Social Media Gone Wild · –Users spending time on social media –Social media apps and sites under constant attack –Users bring your own devices –New hardware, new uses –Single

Social Media Gone Wild

Generously sponsored by:

ISSA Web Conference June 26, 2012

Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London

Welcome Conference Moderator

Mathieu Gorge ISSA Web Conference

Committee

2

Agenda

Speakers

• Jean Pawluk- Consultant and Former Chief Architect, Visa

• Rebecca Herold, CIPP, CISSP, CISA, CISM, FLMI

• Aaron Sheridan- Senior Systems Security Engineer at FireEye

Open Panel with Audience Q&A

Closing Remarks

3

Social Media Gone Wild Is A Perfect Storm is Brewing ?

Jean Pawluk

June 2012

4

Insert

Photo

Here

A Perfect Storm is Brewing

Social interaction has blurred the work / life boundary

Users find many new ways to share data

Factor 1 - Social Media - Amazing Growth

Big Five – Facebook (901M - Feb 2012) – Twitter (500M users – March 2012) – LinkedIn (161M users – March 2012) – Google+ (170M users – April 2012) – Windows Live (330M users – June 2009)

• Non US – Qzone (536M user – Dec 2011) – Tencent Weibo (310M users – Sept 2011) – Sina Weibo (250M users – Sept 2011) – Habbo (230M users – Sept 2011)

• Personal – Foursquare (15M users – Feb 2012) – Pinterest (10.5M users – Feb 2012) – Tumblr (42M users – Feb 2012)

• Corporate – Yammer (~ 5M users – April 2012) – Jive (~3000 firms – Sept 2011) – Chatter (~ 5M users ? – April 2012) – SharePoint (~ 20 M users – Oct 2009)

6

Factor 2 - Easy to use & Hard to control

• BYOD

• Apps permission - Users just say yes – Links to unknown sites

– Data captures by accident or intent by 3rd parties

– Often coded with “ask forgiveness” mindset and little testing

• Geo-location

• Cross – app linking – Think mashups

• Twitter feeds -> LinkedIn

• Photo recognition and geo location tracking – > Foursquare x LinkedIn x Facebook x latest favorite app

Factor 3 - Data Quarrying

• Deep tracking is not just science fiction.

• In reality: – No difference between public and private content

– Online personal and professional content is integrating

– Can harm you and others

• Data and reputation may never “go away”

• Freedom of speech doesn’t mean every thought should be posted (sex-texting)

• Eye-opening reads: – WSJ series “What they Know”

– Time’s “Data Mining: How Companies Now Know Everything About You

Illustration by Joe Zeff

Time Magazine

Factor 4 – Increased Attack Surfaces

More – Users spending time on social media

– Social media apps and sites under constant attack

– Users bring your own devices

– New hardware, new uses

– Single Sign On and ID’s shared across social media

– Widespread use of shortened URL links

Social Media designed for sharing – Data is mobile & accessible anywhere

– More sites available for targeted attacks and to spread viruses and malware.

9

What me ? Worry ? Business are waking up to social media security issues

• Information leaks

• Intrusions

• Viruses and malware

• Spear Phishing

• Loss of IP, corporate plans, market data, customer data

• Brand Damage

• Fear that employees wasting time at work

• Span of control issues with employees, customers and rivals

• Fear competitors trolling for info or creating misinformation to discredit the business.

• Liability and laws that differ around world.

Examples

• Tricking users by friending them and then using them to spread malware – Easier to social engineer and leverage

– Koobface spread between Facebook and Twitter via social users

– Torpig used Twitter topics to create random domains to send victims to pick up malware and spread it further.

• Fake social media posts and updates from your “friends”

• Social Engineering of business - Completive Intelligence - RSA Secure ID hack used fake recruitment plan entry point

• Defrauding friends and relatives with scams asking for emergency funds

• Massive password thefts from social media sites

11

Think about - Legal and Regulatory

• Who has legal liability?

• Who has device ownership ?

• Who owns the data content ?

• Who controls access to content ? – Approval mechanism

– What about censorship ? • Corporate

• Government

• Rogue system creation and use – Do you know what going in your company?

– Internal vs. Competitors

Think about - User awareness, policy & tools

• Content & security levels ?

Create

View / Read

Edit / Delete

• Community use

Open - anyone

Restricted – limited public use

Private – members only

Think about - User Behavior

Who do you trust ?

Users at work:

- Does social media affect work ?

