Risk Assessment of Social Media Use v3.01

Risk Assessment of Social Media Use Robert Shullich, CPP, CISSP


This is a presentation slide deck from the ISC2 Congress 2012 Session 3283 about identifying the risks of using social media in the enterprise.

Transcript of Risk Assessment of Social Media Use v3.01

Risk Assessment of Social Media Use

Robert Shullich, CPP, CISSP

2

Agenda

• Who Am I
• Rules of Engagement
• Social Media
• Risk
• Case Studies
• Recommendations
• Q&A

3

Who Am I

• About a year in current job
• 8 years in Corporate Security
• 16 years at the Stock Exchanges (NYSE/AMEX)
• 8 years at a software company
• 3+ years in CUNY
• IT security for more than 20 years
• In IT for 40 years

4

Disclaimer

• I am not a lawyer, any information presented here is not meant to be legal advice. If you need legal advice, please seek counsel with a qualified and licensed professional who practices law in the subject matter and jurisdiction that applies.

• Opinions expressed here are my own, and are not meant to be opinions of ASIS, ISC2, or anyone I work for.

5

Rules of Engagement

• Pure Risk, Not Opportunist
• Chicken Little – The Sky is Falling
• Objective is to Protect
• No Recommendation on Block v. Allow
• Legal and Regulatory compliance is focused on USA
• This is NOT legal advice
• Suggestions, but Not Solutions

6

Disruptive Technologies

• Social Media
• Consumerization of IT (BYOD, BYOT, BYOB)
– Bring Your Own Devices, Technology
– Bring Your Own Disaster, Toys, Botnet
• Cloud Computing
• Mobile

7

Research (Old Way)

8

Research (Today)

9

Social Media vs. Social Engineering

• Two different concepts
• Both have the adjective “Social”
• Social Media can be used as a platform for Social Engineering
• Social means “Human”
• Largest threat: “Human”
• No Brain Patches

10

Threat: Humans

11

Early E-Mail FAIL

12

Separation

13

Discretion

14

Behavior

It has long been accepted that online behavior differs from the behavior people would exhibit in the real world due, largely, to the anonymity it allows.

15

Digital Gen Z

“With all of the social media outlets out there-from Facebook and Myspace to Twitter to Instagram to cell phone texting-kids today are communicating and challenging each other in a completely new way, doing and saying things they wouldn't if they were talking face-to-face”.

16

Anonymity

17

Anonymity

18

Lack of Common Sense

• Are people getting dumber?

19

Info-Sec Warning

20

The Dark Knight’s Secrets

21

Where You Are

22

What is Social Media?

• One of the key ingredients is:
– User Generated Content
• Earlier Applications
– Collaboration
– Instant Message
– E-Mail
– Forums

23

Social Media Not New

• Prior to Internet
• BBS
• Services

24

Social Media is Big

25

One Stop Shopping

26

Rise of Social Networks

Share of time spent online by category, June 2010 vs. June 2009:

Rank  Category            Share of Time   Share of Time   % Change in
                          June 2010       June 2009       Share of Time
1     Social Networks     22.7%           15.8%            43%
2     Online Games        10.2%            9.3%            10%
3     E-mail               8.3%           11.5%           -28%
4     Portals              4.4%            5.5%           -19%
5     Instant Messaging    4.0%            4.7%           -15%
6     Videos/Movies**      3.9%            3.5%            12%
7     Search               3.5%            3.4%             1%

27

Social Media Uses

• Media – Sharing of Photos, Videos– Flickr, YouTube

• Networking – Staying Connected– Linkedin, Facebook, Friendster

• Publishing– Blogging, Wikis, MicroBlogging

• Commerce– eBay, Pazap.com, MyStore.com

• Collaboration– Google Apps

28

To Ban or Not to Ban

• Decision should be based on:
– Risk and Risk Appetite
– Business Need
– Business Culture
– Business Regulatory Requirements
– Other business factors

In the end - It is a business decision

29

What does Block Mean?

30

Blocking Outcome

31

Who is at Risk?

• Each Individual– Shoot yourself in the foot

• Organizations– Employee puts organization at risk– Insider

• Third-Party Observers– Put target at risk– Outsider

32

Individual

• Write Blog entry about themselves
– Teacher Loses Job After Commenting About Students, Parents on Facebook
• Post Picture about themselves
– Drunken Pirate – Student can’t get Teaching License
• Tweet about themselves
– “Cisco just offered me a job! Now I have to weigh the utility of a fatty paycheck against the daily commute to San Jose and hating the work”

33

Drunken Pirate

34

WeinerGate

35

Tweeting

36

Organizations

• Tweet Gives up Location
– IT Consultant tweets Osama Bin Laden Raid
• LinkedIn
– Company’s Configuration exposed
– Spam attacks with malicious code to LinkedIn communities (Spear Phishing)
– Know who is looking for a job, ready to jump ship

37

Third-Party Observers

• Drive-by paparazzi
– Cop Undone By Photos Of Bikini Girls On Facebook
– Falsely Tagged Facebook Photo Gets Palestinian Jail Time And Trial
• Rodney King
• Occupy Movements
• Hacktivism
• Facial Recognition

38

Objective

39

Risk Management

• Can’t Assess unless Threats are Known
• Have to keep up with the news
• Social Media Policy has to be customized

40

How to Address Risk

• Avoid
• Mitigate
• Transfer
• Accept

41

Reputation

42

Scarlet Letter

43

Negative Brand

44

I have been burned

• Forums for unsatisfied customers to report their negative experiences

• If a company is running a scam, it is a good way to get the word out

45

Information Leakage

• Data Loss
• Piracy and Infringement, IP
• Corporate Espionage
• Reconnaissance
• Organizational Financials

46

VIP Protection

• Also Executive Protection
• Movement sometimes restricted

47

Credential Leakage

• ID Cards for Olympic Village: no special protection, standard bar codes – post a photo of your badge and you tweet your safety away!

48

Content

• Printed word
• Photographs
• Images
• Music
• Video
• Content embedded in Content

49

Content Management

• Litigation Lawyers looking for the Smoking Gun

• Social Media rich in discoverable information (e-discovery) and the courts are willing to accept it

50

Public Relations

• Who Speaks for the Corporation?

• 1/3 Employees Disciplined for Inappropriate comments about company made on personal social media sites.

51

Content Management

• Permanence

• Stale or Outdated Information

52

Content

Censorship

“Everyone is entitled to his own opinion but not his own facts” (Daniel Patrick Moynihan)

53

Content Management

• Ownership
• Control
• Moderation
• Forensics

54

Recording & Archiving

• Various regulations require archiving and retention of communications

• This has included e-mail and instant messenger

• Social Media is all about communications
• Example: Facebook has a chat feature and an e-mail offering – How do you capture those communications?

55

Privacy

56

Privacy Issues

• Lack of Awareness
• Trust
• Applications (games)

57

Background Checks

• A lot of Information on a lot of sites
• Easily Collected through search engines
• But
– Due Diligence v. Discrimination
– Information not vetted – may not be accurate
– Martin Gaskell – University of Kentucky
• $125K out of court settlement

58

Hiring Practices

• The FTC has taken the position that FCRA notice and consent requirements apply when a third-party social media background report is used in a hiring decision

59

Geotagging

• Wikipedia: Geotagging (also written as GeoTagging) is the process of adding geographical identification metadata to various media such as photographs, videos, websites, SMS messages, or RSS feeds and is a form of geospatial metadata

60

Geotagging

• Photo taken inside the factory (or outside) with GPS coordinates, uploaded to a social network that might not strip the metadata
• Anyone who downloads the photo and reads its metadata has the location too
• Can find out where your secret factory is located
• Photo might be taken by someone you don’t have control over
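To make the leak concrete, the following added example (not part of the original deck) builds a toy JPEG carrying an Exif GPS IFD, reads the coordinates back the way any downloader could, and then strips the APP1 Exif segment before upload. The JPEG is constructed in code and is not a decodable picture; the coordinates are arbitrary sample values. Only the standard library is used.

```python
import struct

def _dms(value):
    """Split |value| in decimal degrees into (deg, min, sec) for the Exif RATIONAL triplet."""
    value = abs(value)
    deg = int(value)
    minutes = (value - deg) * 60
    minute = int(minutes)
    return deg, minute, round((minutes - minute) * 60, 2)

def build_exif_app1(lat, lon):
    """Constructed Exif payload: little-endian TIFF with IFD0 -> GPS IFD holding lat/lon only."""
    ifd0_off = 8                              # TIFF header is 8 bytes
    gps_off = ifd0_off + 2 + 12 + 4           # IFD0: 1 entry (GPS pointer) + next-IFD offset -> 26
    lat_off = gps_off + 2 + 4 * 12 + 4        # GPS IFD: 4 entries + next-IFD offset -> 80
    lon_off = lat_off + 24                    # three RATIONALs of 8 bytes -> 104
    lat_ref = (b"N" if lat >= 0 else b"S") + b"\0"
    lon_ref = (b"E" if lon >= 0 else b"W") + b"\0"

    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", 0x8825, 4, 1, gps_off) + struct.pack("<I", 0)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI", 0x0001, 2, 2) + lat_ref.ljust(4, b"\0")  # GPSLatitudeRef, inline ASCII
    gps += struct.pack("<HHII", 0x0002, 5, 3, lat_off)                   # GPSLatitude, 3 RATIONALs
    gps += struct.pack("<HHI", 0x0003, 2, 2) + lon_ref.ljust(4, b"\0")  # GPSLongitudeRef
    gps += struct.pack("<HHII", 0x0004, 5, 3, lon_off)                   # GPSLongitude
    gps += struct.pack("<I", 0)

    def rationals(d, m, s):
        return struct.pack("<IIIIII", d, 1, m, 1, int(round(s * 100)), 100)

    tiff = b"II" + struct.pack("<HI", 42, ifd0_off) + ifd0 + gps
    tiff += rationals(*_dms(lat)) + rationals(*_dms(lon))
    return b"Exif\0\0" + tiff

def _segments(jpeg):
    """Yield (marker, start, end) for every marker segment before SOS (0xFFDA)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("bad marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xDA:                    # start of scan: no metadata segments follow
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _gps_from_tiff(tiff):
    e = "<" if tiff[:2] == b"II" else ">"
    u16 = lambda o: struct.unpack_from(e + "H", tiff, o)[0]
    u32 = lambda o: struct.unpack_from(e + "I", tiff, o)[0]

    def entries(ifd):                         # (tag, type, count, offset of the value field)
        for i in range(u16(ifd)):
            base = ifd + 2 + 12 * i
            yield u16(base), u16(base + 2), u32(base + 4), base + 8

    gps_ifd = next((u32(v) for tag, _, _, v in entries(u32(4)) if tag == 0x8825), None)
    if gps_ifd is None:
        return None
    fields = {}
    for tag, typ, count, v in entries(gps_ifd):
        if typ == 2 and count <= 4:           # ASCII short enough to be stored inline
            fields[tag] = tiff[v:v + count].rstrip(b"\0").decode("ascii")
        elif typ == 5:                        # RATIONAL: numerator/denominator pairs at an offset
            off = u32(v)
            fields[tag] = [u32(off + 8 * i) / u32(off + 8 * i + 4) for i in range(count)]
    if not all(t in fields for t in (1, 2, 3, 4)):
        return None

    def decimal(dms, ref):
        d, m, s = dms
        val = d + m / 60 + s / 3600
        return -val if ref in ("S", "W") else val
    return decimal(fields[2], fields[1]), decimal(fields[4], fields[3])

def read_gps(jpeg):
    """What anyone downloading the photo gets: (lat, lon) in decimal degrees, or None."""
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0":
            return _gps_from_tiff(jpeg[start + 10:end])
    return None

def strip_exif(jpeg):
    """Copy the file without its APP1 Exif segment; scan data is copied untouched."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0"):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]
    return bytes(out)

def make_sample_jpeg(lat, lon):
    """Constructed toy JPEG: SOI, Exif APP1, dummy DQT, SOS + fake scan bytes, EOI."""
    def seg(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return (b"\xff\xd8" + seg(0xE1, build_exif_app1(lat, lon)) + seg(0xDB, b"\x00" + b"\x01" * 64)
            + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56" + b"\xff\xd9")

if __name__ == "__main__":
    photo = make_sample_jpeg(40.7484, -73.9857)   # sample coordinates, constructed
    print("leaks:", read_gps(photo))
    print("after strip:", read_gps(strip_exif(photo)))
```

Real phones write the same structure (often big-endian, with more tags), which the parser handles by reading the byte-order mark; the stripper deliberately drops the whole Exif segment rather than editing tags in place, since orientation and thumbnail data can also embed a copy of the GPS IFD.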

61

GPS Tracking

• Each day device collects and stores data of where the device was located

• GPS devices used in cars can track at intervals where the device has been. Used in GPS forensics to get Travel history

• All of a sudden people were surprised that Apple and Google did the tracking in phones as well.

62

Facebook Places

• Lets you share where you are
• And you can find out where friends are as well
• Are you at risk because someone knows where you are?
• Are you at risk because you are not where you are supposed to be?
• If they know where you are, then they know where you aren’t – like your house is empty!
• Facebook Timeline – where have you been?
• Is a badge on Foursquare worth your life?

63

Please Rob Me dot Com

64

Legal

65

Regulatory Compliance

• Payment Card Industry (PCI)
• The Health Insurance Portability and Accountability Act (HIPAA) of 1996
• Securities and Exchange Commission (SEC) Rule 17a-4
• Financial Industry Regulatory Authority (FINRA) Notice 10-06 and Notice 07-59
• Sarbanes-Oxley Act
• The Federal Energy Regulatory Commission (FERC)
• The Gramm-Leach-Bliley Act (GLBA)
• 21 CFR Part 11 (FDA)

66

Facebook Pictures

67

More HIPAA

• Nurses Fired Over Cell Phone Photos Of Patient
• Shark Attack Victim Photos Put Hospital Employees in Hot Water
• Photos taken in ER room of dying man
• Patient-Doctor Facebook “Friends” Could Be A HIPAA Violation

68

Illegal Activities

• Harassment – Bullying, Stalking, Sexting, Extortion, Blackmail
• Discrimination
• Unfair Competition
• Criminal Activity (Cybercrime)
• Civil Unrest, Riots, Demonstrations
• Click Fraud

69

Get out of Jail Free Card

• Applies to Social Media Sites, ISPs and Cloud Computing Storage Providers
• Copyright Infringement – Digital Millennium Copyright Act (DMCA) safe harbor
– Block or remove (take-downs)
• Third Party Posted Content – Communications Decency Act (Section 230)
– Not responsible for content posted by a third party

70

Block Social Media?

• How do you block at the office?
– BYOD (Bring your own device – Consumerization of IT)
• Cell Phone with Internet
• Tablet with Internet
• How do you block outside of the office?
– Can control company-issued assets
– Can’t control personal non-company assets
– Can’t control outsiders

71

Attack Vectors

• Viruses and Malware
• Scams
• Phishing
• Account Hijacking (Evil Twin)
• Shortened URLs
• Password Breaches of SM Sites
• Search Engine Poisoning
• Technology Moves Fast, Crime too Widespread
• Blended Attacks

72

Scams

73

Shortened URL

• URLs posted in tweets, and on other social networking sites, are shortened
• Examples: Tinyurl.com, Bit.ly, Cli.gs, Zi.ma
• Some provide tracking services as well
• Shortened URLs can redirect anywhere:
– Porn sites
– Malware sites
– Spam sites
– Phishing sites
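Because the destination is hidden until the redirect is followed, the practical control is to expand a short link before anyone clicks it and look at where it actually ends up. The added example below (not from the original deck) follows redirects one hop at a time, with a hop limit and loop detection, and flags the patterns that matter: chained shorteners, an IP-literal or credential-bearing final host, and a plaintext destination. The redirect table and all hostnames are constructed for the example; `http_head` shows the equivalent live HEAD request but is not exercised here.

```python
import re
from urllib.parse import urlsplit, urljoin

SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "cli.gs", "zi.ma", "t.co", "goo.gl"}

# Constructed redirect table standing in for HTTP HEAD responses:
# url -> Location header, or None for a final (non-redirect) response. Hostnames are hypothetical.
FAKE_REDIRECTS = {
    "http://bit.ly/abc123": "http://tinyurl.com/xyz",
    "http://tinyurl.com/xyz": "/go?to=1",            # relative Location, resolved against the hop
    "http://tinyurl.com/go?to=1": "http://login-update.example.net/secure",
    "http://bit.ly/loop1": "http://bit.ly/loop2",
    "http://bit.ly/loop2": "http://bit.ly/loop1",
}

def fake_head(url):
    return FAKE_REDIRECTS.get(url)

def http_head(url, timeout=5):
    """Live resolver (not run in this example): one HEAD request, redirects NOT followed automatically."""
    import http.client
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    path = (p.path or "/") + ("?" + p.query if p.query else "")
    conn.request("HEAD", path, headers={"User-Agent": "url-expander/0.1"})
    resp = conn.getresponse()
    conn.close()
    return resp.getheader("Location") if 300 <= resp.status < 400 else None

def expand(url, head=fake_head, max_hops=10):
    """Follow redirects hop by hop; return (chain of URLs, status)."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        loc = head(chain[-1])
        if loc is None:
            return chain, "ok"
        nxt = urljoin(chain[-1], loc)
        if nxt in seen:
            return chain + [nxt], "loop"
        seen.add(nxt)
        chain.append(nxt)
    return chain, "too_many_hops"

def assess(url, head=fake_head):
    """Expand a link and report the destination plus the red flags a reviewer should see."""
    chain, status = expand(url, head)
    final = urlsplit(chain[-1])
    flags = []
    if status != "ok":
        flags.append(status)
    if sum((urlsplit(u).hostname or "") in SHORTENER_HOSTS for u in chain[:-1]) > 1:
        flags.append("chained shorteners")              # a common way to evade reputation checks
    if final.username or final.password:
        flags.append("userinfo in URL")                 # http://bank.example@evil... style spoofing
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", final.hostname or ""):
        flags.append("ip-literal host")
    if final.scheme != "https":
        flags.append("final destination not https")
    return {"final": chain[-1], "hops": len(chain) - 1, "status": status, "flags": flags}

if __name__ == "__main__":
    for u in ("http://bit.ly/abc123", "http://bit.ly/loop1", "https://www.example.com/page"):
        print(u, "->", assess(u))
```

Note that the expander never issues a GET: a HEAD per hop reveals the chain without executing any page content, and the hop limit bounds the cost of a deliberately long or circular chain.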

74

FB SPAM - Virus

• OMG! Its unbeliveable now you can get to know who views your facebook profile.. i can see my top profile visitors and i am so shocked that my EX is still creeping my profile every hour. click below

• 21 hours ago via Reviews · Like · See Friendship · CLICK 2 SEE YOUR STALKERS

75

Passwords Hacked

• LinkedIn – 6M (June 2012)
• Formspring – 420K (July 2012)
• eHarmony – 1.5M (June 2012)
• Yahoo – 400K (July 2012)
• Phandroid’s AndroidForums – 1M (July 2012)
• Dropbox (Aug 2012)
• Battle.net (Aug 2012) (Blizzard’s multiplayer service)
• NVIDIA Developer Forum (July 2012)
• Twitter – 55K (May 2012)
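Why these lists hurt more than the raw counts suggest: the LinkedIn dump circulated as unsalted SHA-1 digests, so one precomputed table cracks every user who picked a common password, and the recovered passwords are then tried against corporate logins. The added example below (not from the original deck) shows both halves: the lookup-table attack against a constructed set of unsalted digests, and the salted, iterated storage scheme that defeats it. All passwords and digests are constructed for the example; only the standard library is used.

```python
import hashlib
import hmac
import os

# Constructed "leak": unsalted SHA-1 digests, the format the 2012 LinkedIn dump circulated in.
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
               for p in ("linkedin", "letmein", "correct horse battery staple")}
# Constructed cracking wordlist.
WORDLIST = ["password", "123456", "linkedin", "letmein", "welcome1", "qwerty"]

def crack_unsalted(leaked, wordlist):
    """Hash each word once; a dictionary lookup then cracks every user who chose it, in any leak."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {h: table[h] for h in leaked if h in table}

def is_breached(password, leaked):
    """The reuse check a corporate password policy can run against known leaked digests."""
    return hashlib.sha1(password.encode()).hexdigest() in leaked

def hash_password(password, salt=None, iterations=200_000):
    """Salted and slow: a per-user salt kills the shared table, iterations make each guess cost."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), dk.hex()])

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    print("cracked:", crack_unsalted(LEAKED_SHA1, WORDLIST))
    a, b = hash_password("linkedin"), hash_password("linkedin")
    print("same password, different records:", a != b)
```

With unsalted hashes the two users who chose "linkedin" also have identical database rows, so even without cracking, shared passwords are visible at a glance; with a per-user salt the records differ and a table built for one leak is worthless against the next.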

76

Firesheep

• Simple Firefox browser plug-in
• Sniffs open wireless networks for the session cookies that social media sites sent over plain HTTP, and lets the attacker take over the logged-in session – no password needed
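The added example below (not from the original deck) shows both sides of that attack on constructed traffic: what a sniffer extracts from a cleartext request and replays, and the response-header audit a site owner runs to confirm the fix (Secure and HttpOnly on session cookies, plus HSTS so the browser never sends the cookie over HTTP in the first place). The hostnames, cookie names and header values are hypothetical.

```python
# Constructed capture: what a sniffer on an open Wi-Fi network sees when a browser
# talks to a social site over plain HTTP. Hostname and cookie values are hypothetical.
CAPTURED_REQUEST = (
    "GET /home.php HTTP/1.1\r\n"
    "Host: social.example.com\r\n"
    "Cookie: datr=abc123; c_user=100001234; xs=9f8e7d6c5b4a\r\n"
    "\r\n"
)

# Constructed server responses: the weak one sets the session cookie without Secure,
# so the browser also sends it over plaintext; the hardened one does not.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: xs=9f8e7d6c5b4a; Path=/; HttpOnly\r\n"
    "Set-Cookie: datr=abc123; Path=/\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: xs=9f8e7d6c5b4a; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: datr=abc123; Path=/; Secure\r\n"
    "\r\n"
)

# Cookie names treated as session identifiers (hypothetical list for the example).
SESSION_COOKIE_NAMES = {"xs", "c_user", "sessionid", "phpsessid", "jsessionid"}

def _headers(raw):
    """Parse 'Name: value' lines after the request/status line, up to the blank line."""
    hdrs = []
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        hdrs.append((name.strip().lower(), value.strip()))
    return hdrs

def sniff_session_cookies(raw_request):
    """Attacker side: pull the session cookies out of a cleartext request."""
    cookies = {}
    for name, value in _headers(raw_request):
        if name == "cookie":
            for part in value.split(";"):
                k, _, v = part.strip().partition("=")
                cookies[k] = v
    return {k: v for k, v in cookies.items() if k.lower() in SESSION_COOKIE_NAMES}

def forge_request(path, host, stolen):
    """Attacker side: replay the stolen cookies; the victim's password is never needed."""
    cookie = "; ".join(f"{k}={v}" for k, v in stolen.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n\r\n"

def audit_response(raw_response):
    """Defender side: list the weaknesses that make the session sniffable or replayable."""
    findings = []
    hdrs = _headers(raw_response)
    if not any(name == "strict-transport-security" for name, _ in hdrs):
        findings.append("no HSTS header: browser may still send the first request over HTTP")
    for name, value in hdrs:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure: sent over plaintext HTTP")
        if cookie_name.lower() in SESSION_COOKIE_NAMES and "httponly" not in attrs:
            findings.append(f"session cookie {cookie_name} lacks HttpOnly: readable by injected script")
    return findings

if __name__ == "__main__":
    stolen = sniff_session_cookies(CAPTURED_REQUEST)
    print(forge_request("/messages", "social.example.com", stolen))
    print("weak:", audit_response(WEAK_RESPONSE))
    print("hardened:", audit_response(HARDENED_RESPONSE))
```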

77

Operational

78

Operations

• Employee Productivity
• Resource Usage
• Monitoring Costs

79

What is the Solution?

• Assume it can’t be blocked effectively
• The damage may be caused by someone NOT in the company – a third-party outsider
• For employees, contractors and temporary workers – a Social Media Policy and Security Awareness Training
• For anyone else – monitoring and surveillance
• Moderation of publication for SM posts

80

Data Loss Prevention

• Data Loss (Leak) Prevention can be used to detect data leaving the site
• Most Web 2.0 data is unstructured
• May provide some protection for company-issued assets, but does not protect employee-owned assets that are not under the company’s control
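Since outbound posts are unstructured text, a DLP rule set for social media is mostly pattern matching with validation to keep false positives down. The added example below (not from the original deck) scans constructed sample posts for payment card numbers (validated with the Luhn check so order numbers do not trip it), SSNs, unreleased financial figures and internal project codenames, and turns the findings into a block/review/allow decision. The posts, codenames and numbers are all constructed for the example.

```python
import re

# Constructed outbound posts; names, numbers and codenames are hypothetical.
SAMPLE_POSTS = [
    "Great quarter! Revenue will come in at $41.2M, we announce Thursday",
    "Hotel wants a card on file, use the corp one: 4111 1111 1111 1111",
    "Filled in the form with my SSN 078-05-1120, hope that was the right box",
    "Order #4111-1111-1111-1112 has shipped",
    "Project Nightjar demo moved to the Hoboken site, see you there",
    "Lunch at noon?",
]

CODENAMES = {"nightjar", "kestrel"}   # internal project names (hypothetical)

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
FINANCIAL_RE = re.compile(
    r"\b(?:revenue|earnings|guidance|EPS)\b.{0,60}?\$\d[\d,]*(?:\.\d+)?\s?[KMB]?\b", re.I)
CODENAME_RE = re.compile(r"\b(?:%s)\b" % "|".join(map(re.escape, sorted(CODENAMES))), re.I)

def luhn_ok(digits):
    """Mod-10 checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan(post):
    """Return (severity, category, matched_text) findings for one outbound post."""
    findings = []
    for m in CARD_RE.finditer(post):
        if luhn_ok(re.sub(r"\D", "", m.group())):   # drops order numbers and other digit runs
            findings.append(("block", "payment card", m.group()))
    for m in SSN_RE.finditer(post):
        findings.append(("block", "ssn", m.group()))
    for m in FINANCIAL_RE.finditer(post):
        findings.append(("review", "unreleased financials", m.group()))
    for m in CODENAME_RE.finditer(post):
        findings.append(("review", "project codename", m.group()))
    return findings

def verdict(post):
    """Hard-block regulated data; route business-sensitive text to a human moderator."""
    severities = {s for s, _, _ in scan(post)}
    if "block" in severities:
        return "block"
    return "review" if "review" in severities else "allow"

if __name__ == "__main__":
    for p in SAMPLE_POSTS:
        print(verdict(p).upper().ljust(7), scan(p) or "", "|", p)
```

The "review" tier matters: financial figures and codenames are legitimate in some posts (the earnings announcement itself), so they go to the moderation step the deck recommends rather than being silently dropped, while card and SSN patterns are blocked outright.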

81

What is Needed

• May require software
• May require a service
• Requires Policy!
• Requires Awareness Training!

82

Q&A

83

Contact Info

• E-mail: [email protected]
• Twitter: rshullic
• Related whitepaper: http://www.sans.org/reading_room/whitepapers/privacy/risk-assessment-social-media_33940