is this important to realize? • Relationships offline are built on establishing trust. • Online relationships often skip this step. Q- Would you give a stranger on the street your home address, cell phone number, spouse’s name, your birth date, job title, and information on current projects at your work? A- Of course not! ♦ However, people give out this information online EVERY DAY!
Top 4 Social Networking Sites: • Estimated unique monthly visitors: • 550 million • 90.5 million • 89.8 million • 50 million (eBizMBA, 2010)
Top 4 Ranking of Greatest Security Risk: • 2010 Sophos Survey: • 61% reported • 18% reported • 17% reported • 4% reported (Sophos, 2010)
What are the Main Risks? • Personally Identifiable Information (PII) • Social Engineering Attacks • Reputation Damage
Personally Identifiable Information (PII) • Social Networking profiles can display a wide range of PII.
Personally Identifiable Information (PII) • Main Risk to User = Identity Theft • Main Risk to Organization = Logon Credential Acquisition • Password guessing and narrowing down cracking parameters: • Password reset forms:
PII - Logon Credential Acquisition • Attackers will often circulate surveys and quizzes like this one: (Dinerman, 2010)
PII • Valuable PII for attackers is mostly found across Facebook, Myspace, and LinkedIn. • Real Life Example: - Hacker GMZ was able to guess the password of a Twitter support staffer ultimately taking control of 33 high profile accounts including Britney Spears, U.S. President Obama, and Fox News. • PII also aids another common type of attack that requires more creativity from an attacker: (McMillan, 2009)
Social Engineering
What is Social Engineering? • Social Engineering – Threat that occurs when an an attacker uses social skills to trick a user into revealing their password or other confidential information. • Social Engineering attacks are widely used across all four of the top social networking sites
Social Engineering • The attacker will study PII, message posts, and friend lists in order to learn more about their target and develop a trust relationship. • It has been documented that many cyber criminals would rather engineer a user to uncover information than use their efforts to attack technology and controls for security. (Tiptop & Krause, 2007)
Social Engineering - Phishing • Phishing – Targets “a specific user or group of users and attempts to deceive the user into performing an action that launches an attack.” • This attack is usually carried out through Cross Site Scripting (XSS), keyloggers, worms, or other malware. • Distribution: 52% by a user opening an attachment 36% by a user clicking a link 9% by link redirect 3% unknown (FCIOC, 2009, p.9) & (Graham, 2009)
Social Engineering - Phishing • PII from social media sites make messages more believable. • Malware embedded links on wall posts of social media allow for greater distribution. • Shortened URL services such as http://tinyurl.com/ and http://bit.ly/ are used to hide these malicious sites.
Social Engineering - Phishing • What happens if an account is compromised as well?
Reputation Damage (Image used with permission from Chiron Inc.)
Reputation Damage • Users give a play-by-play of their life on social networking sites. • Possible threats to organizations include: - Embarrassment - Market share loss - Revenue losses - Legal liability ♦ 74% of 2,008 employed adults surveyed by Deloitte agreed that it is easy to damage a company’s reputation on social media. http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_2009_ethics_workplace_survey_220509.pdf
Reputation Damage – Real Life Examples • Employee of a campground chain posts a spreadsheet showing reservation statuses for their campsites on Facebook that contains customer credit card numbers. • The former chief marketing officer at Eastman Kodak admits to accidentally posting a damaging tweet about a product they had worked six months to protect. • A worker at a major fried chicken chain posts, “I just posted a funny video of myself frying a rodent at the restaurant where I work.” (Mitchell, 2009, Dinerman, 2010)
Reputation Damage – Legal Liability • What if your employee at work posts a derogatory statement about a competitor or individual that is untrue? - Your organization could be sued for defamation from practically any country or state. ♦ If no policy is in place preventing this action, your organization may even be pulled into litigation if an employee does this off hours from a home account.
Reputation Damage – Legal Liability • What happens if you try to terminate an employee after they damage the reputation of your organization or another party’s? - An employee fired for making the damaging posts could take legal recourse against their employer if the employee can prove that a policy was either not in place forbidding the action or that they were not made aware of it.
Legal Responsibility • An organization is legally responsible to exercise due care and due diligence in regards to social networking use by its employees.
Due Care and Due Diligence: • To demonstrate due care, an organization must take measures to ensure that every employee is aware of what is and is not acceptable in the workplace as well as the consequences of actions that are illegal or unethical. • To demonstrate due diligence, an organization needs to partake in continual activities to protect others. (Whitman & Mattord, 2010)
How to exercise Due Care? ♦ A social media policy MUST be in place and actively updated for EVERY organization. ♦ An engaging social media training program MUST be in place for ALL employees (including executives.) ♦ Policy compliance documentation ♦ Training completion documentation
