This is a presentation slide deck from the ISC2 Congress 2012 Session 3283 about identifying the risks of using social media in the enterprise.

1. Risk Assessment of Social Media Use
Robert Shullich, CPP, CISSP

2. Agenda
• Who Am I
• Rules of Engagement
• Social Media
• Risk
• Case Studies
• Recommendations
• Q&A
2

3. Who Am I
• About a year in current job
• 8 years in Corporate Security
• 16 years at the Stock Exchanges (NYSE/AMEX)
• 8 years at a software company
• 3+ years in CUNY
• IT security for more than 20 years
• In IT for 40 years
3

4. Disclaimer
• I am not a lawyer, any information presented
here is not meant to be legal advice. If you
need legal advice, please seek counsel with a
qualified and licensed professional who
practices law in the subject matter and
jurisdiction that applies.
• Opinions expressed here are my own, and are
not meant to be opinions of ASIS, ISC2, or
anyone I work for.
4

5. Rules of Engagement
• Pure Risk, Not Opportunist
• Chicken Little – The Sky is Falling
• Objective is to Protect
• No Recommendation on Block v. Allow
• Legal and Regulatory compliance is focused on
USA
• This is NOT legal advice
• Suggestions, but Not Solutions
5

6. Disruptive Technologies
• Social Media
• Consumerization of IT (BYOD, BYOT, BYOB)
– Bring Your Own
• Devices, Technology
• Disaster, Toys, Botnet
• Cloud Computing
• Mobile
6

7. Research (Old Way)
7

8. Research (Today)
8

9. Social Media
Social Engineering
• Two different concepts
• Both have the adjective “Social”
• Social Media can be used as platform for
Social Engineering
• Social means “Human”
• Largest threat “Human”
• No Brain Patches
9

10. Threat: Humans
10

11. Early E-Mail FAIL
11

12. Separation
12

13. Discretion
13

14. Behavior
It has long been accepted that online
behavior differs from the behavior
people would exhibit in the real
world due, largely, to the anonymity
it allows.
14

15. Digital Gen Z
“With all of the social media outlets out there-
from Facebook and Myspace to Twitter to
Instagram to cell phone texting-kids today are
communicating and challenging each other in
a completely new way, doing and saying things
they wouldn't if they were talking face-to-
face”.
15

16. Anonymity
16

17. Anonymity
17

18. Lack of Common Sense
• Are people getting dumber?
18

19. Info-Sec Warning
19

20. The Dark Knight’s Secrets
20

21. Where You Are
21

22. What is Social Media?
• One of the key ingredients is:
– User Generated Content
• Earlier Applications
– Collaboration
– Instant Message
– E-Mail
– Forums
22

23. Social Media Not New
• Prior to Internet
• BBS
• Services
23

24. Social Media is Big
24

25. One Stop Shopping
25

26. Rise of Social Networks
RANK Category
Share of Time
June 2010
Share of Time
June 2009
% Change in
Share of Time
1 Social Networks 22.7% 15.8% 43%
2 Online Games 10.2% 9.3% 10%
3 E-mail 8.3% 11.5% -28%
4 Portals 4.4% 5.5% -19%
5 Instant Messaging 4.0% 4.7% -15%
6 Videos/Movies** 3.9% 3.5% 12%
7 Search 3.5% 3.4% 1%
26

27. Social Media Uses
• Media – Sharing of Photos, Videos
– Flickr, YouTube
• Networking – Staying Connected
– Linkedin, Facebook, Friendster
• Publishing
– Blogging, Wikis, MicroBlogging
• Commerce
– eBay, Pazap.com, MyStore.com
• Collaboration
– Google Apps
27

28. To Ban or Not to Ban
• Decision should be based on:
– Risk and Risk Appetite
– Business Need
– Business Culture
– Business Regulatory Requirements
– Other business factors
In the end - It is a business decision
28

29. What does Block Mean?
29

30. Blocking Outcome
30

31. Who is at Risk?
• Each Individual
– Shoot yourself in the foot
• Organizations
– Employee puts organization at risk
– Insider
• Third-Party Observers
– Put target at risk
– Outsider
31