Internal vs. External Content Use ?

Is Social Media (ever) secure ?

How much security is too much ? Courtesy Kexino.com

User Tips

Think before you click ! think before you post !

Think twice about giving apps permission to your data

Beware

– shortened URL's

– interactive upgrade requests

– mobile apps and use of geo-location

Use an up-to-date browser

15

User Tips Continued

Use unique logins and password for every site you use to limit exposure (Yep it a pain)

Verify domains

-check that the URL shows a legitimate website & not into a fake look a like site.

Be cautious of messages, emails, links & posts that seem suspicious.

Make sure security is up to date - patches on, anti-virus/spyware, firewall's, monitors & web advisory tools

16

17

Question and Answer

Jean Pawluk Consultant and Former Chief Architect, Visa

Social Media Gone Wild Rebecca Herold

CIPP, CISSP, CISA, CISM, FLMI

Benefits, Dangers &

Information Security and Privacy Policies

19

Page 20

© Rebecca Herold. All rights reserved.

Agenda

• What Is Social Media?

• A Few Social Media Facts

• Benefits...

• But Be Aware Of The Dangers...

• Using Social Media Apps

• Posting Photos and Videos

• Common Risks and Scams

• Topics/Issues to Cover Within Social Media Policies

• What to Tell Workers

What is “social media”? Just a few examples of the most commonly used types of social media sites:

• Blogs such as TypePad, WordPress, etc.

• Collaboration sites, such as wikis (e.g., Wikipedia, Delicious) and social news (e.g., Digg)

• Livecasting and meeting sites such as Skype, Livestream, etc.

• Microblogs such as Twitter

• Photography and art sharing sites such as Photobucket, Flickr, Picasa, VineMe, etc..

• Presentation sharing sites, such as Scribd, Slideshare, etc.

• Product reviews sites such as Epinions.com, MouthShut.com, etc.

• People reviews sites such as RateMDs.com, Healthgrades.com, etc.

• Social networks such as Facebook, LinkedIn, Google+, Pinterest, etc.

• Video sharing sites such as YouTube, Vimeo, etc.

• Virtual worlds such as Second Life, Maple Story, etc

Page 21

© Rebecca Herold. All

rights reserved.

Page 22


A Few Social Media Facts (1/2) • Twitter has over 555 million users and over 200 million

tweets per day

• Facebook has over 901 million users, 50% of which log in daily

• Over 150 million people use LinkedIn

• Google+ has over 170 million users

• Pinterest has over 11.7 million users

• Over 40% of all Internet traffic is video

• YouTube has 107 million unique visitors each month and 10.3 million followers on Twitter

• The number of social media sites is unlimited

A Few Social Media Facts (2/2)

• Everyone is impacted by social media sites

• What happens on social media sites stays online forever

Page 23


rights reserved.

Benefits • Customer Service

• Knowledge Sharing and Collaboration

• Patient Health Education

• Customer Awareness

• Learning

• Marketing

• New Contacts

• News/World Events

• Patient Care

• Research

• Crisis Management

Page 24


rights reserved.

Dangers • Damage Reputations

• Leaking Information (e.g., PHI, employee info, etc.)

• Network Slow-Downs and Stand-stills

• Personal Relationships Damaged

• Physical Dangers

• Potentially Be Seen By Everyone

• For frequent hacks

• Spread Malware

• Keyloggers

• Time Bandits

• Used As Evidence in Investigations

• Misinterpreted Information

• Violate Laws

• Result in Civil Lawsuits

Page 25


rights reserved.

Using Apps & Other Software

• Spotify

• Foursquare

• Farmville

• Instagram

• TribeHR

• Etc.

Page 26


rights reserved.

Activities from Personal Networks/Devices • Don’t post about work

• Don’t post about co-workers

• Don’t post about customers, patients, etc.

• Don’t sync or share files between personally-owned computers and computers/systems

Page 27


rights reserved.

Risks Posting Photos & Videos

• About workplace, patients, customers and co-workers

• Personal photos

• Patient/customer/consumer photos

• Obtaining consent

Page 28


rights reserved.

Common Social Media Risks and Scams

• Spear phishing

• Social engineering

• Spoofing

• Malware

• Keyloggers

• Denial of Service (DoS)

Page 29


rights reserved.

Social Media Policies Topics (1/11)

Appropriate use of social networks (Facebook, LinkedIn, YouTube and Twitter in particular)

• From the networks

• From the company-owned computing devices

• From networks using personally-owned computing devices

• From staff-owned computing devices and/or networks

• From public computers/networks

Page 30


rights reserved.