Due Care (cont) ♦ Short quiz to demonstrate comprehension. ♦ Clear consequences to violations must be listed in your social media policy. ♦ These consequences must be enforced company-wide (including executives.) ♦ Don’t forget about policy review and training for subsequent new hires!
How to exercise Due Diligence? ♦ Annual review of your social media policy with IT, HR, and your legal department ♦ Annual refresher training for all employees and executives. ♦ Short annual refresher quiz. ♦ Again, keep records of all training and signatures.
If a simple policy and training program can mitigate this much risk, then all organizations probably already have their own in place… Right?
Unfortunately, not.
How often is a Social Media policy not in place? • Two surveys from 2009 that asked employers and executives if their organization has a formal policy in place for social media use: Manpower Survey of 11,000 Deloitte Survey of 500 Employers Business Executives 2% 6% 29% Yes 22% Yes No No 69% Unsure Unsure 72%
♦ A 2009 survey by ad agency Russell Herder and law firm Ethos Business Law asked 438 respondents these questions: Do you have concerns about social media and its implications for both corporate security and reputation Have you implemented damage? social media guidelines? No Yes 19% 33% No Yes 81% 67%
If this is so important, why the low numbers? 1. Lack of engagement from upper management towards information security. -C-Level financial and administrative support is vital for any information security department to function. 2. Some organizations only focus on technological solutions Technology based solutions need to complement policy and training, not replace.
If this is so important, why the low numbers? 3. An organization may just block all access to social media and hope for the best. -Blocking these sites without instilling policy will not protect an organization from potential litigation. -Blocking would also take away all of the benefits that social media has to offer such as: -Increased collaboration -Greater interactive relationship with customers -Sales and marketing strategies -Incentivized working conditions for employees
Another large benefit - New Customer Acquisition: Organizations that have acquired new customers through social networking: Small Business 26% 41% Medium Companies Large Firms 33% • Regus survey of 15,000 business owners of all sizes worldwide http://www.regus.presscentre.com/imagelibrary/downloadMedia.ashx?MediaDetailsID=463
How to take the fear out of social media? ♦ An effective social media policy in combination with an effective end user training program is the best way to prevent threats from: -PII -Social Engineering / Phishing -Reputation Damage -Potential Litigation
Social Media Policy Creation: • A social media policy is really just an extension of an organization’s acceptable use and other existing policies. • The creation of this document should be a joint effort by: -Information Security -Information Technology -Human Resources -Legal -End Users
Social Media Policy Creation: (Cont) • Led by a team leader employed in an Information Security or Risk Management function. • Project champion with the ear of upper management to ensure financial and administrative support. (Whitman & Mattord, 2010) • A good first step is to review policies of other organizations.
Social Media Governance Database • http://socialmediagovernance.com/policies.php
Social Media Governance Database • http://socialmediagovernance.com/studies
Social Media Policy Creation: (Cont) • Each organization will likely have different philosophies on social media use. • For example: A liberal arts college, a global corporation, and a government agency will mostly likely not all be able to use the same social media policy.
A Liberal Arts College: • Unrestricted information sharing and allow open access to all social networking. • Policy may focus on guidelines for posting but will still need to cover all potential threats.
A Liberal Arts College: (Cont) • University of Michigan’s social media policy starts with general rules to follow and then has separate guidelines for posting as an individual versus posting on behalf of the University. • They end with safety and privacy tips that cover the topics of privacy, PII, liabilities, and malware.
A Global Corporation: • May utilize social media for brand management as well as a sales and marketing tool. • Policy will need to cover all possible threats and may focus on reputation damage and data leaks.
A Global Corporation: (Cont) • Coca-Cola Company’s social media policy starts with their company vision and commitments and then delves into principals and expectations. • They also have guidelines on posting for individual use versus company business use.
A Global Corporation: (Cont) • Certified online spokespeople: These certified spokespeople are the only employees allowed to speak on behalf of Coca-Cola online. ♦ This is a great idea! • Their online spokespeople are also expected to follow 10 specific principles:
A Global Corporation: (Cont) 1. Be Certified in the Social Media Certification Program. 2. Follow our Code of Business Conduct and all other Company polices. 3. Be mindful that you are representing the Company. 4. Fully disclose your affiliation with the Company. 5. Keep records. 6. When in doubt, do not post. 7. Give credit where credit is due and don’t violate others’ rights. 8. Be responsible to your work. 9. Remember that your local posts can have global significance. 10. Know that the internet is permanent.
