Social Media Gone Wild
Generously sponsored by:
ISSA Web Conference June 26, 2012
Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London
Welcome Conference Moderator
Mathieu Gorge, ISSA Web Conference Committee
Agenda
Speakers
• Jean Pawluk- Consultant and Former Chief Architect, Visa
• Rebecca Herold, CIPP, CISSP, CISA, CISM, FLMI
• Aaron Sheridan- Senior Systems Security Engineer at FireEye
Open Panel with Audience Q&A
Closing Remarks
Social Media Gone Wild: Is A Perfect Storm Brewing?
Jean Pawluk
June 2012
A Perfect Storm is Brewing
Social interaction has blurred the work / life boundary
Users find many new ways to share data
Factor 1 - Social Media - Amazing Growth
• Big Five
 – Facebook (901M users – Feb 2012)
 – Twitter (500M users – March 2012)
 – LinkedIn (161M users – March 2012)
 – Google+ (170M users – April 2012)
 – Windows Live (330M users – June 2009)
• Non US
 – Qzone (536M users – Dec 2011)
 – Tencent Weibo (310M users – Sept 2011)
 – Sina Weibo (250M users – Sept 2011)
 – Habbo (230M users – Sept 2011)
• Personal
 – Foursquare (15M users – Feb 2012)
 – Pinterest (10.5M users – Feb 2012)
 – Tumblr (42M users – Feb 2012)
• Corporate
 – Yammer (~5M users – April 2012)
 – Jive (~3000 firms – Sept 2011)
 – Chatter (~5M users? – April 2012)
 – SharePoint (~20M users – Oct 2009)
Factor 2 - Easy to use & Hard to control
• BYOD
• App permissions – users just say yes
 – Links to unknown sites
 – Data captured by accident or intent by 3rd parties
 – Often coded with an “ask forgiveness” mindset and little testing
• Geo-location
• Cross-app linking – think mashups
 – Twitter feeds -> LinkedIn
 – Photo recognition and geo-location tracking -> Foursquare x LinkedIn x Facebook x latest favorite app
Factor 3 - Data Quarrying
• Deep tracking is not just science fiction.
• In reality:
 – No difference between public and private content
 – Online personal and professional content is integrating
 – Can harm you and others
• Data and reputation may never “go away”
• Freedom of speech doesn’t mean every thought should be posted (sex-texting)
• Eye-opening reads:
 – WSJ series “What They Know”
 – Time’s “Data Mining: How Companies Now Know Everything About You”
(Illustration by Joe Zeff, Time Magazine)
Factor 4 – Increased Attack Surfaces
• More:
 – Users spending time on social media
 – Social media apps and sites under constant attack
 – Users bringing their own devices
 – New hardware, new uses
 – Single Sign-On and IDs shared across social media
 – Widespread use of shortened URL links
• Social media is designed for sharing – data is mobile & accessible anywhere
 – More sites available for targeted attacks and to spread viruses and malware
What, me worry? Businesses are waking up to social media security issues
• Information leaks
• Intrusions
• Viruses and malware
• Spear Phishing
• Loss of IP, corporate plans, market data, customer data
• Brand Damage
• Fear that employees are wasting time at work
• Span of control issues with employees, customers and rivals
• Fear competitors trolling for info or creating misinformation to discredit the business.
• Liability and laws that differ around the world
Examples
• Tricking users by friending them and then using them to spread malware – easier to social engineer and leverage
 – Koobface spread between Facebook and Twitter via social users
 – Torpig used Twitter topics to create random domains to send victims to pick up malware and spread it further
• Fake social media posts and updates from your “friends”
• Social engineering of business – competitive intelligence – the RSA SecurID hack used a fake recruitment plan as the entry point
• Defrauding friends and relatives with scams asking for emergency funds
• Massive password thefts from social media sites
Think about - Legal and Regulatory
• Who has legal liability?
• Who has device ownership ?
• Who owns the data content ?
• Who controls access to content? – Approval mechanism
 – What about censorship?
  • Corporate
  • Government
• Rogue system creation and use – Do you know what’s going on in your company?
 – Internal vs. competitors
Think about - User awareness, policy & tools
• Content & security levels?
 – Create
 – View / Read
 – Edit / Delete
• Community use
 – Open – anyone
 – Restricted – limited public use
 – Private – members only
Think about - User Behavior
Who do you trust?
• Users at work: does social media affect work?
• Internal vs. external content use?
• Is social media (ever) secure?
• How much security is too much?
(Image courtesy Kexino.com)
User Tips
Think before you click! Think before you post!
Think twice about giving apps permission to your data
Beware:
– shortened URLs
– interactive upgrade requests
– mobile apps and use of geo-location
Use an up-to-date browser
15
User Tips Continued
Use unique logins and passwords for every site you use to limit exposure (yep, it’s a pain)
Verify domains
– check that the URL points to the legitimate website and not a fake look-alike site
Be cautious of messages, emails, links & posts that seem suspicious
Make sure security is up to date – patches on, anti-virus/spyware, firewalls, monitors & web advisory tools
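The two tips about shortened URLs and verifying domains can be turned into a small link-checking routine of the kind an awareness team might demo. The Python below is an added example written for this page, not material from the presentation or its speakers. The allowlist of known sites, the shortener list and the homoglyph table are constructed for illustration, and treating the last two host labels as the registrable domain is a deliberate simplification (a production check would consult the Public Suffix List so that names like example.co.uk are handled).

```python
from urllib.parse import urlsplit

# Constructed allowlist of legitimate site domains (the sites named in the slides);
# an organisation would substitute its own list.
KNOWN_DOMAINS = {"facebook.com", "twitter.com", "linkedin.com", "google.com", "live.com"}

# Constructed list of URL shorteners: the link text hides the real destination.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}

# Digits commonly substituted for letters in look-alike names (faceb00k, l1nkedin).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})


def registrable_domain(host):
    """Return the part of a hostname that someone actually registered.

    Assumption: the registrable domain is the last two labels.  Real code should
    use the Public Suffix List so that e.g. example.co.uk is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def check_url(url):
    """Classify a link before it is clicked.

    Returns (verdict, detail) where verdict is one of:
    known, shortened, look-alike, idn, unknown, invalid.
    """
    if "://" not in url:
        url = "http://" + url  # urlsplit only finds the host when a scheme is present
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ("invalid", "URL has no host")

    # "https://facebook.com@evil.example/" really connects to evil.example:
    # anything before '@' is user-info, not the site.
    if "@" in parts.netloc:
        return ("look-alike", "user-info before '@' disguises real host %s" % host)

    domain = registrable_domain(host)
    if domain in SHORTENERS:
        return ("shortened", "expand %s before following" % domain)
    if domain in KNOWN_DOMAINS:
        return ("known", domain)

    # Punycode labels (xn--) render as non-ASCII names that can imitate a brand.
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("idn", "internationalised label present; inspect the rendered name")

    # A known brand appearing as a subdomain of someone else's domain
    # (www.facebook.com.login-verify.example) or with digit substitutions.
    brands = {d.split(".")[0] for d in KNOWN_DOMAINS}
    for label in host.split("."):
        if label.translate(HOMOGLYPHS) in brands:
            return ("look-alike", "brand %r in host but real domain is %s" % (label, domain))

    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample links, the kind that appear in social media posts.
    for sample in [
        "https://www.facebook.com/login",
        "http://www.facebook.com.login-verify.example/",
        "https://faceb00k.com/",
        "https://facebook.com@evil.example/",
        "http://bit.ly/abc123",
        "https://example.org/",
    ]:
        print("%-48s %s" % (sample, check_url(sample)))
```

The checks are ordered so that an exact match on an allowlisted domain wins, shorteners are reported rather than followed, and only then are the look-alike heuristics applied; that ordering keeps false alarms on legitimate sites low while still catching the brand-as-subdomain and digit-substitution tricks the tips warn about.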
Question and Answer
Jean Pawluk Consultant and Former Chief Architect, Visa
Social Media Gone Wild: Benefits, Dangers & Information Security and Privacy Policies
Rebecca Herold, CIPP, CISSP, CISA, CISM, FLMI
© Rebecca Herold. All rights reserved.
Agenda
• What Is Social Media?
• A Few Social Media Facts
• Benefits...
• But Be Aware Of The Dangers...
• Using Social Media Apps
• Posting Photos and Videos
• Common Risks and Scams
• Topics/Issues to Cover Within Social Media Policies
• What to Tell Workers
What is “social media”? Just a few examples of the most commonly used types of social media sites:
• Blogs such as TypePad, WordPress, etc.
• Collaboration sites, such as wikis (e.g., Wikipedia, Delicious) and social news (e.g., Digg)
• Livecasting and meeting sites such as Skype, Livestream, etc.
• Microblogs such as Twitter
• Photography and art sharing sites such as Photobucket, Flickr, Picasa, VineMe, etc.
• Presentation sharing sites, such as Scribd, Slideshare, etc.
• Product reviews sites such as Epinions.com, MouthShut.com, etc.
• People reviews sites such as RateMDs.com, Healthgrades.com, etc.
• Social networks such as Facebook, LinkedIn, Google+, Pinterest, etc.
• Video sharing sites such as YouTube, Vimeo, etc.
• Virtual worlds such as Second Life, Maple Story, etc.
A Few Social Media Facts (1/2)
• Twitter has over 555 million users and over 200 million tweets per day
• Facebook has over 901 million users, 50% of which log in daily
• Over 150 million people use LinkedIn
• Google+ has over 170 million users
• Pinterest has over 11.7 million users
• Over 40% of all Internet traffic is video
• YouTube has 107 million unique visitors each month and 10.3 million followers on Twitter
• The number of social media sites is unlimited
A Few Social Media Facts (2/2)
• Everyone is impacted by social media sites
• What happens on social media sites stays online forever
Benefits
• Customer Service
• Knowledge Sharing and Collaboration
• Patient Health Education
• Customer Awareness
• Learning
• Marketing
• New Contacts
• News/World Events
• Patient Care
• Research
• Crisis Management
Dangers
• Damage Reputations
• Leaking Information (e.g., PHI, employee info, etc.)
• Network Slow-Downs and Stand-stills
• Personal Relationships Damaged
• Physical Dangers
• Potentially Be Seen By Everyone
• For frequent hacks
• Spread Malware
• Keyloggers
• Time Bandits
• Used As Evidence in Investigations
• Misinterpreted Information
• Violate Laws
• Result in Civil Lawsuits
Using Apps & Other Software
• Spotify
• Foursquare
• Farmville
• TribeHR
• Etc.
Activities from Personal Networks/Devices
• Don’t post about work
• Don’t post about co-workers
• Don’t post about customers, patients, etc.
• Don’t sync or share files between personally-owned computers and computers/systems
Risks Posting Photos & Videos
• About workplace, patients, customers and co-workers
• Personal photos
• Patient/customer/consumer photos
• Obtaining consent
Common Social Media Risks and Scams
• Spear phishing
• Social engineering
• Spoofing
• Malware
• Keyloggers
• Denial of Service (DoS)
Social Media Policies Topics (1/11)
Appropriate use of social networks (Facebook, LinkedIn, YouTube and Twitter in particular)
• From the networks
• From the company-owned computing devices
• From networks using personally-owned computing devices
• From staff-owned computing devices and/or networks
• From public computers/networks
Social Media Policies Topics (2/11)
Blogging
• Content of posts
• References to co-workers, customers, patients, the business, etc.
Social Media Policies Topics (3/11)
Wikis (e.g., Wikipedia, GeniusWiki, Brainkeeper, Zwiki)
• Those (if any) acceptable to use for business purposes
• Those unacceptable to use for business purposes
• Acceptable activities for the wikis
Social Media Policies Topics (4/11)
Information that should not be posted from any type of location/computer
• PHI, PII, SPI, etc.
• Co-worker information
• Confidential business information
Social Media Policies Topics (5/11)
Marketing requirements/guidelines
• Positions/departments authorized to post
• Types of information acceptable to post
• Types of information that should not be posted
• Do not take personal information from sites to use for business (e.g., marketing, etc.)
Social Media Policies Topics (6/11)
Security controls that need to be in place
• Anti-malware
• Firewalls (including personal firewalls)
• Spam prevention
• DLP
Social Media Policies Topics (7/11)
Time spent on social networks while at work
• Not while with customers or patients
• Only for short periods of time
• Only during breaks
Social Media Policies Topics (8/11)
Linking/friending/etc. with customers, patients and co-workers
• Don’t ask for worker passwords
• Only authorized personnel can participate from accounts established for personnel
• Don’t link/friend/etc. from personal accounts that list the company as your employer
• Example of how to respond to a request:
 – “Thank you very much for your invitation! However, it is against our policies to link with or friend patients in social network sites.”
Social Media Policies Topics (9/11)
Posting photos & videos
• Patient/customer posting (e.g., photos that patients/customers want to take with staff)
 – Ask that they only post images that include staff with the staff’s knowledge
 – Ask that they don’t include others within their images
• Staff posting
 – No posting of patient/customer images unless approved by the Privacy Office or with written consent of the patient
 – No posting of images showing facility entries or other staff unless approved by the Privacy Office
Social Media Policies Topics (10/11)
Reacting to posts about the organization and staff
• Don’t respond directly to negative posts
• Report the negative posts to the PR Office
• Don’t argue, defame, or otherwise act negatively in communications with others online
Social Media Policies Topics (11/11)
Donor searches (e.g., kidney, etc.)
• Only authorized personnel can post messages for such searches
• Only authorized personnel can post replies to posts offering organs
Before Posting Think (1)…
Are you posting anything you, or your friends, family, co-workers, employers, patients or guests don’t want the entire world to see?
– Internet-based social media sites are public, even many that say they are “private”
– Social media sites on “closed” networks have more controls
Before Posting Think (2)…
Do you want that post to be seen forever?
– Once posted on the Internet, information is virtually impossible to remove
– Information posted on internal networks is easier to control
Before Posting Think (3)…
What are the consequences of your posts being used out of context?
– Your Internet posts can be copied, altered, reposted
– Will your hard work be used inappropriately by someone else?
Before Posting Think (4)…
Could your post put you, or your family, friends, co-workers, customers or patients in danger?
– Criminals like to see posts stating when people will be at specific locations, away from their home, etc.
– We are a litigious society
Before Posting Think (5)…
Are you violating any laws?
– Are you violating any healthcare, financial, or other federal, state or international laws?
– Are you committing copyright or licensing infringement with the information you post?
– Are you stating something as fact that really isn’t?
Before Posting Think (6)…
Is your message clear?
– Be sure you are not unintentionally breaking cultural norms or putting out something unintentionally offensive.
– Meet the expectations of company communications for internal sharing.
Remember…
Questions?
Contact Information
Rebecca Herold & Associates, LLC “The Privacy Professor”®
1408 Quail Ridge Avenue
Van Meter, Iowa 50261
Phone 515-996-2199
Web site: www.theprivacyprofessor.com
Blog: www.privacyguidance.com/blog
rebeccaherold@rebeccaherold.com
TwitterID: http://twitter.com/PrivacyProf
Question and Answer
Rebecca Herold & Associates, LLC “The Privacy Professor”®
rebeccaherold@rebeccaherold.com
Social Media Gone Wild: Using Social Media for Spear Phishing & Advanced Targeted Attacks
Aaron Sheridan, Sr. Security Systems Engineer, FireEye
Social Media Connects Us More Than Ever
(Google image search for “Social Media”)
Social Media Content is Accessed and Updated Constantly
(Illustration of typical posts: “Check out this video!” – “That post was hilarious!”)
Advanced Targeted Attacks Using Social Media
Source: http://www.theregister.co.uk/2012/06/20/syrian_skype_trojan/
• Targeting Syrian activists’ Skype accounts
• Latest attack installs the Blackshades Trojan masked as a video file
• When opened on Windows, silently drops a key logger and begins data theft
• Other recent attacks included targeting the YouTube or Twitter credentials of high-profile Syrian opposition
• Remote desktop viewing, webcam spying and audio eavesdropping
Advanced Malware Attack Lifecycle
Poison Ivy Trojan spreading via Skype
Source: http://infosecisland.com/blogview/21340-Skype-Malware-Campaign-Spreading-Poison-Ivy-Trojan.html
Another Example in the News…
The Information Was Used to Craft an Email…
Social Media and the Attack on RSA
A very effective way to find targets
Carefully Crafted Email and Attachment
“…an all too real cyber espionage threat.”
Sourced from: http://www.theregister.co.uk/2011/05/27/lockheed_securid_hack_flap/
Social Media Sites Can Be Used To Store Malware
Malware Retrieves .rtf Exploit Stored on Free Blog
How To Prevent Targeted Spear Phishing Emails
• Support a large range of file types (PDF, Office formats, ZIP, etc.)
• Attachment analysis
• URL analysis
• Correlates malicious URLs to emails at the CMS
REQUIREMENTS
• Protect against spear phishing and blended attacks
• Analyze all emails for malicious attachments and URLs
• Perform in-line MTA active security or SPAN/BCC for monitoring
• Provide brute-force analysis of all email attachments in the VX Engine
• Web MPS integration for malicious URL analysis/blocking
• Web MPS integration for blocking of newly discovered callback channels
The Virtual Execution Engine
PHASE 1: Multi-Protocol Object Capture
• Web MPS – aggressive capture, web object filter
• E-mail MPS – email attachments, URL analysis
• File MPS – network file shares
• MAS – human driven via GUI/CLI/SSH
PHASE 2: Virtual Execution Environments (Dynamic Analysis)
Dynamic, real-time analysis:
• Exploit detection
• Malware binary analysis
• Cross-matrix of OS/apps
• Originating URL
• Subsequent URLs
• OS modification report
• C&C protocol descriptors
Map to target OS and applications; feedback loop to Targeted Threat Intelligence
The Malware Protection System
• Pace of advanced targeted attacks is accelerating, affecting all verticals and all segments
• Traditional defenses (NGFW, IPS, AV, and gateways) no longer stop these attacks
• Real-time, integrated, signature-less solution is required across Web, email and file attack vectors
• Advanced threat protection to supplement traditional defenses and stop advanced targeted attacks
Complete Protection Against Advanced Targeted Attacks: Web, Email and File Malware Protection Systems
Register for a free threat assessment at: www.fireeye.com/stopthreats
5 Criteria for Advanced Threat Protection
1. Dynamic, signature-less engine to detect & block zero-day and targeted inbound attacks (as used by APT actors, crimeware actors, and Hacktivists)
2. Real-time protection to stop data exfiltration
3. Integrated, cross-protocol Web & Email inbound infection and outbound callback protection
4. Accurate, no tuning, and very low false positive rate
5. Global malware intelligence for sharing threat indicators to block zero-day malware & latest callback channels
Question and Answer
Aaron Sheridan Senior Security Systems Engineer, FireEye
aaron.sheridan@FireEye.com
Open Panel with Audience Q&A
• Jean Pawluk- Consultant and Former Chief Architect, Visa
• Rebecca Herold, CIPP, CISSP, CISA, CISM, FLMI
• Aaron Sheridan- Senior Systems Security Engineer at FireEye Technologies, Inc.
Closing Remarks
Online Meetings Made Easy
Thank you to Citrix for donating this Webcast service
Thank you to our Sponsor
CPE Credit
• Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz.
• After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.