32. Individual
• Write Blog entry about themselves
– Teacher Loses Job After Commenting About Students,
Parents on Facebook
• Post Picture about themselves
– Drunken Pirate – Student can’t get Teaching License
• Tweet about themselves
– Cisco just offered me a job! Now I have to weigh the
utility of a fatty paycheck against the daily commute
to San Jose and hating the work
32

33. Drunken Pirate
33

34. WeinerGate
34

35. Tweeting
35

36. Organizations
• Tweet Gives up Location
– IT Consultant tweet’s Osama Bin Laden Raid
• Linkedin
– Company’s Configuration exposed
– Spam attacks with malicious code to linkedin
communities (Spear Phishing)
– Know who is looking for job, ready to jump ship
36

37. Third-Party Observers
• Drive by paparazzi
– Cop Undone By Photos Of Bikini Girls On Facebook
– Falsely Tagged Facebook Photo Gets Palestinian
Jail Time And Trial
• Rodney King
• Occupy Movements
• Hacktivism
• Facial Recognition
37

38. Objective
38

39. Risk Management
• Can’t Assess unless Threats are Known
• Have to keep up with the news
• Social Media Policy has to be customized
39

40. How to Address Risk
• Avoid
• Mitigate
• Transfer
• Accept
40

41. Reputation
41

42. Scarlet Letter
42

43. Negative Brand
43

44. I have been burned
• Forums for unsatisfied customers to report
their negative experiences
• If a company is running a scam, it is a good
way to get the word out
44

45. Information Leakage
• Data Loss
• Piracy and Infringement, IP
• Corporate Espionage
• Reconnaissance
• Organizational Financials
45

46. VIP Protection
• Also Executive Protection
• Movement sometimes restricted
46

47. Credential Leakage
• ID Cards for Olympic Village, no special
protection, standard bar codes, tweet your
safety away!
47

48. Content
• Printed word
• Photographs
• Images
• Music
• Video
• Content imbedded in Content
48

49. Content Management
• Litigation Lawyers looking for the Smoking
Gun
• Social Media rich in discoverable information
(e-discovery) and the courts are willing to
accept it
49

50. Public Relations
• Who Speaks for the Corporation?
• 1/3 Employees Disciplined for Inappropriate
comments about company made on personal
social media sites.
50

51. Content Management
• Permanence
• Stale or Outdated Information
51

52. Content
Censorship
“Everyone is entitled to his own opinion but not
his own facts” (Daniel Patrick Moynihan)
52

53. Content Management
• Ownership
• Control
• Moderation
• Forensics
53

54. Recording & Archiving
• Various regulations require archiving and
retention of communications
• This has included e-mail and instant
messenger
• Social Media is all about communications
• Example: Facebook has a chat feature and e-
mail offering – How do you capture those
communications?
54

55. Privacy
55

56. Privacy Issues
• Lack of Awareness
• Trust
• Application (games)
56

57. Background Checks
• A lot of Information on a lot of sites
• Easily Collected through search engines
• But
– Due Diligence v. Discrimination
– Information not vetted – may not be accurate
– Martin Gaskell – University of Kentucky
• $125K out of court settlement
57

58. Hiring Practices
• NLRB stepping in and saying FCRA Notice is
required if Social Media used in hiring decision
58

59. Geotagging
• Wikipedia:
Geotagging (also written as GeoTagging) is the
process of adding geographical identification
metadata to various media such as photographs,
videos, websites, SMS messages, or RSS feeds and
is a form of geospatial metadata
59

60. Geotagging
• Photo taken inside factory (or outside) with GPS
coordinates, uploaded to social networking
where metadata might not be stripped
• Anyone downloading the photo, and gets
metadata has location also
• Can find out where your secret factory is located
• Photo might be taken by someone you don’t have
control over
60

61. GPS Tracking
• Each day device collects and stores data of
where the device was located
• GPS devices used in cars can track at intervals
where the device has been. Used in GPS
forensics to get Travel history
• All of a sudden people were surprised that
Apple and Google did the tracking in phones
as well.
61

62. Facebook Places
• Lets you share where you are
• And you can find out where friends are as well
• Are you at risk because someone knows where
you are?
• Are you at risk because you are not where you
are supposed to be?
• If they know where you are, then they know
where you aren’t – like your house is empty!
• Facebook Timeline – where have you been?
• Is a badge on Foursquare worth your life?
62