A Government Agency: • The government agency will often have the strictest requirements in regards to social media use.
A Government Agency: (Cont) • The Federal CIO council created a document in 2009 entitled Guidelines for Secure Use of Social Media by Federal Departments and Agencies. • “The decision to embrace social media technology is a risk- based decision, not a technology based decision.”
A Government Agency: (Cont) • Sections on risk, social media traits, and recommendations for controls. • Assists an agency in making a business case for social media use based on a risk management approach. • Mentions spear phishing, social engineering, and web applications attacks as main risks to a government agency.
Social Media Policy Creation: (Cont) • After reviewing various policies, choose a few that are similar to your organization’s mission as a reference point. • The next step – Evaluate your own organization’s social networking use. -Involve end users -Find out what future plans sales, marketing, etc has for using social media. -InfoSec should analyze likely threats from organizational use as well as personal use from end users at work and at home.
Social Media Policy Creation: (Cont) • Start the creation process and involve HR. (Refer the end user to review their employment agreement and handbook early on in the new policy.) • The employee handbook and acceptable use policy should be updated to list the consequences of not abiding by the guidelines of the new social media policy. • Guidelines in the new policy should be based on information and feedback from end users, IS, and HR.
Social Media Policy Creation (Cont) • Issue specific policies need to be rewritten to account for social media use. • Once all sections and guidelines are complete, your legal department should review the final draft of the new social media policy and any changes to other existing policies to cover all potential legal liabilities. • Once a final draft is approved by all parties involved, it should be submitted for approval by upper management.
Social Media Policy Distribution • A step that is often missed is distribution of the new policy! • A Deloitte survey of 2,008 employees found that: - 24% didn’t know if they had a policy - 11% said there is a policy but don’t know what it is. • You spent all of this time making the policy, don’t forget to distribute it!
Social Media Policy Distribution (Cont) • Distribution can be in paper or electronic form: (Needs to document that the user has agreed to the terms and conditions with a signature and date.) • This is to protect an organization from a user stating that they were not aware of the policy from a liability stand- point. • Be sure to file a copy as well as present a copy to the end user.
Social Media Training: Social Media Training 3/24/11
Social Media Training: • Training program should be designed during the policy creation process. • It is very difficult for an employee to state in court that they were unaware of a policy when it can be documented that they have completed a training program. • All employees from the CEO down are required to attend for compliance and to reflect a company-wide effort.
Social Media Training: (Cont) • Training should be interesting, interactive and engaging! ♦ Goal of the training should be to gain the buy-in of your end-users. ♦ First step is to prove to end-users that damage from PII, Social Engineering, and Reputation Damage can actually happen very easily.
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Convinced that this could happen to you now? • Show end-users that poor security habits not only affect their company but could affect them personally as well:
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011
Social Media Training (Cont) • Also go over: -What PII is okay and what should be removed. -More examples of Reputation Damage. -How to defend against Social Engineering attempts. -How to avoid falling for Phishing attempts. -Examples of current malware schemes -Using very difficult password reset questions. -Not using the same password for all sites. -Not friending anyone unless you know them well.
Social Media Training (Cont) • It only takes one random friending to erase privacy controls!
Social Media Training (Cont) • Great time to revisit strong password creation!
Social Media Training (Cont) • A quick side note about rainbow tables: -1 PC can crack even a strong password in seconds. -Most rainbow tables are not currently calculated out past fourteen places at the moment.
Social Media Training (Cont) • After the training is over don’t forget to retain that signed completion document for each end-user. • Also, don’t forget about new hires at their orientation and follow-up trainings for all users.
Just think if after the training… -Users finally saw the value of strong passwords and no longer minded mandatory password changes… -Malware infections on client systems decreased 70% from users truly understanding which attachments not to open… -Users took a moment to think before they post… -Executives appreciated the value of your job role…
Accomplish all of that and… You have then increased security awareness and started to develop that coveted security conscious culture within your organization!
What else? You have also started to take the FEAR out of social networking!
Research: My paper and list of sources: http://www.itm.iit.edu/data/IIT- ITMwhitepaperTrainingAndPolicyForSocialNetworking.pdf Shawn Davis’ email – sdavis17@iit.edu Questions?
Thanks for attending!