Blogging

• Content of posts

• References to co-workers, customers, patients, the business, etc.

Page 31


rights reserved.


Wikis (e.g., Wikipedia, GeniusWiki, Brainkeeper, Zwiki)

• Those (if any) acceptable to use for business purposes

• Those unacceptable to use for business purposes

• Acceptable activities for the wikis

Page 32


rights reserved.


Information that should not be posted from any type of location/computer

• PHI, PII, SPI, etc.

• Co-worker information

• Confidential business information

Page 33


rights reserved.


Marketing

requirements/guidelines

• Positions/departments authorized to

post

• Types of information acceptable to post

• Type of information that should not be

posted

• Do not take personal information from

sites to use for business (e.g.,

marketing, etc.)

Page 34


rights reserved.


Security controls that need to be in place

• Anti-malware

• Firewalls (including personal firewalls)

• Spam prevention

• DLP

Page 35


rights reserved.


Time spent on social networks while at work

• Not while with customers or patients

• Only for short periods of time

• Only during breaks

Page 36


rights reserved.

Social Media Policies Topics (8/11) Linking/friending/etc. with customers, patients and co-workers

• Don’t ask for worker passwords

• Only authorized personnel can participate from accounts established for personnel

• Don’t link/friend/etc. from your personal accounts that list as your employer

• Examples of how to respond to request: – “Thank you very much for your invitation! However, it is against

our policies to link with or friend patients in social network sites.”

Page 37


rights reserved.


Posting photos & videos

• Patient/customer posting (e.g., that patients/customers want to take with staff) – Ask that they only post images that include staff with the staff’s

knowledge

– Ask that they don’t include others within their images

• Staff posting – No posting of patient/customer images unless approved by the

Privacy Office or with written consent of patient

– No posting of images showing facility entries or other staff unless approved by the Privacy Office

Page 38


rights reserved.


Reacting to posts about and staff

• Don’t respond directly to negative posts

• Report the negative posts to the PR Office

• Don’t argue, defame, or otherwise act negatively in communications with others online

Page 39


rights reserved.


Donor searches (e.g., kidney, etc.)

• Only authorized personnel can post messages for such searches

• Only authorized personnel can post replies to posts offering organs

Page 40


rights reserved.

Page 41


Before Posting Think (1)…

Are you posting anything you, or your friends, family, co-workers, employers, patients or guests don’t want the entire world to see?

– Internet-based social media sites are public, even many that say they are “private”

– Social media sites on “closed” networks have more controls

Page 42


Do you want that post to be seen forever?

– Once posted on the Internet information is virtually impossible to remove

– Information posted on internal networks are easier to control


Page 43


What are the consequences of your posts being used out of context?

– Your Internet posts can be copied, altered, reposted

– Will your hard work be used inappropriately by someone else?


Page 44


Could your post put you, or your family, friends, co-workers, customers or patients in danger?

– Criminals like to see posts stating when people will be at specific locations, away from their home, etc.

– We are a litigious society


Page 45


Are you violating any laws?

– Are you violating any healthcare, financial, or other federal, state or international laws?

– Are you committing copyright or licensing infringement with the information you post?

– Are you stating something as fact that really isn’t?


Page 46


Is your message clear?

– Be sure you are not unintentionally breaking cultural norms or putting out something unintentionally offensive.

– Meet the expectations of company communications for internal sharing.


Page 47


Remember…

Questions?

Page 48


Contact Information

Rebecca Herold & Associates, LLC “The Privacy Professor”®

1408 Quail Ridge Avenue

Van Meter, Iowa 50261

Phone 515-996-2199

Web site: www.theprivacyprofessor.com

Blog: www.privacyguidance.com/blog

[email protected]

TwitterID: http://twitter.com/PrivacyProf

Question and Answer

Rebecca Herold & Associates, LLC “The Privacy Professor”®

[email protected]

Social Media Gone Wild Using Social Media for Spear Phishing &

Advanced Targeted Attacks

50

Insert

Photo

Here

Aaron Sheridan, Sr. Security Systems Engineer, FireEye

Social Media Connects Us More Than Ever

51

(Google image search for “Social Media”)

Social Media Content is Accessed and Updated Constantly

52

Ch

eck

ou

t th

is v

ideo

!

That post was hilarious!

