Social Networks and Information Security - Oxymoron or can you have both? Ben Rothke, CISSP PCI QSA Senior Security Consultant BT Professional Services April 13, 2010

Infotec 2010 Ben Rothke - social networks and information security


Presentation by Ben Rothke from Infotec 2010- Social Networks and Information Security - Oxymoron or can you have both?


Page 1: Infotec 2010   Ben Rothke - social networks and information security

Social Networks and Information Security

- Oxymoron or can you have both?

Ben Rothke, CISSP PCI QSA

Senior Security Consultant

BT Professional Services

April 13, 2010

Page 2: About me

• Ben Rothke, CISSP CISM PCI QSA

• Security Consultant – BT Professional Services

• Full-time information security since 1994

• Frequent writer and speaker

• Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill)

Page 3: BT in North America

• Operating since 1988

• More than 4,000 employees in the US and Canada

• Network Operations and Customer Service Centers in Atlanta GA, Boston MA, Los Angeles CA, Princeton NJ, Oakdale MN and Nutley NJ

• Seven of the more than 30 BT acquisitions during recent years are HQ in the US: Infonet, Radianz, Counterpane, INS, Comsat, Wire One, Ribbit

• More than 3,500 customers in the US and Canada, including 75% of F500 and 50% of Fortune 1000

• Serving Canadian enterprises in 32 cities, serving hundreds of major customer sites across the country

• Of BT’s top 2,000 customers, 50%+ are headquartered or have major operations in the Americas

Page 4: Why BT for Security?

• 1,400 global practitioners with over 125 accredited security professionals in the US

• With proven experience

– 6,000 security engagements in the US since 1994

– BT has delivered security services to over 75% of the Fortune 500

– Over 1,500 firewalls under management

– Filters over 75,000 viruses from client networks each month

– Monitoring 550 networks with data from over 150 countries and 335,000 devices

• Industry-leading resources

– Comprehensive event correlation platforms and reporting tools

– Operating 9 world class SOCs globally 24/7/365

– Over 100 registered patents, 190 security papers and numerous books

• Delivering an integrated services portfolio

– From assessment to mitigation, on a global basis

– Incorporating industry-leading technology & services, with Counterpane at the core

• Third party validation

– Leadership position in Gartner’s 2007 North American MSSP Magic Quadrant

– Highest capability maturity rating from NSA

– Many accreditations, including BS 27001/ISO 17799, SAS70-II, FIPS 140-2, CERT, FIRST, CLAS, SANS GIAC and CHECK

Page 5: Agenda

• How can enterprises effectively use social networks while not putting their security and data at risk?

• Understanding and dealing with the security risks of social networks

• Making the security focus shift from infrastructure protection to data protection

• Social network security strategies for enterprises

• Social network security strategies for individuals

• Q/A

Page 6: Why are enterprises interested in social networking?

Page 7: Why this is a very cool information security topic

• Easy security tasks

– Block all outbound ftp traffic

– Require disclaimers on all outbound emails

– Block admission to network if host AV signatures are not current

– Require encryption on all outbound files to Moscow office

• Challenging security tasks

– Stop end-users from inappropriate sharing of confidential and proprietary data via social networks

Page 8: Why are people interested in social networking?

Page 9: Social networking - then and now

Computer Associates

• 1990’s

– President Charles Wang limits employees’ email usage

• to 1 hour in the morning & afternoon

• to emphasize face-to-face interaction rather than sending e-mails

• 2010

– Computer Associates is now on Twitter

• http://twitter.com/cainc

Page 10: Social networks huge - getting larger

• 75% of US online adults use social tools

– up from 56% in 2007

– The Growth Of Social Technology Adoption - Josh Bernoff, Forrester

Page 11: The social web

• Social web is about communities, collaboration, peer production and user-generated content

• Business reputations are defined by customer opinions and ratings

• Press is delivered by independent bloggers

• Product development and insight is driven by customers

• Digital natives who have grown up with the Internet flood the workplace

• Your employees will likely expect to be part of the social web and they'll have a lot to contribute

• Source: Joshua-Michéle Ross

Page 12: Today’s social networking reality

Page 13: Resistance to social networks is futile

• Social networks are not a fad

• Prepare a strategy and have a realistic understanding of the risks and benefits of social software

• Understand the unique challenges with social networks and factor them into the decision on when and how to proceed

• Gartner - Major Challenges Organizations Face Regarding Social Software

Page 14: Social networks are major news stories

Page 15: But the security risks can’t be ignored

Page 16: Social networks - security game-changer

• Organizations and management are struggling

– to understand and deal with the security risks of social networks

• Traditional information security

– firewalls and access control protected the perimeter

– social networks open up that perimeter

• Focus shift

– from infrastructure protection to data protection

• DLP (data loss prevention) tools

– becoming the new firewall for the social web

• Bypass corporate services

– Facebook for email

– Skype as a telephone system

– Gmail for instant messaging
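The DLP bullet on this slide, and the "challenging security task" of slide 7 (stopping inappropriate sharing of confidential data via social networks), are where a technical control meets the shift to data protection. The Python below is an added illustration, not part of the original presentation and not any vendor's product: a minimal outbound-post filter of the kind a DLP proxy applies. It flags card numbers (validated with a Luhn check so order numbers and tracking references are not false positives), US SSNs, and a constructed taboo list of classified topics, then returns a block / warn / allow decision. The term list and the sample posts are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed taboo list of confidential topics (slide 34's "topic taboo lists",
# fed by the data classification program of slide 32). Hypothetical terms only.
CONFIDENTIAL_TERMS = ("project nightjar", "q3 forecast", "customer list")

# 13-16 digit card-like runs with optional space/dash separators, and the US SSN format.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


@dataclass
class Finding:
    kind: str    # "card", "ssn" or "confidential-term"
    match: str   # the text that triggered the finding


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_post(text: str) -> list:
    """Return every DLP finding in one outbound post."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(Finding("card", m.group()))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", m.group()))
    lowered = text.lower()
    for term in CONFIDENTIAL_TERMS:
        if term in lowered:
            findings.append(Finding("confidential-term", term))
    return findings


def decide(text: str) -> str:
    """Policy: regulated identifiers are blocked outright, classified topics are
    held for review with an explanation to the user (slide 29), the rest passes."""
    kinds = {f.kind for f in scan_post(text)}
    if kinds & {"card", "ssn"}:
        return "block"
    if kinds:
        return "warn"
    return "allow"


# Constructed sample posts, as a DLP proxy would see them leaving the network.
SAMPLE_POSTS = [
    "Great conference today, see everyone at dinner!",
    "Excited about Project Nightjar shipping next month!",
    "Expense card for the trip: 4111 1111 1111 1111",
    "Tracking ref 4111 1111 1111 1112 for the shipment",  # fails Luhn: not a card
    "Onboarding done, SSN 123-45-6789 entered in HR",
]


def review_queue(posts=SAMPLE_POSTS) -> dict:
    """Map each post to its decision; this is what an administrator would audit."""
    return {post: decide(post) for post in posts}


if __name__ == "__main__":
    for post, verdict in review_queue().items():
        print(f"{verdict:5s}  {post}")
```

The decision tiers mirror the slide's point that the control belongs at the data, not the perimeter: the same filter works whether the post leaves through a browser, a mobile client or a desktop application, because it inspects content rather than destination.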

Page 17: Security issues

• There are legitimate risks with allowing uncontrolled access to social networking sites

– risks can be mitigated via a comprehensive security strategy

• Security and trust

– social networks require a full taxonomy of security

– people are much more trusting of a message from a friend or colleague on a social network than they are of an e-mail

– people are used to e-mails being forged

• People will share extraordinary amounts of highly confidential personal and business information with people they perceive to be legitimate

Page 18: Social media risks

| Risk | Description | Security? | Type? |
| --- | --- | --- | --- |
| Malware | Infection of desktops, propagation of malware through staff or corporate profiles on social-media services. | Yes | Technology |
| Chain of providers | Mashups of applications within a social-media service enable the untraceable movement of data. | Yes | Technology |
| Interface weaknesses | Public application interfaces are not sufficiently secured, exposing users to cross-site scripting and other exploits. | Yes | Technology |
| Reputation damage | Degradation of personal and corporate reputations through posting of inappropriate content. | No | Content |
| Exposure of confidential information | Loose lips sink ships, breach of IP or other trade secrets, breach of copyright, public posting or downloading of private or sensitive personal information. | Yes | Content |
| Legal exposure | Legal liabilities resulting from posted content and online conversations or failure to meet a regulatory requirement to record and archive particular conversations. | Yes | Content |
| Revenue loss | For organizations in the information business, making content freely available may undercut fee-based information services. | Yes | Content |
| Staff productivity | Workers failing to perform due to the distraction of social media. | No | Behavior |
| Hierarchy subversion | Informal social networks erode authority of formal corporate hierarchy and defined work processes. | No | Behavior |
| Social engineering | Phishing attacks, misrepresentation of identity and/or authority to obtain information illicitly or to stimulate damaging behaviors by staff. | Yes | Behavior |
| Identity fraud | Profiles and postings that are erroneously attributed to a staff member or corporate office. | Yes | Behavior |

Source: Gartner – Report G00173953 - February 2010

Page 19: How information security groups lose the social media war

• Social media security requires a combination of technical, behavioral and organizational security controls

– Many information security groups are clueless on how to do that

• Arguing that social media presents unmanageable security risks gives the impression that the information security group is incompetent

• Too much use of the FUD (fear, uncertainty and doubt) factor as part of their argument

Page 20: Social network postings are immortal

• Physics 101 - Law of conservation of energy

– total amount of energy in an isolated system remains constant

– energy can’t be destroyed - can only change form

• Social networks physics 101

– Internet - huge database of unstructured content with an infinite life

– once confidential data is made public, it can never be made confidential again

– once data is posted in a Web 2.0 world, it exists forever, somewhere

• RSS feeds can’t be unfed

– difficulty of complete account deletion

• users wishing to delete accounts from social networks may find that it’s almost impossible to remove secondary information linked to their profile such as public comments on other profiles

Page 21: Security issues - aggregation

• Aggregation

– process of collecting content from multiple social network services

– consolidates multiple social networking profiles into one profile

• Google OpenSocial

– defines common API for social applications across multiple websites

– with standard JavaScript and HTML, developers can create apps that access a social network’s friends and update feeds

• Long-term anonymity is nearly impossible

– users leave traces, IP addresses, embedded links, IDs in files, photos, etc.

– no matter how anonymous one tries to be, eventually, with enough traces, aggregation will catch up

Page 22: Security and privacy risks

• Malware

• Social networks used as a malware distribution point

• Vulnerabilities

– cross site scripting (XSS), cross site request forgery (CSRF)

– 1 in 5 web attacks aimed at social networks

• Corporate espionage

• Phishing / spear phishing

• Bandwidth consumption

• Information leakage

• Social engineering attacks

• Content-based Image Retrieval (CBIR)

– emerging technology that matches features, such as identifying aspects of a room (e.g. a painting), in very large databases, increasing the possibilities for locating users

Page 23: Mission Impossible 1999 is social networking 2010

• Your mission

– find 20 divorced/single female design engineers based in the US at Boeing Integrated Defense Systems

– build a rapport with them

– get critical data or designs for new fighter under development

• Time / Budget / Success

– 1999 – Many people, many months, limited success, very expensive

– 2009 – One person, multiple Facebook accounts, can outsource to India, near immediate results, extremely high success rate

• Facebook makes it easy to find out who these women are

– who their friends are (likely other single women at Boeing)

– what they like, where they shop, their daily habits, their friends, entertainment, and much more

Page 24: Social networks and information security

• Social networks and security are compatible

– requires effort, staff, and a formalized plan of action

• Formalized, comprehensive social networking strategy

– there are no social network security appliances

• Public corporations

– subject to SEC disclosure obligations, must deal with fair disclosure rules

– inside information on a social network is a regulatory violation

– must have formal logging and archiving in place for social networks

Page 25: Strategies and action items for enterprises to deal with the security and privacy risks of social networks

Page 26: Get in front of the social network wave

• Organizations must be proactive

– dedicated team to deal with social networks

– ability to identify all issues around social networks

• Get involved and be engaged

• Social networking is moving fast

– dynamic technology

– requires a proactive protection approach

• Be flexible

– overall uncertainty about what strategies and tactics to adopt to secure social media

Page 27: Risk assessment

• Social media create new opportunities for fraud and abuse

• Enables a wide range of abuses

– Must be anticipated and evaluated to construct appropriate security plans and controls

• Perform social network risk assessment

– create risk assessment for each social network community

– vulnerabilities associated with specific sites

– which users are the greatest risk?

– output will be used to create the social media policy and strategy

– customized to your specific risk matrix

– balance the risks vs. benefits

• US Marines – totally prohibited

• Starbucks – totally embraced

Page 28: Social media strategy

• Strategy and policy should be based on your social media goals

• Take into account any special laws or rules

• Identify people or positions who will be the online public face of the firm

• Decide if and how employees may identify themselves

• Involve risk managers in your planning

• Draconian policies preventing the use of social media will not be effective

• Use a balanced approach

– allow access

– manage risk via technical controls, policies and employee training

Page 29: Monitoring

• Maintain control over content company owns

– monitor employee participation on social networking sites

– significant risk of loss of IP protection if not monitored

– when inappropriate use of enterprise content occurs, notify employee and explain how their actions violated policy

– control where and how corporate content is shared externally

Page 30: Social network assessments

• Perform a LinkedIn analysis

• From LinkedIn you can tell:

– what technologies a company is using

– corporate direction

– vendors

– partners

– internal email addresses and address formats

• Perform a Facebook analysis

• From Facebook you can tell:

– almost everything

Page 31: Define corporate social media policy and strategy

• Social networks blur boundary between company roles

– who speaks for the company on a blog, Twitter, Facebook

– border between the company and the outside world is evaporating

– this is a management decision, not an IT decision

– strategies: block, contain, disregard, embrace

– create user scenarios

• not all users need access

– see Twitter strategy for Government Departments

– ensure your corporate social media strategy is realistic

– view webinar by Joshua-Michele Ross on how to do this

Page 32: Corporate social networking policy

• Social networking policy is a must

– even if it prohibits everything, you still need a policy

• Policies are needed because employees do stupid things

• Define a rational, sensible use of social media services

– include photography and video

– don’t reference clients, customers, or partners without obtaining their express permission

• Data classification

– create a data classification program

– users need to be able to know precisely the different data classification levels

Page 33: Security awareness

• Social media is driven by social interactions

• Most of the significant risks are tied to the behavior of staff when they are using social software

• Governance of staff behavior must take into account both the technical capabilities of the social software and the relative tendency of staff to engage in risky behavior in social media

• Don't shun social media for fear of bad end-user behavior.

– Anticipate it and formulate a multilevel approach to policies for effective governance.

• 3 C’s: clear, comprehensive, continuous

Page 34: Security awareness

• Awareness and training program is critical

– must be effectively communicated and customized

– disseminate to everyone

– ensure recurrent training

– create topic taboo lists

– define expectations of privacy

• Link social networking training to other related training

– business ethics, standards of conduct, industry-specific regulations

• Public companies

– at risk for disclosure of insider information

– even if not at fault, assertion of insider disclosure is expensive, embarrassing and time consuming

Page 35: Guidelines

• Without clear guidelines, breaches are inevitable

• Excellent sources:

– Intel Social Media Guidelines

– IBM Social Computing Guidelines

• directives for blogs, wikis, social networks, virtual worlds and social media

Page 36: Regulatory

• Regulatory compliance must be considered

– social networks present numerous scenarios which weren’t foreseen when current legislation and data protection laws were created

– regulatory framework governing social networks should be reviewed and, where necessary, revised

– consider what specific laws/regulations/standards apply

– all breach notice laws are relevant

• if customer or employee PII is posted, breach response plans would likely need to be followed and notices would need to be sent

• HIPAA and expanded responsibilities under ARRA HITECH

• newly released final breach response rules from the HHS

Page 37: EU and social networks

• EU Data Privacy Directives

– EU Directive on Data Protection 95/46/EC

– Data Protection Working Party Opinion 5/2009

– EU countries take personal privacy very seriously

• tagging of images with personal data without the consent of the subject of the image violates the user’s right to informational self determination

• blanket monitoring and logging is unacceptable in EU

• many more privacy details need to be considered

• Review ENISA position paper

– Security Issues and Recommendations for Online Social Networks

– Online as Soon as it Happens

Page 38: Human resources

• Human resources must be involved

– social networks open up a huge can of HR worms

– what are disciplinary actions for non-compliance?

– candidate’s social network presence as a factor in the hiring process?

– create directives for managing personal and professional time

– don’t be seen as encroaching on your employees’ free speech rights

– put out reasonable guidelines

– explain how innocent postings can be misconstrued

– but…a too heavy-handed approach will often backfire and result in lower morale and often bad publicity

Page 39: Hardware and software solutions

• Gartner

– Market for security controls for social media is relatively immature

– Security managers need to develop control environments that incorporate new tools and techniques to monitor and control user activity and data movement

– IT organizations have concentrated for too long on using technical controls to ensure that IT and business resources are used appropriately

– In some situations, social guidelines can be more effective than technical controls

Page 40: Reputation management

• Traditional PR and legal responses to an Internet-based negative reputation event can cause more damage than doing nothing

• Understanding how to establish, follow and update protocols can make social-media chaos less risky to enterprises

• Information security should coordinate activities with PR teams to expand monitoring and supplement monitoring with investigations and evidence collection processes

Page 41: Dealing with reactive chaos

• Rare for companies to have tools and skills to conduct investigation into origins of inappropriate material and the identity of the individuals involved in social media breaches

• CSIRTs are called on to provide investigation support.

– but often contacted late

• Optimal approach

– monitoring and managing social media and incident response requires approach that combines efforts and capabilities of the PR, HR and information security teams

Page 42: Reputation management

Page 43: Reputation management

• Goal is to build and protect a positive Internet-based reputation

• Risks to reputation are significant and growing with the increased use of social networks

• Create reputation management group with input from IT, legal, risk management, PR and marketing

• Coordinated approach

– proactive / responsive

Page 44: Strategies and action items for individuals to deal with the security and privacy risks of social networks

Page 45: Let’s be careful out there

• You can lose your job

– policy violation

– managers and executives - special responsibility when blogging by virtue of the position

– too much time on social network sites

– perception that you are promoting yourself at the expense of the company

– especially if your employer is not into social networking

• Don’t embarrass yourself, friends, family, coworkers

• Be aware of the dark side of social networks

– divorce

– cyberbullies

– see MySpace suicide case

Page 46: Action items – individual user

• Curb your enthusiasm

– those with OCD/addictive personalities must ensure they know the addictive nature of social networking

– what is fun today is embarrassing tomorrow

– don’t post comments that you don’t want the entire world to see

– consider carefully which images, videos and information you publish

– set daily time limits on how much time you will spend

• When at work

– you are being paid to work when you are at work

– don’t abuse the trust your employer had in hiring you

Page 47: Social incrimination

• Everything you post may be used against you

– be judicious when posting, especially photos/videos

• copyright issue

– camcorders now have Direct Upload to YouTube capabilities

• Don’t post a photo that you don’t want the world to see

• Watch that pose – the world will see you in that photo

– images give away private data about other people, especially when tagged with metadata

• Enable Facebook security controls

– 10 Privacy Settings Every Facebook User Should Know
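Slide 21 (users leave traces in files and photos) and the metadata bullet on this slide make the same point: an image carries more than what is in the frame. The Python below is an added example, not part of the original presentation: it constructs a minimal JPEG carrying an Exif APP1 segment with a GPS IFD (there is no real picture in it), reads the coordinates back the way any viewer or aggregation service would, and strips the Exif segment so the file can be posted without them. The coordinates and the comment text are constructed; the segment walker assumes a normally structured file with no stand-alone markers before the scan data.

```python
import struct

EXIF_MAGIC = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-IFD


def _rationals(triple):
    """Pack three (numerator, denominator) pairs as little-endian RATIONALs."""
    return b"".join(struct.pack("<II", n, d) for n, d in triple)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Construct a tiny JPEG: SOI, Exif APP1 with a GPS IFD, a COM segment, EOI.
    It carries no picture; it exists only to exercise the parser and the stripper."""
    tiff = b"II" + struct.pack("<HI", 42, 8)             # TIFF header, IFD0 at offset 8
    tiff += struct.pack("<H", 1)                          # IFD0: one entry
    tiff += struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26)   # LONG, GPS IFD at offset 26
    tiff += struct.pack("<I", 0)                          # no IFD1
    tiff += struct.pack("<H", 4)                          # GPS IFD: four entries
    tiff += struct.pack("<HHI4s", 0x0001, 2, 2, lat_ref.encode() + b"\x00")  # GPSLatitudeRef
    tiff += struct.pack("<HHII", 0x0002, 5, 3, 80)        # GPSLatitude -> rationals at 80
    tiff += struct.pack("<HHI4s", 0x0003, 2, 2, lon_ref.encode() + b"\x00")  # GPSLongitudeRef
    tiff += struct.pack("<HHII", 0x0004, 5, 3, 104)       # GPSLongitude -> rationals at 104
    tiff += struct.pack("<I", 0)                          # end of GPS IFD (offset 80 here)
    tiff += _rationals(lat_dms) + _rationals(lon_dms)
    payload = EXIF_MAGIC + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    note = b"constructed sample, not a real photo"
    com = b"\xff\xfe" + struct.pack(">H", len(note) + 2) + note
    return b"\xff\xd8" + app1 + com + b"\xff\xd9"


def iter_segments(data):
    """Yield (marker, raw segment bytes); SOS (with its entropy data) or EOI ends the walk."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):
            yield marker, data[pos:]
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length


def _exif_tiff(data):
    for marker, seg in iter_segments(data):
        if marker == 0xE1 and seg[4:10] == EXIF_MAGIC:
            return seg[10:]
    return None


def _read_ifd(tiff, bo, offset):
    """Map tag -> (type, count, 4-byte value field) for one IFD."""
    (n,) = struct.unpack(bo + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(bo + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def _dms(tiff, bo, value_field, ref):
    """Three RATIONALs (degrees, minutes, seconds) at the offset in value_field -> decimal degrees."""
    (off,) = struct.unpack(bo + "I", value_field)
    deg, mins, secs = (n / d for n, d in struct.iter_unpack(bo + "II", tiff[off:off + 24]))
    value = deg + mins / 60 + secs / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(data):
    """Return (latitude, longitude) in decimal degrees, or None if the file carries none."""
    tiff = _exif_tiff(data)
    if tiff is None:
        return None
    bo = "<" if tiff[:2] == b"II" else ">"
    (ifd0_off,) = struct.unpack(bo + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, bo, ifd0_off)
    if GPS_IFD_TAG not in ifd0:
        return None
    (gps_off,) = struct.unpack(bo + "I", ifd0[GPS_IFD_TAG][2])
    gps = _read_ifd(tiff, bo, gps_off)
    if not all(t in gps for t in (1, 2, 3, 4)):
        return None
    lat = _dms(tiff, bo, gps[2][2], gps[1][2][:1].decode())
    lon = _dms(tiff, bo, gps[4][2], gps[3][2][:1].decode())
    return round(lat, 6), round(lon, 6)


def strip_exif(data):
    """Copy the JPEG without its Exif APP1 segment(s); every other segment is kept as-is."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in iter_segments(data):
        if not (marker == 0xE1 and seg[4:10] == EXIF_MAGIC):
            out += seg
    return bytes(out)


# Constructed coordinates (47°36'22"N, 122°19'55"W), as a camera phone would record them.
SAMPLE_JPEG = build_sample_jpeg(((47, 1), (36, 1), (2200, 100)), "N",
                                ((122, 1), (19, 1), (5500, 100)), "W")

if __name__ == "__main__":
    print("before upload:", extract_gps(SAMPLE_JPEG))
    print("after strip:  ", extract_gps(strip_exif(SAMPLE_JPEG)))
```

Running the block prints the coordinates first and None after stripping. Stripping on the client before upload is the only reliable control: whether a given service removes Exif on ingest is the service's decision, and (per slide 20) copies that were already fetched keep whatever the original carried.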

Page 48: Action items – individual user

• Limited security capabilities

– don’t assume social network sites will give you privacy or confidentiality

– especially over the long-term when items are cross-posted/shared

• Ensure you know about and are compliant with employer’s social media guidelines

– if you post something corporate, ensure that it is public information

– be careful about posting customer information, even if it is public

– breach of insider information can cost you your job

– know the rules of using social networking sites while you’re at work

– take extra care if you friend your boss on Facebook

– Facebook is viral and addictive – don’t waste your workday on it

Page 49: Action items – individual user

• Bad social networking can lead to career suicide

• Use and maintain anti-virus software

• HR is looking

– 45% of employers now screen social media profiles

• Realize the inherent tension in social networks

– know your limits

– social networks are like a party

– point is to have fun without humiliating yourself

• Choose good passwords

– follow password creation rules

– don’t use the same password across multiple social networks

Page 50: Action items – individual user

• Don’t accept every Facebook invitation

• Realize you are a target for social engineers

• Be aware of friends asking for salami

• What does your friends’ list say about you?

• Something you post today, or a YouTube video you appear in, can haunt you for the rest of your life

• Trust but verify all invitations

• Limit the amount of personal information you post

– do you really need to post your birthday?

– get in the habit of not sharing personal data

Page 51: Action items – individual user

• Be careful when taking surveys

– especially on Facebook

– answers can be aggregated by bogus surveys to launch social engineering attack

– password recovery answers

• Not everything needs to be commented on

– Think twice before posting about

• interviews

• complaints about long/boring meetings

• complaints about coworkers, management, bosses, etc.

• off the cuff remarks

Page 52: Children

• Especially susceptible to social network threats

– kids misrepresent their age to join sites that have age restrictions

– kids post more information in their pictures than was intended, such as hobbies, interests, location of their school

• Teach your kids about Internet safety

– be aware of their online habits, guide them to appropriate sites

– they should never meet in person anyone they met online

• Parents must ensure that their children become safe and responsible users

• National Cyber Alert System Cyber Security Tip ST05-002

– Keeping Children Safe Online

– http://www.us-cert.gov/cas/tips/ST05-002.html

Page 53: Conclusions / Q&A

• Social networks introduce significant security risks

• Companies must recognize these risks and take a formal approach to deal with them

• Individuals can’t be naïve about their responsibilities

• Social networks and security - not an oxymoron

– as long as social network security is part of a comprehensive corporate information security program

– and end-users and individuals are aware of the risks and their responsibilities

Page 54: Contact information

Ben Rothke, CISSP PCI QSA

Senior Security Consultant

BT Professional Services

[email protected]

www.linkedin.com/in/benrothke

www.twitter.com/benrothke