More Related Content

PDF
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
EMC
 
PPT
Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010
Jason Hong
 
PPT
Protecting Organizations from Phishing Scams, for RSA Webinar in Sep2010
Jason Hong
 
PDF
Cybersecurity: Whose job is it anyway?
Guy Pearce
 
PPTX
SucessfulInsiderThreat
HammerNJ
 
PDF
Forcepoint Whitepaper 2016 Security Predictions
Kim Jensen
 
PPTX
Part 3 social media in the workplace final
shrm
 
PDF
3852 Socialnetworking Bk
Leo Greeley
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
EMC
 
Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010
Jason Hong
 
Protecting Organizations from Phishing Scams, for RSA Webinar in Sep2010
Jason Hong
 
Cybersecurity: Whose job is it anyway?
Guy Pearce
 
SucessfulInsiderThreat
HammerNJ
 
Forcepoint Whitepaper 2016 Security Predictions
Kim Jensen
 
Part 3 social media in the workplace final
shrm
 
3852 Socialnetworking Bk
Leo Greeley
 

What's hot (19)

PDF
Stanford GSB_Closer Look_Why Boards Should Care About Social Media
Sarah Larcker
 
PPTX
Boxing Clever: How to Safeguard your Company's Reputation Online
Charlie Pownall
 
PPTX
20110720 fose 2011 sm governance
Jesse Wilkins
 
PDF
Insights social bridge to it committee - e book - us
Tony Weinberg
 
PDF
Four mistakes to avoid when hiring your next security chief (print version ...
Niren Thanky
 
PDF
Social Bridge to the IT Committee
LinkedIn India
 
PDF
Linkedin the Social Bridge to the IT Committee
Jill Sida
 
PPTX
September 2019 part 9
seadeloitte
 
PPTX
Data Security for Nonprofits
NPowerCR
 
PPTX
The Shifting State of Endpoint Risk: Key Strategies to Implement in 2011
Lumension
 
PPTX
Social networking
akshay kumar
 
PDF
Strengthening the Weakest Link - Reducing Risks from Social Engineering Attacks
FitCEO, Inc. (FCI)
 
PPTX
Mapping Roles and Responsibilities for Social Media Risk Management
Nexgate
 
PDF
CHIME LEAD DC 2014 - Opening Keynote "What is Cyber Security and Why is it Cr...
Health IT Conference – iHT2
 
PPT
Social media for attorneys 2.0
SquareOne|Consulting
 
PPTX
4 nurturing the it committee ppt-sg-k2 (final)
LinkedIn Singapore
 
PPT
IMSafer Angel Round
Brandon Watson
 
PDF
Mimecast Threat Report
Chris Hewitt
 
PPT
State of endpoint risk v3
Lumension
 
Stanford GSB_Closer Look_Why Boards Should Care About Social Media
Sarah Larcker
 
Boxing Clever: How to Safeguard your Company's Reputation Online
Charlie Pownall
 
20110720 fose 2011 sm governance
Jesse Wilkins
 
Insights social bridge to it committee - e book - us
Tony Weinberg
 
Four mistakes to avoid when hiring your next security chief (print version ...
Niren Thanky
 
Social Bridge to the IT Committee
LinkedIn India
 
Linkedin the Social Bridge to the IT Committee
Jill Sida
 
September 2019 part 9
seadeloitte
 
Data Security for Nonprofits
NPowerCR
 
The Shifting State of Endpoint Risk: Key Strategies to Implement in 2011
Lumension
 
Social networking
akshay kumar
 
Strengthening the Weakest Link - Reducing Risks from Social Engineering Attacks
FitCEO, Inc. (FCI)
 
Mapping Roles and Responsibilities for Social Media Risk Management
Nexgate
 
CHIME LEAD DC 2014 - Opening Keynote "What is Cyber Security and Why is it Cr...
Health IT Conference – iHT2
 
Social media for attorneys 2.0
SquareOne|Consulting
 
4 nurturing the it committee ppt-sg-k2 (final)
LinkedIn Singapore
 
IMSafer Angel Round
Brandon Watson
 
Mimecast Threat Report
Chris Hewitt
 
State of endpoint risk v3
Lumension
 
Ad

Similar to Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011 (20)