Advanced Targeted Attacks Using Social Media

53

Source: http://www.theregister.co.uk/2012/06/20/syrian_skype_trojan/

• Targeting Syrian activists Skype accounts

• Latest attack installs Blackshades Trojan

masked as video file

• When opened on Windows silently drops

a key logger and begins data theft

• Other recent attacks included targeting

the Youtube or Twitter credentials of high

profile Syrian opposition

• Remote Desktop Viewing, Webcam

spying and audio-eavesdropping

Advanced Malware Attack Lifecycle

54

Poison Ivy Trojan spreading via Skype

55

Source: http://infosecisland.com/blogview/21340-Skype-Malware-Campaign-Spreading-Poison-Ivy-Trojan.html

Another Example in the News…

56

The Information Was Used to Craft an Email…

57

Social Media and the Attack on RSA

58

Social Media and the Attack on RSA

59

A very effective way to find targets

60

Carefully Crafted Email and Attachment

61

62

“…an all too real cyber espionage threat.”

Sourced from: http://www.theregister.co.uk/2011/05/27/lockheed_securid_hack_flap/

Social Media Sites Can Be Used To Store Malware

63

Malware Retrieves .rtf Exploit Stored on Free Blog

64

How To Prevent Targeted Spear Phishing Emails

65

• Support large range of file

types (PDF, Office formats, ZIP,

etc.)

• Attachment analysis

• URL analysis

• Correlates malicious URLs to

emails at the CMS

REQUIREMENTS

• Protect against spear phishing and blended attacks

• Analyze all emails for malicious attachments and URLs

• Perform In-line MTA active security or SPAN/BCC for monitoring

• Provide Brute-force analysis of all Email attachments in VX Engine

• Web MPS integration for malicious URL analysis/blocking

• Web MPS integration for blocking of newly discovered callback channels

The Virtual Execution Engine

66

PHASE 1

Multi-Protocol Object Capture

PHASE 2

Virtual Execution Environments

(Dynamic Analysis)

PHASE 1: WEB MPS

• Aggressive Capture

• Web Object Filter

PHASE 1: E-MAIL MPS

• Email Attachments

• URL Analysis

PHASE 1: FILE MPS

• Network File Shares

PHASE 1: MAS

• Human Driven via

GUI/CLI/SSH

Feedback

Loop

DYNAMIC,

REAL-TIME ANALYSIS

• Exploit detection

• Malware binary analysis

• Cross-matrix of OS/apps

• Originating URL

• Subsequent URLs

• OS modification report

• C&C protocol descriptors

Map to Target

OS and

Applications

Targ

eted

Th

reat

Inte

llig

ence

The Malware Protection System

67

• Pace of advanced targeted attacks is

accelerating, affecting all verticals and

all segments

• Traditional defenses (NGFW, IPS, AV,

and gateways) no longer stop these

attacks

• Real-time, integrated, signature-less

solution is required across Web, email

and file attack vectors

• Advanced threat protection to

supplement traditional defenses and

stop advanced targeted attacks

Complete Protection Against

Advanced Targeted Attacks

Web

Malware

Protection

System

Email

Malware

Protection

System

File

Malware

Protection

System

Register for a free threat assessment at:

www.fireeye.com/stopthreats

http://www.fireeye.com/stopthreats

5 Criteria for Advanced Threat Protection

68

1. Dynamic, signature-less engine to detect & block zero-

day and targeted inbound attacks (as used by APT

actors, crimeware actors, and Hacktivists)

2. Real-time protection to stop data exfiltration

3. Integrated, cross-protocol Web & Email inbound infection

and outbound callback protection

4. Accurate, no tuning, and very low false positive rate

5. Global malware intelligence for sharing threat indicators

to block zero-day malware & latest callback channels

Question and Answer

Aaron Sheridan Senior Security Systems Engineer, FireEye

[email protected]

Open Panel with Audience Q&A

• Jean Pawluk- Consultant and Former Chief Architect, Visa

• Rebecca Herold, CIPP, CISSP, CISA, CISM, FLMI

• Aaron Sheridan- Senior Systems Security Engineer at FireEye Technologies, Inc.

70

71

Closing Remarks

Online Meetings Made Easy

Thank you to Citrix for donating this Webcast service

Thank you to our Sponsor

CPE Credit

• Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz.

• After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.

72

Documents

Social Media Gone Wild · –Users spending time on social media –Social media apps and sites under constant attack –Users bring your own devices –New hardware, new uses –Single