Infotec 2010 Ben Rothke - social networks and information security
1. Social Networks and Information Security
- Oxymoron or can you have both?
Ben Rothke, CISSP PCI QSA
Senior Security Consultant
BT Professional Services
April 13, 2010
2. About me
• Ben Rothke, CISSP CISM PCI QSA
• Security Consultant – BT Professional Services
• Full-time information security since 1994
• Frequent writer and speaker
• Author of Computer Security: 20 Things Every Employee
Should Know (McGraw-Hill)
3. BT in North America
• Operating since 1988
• More than 4,000 employees in the US and
Canada
• Network Operations and Customer Service
Centers in Atlanta GA, Boston MA, Los Angeles
CA, Princeton NJ, Oakdale MN and Nutley NJ
• Seven of the more than 30 BT acquisitions
during recent years are HQ in the US, Infonet,
Radianz, Counterpane, INS, Comsat, Wire One,
Ribbit
• More than 3,500 customers in the US and
Canada, including 75% of the Fortune 500 and 50%
of the Fortune 1000
• Serving Canadian enterprises in 32 cities
serving hundreds of major customer sites across
the country
• Of BT’s top 2,000 customers, 50%+ are
headquartered or have major operations in
the Americas
4. Why BT for Security?
• Industry-leading resources
– 1,400 global practitioners, with over 125 accredited security
professionals in the US
– Comprehensive event correlation platforms and reporting tools
– Operating 9 world-class SOCs globally, 24/7/365
– Over 100 registered patents, 190 security papers and numerous books
• With proven experience
– 6,000 security engagements in the US since 1994
– BT has delivered security services to over 75% of the Fortune 500
– Monitoring 550 networks, with data from over 150 countries
– Over 1,500 firewalls and 335,000 devices under management
– Filters over 75,000 viruses from client networks each month
• Delivering an integrated services portfolio
– From assessment to mitigation, on a global basis
– Incorporating industry-leading technology & services, with
Counterpane at the core
• Third party validation
– Leadership position in Gartner’s 2007 North American MSSP Magic
Quadrant
– Highest capability maturity rating from NSA
– Many accreditations, including BS 27001/ISO 17799, SAS70-II,
FIPS 140-2, CERT, FIRST, CLAS, SANS GIAC and CHECK
5. Agenda
• How can enterprises effectively use social networks while
not putting their security and data at risk?
• Understanding and dealing with the security risks of social
networks
• Making the security focus shift from infrastructure
protection to data protection
• Social network security strategies for enterprises
• Social network security strategies for individuals
• Q/A
7. Why this is a very cool information security topic
• Easy security tasks
– Block all outbound ftp traffic
– Require disclaimers on all outbound emails
– Block admission to network if host AV signatures are not current
– Require encryption on all outbound files to the Moscow office
• Challenging security tasks
– Stop end-users from inappropriate sharing of confidential and
proprietary data via social networks
9. Social networking - then and now
Computer Associates
• 1990’s
– President Charles Wang limited employees’ email usage
• to 1 hour in the morning and 1 hour in the afternoon
• to emphasize face-to-face interaction rather than sending e-mails
• 2010
– Computer Associates is now on Twitter
• http://twitter.com/cainc
10. Social networks huge - getting larger
• 75% of US online adults use social tools
– up from 56% in 2007
– The Growth Of Social Technology Adoption - Josh Bernoff, Forrester
11. The social web
• Social web is about communities, collaboration, peer
production and user-generated content
• Business reputations are defined by customer opinions and
ratings
• Press is delivered by independent bloggers
• Product development and insight is driven by customers
• Digital natives who have grown up with the Internet flood
the workplace
• Your employees will likely expect to be part of the social
web and they'll have a lot to contribute
• Source: Joshua-Michéle Ross
13. Resistance to social networks is futile
• Social networks are not a fad
• Prepare a strategy and have a realistic understanding of the
risks and benefits of social software
• Understand the unique challenges with social networks and
factor them into decision on when and how to proceed
• Gartner - Major Challenges Organizations Face Regarding Social Software
16. Social networks - security game-changer
• Organizations and management are struggling
– to understand and deal with the security risks of social networks
• Traditional information security
– firewalls and access control protected the perimeter
– social networks open up that perimeter
• Focus shift
– from infrastructure protection to data protection
• DLP (data loss prevention) tools
– becoming the new firewall for the social web
• Bypass corporate services
– Facebook for email
– Skype as a telephone system
– Gmail for instant messaging
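The shift from perimeter protection to data protection described above comes down to inspecting content on its way out. The following is an added example, not code from the presentation or from any DLP product: a minimal outbound-post check of the kind a DLP tool applies, with a Luhn test to keep random digit runs from firing the payment-card rule. The sample posts and the internal hostname suffix ".corp.example" are constructed for illustration.

```python
import re

# Added example (not from the presentation): a minimal content-inspection check of
# the kind a DLP tool applies to outbound posts. The sample posts and the internal
# hostname suffix "corp.example" are constructed for illustration.

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")               # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MARKER_RE = re.compile(r"\b(confidential|internal (?:use )?only|do not distribute)\b", re.I)
INTERNAL_HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.corp\.example\b", re.I)  # assumed internal suffix


def luhn_ok(number):
    """Luhn check on a digit string; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_post(text):
    """Return a list of (finding, matched_text) for one outbound post."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):                 # Luhn-invalid runs (ticket/phone numbers) are ignored
            findings.append(("payment_card", m.group()))
    findings += [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    findings += [("classification_marker", m.group()) for m in MARKER_RE.finditer(text)]
    findings += [("internal_hostname", m.group()) for m in INTERNAL_HOST_RE.finditer(text)]
    return findings


BLOCKING = {"payment_card", "ssn", "classification_marker"}


def decide(text):
    """'block' for regulated data or classified content, 'alert' for softer signals, else 'allow'."""
    kinds = {kind for kind, _ in scan_post(text)}
    if kinds & BLOCKING:
        return "block"
    if kinds:
        return "alert"
    return "allow"


# Constructed sample posts, as an outbound web proxy or DLP agent would see them.
SAMPLE_POSTS = [
    "Great lunch with the team today, back to the grind!",
    "Ticket 1234 5678 9012 3456 finally closed, phew.",              # Luhn-invalid: not a card
    "Can someone expense this? card 4111 1111 1111 1111 exp 12/14",
    "FYI the Q3 roadmap deck is CONFIDENTIAL, do not forward outside the company",
    "Build box build01.corp.example is down again, anyone else seeing this?",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(f"{decide(post):5s}  {post}")
```

The classification markers only work if the data classification program from later in the deck actually puts those markers on documents; without it, the tool is left with pattern matching on regulated data and internal naming, which is why the slide pairs DLP with policy rather than treating it as a standalone appliance.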
17. Security issues
• There are legitimate risks with allowing uncontrolled access
to social networking sites
– risks can be mitigated via a comprehensive security strategy
• Security and trust
– social networks require a full taxonomy of security
– people are much more trusting of a message from a friend or
colleague on a social network than they are of an e-mail
– people are used to e-mails being forged
• People will share extraordinary amounts of highly
confidential personal and business information with people
they perceive to be legitimate
18. Social media risks
Risk Description Security? Type?
Malware Infection of desktops, propagation of malware through staff or corporate profiles on Yes Technology
social-media services.
Chain of providers Mashups of applications within a social-media service enable the untraceable Yes Technology
movement of data.
Interface weaknesses Public application interfaces are not sufficiently secured, exposing users to cross-site Yes Technology
scripting and other exploits.
Reputation damage Degradation of personal and corporate reputations through posting of inappropriate No Content
content.
Exposure of confidential Loose lips sink ships, breach of IP or other trade secrets, breach of copyright, public Yes Content
information posting or downloading of private or sensitive personal information.
Legal exposure Legal liabilities resulting from posted content and online conversations or failure to Yes Content
meet a regulatory requirement to record and archive particular conversations.
Revenue loss For organizations in the information business, making content freely available may Yes Content
undercut fee-based information services
Staff productivity Workers failing to perform due to the distraction of social media No Behavior
Hierarchy subversion Informal social networks erode authority of formal corporate hierarchy and defined No Behavior
work processes
Social engineering Phishing attacks, misrepresentation of identity and/or authority to obtain Yes Behavior
information illicitly or to stimulate damaging behaviors by staff.
Identity fraud Profiles and postings that are erroneously attributed to a staff member or corporate Yes Behavior
office.
18
Source: Gartner – Report G00173953 - February 2010
19. How information security groups lose the social media war
• Social media security requires a combination of technical,
behavioral and organizational security controls
– Many information security groups are clueless on how to do that
• Arguing that social media presents unmanageable security
risks gives the impression that the information security
group is incompetent
• Too much use of the FUD (fear, uncertainty and doubt)
factor as part of their argument
20. Social network postings are immortal
• Physics 101 - Law of conservation of energy
– total amount of energy in an isolated system remains constant
– energy can’t be destroyed - can only change form
• Social networks physics 101
– Internet - huge database of unstructured content with an infinite life
– once confidential data is made public, it can never be made
confidential again
– once data is posted in a Web 2.0 world, it exists forever, somewhere
• RSS feeds can’t be unfed
– difficulty of complete account deletion
• users wishing to delete accounts from social networks may find that
it’s almost impossible to remove secondary information linked to
their profile such as public comments on other profiles
21. Security issues - aggregation
• Aggregation
– process of collecting content from multiple social network services
– consolidates multiple social networking profiles into one profile
• Google OpenSocial
– defines common API for social applications across multiple websites
– with standard JavaScript and HTML, developers can create apps that
access a social network’s friends and update feeds
• Long-term anonymity is nearly impossible
– users leave traces, IP addresses, embedded links, IDs in files, photos,
etc.
– no matter how anonymous one tries to be, eventually, with enough
traces, aggregation will catch up
22. Security and privacy risks
• Malware
• Social networks used as a malware distribution point
• Vulnerabilities
– cross site scripting (XSS), cross site request forgery (CSRF)
– 1 in 5 web attacks aimed at social networks
• Corporate espionage
• Phishing / spear phishing
• Bandwidth consumption
• Information leakage
• Social engineering attacks
• Content-based Image Retrieval (CBIR)
– emerging technology that matches features, such as identifying aspects of a room (e.g. a painting)
in very large databases, increasing the possibilities for locating users
23. Mission Impossible 1999 is social networking 2010
• Your mission
– find 20 divorced/single female design engineers based in the US at
Boeing Integrated Defense Systems
– build a rapport with them
– get critical data or designs for new fighter under development
• Time / Budget / Success
– 1999 – Many people, many months, limited success, very expensive
– 2009 – One person, multiple Facebook accounts, can outsource to
India, near immediate results, extremely high success rate
• Facebook makes it easy to find out who these women are
– who their friends are (likely other single women at Boeing)
– what they like, where they shop, their daily habits, their friends,
entertainment, and much more
24. Social networks and information security
• Social networks and security are compatible
– requires effort, staff, and a formalized plan of action
• Formalized, comprehensive social networking strategy
– there are no social network security appliances
• Public corporations
– subject to SEC disclosure obligations, must deal with fair disclosure
rules
– inside information on a social network is a regulatory violation
– must have formal logging and archiving in place for social networks
25. Strategies and action items for enterprises to deal with the security
and privacy risks of social networks
26. Get in front of the social network wave
• Organizations must be proactive
– dedicated team to deal with social networks
– ability to identify all issues around social networks
• Get involved and be engaged
• Social networking is moving fast
– dynamic technology
– requires a proactive protection approach
• Be flexible
– overall uncertainty about what strategies and tactics to adopt to
secure social media
27. Risk assessment
• Social media create new opportunities for fraud and abuse
• Enables a wide range of abuses
– Must be anticipated and evaluated to construct appropriate security
plans and controls
• Perform social network risk assessment
– create risk assessment for each social network community
– vulnerabilities associated with specific sites
– which users are the greatest risk?
– output will be used to create the social media policy and strategy
– customized to your specific risk matrix
– balance the risks vs. benefits
• US Marines – totally prohibited
• Starbucks – totally embraced
28. Social media strategy
• Strategy and policy should be based on your social media goals
• Take into account any special laws or rules
• Identify people or positions who will be the online public face
of the firm
• Decide if and how employees may identify themselves
• Involve risk managers in your planning
• Draconian policies preventing the use of social media will not
be effective
• Use a balanced approach
– allow access
– manage risk via technical controls, policies and employee training
29. Monitoring
• Maintain control over content company owns
– monitor employee participation on social networking sites
– significant risk of loss of IP protection if not monitored
– when inappropriate use of enterprise content occurs, notify
employee and explain how their actions violated policy
– control where and how corporate content is shared externally
30. Social network assessments
• Perform a LinkedIn analysis
• From LinkedIn you can tell:
– what technologies a company is using
– corporate direction
– vendors
– partners
– internal email addresses and address formats
• Perform a Facebook analysis
• From Facebook you can tell:
– almost everything
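How little it takes to recover "internal email addresses and address formats" from public sources is easy to show. The following is an added example, not from the presentation: given a couple of addresses seen in a press release or conference bio, it infers which naming convention the company uses and then applies it to names listed on public profiles. All names, addresses and the example.com domain are constructed; the list of conventions is an assumption, not an exhaustive one.

```python
import re

# Added example (not from the presentation). Constructed data throughout:
# example.com is a placeholder domain and every name is invented.

# Common corporate address conventions (assumed list), keyed by a label used in results.
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first":      lambda f, l: f,
}


def split_name(full_name):
    """Lowercase first and last token of a display name, dropping middle names and punctuation."""
    parts = re.sub(r"[^a-z\s]", "", full_name.lower()).split()
    return parts[0], parts[-1]


def infer_formats(observed):
    """Return the format labels consistent with every observed (name, email) pair.

    observed: list of (display name, email address) seen in public sources such as
    press releases, conference bios or mailing-list archives. An empty result means
    the samples do not share one convention (or use one not in FORMATS).
    """
    candidates = set(FORMATS)
    for name, email in observed:
        first, last = split_name(name)
        local = email.split("@", 1)[0].lower()
        candidates = {k for k in candidates if FORMATS[k](first, last) == local}
    return sorted(candidates)


def generate_addresses(names, domain, fmt):
    """Apply one inferred format to names taken from public profiles that list the employer."""
    return [f"{FORMATS[fmt](*split_name(n))}@{domain}" for n in names]


# Constructed sample: two addresses "found" on a public press release ...
OBSERVED = [
    ("Jane Q. Doe", "jane.doe@example.com"),
    ("Robert O'Neil", "robert.oneil@example.com"),
]
# ... and names "harvested" from public profiles that list the same employer.
PROFILE_NAMES = ["Alice Chen", "Raj Patel", "Maria-Elena Garcia"]

if __name__ == "__main__":
    fmts = infer_formats(OBSERVED)
    print("formats consistent with observed addresses:", fmts)
    for fmt in fmts:
        print(generate_addresses(PROFILE_NAMES, "example.com", fmt))
```

Two public samples are usually enough to pin the convention down, which is the point of the slide: the address format is not a secret, so controls such as spear-phishing awareness and mail authentication have to assume the attacker already has the list.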
31. Define corporate social media policy and strategy
• Social networks blur boundary between company roles
– who speaks for the company on a blog, Twitter, Facebook
– border between the company and the outside world is evaporating
– this is a management decision, not an IT decision
– strategies: block, contain, disregard, embrace
– create user scenarios
• not all users need access
– see Twitter strategy for Government Departments
– ensure your corporate social media strategy is realistic
– view webinar by Joshua-Michele Ross on how to do this
32. Corporate social networking policy
• Social networking policy is a must
– even if it prohibits everything, you still need a policy
• Policies are needed because employees do stupid things
• Define a rational, sensible use of social media services
– include photography and video
– don’t reference clients, customers, or partners without obtaining
their express permission
• Data classification
– create a data classification program
– users need to be able to know precisely the different data
classification levels
33. Security awareness
• Social media is driven by social interactions
• Most of the significant risks are tied to the behavior of staff
when they are using social software
• Governance of staff behavior must take into account both
the technical capabilities of the social software and the
relative tendency of staff to engage in risky behavior in
social media
• Don't shun social media for fear of bad end-user behavior.
– Anticipate it and formulate a multilevel approach to policies for
effective governance.
• 3 C’s: clear, comprehensive, continuous
34. Security awareness
• Awareness and training program is critical
– must be effectively communicated and customized
– disseminate to everyone
– ensure recurrent training
– create topic taboo lists
– define expectations of privacy
• Link social networking training to other related training
– business ethics, standards of conduct, industry-specific regulations
• Public companies
– at risk for disclosure of insider information
– even if not at fault, assertion of insider disclosure is expensive,
embarrassing and time consuming
35. Guidelines
• Without clear guidelines, breaches are inevitable
• Excellent sources:
– Intel Social Media Guidelines
– IBM Social Computing Guidelines
• directives for blogs, wikis, social networks, virtual worlds and social media
36. Regulatory
• Regulatory compliance must be considered
– social networks present numerous scenarios which weren’t foreseen
when current legislation and data protection laws were created
– regulatory framework governing social networks should be reviewed
and, where necessary, revised
– consider what specific laws/regulations/standards apply
– all breach notice laws are relevant
• if customer or employee PII is posted, breach response plans would likely
need to be followed and notices would need to be sent
• HIPAA and expanded responsibilities under ARRA HITECH
• newly released final breach response rules from the HHS
37. EU and social networks
• EU Data Privacy Directives
– EU Directive on Data Protection 95/46/EC
– Data Protection Working Party Opinion 5/2009
– EU countries take personal privacy very seriously
• tagging of images with personal data without the consent of the subject
of the image violates the subject’s right to informational self-determination
• blanket monitoring and logging is unacceptable in EU
• many more privacy details need to be considered
• Review ENISA position paper
– Security Issues and Recommendations for Online Social Networks
– Online as Soon as it Happens
38. Human resources
• Human resources must be involved
– social networks open up a huge can of HR worms
– what are disciplinary actions for non-compliance?
– candidate’s social network presence as a factor in the hiring process?
– create directives for managing personal and professional time
– don’t be seen as encroaching on your employees’ free speech rights
– put out reasonable guidelines
– explain how innocent postings can be misconstrued
– but a too heavy-handed approach will often backfire and result in
lower morale and bad publicity
39. Hardware and software solutions
• Gartner
– Market for security controls for social media is relatively immature
– Security managers need to develop control environments that
incorporate new tools and techniques to monitor and control user
activity and data movement
– IT organizations have concentrated for too long on using technical
controls to ensure that IT and business resources are used
appropriately
– In some situations, social guidelines can be more effective than
technical controls
40. Reputation management
• Traditional PR and legal responses to an Internet-based
negative reputation event can cause more damage than
doing nothing
• Understanding how to establish, follow and update
protocols can make social-media chaos less risky to
enterprises
• Information security should coordinate activities with PR
teams to expand monitoring and supplement monitoring
with investigations and evidence collection processes
41. Dealing with reactive chaos
• Rare for companies to have tools and skills to conduct
investigation into origins of inappropriate material and the
identity of the individuals involved in social media breaches
• CSIRTs are called on to provide investigation support
– but are often contacted late
• Optimal approach
– monitoring and managing social media and incident response
requires approach that combines efforts and capabilities of the PR,
HR and information security teams
43. Reputation management
• Goal is to build and protect a positive Internet-based
reputation
• Risks to reputation are significant and growing with the
increased use of social networks
• Create reputation management group with input from IT,
legal, risk management, PR and marketing
• Coordinated approach
– proactive / responsive
44. Strategies and action items for individuals to deal with the security
and privacy risks of social networks
45. Let’s be careful out there
• You can lose your job
– policy violation
– managers and executives - special responsibility when blogging by
virtue of the position
– too much time on social network sites
– perception that you are promoting yourself at the expense of the
company
– especially if your employer is not into social networking
• Don’t embarrass yourself, friend, family, coworkers
• Be aware of the dark side of social networks
– divorce
– cyberbullies
– see MySpace suicide case
46. Action items – individual user
• Curb your enthusiasm
– those with compulsive or addictive tendencies must recognize the
addictive nature of social networking
– what is fun today is embarrassing tomorrow
– don’t post comment that you don’t want the entire world to see
– consider carefully which images, videos and information you publish
– set daily time limits on how much time you will spend
• When at work
– you are being paid to work when you are at work
– don’t abuse the trust your employer had in hiring you
47. Social incrimination
• Everything you post may be used against you
– be judicious when posting, especially photos/videos
• copyright issue
– camcorders now have Direct Upload to YouTube capabilities
• Don’t post photo that you don’t want the world to see
• Watch that pose – the world will see you in that photo
– images give away private data about other people, especially when
tagged with metadata
• Enable Facebook security controls
– 10 Privacy Settings Every Facebook User Should Know
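Slide 21 lists "IDs in files, photos" among the traces that defeat anonymity, and the slide above warns that images give away private data when tagged with metadata. The concrete case is the EXIF block a phone camera writes into every JPEG, which carries GPS coordinates. The following is an added example, not code from the presentation: it builds a minimal JPEG that contains only an EXIF GPS block (constructed sample, no picture data), reads the coordinates back out with a small TIFF/IFD parser, and strips the segment the way a "scrub before upload" step would.

```python
import struct

# Added example (not from the presentation): build a tiny JPEG carrying an
# EXIF GPS block, pull the coordinates back out, and strip the metadata.
# The sample image is constructed here; it has no picture data, only the
# EXIF segment that a phone camera would write.

SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
TAG_GPS_IFD = 0x8825
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def build_sample_jpeg(lat=(40, 44, 58.0), lat_ref=b"N", lon=(73, 59, 7.0), lon_ref=b"W"):
    """Constructed sample: SOI + APP1(Exif, little-endian TIFF with a GPS IFD) + EOI."""
    def rationals(dms):                      # degrees, minutes, seconds as num/den pairs
        return b"".join(struct.pack("<II", int(v * 1000), 1000) for v in dms)
    # Offsets are relative to the TIFF header: IFD0 at 8, GPS IFD at 26,
    # latitude rationals at 80, longitude rationals at 104.
    tiff = b"II" + struct.pack("<HI", 42, 8)
    tiff += struct.pack("<H", 1)                                     # IFD0: one entry
    tiff += struct.pack("<HHII", TAG_GPS_IFD, TYPE_LONG, 1, 26)
    tiff += struct.pack("<I", 0)                                     # no next IFD
    tiff += struct.pack("<H", 4)                                     # GPS IFD: four entries
    tiff += struct.pack("<HHI", TAG_LAT_REF, TYPE_ASCII, 2) + lat_ref + b"\0\0\0"
    tiff += struct.pack("<HHII", TAG_LAT, TYPE_RATIONAL, 3, 80)
    tiff += struct.pack("<HHI", TAG_LON_REF, TYPE_ASCII, 2) + lon_ref + b"\0\0\0"
    tiff += struct.pack("<HHII", TAG_LON, TYPE_RATIONAL, 3, 104)
    tiff += struct.pack("<I", 0)
    tiff += rationals(lat) + rationals(lon)
    payload = b"Exif\0\0" + tiff
    app1 = bytes([0xFF, APP1]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes([0xFF, SOI]) + app1 + bytes([0xFF, EOI])


def iter_segments(data):
    """Yield (marker, start, end) for each marker segment before the scan data."""
    pos = 2                                                          # skip SOI
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (EOI, SOS):
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]      # includes the 2 length bytes
        yield marker, pos, pos + 2 + seg_len
        pos += 2 + seg_len


def read_ifd(tiff, e, off):
    """Return {tag: (type, count, value_or_offset, position_of_value_field)}."""
    n = struct.unpack_from(e + "H", tiff, off)[0]
    out = {}
    for i in range(n):
        at = off + 2 + 12 * i
        tag, typ, count, val = struct.unpack_from(e + "HHII", tiff, at)
        out[tag] = (typ, count, val, at + 8)
    return out


def extract_gps(data):
    """Return (lat, lon) in decimal degrees, or None when the JPEG carries no GPS EXIF."""
    for marker, start, end in iter_segments(data):
        if marker == APP1 and data[start + 4:start + 10] == b"Exif\0\0":
            tiff = data[start + 10:end]
            break
    else:
        return None
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])                       # byte order of the TIFF body
    if e is None or struct.unpack_from(e + "H", tiff, 2)[0] != 42:
        return None
    ifd0 = read_ifd(tiff, e, struct.unpack_from(e + "I", tiff, 4)[0])
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = read_ifd(tiff, e, ifd0[TAG_GPS_IFD][2])
    if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None

    def dms_to_decimal(tag, ref_tag):
        nums = struct.unpack_from(e + "IIIIII", tiff, gps[tag][2])
        d, m, s = (nums[i] / nums[i + 1] if nums[i + 1] else 0.0 for i in (0, 2, 4))
        ref = chr(tiff[gps[ref_tag][3]])                             # ASCII value stored inline
        value = d + m / 60 + s / 3600
        return -value if ref in ("S", "W") else value

    return dms_to_decimal(TAG_LAT, TAG_LAT_REF), dms_to_decimal(TAG_LON, TAG_LON_REF)


def strip_exif(data):
    """Copy the JPEG without any APP1 segment, which is where EXIF (and GPS) lives."""
    out = bytearray(data[:2])
    last = 2
    for marker, start, end in iter_segments(data):
        if marker != APP1:
            out += data[start:end]
        last = end
    out += data[last:]                                               # scan data and EOI untouched
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("GPS in sample:", extract_gps(sample))
    print("GPS after strip:", extract_exif_note := extract_gps(strip_exif(sample)))
```

Most social networks now strip EXIF on upload, but the original file is what gets forwarded by e-mail, attached to a blog post or shared from a phone, and the stripping is done server-side where the user cannot see whether it happened. Removing the APP1 segment locally before anything leaves the device is the only control the individual actually owns.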
48. Action items – individual user
• Limited security capabilities
– don’t assume social network sites will give you privacy or
confidentiality
– especially over the long-term when items are cross-posted/shared
• Ensure you know about and are compliant with employer’s
social media guidelines
– if you post something corporate, ensure that it is public information
– be careful about posting customer information, even if it is public
– breach of insider information can cost you your job
– know the rules of using social networking sites while you’re at work
– take extra care if you friend your boss on Facebook
– Facebook is viral and addictive – don’t waste your workday on it
49. Action items – individual user
• Bad social networking can lead to career suicide
• Use and maintain anti-virus software
• HR is looking
– 45% of employers now screen social media profiles
• Realize the inherent tension in social networks
– know your limits
– social networks are like a party
– point is to have fun without humiliating yourself
• Choose good passwords
– follow password creation rules
– don’t use the same password across multiple social networks
50. Action items – individual user
• Don’t accept every Facebook invitation
• Realize you are a target for social engineers
• Be aware of friends asking for small, seemingly harmless pieces of
information one at a time (the salami technique)
• What does your friends’ list say about you?
• Something you post today, or a YouTube video you appear
in, can haunt you for the rest of your life
• Trust but verify all invitations
• Limit the amount of personal information you post
– do you really need to post your birthday?
– get in the habit of not sharing personal data
51. Action items – individual user
• Be careful when taking surveys
– especially on Facebook
– answers can be aggregated by bogus surveys to launch social
engineering attack
– password recovery answers
• Not everything needs to be commented on
– Think twice before posting about
• interviews
• complaints about long/boring meetings
• complaints about coworkers, management, bosses, etc.
• off the cuff remarks
52. Children
• Especially susceptible to social network threats
– kids misrepresent their age to join sites that have age restrictions
– kids post more information in their pictures than was intended, such
as hobbies, interests, location of their school
• Teach your kids about Internet safety
– be aware of their online habits, guide them to appropriate sites
– they should never meet in person anyone they met online
• Parents must ensure that their children become safe and
responsible users
• National Cyber Alert System Cyber Security Tip ST05-002
– Keeping Children Safe Online
– http://www.us-cert.gov/cas/tips/ST05-002.html
53. Conclusions / Q&A
• Social networks introduce significant security risks
• Companies must recognize these risks and take a formal
approach to deal with them
• Individuals can’t be naïve about their responsibilities
• Social networks and security - - not an oxymoron
– as long as social network security is part of a comprehensive
corporate information security program
– and end-users and individuals are aware of the risks and their
responsibilities
54. Contact information
Ben Rothke, CISSP PCI QSA
Senior Security Consultant
BT Professional Services
ben.rothke@bt.com
www.linkedin.com/in/benrothke
www.twitter.com/benrothke