PDF
Social Media: Infiltrating The Enterprise
Jay McLaughlin
 
PPT
Risky business of social media
Trivera Interactive
 
PDF
Interop 2011 las vegas - session se31 - rothke
Ben Rothke
 
DOCX
Social Media & Enterprise Security Whitepaper
SchleighS
 
PPTX
Social media March 2013
Timothy Holden
 
PPTX
Social media security
n|u - The Open Security Community
 
PDF
Symantec 2011 Social Media Protection Flash Poll Global Results
Symantec
 
PPT
Managing Social Media in the Workplace
Eric Swenson
 
PPT
Managing Social Media in the Workplace
Eric Swenson
 
PDF
Social media risks and controls
Marc Vael
 
PPTX
Social media pp
Uriah Hansen
 
PPT
Social Media: Managing Risk
shshap
 
PDF
Social Networking in the Business World: A Strategic Approach
linkedinlion11
 
PDF
Social Networks and Security: What Your Teenager Likely Won't Tell You
Denim Group
 
PDF
Social Media London Presentation 5th April 2011
iohann Le Frapper
 
PPT
Longmeadow 2012
Tish Grier
 
PDF
Social media and its associated risks
Grant Thornton
 
PDF
DLA Piper Social media report 2011
Alexander Krastev
 
PDF
On The Business of social media
Doug Winfield
 
PPTX
Minimizing Risk Via Social Media Policies
Dave Tinker, CFRE
 
Social Media: Infiltrating The Enterprise
Jay McLaughlin
 
Risky business of social media
Trivera Interactive
 
Interop 2011 las vegas - session se31 - rothke
Ben Rothke
 
Social Media & Enterprise Security Whitepaper
SchleighS
 
Social media March 2013
Timothy Holden
 
Social media security
n|u - The Open Security Community
 
Symantec 2011 Social Media Protection Flash Poll Global Results
Symantec
 
Managing Social Media in the Workplace
Eric Swenson
 
Managing Social Media in the Workplace
Eric Swenson
 
Social media risks and controls
Marc Vael
 
Social media pp
Uriah Hansen
 
Social Media: Managing Risk
shshap
 
Social Networking in the Business World: A Strategic Approach
linkedinlion11
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Denim Group
 
Social Media London Presentation 5th April 2011
iohann Le Frapper
 
Longmeadow 2012
Tish Grier
 
Social media and its associated risks
Grant Thornton
 
DLA Piper Social media report 2011
Alexander Krastev
 
On The Business of social media
Doug Winfield
 
Minimizing Risk Via Social Media Policies
Dave Tinker, CFRE
 
Ad

Effective Training and Policy Takes the Fear out of Social Networking - Shawn Davis - NETSECURE 2011

