SOCIAL NETWORKING IN TODAY'S BUSINESS WORLD
AGENDA
Review the use of social networking applications within the business environment
Review current trends in threats, attacks and incidents
Understand how social networking can expose corporate data
Discuss strategies to help mitigate these risks
Conclusion
Q & A

SOURCES
DarkReading.com, CSOOnline.com, SCMagazineUS.com, ITSecurity.com, FaceTime.com, Forrester.com
WEB 2.0 AND INTERNET APPLICATIONS
Facilitates improved communication and collaboration on the World Wide Web
The evolution of the Internet as we know it today
What is the Internet used for today? (share of respondents)
Collaboration 93%
Instant Messaging 86%
Media 85%
Internet Telephony 69%
File Sharing 54%
WHAT ARE COMPANIES MONITORING? (share of companies, by company size in employees)
                    1 to 99   100 to 999   1,000 to 4,999   5,000 or more
Corporate Email       72%        76%            77%              84%
Instant Messaging     25%        36%            40%              45%
P2P                   28%        41%            44%              40%
Web Browsing          54%        59%            70%              72%
Social Networking     30%        30%            36%              42%
Web 2.0               23%        26%            20%              28%
None of these         21%        18%            15%               8%
SOCIAL NETWORK USAGE AT WORK
SOCIAL NETWORKING SITES ACCESSED (share of respondents)
              Work related   Personal reasons
LinkedIn          62%             33%
YouTube           34%             55%
Facebook          18%             35%
Twitter           13%             11%
Digg              12%             10%
del.icio.us       10%              9%
MySpace            8%             27%
Other              1%              3%
SOCIAL NETWORKING: COMMON THREATS
Malware, bots, and worms
Phishing attacks
Social engineering
MALWARE, BOTS, AND WORMS
Implied trust between "friends" creates additional exposure: a link from a contact is clicked where a link in unsolicited email would not be
Koobface: a Facebook and MySpace worm
  Posts a message to the victim's contacts claiming that a video of them has been found
  When the recipient clicks, they are told to download a new version of Adobe Flash to view it
  Instead of a Flash update, malware is installed and the cycle repeats from the new victim's account
Twitter worms are escalating rapidly
PHISHING
Targets users to capture sensitive information (credentials, personal data)
Specially crafted emails or messages, often sent from a compromised contact's account
Malicious website links
Leverages third-party applications installed into the social network
  How these applications handle user information is often not disclosed
Default privacy settings can leave user profiles exposed to extended social networks
SOCIAL ENGINEERING
Disclosure of private information can:
  Lead an attacker to guess password challenge questions (pet names, schools, birthplaces)
  Provide credibility for other targeted attacks
  Lead to identity theft
  Allow an attacker to impersonate an employee
Information leakage: business information can be disclosed unknowingly via social networks

SOCIAL ENGINEERING
VIOPOINT often harvests email addresses from Facebook during testing
A recent study disclosed that:
  Remotely exploitable network vulnerabilities are declining
  Client-side and web application attacks are skyrocketing
This supports the finding that social networking threats are reaching critical status
SOCIAL NETWORK USAGE AT WORK
IMPACT
Reputation risk
  37% of IT managers reported that users violated policy by disclosing corporate data through social networking and Instant Messaging
Employee reputation
Larger organizations experience a sharply increasing eradication and remediation cost
Dated policies leave too much room for gray areas
Dated technologies do not protect against Web 2.0
AVAILABLE SOCIAL ENGINEERING DATA TO TARGET EMPLOYEES
OTHER PROBLEMS
Productivity loss: over 50% of users in a business use social networking sites every day
Bandwidth loss: 30 to 40% of bandwidth within a business is consumed by social networking such as YouTube, Twitter, etc.
Risk of discrimination: some hiring managers have advocated searching candidates' personal social networking profiles
(Chart: Social Networking Bandwidth)
TODAY'S TECHNICAL REMEDIATION
Web site address filtering (URL whitelisting/blacklisting)
  Decides only by hostname or URL; once a social networking site is allowed, the application-layer data flowing to and from it (posts, uploads, embedded third-party content) is not inspected
Anti-virus
  Signature-based products may not handle zero-day web malware

POTENTIAL SOLUTIONS
1. Block social networking sites
2. Conduct security awareness training
3. Assess and update acceptable use policies
4. Enforce policy through technology (monitor and enforce web browsing and social networking site usage)
1. BLOCK SOCIAL NETWORKING SITES
Facts:
  62% of employees use LinkedIn on a work asset
Pros:
  Most social networking sites would no longer be a threat to the business
Cons:
  Companies are increasingly dependent on social networking for business purposes
  Impossible to block all social networking sites by URL
  IT departments may use blogging sites, Microsoft TechNet, etc.
  Marketing teams may use Twitter or LinkedIn to discuss and promote new ideas

2. CONDUCT SECURITY AWARENESS TRAINING
Facts:
  37% of IT managers report that confidential information is being leaked
Pros:
  Encourages users to be aware of information disclosure
  Encourages users to tighten their social networking privacy and security settings
  Creates or enhances company policy to include social networks
Cons:
  Relies primarily on the user to employ good practice

3. ASSESS AND UPDATE ACCEPTABLE USE POLICIES
Facts:
  51% of users access social networking sites one or more times per day
Pros:
  Helps prevent damage to company reputation, data leakage, and damage to other employees
Cons:
  Still requires good practice on the user side

4. ENFORCE POLICY THROUGH TECHNOLOGY
Facts:
  Roughly 70% of companies are not monitoring information published on social networking sites
Pros:
  Still allows users access to sites for business reasons
  Enables businesses to manage the risk of data leakage
  Limits malware, virus, and social engineering potential
Cons:
  Not guaranteed to prevent every piece of data from leaving the network
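The two slides above ("Today's technical remediation" and "Enforce policy through technology") make one technical point: a URL allow/deny list sees only the hostname, so once a social networking site is permitted, an upload to it or an executable fetched from a linked site passes unexamined. The script below is an added example, not part of the original deck or of VIOPOINT's tooling, of what the "monitor" side of option 4 can look like when proxy logs are reviewed. It assumes a hypothetical space-separated proxy log format (timestamp, user, client IP, method, URL, status, request bytes, response bytes, content type); the log lines, the domain category table and the thresholds are all constructed for the example.

```python
"""Review proxy logs for social networking usage and possible data egress.

Added example (not from the original deck). The log format, sample lines,
category table and thresholds below are constructed assumptions.
"""
import re
from collections import defaultdict

# Hypothetical category table; a production proxy would use a maintained feed.
SOCIAL_DOMAINS = {
    "facebook.com": "Facebook", "linkedin.com": "LinkedIn",
    "twitter.com": "Twitter", "youtube.com": "YouTube", "myspace.com": "MySpace",
}
UPLOAD_BYTES = 50_000  # request body size (assumed threshold) that warrants review
EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec"}

# Constructed log: ts user client method url status req_bytes resp_bytes content_type
SAMPLE_LOG = """\
1300000000 jdoe 10.1.1.5 GET http://www.linkedin.com/in/jdoe 200 0 15234 text/html
1300000010 jdoe 10.1.1.5 POST http://www.facebook.com/ajax/upload 200 284112 512 text/html
1300000020 asmith 10.1.1.9 GET http://m.facebook.com/home.php 200 0 9876 text/html
1300000030 asmith 10.1.1.9 GET http://video-update.example/flash_update.exe 200 0 393216 application/x-msdownload
1300000040 jdoe 10.1.1.5 GET http://www.youtube.com/watch?v=abc 200 0 2048000 text/html
1300000050 bking 10.1.1.12 GET http://intranet.corp.example/ 200 0 4096 text/html
"""


def host_of(url):
    """Hostname part of an absolute URL, lower-cased; '' if not parseable."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#:]+)", url, re.I)
    return m.group(1).lower() if m else ""


def category_of(host):
    """Map a host to a category by walking its suffixes (m.facebook.com -> Facebook)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        cat = SOCIAL_DOMAINS.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


def parse_log(text):
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9:
            continue
        ts, user, client, method, url, status, req_b, resp_b, ctype = f
        host = host_of(url)
        records.append({
            "ts": int(ts), "user": user, "client": client, "method": method,
            "url": url, "host": host, "status": int(status),
            "req_bytes": int(req_b), "resp_bytes": int(resp_b),
            "content_type": ctype, "category": category_of(host),
        })
    return records


def usage_by_user(records):
    """Requests and bytes per (user, category): input for the acceptable-use review."""
    usage = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for r in records:
        if r["category"]:
            u = usage[(r["user"], r["category"])]
            u["requests"] += 1
            u["bytes"] += r["req_bytes"] + r["resp_bytes"]
    return dict(usage)


def find_alerts(records):
    """Two checks a hostname allow/deny list alone cannot make."""
    alerts = []
    for r in records:
        # Large request body to an allowed social site: the hostname passes URL
        # filtering, but this is the shape of a document or screenshot leaving.
        if r["category"] and r["method"] in ("POST", "PUT") and r["req_bytes"] >= UPLOAD_BYTES:
            alerts.append(("possible_upload", r["user"], r["url"], r["req_bytes"]))
        # Executable download: a Koobface-style "install the new Flash player"
        # lure lands on a third-party host, not on the social site itself.
        if r["content_type"] in EXEC_TYPES or r["url"].lower().endswith(".exe"):
            alerts.append(("executable_download", r["user"], r["url"], r["resp_bytes"]))
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (user, cat), u in sorted(usage_by_user(recs).items()):
        print(f"{user:8} {cat:10} {u['requests']:3} req {u['bytes']:9} bytes")
    for a in find_alerts(recs):
        print("ALERT", *a)
```

On the constructed sample the usage summary shows jdoe on three social sites and asmith on one, while the alerts pick out jdoe's 284 KB POST to an allowed Facebook URL and asmith's executable fetched from the lure host, neither of which a URL list would have stopped. The thresholds and category table are deliberately simple; the point is that monitoring has to look at method, request size and response type, not just the destination name.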
RECOMMENDATIONS
Define acceptable business use for social networking applications
Update or change policy and decide how to enforce it
  Can be enforced through monitoring or by blocking entirely
  Potentially requires updated technology to allow access to sites while monitoring and filtering Web 2.0 content
Awareness training refresh
  Include social engineering testing results
  Educate users about reputation risk and about protecting themselves

BEST PRACTICES
Understand how your environment uses social networking sites
Utilize multilevel user policies
Deploy a technology to enforce policies as they pertain to your business model
Educate users and employees about the dangers social networking can present, not only to the business but to the personal well-being of users
Test the effectiveness of awareness training and countermeasures through client-side testing

VIOPOINT APPROACH
Social Networking Threat and Risk Assessment
  Online survey: best practice questions to help focus time and energy
  Strategy discussion: business case for sites / blocking
  Policy gap analysis: discussions regarding acceptable use policy
  Awareness training refresh: critical discussion points for users

VIOPOINT APPROACH
Technology assessment: what technologies help enforce policy
Social engineering testing: client-side attacks (phishing, fake social networking, etc.)
Reputation risk assessment: analysis of publicly available information and associated risks
Nathan Ouellette, CISSP, CISM
nouellette@viopoint.com
Q/A