63. Please Rob Me dot Com
63

64. Legal
64

65. Regulatory Compliance
• Payment Card Industry (PCI)
• The Health Insurance Portability and Accountability Act
(HIPAA) of 1996
• Securities and Exchange Commission (SEC) Rule 17-a
• Financial Industry Regulatory Authority (FINRA) Notice
10-06 and Notice 07-59
• Sarbanes-Oxley Act
• The Federal Energy Regulatory Commission (FERC)
• The Gramm-Leach-Bliley Act (GLBA)
• 21 CFR Part 11 (FDA)
65

66. Facebook Pictures
66

67. More HIPAA
• Nurses Fired Over Cell Phone Photos Of Patient
• Shark Attack Victim Photos Put Hospital
Employees in Hot Water
• Photos taken in ER room of dying man
• Patient-Doctor Facebook “Friends” Could Be A
HIPAA Violation
67

68. Illegal Activities
• Harassment
– Bullying, Stalking, Sexting, Extortion, Blackmail
• Discrimination
• Unfair Competition
• Criminal Activity (Cybercrime)
• Civil Unrest, Riots, Demonstrations
• Click Fraud
68

69. Get out of Jail Free Card
• Applies to Social Media Sites, ISP’s and Cloud Computing
Storage Providers
• Copyright Infringement – Digital Millennium Copyright Act
(DCMA)
– Block or remove (Take-downs)
• Third Party Posted Content – Communications Decency Act
– Not responsible for content posted by third party
69

70. Block Social Media?
• How do you block at the office?
– BYOD (Bring your own device – Consumerization
of IT)
• Cell Phone with Internet
• Tablet with Internet
• How do you block outside of the office?
– Can control company issued assets
– Can’t control personal non-company assets
– Can’t control outsiders
70

71. Attack Vectors
• Viruses and Malware
• Scams
• Phishing
• Account Hijacking (Evil Twin)
• Shortened URLs
• Password Breaches of SM Sites
• Search Engine Poisoning
• Technology Moves Fast, Crime too Widespread
• Blended Attacks
71

72. Scams
72

73. Shortened URL
• URL posted in tweets and also used in other
social networking sites are shortened
• Example: Tinyurl.com, Bit.ly, Cli.gs, Zi.ma
• Some provide tracking services as well
• Shortened URL’s can direct anywhere:
– Porn Sites
– Malware Sites
– Spam Sites
– Phishing sites
73

74. FB SPAM - Virus
• OMG! Its unbeliveable now you can get to
know who views your facebook profile.. i can
see my top profile visitors and i am so
shocked that my EX is still creeping my profile
every hour. click below
• 21 hours ago via Reviews ·LikeUnlike · · See
Friendship · CLICK 2 SEE YOUR STALKERS
74

75. Passwords Hacked
• Linkedin – 6M (June 2012)
• Formspring – 420K (July 2012)
• eHarmony – 1.5M (June 2012)
• Yahoo 400K – July 2012
• Phandriod’s AndroidForums 1M – (July 2012)
• Dropbox (Aug 2012)
• Battle.net (Aug 2012) (Blizzard’s multiplayer)
• NVIDIA Developer Forum (July 2013)
• Twitter – 55K (May 2012)
75

76. Firesheep
• Simple Firefox browser plug-in
• Wireless sniffer to pick up social media
passwords.
76

77. Operational
77

78. Operations
• Employee Productivity
• Resource Usage
• Monitoring Costs
78

79. What is the Solution?
• Assume it can’t be blocked effectively
• The damage may be caused by someone NOT
in the company – a third party outsider
• For the employees, contractors, and
temporary workers – a Social Media Policy,
and Security Awareness Training
• For anyone else – monitoring and surveillance
• Moderation of Publication for SM Posts
79

80. Data Loss Prevention
• Data Loss (Leak) Prevention can be used to
detect data leaving the site
• Most Web 2.0 data is unstructured
• May provide some protection for company
issued assets, but does not provide protection
for employee owned assets not under the
company’s control
80

81. What is Needed
• May require software
• May require a service
• Requires Policy!
• Requires Awareness Training!
81

82. Q&A
82

83. Contact Info
• E-mail: Robert.Shullich@SystemExperts.com
• Twitter: rshullic
• Related whitepaper:
http://www.sans.org/reading_room/whitepaper
s/privacy/risk-assessment-social-media_33940
83