  • 1. Effective Training and Policy Takes the Fear out of Social Networking Shawn Davis NETSECURE 2011
  • 2. Presentation Goals: • To provide an overview of social networks and common attack vectors • Best practices for initial social media policy creation • Make the case for the need of an engaging and interesting end-user training program
  • 3. What is a Social Network? • Is it a website designed to allow you to share pictures of your cat with the masses? • Or a means to post by the minute details of your dental appointment?
  • 4. What is a Social Network? ♦ A social network is like a “digital version of a relationship.” (Messmer, 2009)
  • 5. Why is this important to realize? • Relationships offline are built on establishing trust. • Online relationships often skip this step. Q- Would you give a stranger on the street your home address, cell phone number, spouse’s name, your birth date, job title, and information on current projects at your work? A- Of course not! ♦ However, people give out this information online EVERY DAY!
  • 6. Top 4 Social Networking Sites: • Estimated unique monthly visitors: • 550 million • 90.5 million • 89.8 million • 50 million (eBizMBA, 2010)
  • 7. Top 4 Ranking of Greatest Security Risk: • 2010 Sophos Survey: • 61% reported • 18% reported • 17% reported • 4% reported (Sophos, 2010)
  • 8. What are the Main Risks? • Personally Identifiable Information (PII) • Social Engineering Attacks • Reputation Damage
  • 9. Personally Identifiable Information (PII) • Social Networking profiles can display a wide range of PII.
  • 10. Personally Identifiable Information (PII) • Main Risk to User = Identity Theft • Main Risk to Organization = Logon Credential Acquisition • Password guessing and narrowing down cracking parameters: • Password reset forms:
  • 11. PII - Logon Credential Acquisition • Attackers will often circulate surveys and quizzes like this one: (Dinerman, 2010)
  • 12. PII • Valuable PII for attackers is mostly found across Facebook, Myspace, and LinkedIn. • Real Life Example: - Hacker GMZ was able to guess the password of a Twitter support staffer ultimately taking control of 33 high profile accounts including Britney Spears, U.S. President Obama, and Fox News. • PII also aids another common type of attack that requires more creativity from an attacker: (McMillan, 2009)
  • 14. What is Social Engineering? • Social Engineering – Threat that occurs when an an attacker uses social skills to trick a user into revealing their password or other confidential information. • Social Engineering attacks are widely used across all four of the top social networking sites
  • 15. Social Engineering • The attacker will study PII, message posts, and friend lists in order to learn more about their target and develop a trust relationship. • It has been documented that many cyber criminals would rather engineer a user to uncover information than use their efforts to attack technology and controls for security. (Tiptop & Krause, 2007)
  • 16. Social Engineering - Phishing • Phishing – Targets “a specific user or group of users and attempts to deceive the user into performing an action that launches an attack.” • This attack is usually carried out through Cross Site Scripting (XSS), keyloggers, worms, or other malware. • Distribution: 52% by a user opening an attachment 36% by a user clicking a link 9% by link redirect 3% unknown (FCIOC, 2009, p.9) & (Graham, 2009)
  • 17. Social Engineering - Phishing • PII from social media sites make messages more believable. • Malware embedded links on wall posts of social media allow for greater distribution. • Shortened URL services such as http://tinyurl.com/ and http://bit.ly/ are used to hide these malicious sites.
  • 18. Social Engineering - Phishing • What happens if an account is compromised as well?
  • 19. Reputation Damage (Image used with permission from Chiron Inc.)
  • 20. Reputation Damage • Users give a play-by-play of their life on social networking sites. • Possible threats to organizations include: - Embarrassment - Market share loss - Revenue losses - Legal liability ♦ 74% of 2,008 employed adults surveyed by Deloitte agreed that it is easy to damage a company’s reputation on social media. http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_2009_ethics_workplace_survey_220509.pdf
  • 21. Reputation Damage – Real Life Examples • Employee of a campground chain posts a spreadsheet showing reservation statuses for their campsites on Facebook that contains customer credit card numbers. • The former chief marketing officer at Eastman Kodak admits to accidentally posting a damaging tweet about a product they had worked six months to protect. • A worker at a major fried chicken chain posts, “I just posted a funny video of myself frying a rodent at the restaurant where I work.” (Mitchell, 2009, Dinerman, 2010)
  • 22. Reputation Damage – Legal Liability • What if your employee at work posts a derogatory statement about a competitor or individual that is untrue? - Your organization could be sued for defamation from practically any country or state. ♦ If no policy is in place preventing this action, your organization may even be pulled into litigation if an employee does this off hours from a home account.
  • 23. Reputation Damage – Legal Liability • What happens if you try to terminate an employee after they damage the reputation of your organization or another party’s? - An employee fired for making the damaging posts could take legal recourse against their employer if the employee can prove that a policy was either not in place forbidding the action or that they were not made aware of it.
  • 24. Legal Responsibility • An organization is legally responsible to exercise due care and due diligence in regards to social networking use by its employees.
