This presentation gives an overview of how social networks are used in companies and what risks are associated with them. Some action points are proposed to mitigate those risks.
3. $ cat disclaimer.txt
“The opinions expressed in this presentation are those of the speaker and do not reflect those of past, present or future employers, partners or customers”
6. Some Facts
• Technology has changed the way people communicate
• “Usage of social networks by the Fortune 500 companies has seen an explosive growth in 2010 with 83% of the companies using at least one of the social media sites”
• The use of corporate blogs has also increased by 50%
• Around 34% have developed policies to govern blogging by their employees
(Source: socialtimes.com)
10. Definition?
“Social network sites are defined as web-based services that allow individuals or organizations to construct a public or semi-public profile within a bounded system, articulate a list of other users with whom they share a connection, and view and traverse their list of connections and those made by others within the system.”
11. Common Usages
• Communication about company & brands (marketing)
• Live support
• Technology & competition follow-up
• Human Resources
12. Marketing
• Social Networks give the impression of a “dynamic” company
• Direct reach / close to customers
• Extended circle of contacts at low cost
• Personal touch
13. Live Support
• Close contact with customers
• Low costs
• Gives a sense of “real time”
14. Follow Up
• What are my competitors doing?
• What’s new in my field of activity?
• Almost real-time news trending
18. Barbara Streisand
The “Streisand Effect” is a primarily online phenomenon in which an attempt to hide or remove a piece of information has the unintended consequence of publicizing the information more widely.
19. The Belgian Jeweler
In 2009, a Belgian jeweler created a buzz among Belgian Twitter users by completely misunderstanding the impact of social networks.
20. Domino’s Pizza
A Domino’s Pizza employee put nasal mucus on pizzas. He was fired, but the video was posted on YouTube: 250,000+ views!
23. Malware & Viruses
• Corporate devices are used to access Social Networks
• They are based on web technologies, so all known web attacks apply (see the OWASP Top 10)
• URL shorteners / QR codes (“click” generation)
24. Wasted Resources
• In big companies, Social Network usage can waste a lot of bandwidth!
Example: Facebook on a network of 10,000+ users: 200GB/day
• Waste of time by employees
• Wasted resources peak during popular events
25. “Users”
• Users remain the weakest link
• Is the Facebook password the same as the Active Directory password?
• Attackers piggyback on breaking news
• How many “friends” are really friends?
26. Mobiles & Apps
• People use mobile devices to access Social Networks
• Suspicious browser extensions or 3rd-party apps
27. Data Leak
• People might post confidential information
• Intentionally or not!
• Data extrusion
• Bypassing regular communication channels (Skype)
29. Social Engineering
• All the information needed to conduct a social engineering attack is already online
• Google is your best friend
• Tools like Maltego are gold mines
30. Degraded Brand Image
• It takes years to build a brand image
• It takes minutes to kill it!
32. Reputation & Legal Liability
• Disgruntled employees
• “My boss is a bastard!”
• “I’m pissed off by this f*cking job...”
• Employers could be held responsible for failing to protect employees from accessing “sensitive” material.
34. Official Support
• Information can’t be published on an employee’s own initiative
• Social Media must be defined as a regular communication channel with rules & guidelines
35. Monitor Your Brand
• Even if you don’t use it immediately, register your account (if it’s not too late!)
• Google Alerts
• Commercial services (buzzcapture.com)
• Monitoring tools
36. Local Policies
• No Social Network access from business-critical environments.
• Restrict Social Network access (“read-only”).
• Modern firewalls can filter based on domains.
37. Remote Policies
• Read the Social Networks’ policies carefully
• Follow updates & fix your profiles (e.g. LinkedIn can use your profile picture)
• Similarities with cloud services
38. Security Awareness
• Add Social Networks to your existing security awareness program.
• “What employers and employees need to know.”
39. pastebin.com
• pastebin.com is a website where people can anonymously post “pasties” (data)
• Keep monitoring it for mentions of your company (example: IPs, domain names)
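A minimal version of that monitoring, added here as an example and not part of the presentation: it scans paste text for a watch-list of company domains and IP ranges and reports only the pastes that hit. The watch-list (a hypothetical example-corp.com and the documentation range 203.0.113.0/24) and the sample paste are constructed.

```python
import ipaddress
import re

# Constructed watch-list for a hypothetical company (assumption, not from the slides).
WATCHED_DOMAINS = {"example-corp.com"}
WATCHED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 documentation range

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostname: one or more dotted labels ending in an alphabetic TLD (so bare IPs never match here).
HOSTNAME_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Constructed sample paste mixing a watched host, a watched IP, unrelated values and a bogus IP.
SAMPLE_PASTE = """\
dump from vpn.example-corp.com  (constructed sample)
user: jdoe  host: 203.0.113.7
other: 198.51.100.9 notcorp.example.net
bogus: 999.1.1.1
"""


def find_company_mentions(paste_text, domains=WATCHED_DOMAINS, networks=WATCHED_NETWORKS):
    """Return sorted (kind, value) hits: watched domains or their subdomains, and IPs in watched ranges."""
    hits = set()
    for host in HOSTNAME_RE.findall(paste_text):
        host_l = host.lower()
        if any(host_l == d or host_l.endswith("." + d) for d in domains):
            hits.add(("domain", host_l))
    for ip_str in IPV4_RE.findall(paste_text):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not a valid address
            continue
        if any(ip in net for net in networks):
            hits.add(("ip", ip_str))
    return sorted(hits)


def triage_pastes(pastes, **watchlist):
    """Map paste id -> hits, keeping only the pastes that mention something on the watch-list."""
    report = {}
    for paste_id, text in pastes.items():
        hits = find_company_mentions(text, **watchlist)
        if hits:
            report[paste_id] = hits
    return report


if __name__ == "__main__":
    for paste_id, hits in triage_pastes({"p1": SAMPLE_PASTE, "p2": "nothing relevant 10.0.0.1"}).items():
        print(paste_id, hits)
```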