  • 25. Due Care and Due Diligence: • To demonstrate due care, an organization must take measures to ensure that every employee is aware of what is and is not acceptable in the workplace as well as the consequences of actions that are illegal or unethical. • To demonstrate due diligence, an organization needs to partake in continual activities to protect others. (Whitman & Mattord, 2010)
  • 26. How to exercise Due Care? ♦ A social media policy MUST be in place and actively updated for EVERY organization. ♦ An engaging social media training program MUST be in place for ALL employees (including executives.) ♦ Policy compliance documentation ♦ Training completion documentation
  • 27. Due Care (cont) ♦ Short quiz to demonstrate comprehension. ♦ Clear consequences to violations must be listed in your social media policy. ♦ These consequences must be enforced company-wide (including executives.) ♦ Don’t forget about policy review and training for subsequent new hires!
  • 28. How to exercise Due Diligence? ♦ Annual review of your social media policy with IT, HR, and your legal department ♦ Annual refresher training for all employees and executives. ♦ Short annual refresher quiz. ♦ Again, keep records of all training and signatures.
  • 29. If a simple policy and training program can mitigate this much risk, then all organizations probably already have their own in place… Right?
  • 31. How often is a Social Media policy not in place? • Two surveys from 2009 that asked employers and executives if their organization has a formal policy in place for social media use: Manpower Survey of 11,000 Deloitte Survey of 500 Employers Business Executives 2% 6% 29% Yes 22% Yes No No 69% Unsure Unsure 72%
  • 32. ♦ A 2009 survey by ad agency Russell Herder and law firm Ethos Business Law asked 438 respondents these questions: Do you have concerns about social media and its implications for both corporate security and reputation Have you implemented damage? social media guidelines? No Yes 19% 33% No Yes 81% 67%
  • 33. If this is so important, why the low numbers? 1. Lack of engagement from upper management towards information security. -C-Level financial and administrative support is vital for any information security department to function. 2. Some organizations only focus on technological solutions Technology based solutions need to complement policy and training, not replace.
  • 34. If this is so important, why the low numbers? 3. An organization may just block all access to social media and hope for the best. -Blocking these sites without instilling policy will not protect an organization from potential litigation. -Blocking would also take away all of the benefits that social media has to offer such as: -Increased collaboration -Greater interactive relationship with customers -Sales and marketing strategies -Incentivized working conditions for employees
  • 35. Another large benefit - New Customer Acquisition: Organizations that have acquired new customers through social networking: Small Business 26% 41% Medium Companies Large Firms 33% • Regus survey of 15,000 business owners of all sizes worldwide http://www.regus.presscentre.com/imagelibrary/downloadMedia.ashx?MediaDetailsID=463
  • 36. How to take the fear out of social media? ♦ An effective social media policy in combination with an effective end user training program is the best way to prevent threats from: -PII -Social Engineering / Phishing -Reputation Damage -Potential Litigation
  • 37. Social Media Policy Creation: • A social media policy is really just an extension of an organization’s acceptable use and other existing policies. • The creation of this document should be a joint effort by: -Information Security -Information Technology -Human Resources -Legal -End Users
  • 38. Social Media Policy Creation: (Cont) • Led by a team leader employed in an Information Security or Risk Management function. • Project champion with the ear of upper management to ensure financial and administrative support. (Whitman & Mattord, 2010) • A good first step is to review policies of other organizations.
  • 39. Social Media Governance Database • http://socialmediagovernance.com/policies.php
  • 40. Social Media Governance Database • http://socialmediagovernance.com/studies
  • 41. Social Media Policy Creation: (Cont) • Each organization will likely have different philosophies on social media use. • For example: A liberal arts college, a global corporation, and a government agency will mostly likely not all be able to use the same social media policy.
  • 42. A Liberal Arts College: • Unrestricted information sharing and allow open access to all social networking. • Policy may focus on guidelines for posting but will still need to cover all potential threats.
  • 43. A Liberal Arts College: (Cont) • University of Michigan’s social media policy starts with general rules to follow and then has separate guidelines for posting as an individual versus posting on behalf of the University. • They end with safety and privacy tips that cover the topics of privacy, PII, liabilities, and malware.
  • 44. A Global Corporation: • May utilize social media for brand management as well as a sales and marketing tool. • Policy will need to cover all possible threats and may focus on reputation damage and data leaks.
  • 45. A Global Corporation: (Cont) • Coca-Cola Company’s social media policy starts with their company vision and commitments and then delves into principals and expectations. • They also have guidelines on posting for individual use versus company business use.
  • 46. A Global Corporation: (Cont) • Certified online spokespeople: These certified spokespeople are the only employees allowed to speak on behalf of Coca-Cola online. ♦ This is a great idea! • Their online spokespeople are also expected to follow 10 specific principles:
  • 47. A Global Corporation: (Cont) 1. Be Certified in the Social Media Certification Program. 2. Follow our Code of Business Conduct and all other Company polices. 3. Be mindful that you are representing the Company. 4. Fully disclose your affiliation with the Company. 5. Keep records. 6. When in doubt, do not post. 7. Give credit where credit is due and don’t violate others’ rights. 8. Be responsible to your work. 9. Remember that your local posts can have global significance. 10. Know that the internet is permanent.
  • 48. A Government Agency: • The government agency will often have the strictest requirements in regards to social media use.
  • 49. A Government Agency: (Cont) • The Federal CIO council created a document in 2009 entitled Guidelines for Secure Use of Social Media by Federal Departments and Agencies. • “The decision to embrace social media technology is a risk- based decision, not a technology based decision.”
  • 50. A Government Agency: (Cont) • Sections on risk, social media traits, and recommendations for controls. • Assists an agency in making a business case for social media use based on a risk management approach. • Mentions spear phishing, social engineering, and web applications attacks as main risks to a government agency.
  • 51. Social Media Policy Creation: (Cont) • After reviewing various policies, choose a few that are similar to your organization’s mission as a reference point. • The next step – Evaluate your own organization’s social networking use. -Involve end users -Find out what future plans sales, marketing, etc has for using social media. -InfoSec should analyze likely threats from organizational use as well as personal use from end users at work and at home.
  • 52. Social Media Policy Creation: (Cont) • Start the creation process and involve HR. (Refer the end user to review their employment agreement and handbook early on in the new policy.) • The employee handbook and acceptable use policy should be updated to list the consequences of not abiding by the guidelines of the new social media policy. • Guidelines in the new policy should be based on information and feedback from end users, IS, and HR.
  • 53. Social Media Policy Creation (Cont) • Issue specific policies need to be rewritten to account for social media use. • Once all sections and guidelines are complete, your legal department should review the final draft of the new social media policy and any changes to other existing policies to cover all potential legal liabilities. • Once a final draft is approved by all parties involved, it should be submitted for approval by upper management.
  • 54. Social Media Policy Distribution • A step that is often missed is distribution of the new policy! • A Deloitte survey of 2,008 employees found that: - 24% didn’t know if they had a policy - 11% said there is a policy but don’t know what it is. • You spent all of this time making the policy, don’t forget to distribute it!
  • 55. Social Media Policy Distribution (Cont) • Distribution can be in paper or electronic form: (Needs to document that the user has agreed to the terms and conditions with a signature and date.) • This is to protect an organization from a user stating that they were not aware of the policy from a liability stand- point. • Be sure to file a copy as well as present a copy to the end user.
  • 56. Social Media Training: Social Media Training 3/24/11
  • 57. Social Media Training: • Training program should be designed during the policy creation process. • It is very difficult for an employee to state in court that they were unaware of a policy when it can be documented that they have completed a training program. • All employees from the CEO down are required to attend for compliance and to reflect a company-wide effort.
  • 58. Social Media Training: (Cont) • Training should be interesting, interactive and engaging! ♦ Goal of the training should be to gain the buy-in of your end-users. ♦ First step is to prove to end-users that damage from PII, Social Engineering, and Reputation Damage can actually happen very easily.
  • 87. Convinced that this could happen to you now? • Show end-users that poor security habits not only affect their company but could affect them personally as well:
  • 90. Social Media Training (Cont) • Also go over: -What PII is okay and what should be removed. -More examples of Reputation Damage. -How to defend against Social Engineering attempts. -How to avoid falling for Phishing attempts. -Examples of current malware schemes -Using very difficult password reset questions. -Not using the same password for all sites. -Not friending anyone unless you know them well.
  • 91. Social Media Training (Cont) • It only takes one random friending to erase privacy controls!
  • 92. Social Media Training (Cont) • Great time to revisit strong password creation!
  • 93. Social Media Training (Cont) • A quick side note about rainbow tables: -1 PC can crack even a strong password in seconds. -Most rainbow tables are not currently calculated out past fourteen places at the moment.
  • 94. Social Media Training (Cont) • After the training is over don’t forget to retain that signed completion document for each end-user. • Also, don’t forget about new hires at their orientation and follow-up trainings for all users.
  • 95. Just think if after the training… -Users finally saw the value of strong passwords and no longer minded mandatory password changes… -Malware infections on client systems decreased 70% from users truly understanding which attachments not to open… -Users took a moment to think before they post… -Executives appreciated the value of your job role…
  • 96. Accomplish all of that and… You have then increased security awareness and started to develop that coveted security conscious culture within your organization!
  • 97. What else? You have also started to take the FEAR out of social networking!
  • 98. Research: My paper and list of sources: http://www.itm.iit.edu/data/IIT- ITMwhitepaperTrainingAndPolicyForSocialNetworking.pdf Shawn Davis’ email – sdavis17@iit.edu Questions?