Transcript
Page 1: Bridging the Social Media Implementation/Audit Gap

Bridging the Social Media Implementation/Audit Gap

Jerod Brennen, CISSP

CTO and Principal Security Consultant, Jacadis

Page 2

Agenda

• Perspective

• Preparation

• Implementation

• Monitoring

• Resources

Page 3

The Five W’s

• Who?

• What?

• When?

• Where?

• Why?

• How?

[Image courtesy of Master Isolated Images / FreeDigitalPhotos.net]

Page 4

Strategy (Who + Why + When)

• Risk vs. Reward

▫ Customer interaction

▫ Revenue streams

▫ Malware attack vectors

▫ Legal and HR concerns

• While revenue may be on the rise…

▫ … so are social engineering attacks

Image from http://www.isaca.org/About-ISACA/Press-room/News-Releases/2010/PublishingImages/Social-Media-Business-Risks.JPG

Page 5

Risk vs. Reward

From WAPSM-Social-Media-Research-1Feb2011.doc, pages 11-12

Risks

• Disclosure of corporate assets and sensitive (privileged) information accessible to unauthorized parties

• Violations of legal and regulatory requirements

• Loss of competitive advantage

• Loss of customer confidence

• Loss of reputation

• Dissemination of false or fraudulent information

• Inappropriate or unapproved use of company intellectual property such as logos or trademarked material

Rewards

• Increasing brand recognition

• Increasing sales

• Immediately connecting with prospective customers

• Exploring new advertising channels

• Monitoring competition

• Researching prospective employees

Page 6

Regulatory Concerns

• FINRA (Financial Industry Regulatory Authority)

▫ Regulatory Notice 10-06

▫ Regulatory Notice 11-39

• Advertisements

▫ Public websites & banner ads

• Sales Literature

▫ Email or IM to 25+ prospective retail customers

▫ Password-protected websites

• Correspondence

▫ Email or IM to 1 customer

▫ Email or IM to 1+ existing customers and/or <25 prospective retail customers

• Public Appearances

▫ “Content posted in a real-time interactive electronic forum”

From http://www.finra.org/industry/issues/advertising/p006118

Page 7

Scope (What + Where)

Page 8

Scope, per ISACA

• Current social media tools include:

▫ Blogs (e.g., WordPress, Drupal™, TypePad®)

▫ Microblogs (e.g., Twitter, Tumblr)

▫ Instant messaging (e.g., AOL Instant Messenger [AIM™], Microsoft® Windows Live Messenger)

▫ Online communication systems (e.g., Skype™)

▫ Image and video sharing sites (e.g., Flickr®, YouTube)

▫ Social networking sites (e.g., Facebook, MySpace)

▫ Professional networking sites (e.g., LinkedIn, Plaxo)

▫ Online communities that may be sponsored by the company itself (Similac.com, “Open” by American Express)

▫ Online collaboration sites (e.g., Huddle)

From WAPSM-Social-Media-Research-1Feb2011.doc, page 11

Page 9

Implementation (How)

• Begin at the beginning

▫ Meet with Marketing, HR, Legal, and IT to discuss risks and benefits

• Define policy

▫ More on this later…

• Document training requirements

▫ Employees

▫ Consultants & Contractors

▫ Vendors & Partners

• Document procedures and controls

▫ Access Requests

▫ Monitoring

▫ Assessing

Page 10

Audit/Assurance Program (1 of 3)

• Available at http://www.isaca.org/Knowledge-Center/ITAF-IT-Assurance-Audit-/Audit-Programs/Documents/WAPSM-Social-Media-Research-1Feb2011.doc

• Aligned with COBIT (cross-references)

• Planning and Scoping the Audit

▫ Define the audit/assurance objectives

▫ Define the boundaries of the review

▫ Identify and document risk

▫ Define the change process

▫ Define assignment success

▫ Define the audit/assurance resources required

▫ Define deliverables

▫ Communicate

Page 11

Audit/Assurance Program (2 of 3)

• Strategy and Governance

▫ Risk Management

▫ Policies

• People

▫ HR Function

▫ Training/Awareness

▫ Staffing

Page 12

Audit/Assurance Program (3 of 3)

• Processes

▫ Social Media Alignment With Business Processes

▫ Social Media Brand Protection

▫ Access Management of Social Media Data

• Technology

▫ Social Media Technology Infrastructure

▫ Monitoring Social Media and Effect on Technology

Page 13

Policy and Training

• Personal use in the workplace:

▫ Whether it is allowed

▫ The nondisclosure/posting of business-related content

▫ The discussion of workplace-related topics

▫ Inappropriate sites, content or conversations

• Personal use outside the workplace:

▫ The nondisclosure/posting of business-related content

▫ Standard disclaimers if identifying the employer

▫ The dangers of posting too much personal information

• Business use:

▫ Whether it is allowed

▫ The process to gain approval for use

▫ The scope of topics or information permitted to flow through this channel

▫ Disallowed activities (installation of applications, playing games, etc.)

▫ The escalation process for customer issues

From http://www.isaca.org/Knowledge-Center/Research/Documents/Social-Media-Wh-Paper-26-May10-Research.pdf?id=c1f7b9d8-516d-40c1-8087-e3b0e6cd138c

Page 14

Recurring Assessments

• Risk Assessment

▫ SOX, PCI, HIPAA, etc.

▫ Did your previous assessment(s) include social media?

• Penetration Test

▫ Is social engineering in-scope?

Page 15

Preventative Controls

• Antivirus > Endpoint Security

▫ Prevent devices from being infected with malware

▫ Also, host-based firewall and URL filtering

• URL Filtering

▫ Prohibit access to certain websites from corporate devices

• Training

▫ How to use social media responsibly

▫ How to identify and respond to social engineering attacks

• Data Loss/Leakage Prevention

▫ Prevent sensitive corporate information from being transmitted via email, instant messaging, file uploads, etc.

Page 16

Detective Controls

• Content Filtering

▫ Configure email and web security solution to monitor for patterns in outbound messages

• Google Hacking

▫ Using powerful customized Google search queries to gather information

• Monitoring Tools (e.g., Maltego)

▫ Open source intelligence and forensics tool

• Monitoring Services (e.g., RiskIQ)

▫ Monitor web-based content for threats and fraud
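As an added illustration of the content-filtering control above (not code from the original deck or from any vendor product), the Python below shows the kind of pattern logic an outbound email/IM filter is configured with: Luhn-valid card numbers (the PCI concern named on the Recurring Assessments slide), SSN-shaped strings, and a watch-list of internal terms. The watch-list entries and the sample messages are constructed, hypothetical values.

```python
import re

# Constructed watch-list of internal terms a content filter might be configured
# with; these are hypothetical values, not from the original deck.
WATCH_TERMS = ["project bluejay", "internal only", "confidential"]

# 13-16 digits, optionally separated by spaces or dashes, ending on a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# US SSN layout (NNN-NN-NNNN); relevant in HIPAA/SOX-scoped environments.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects random digit runs so only plausible card numbers alert."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_outbound(message: str) -> list:
    """Return (finding_type, matched_text) pairs for one outbound message."""
    findings = []
    for m in CARD_RE.finditer(message):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # invoice/ticket numbers usually fail the checksum
            findings.append(("card_number", m.group()))
    for m in SSN_RE.finditer(message):
        findings.append(("ssn", m.group()))
    lowered = message.lower()
    for term in WATCH_TERMS:
        if term in lowered:
            findings.append(("watch_term", term))
    return findings


# Constructed sample outbound messages (not real traffic).
SAMPLES = [
    "Invoice 1234567890123 attached, thanks",
    "Please bill card 4111 1111 1111 1111 for the order",
    "Draft of Project Bluejay pricing - internal only, do not forward",
    "Patient record 123-45-6789 needs the updated address",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(scan_outbound(msg) or "clean", "<-", msg)
```

The Luhn check is what keeps the first sample (a 13-digit invoice number) from alerting; a filter built on digit-count alone would page the team on every invoice.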

Page 17

Resources

• ISACA documents

▫ Social Media Audit/Assurance Program http://www.isaca.org/Knowledge-Center/ITAF-IT-Assurance-Audit-/Audit-Programs/Documents/WAPSM-Social-Media-Research-1Feb2011.doc

▫ Social Media: Business Benefits and Security, Governance, and Assurance Perspectives http://www.isaca.org/Knowledge-Center/Research/Documents/Social-Media-Wh-Paper-26-May10-Research.pdf

• Related Documents

▫ CDC – Social Media Security Mitigations http://www.cdc.gov/socialmedia/tools/guidelines/pdf/securitymitigations.pdf

▫ Ponemon – Global Survey on Social Media Risks http://www.websense.com/content/ponemon-institute-research-report-2011.aspx

▫ Social Media Standard, State of California http://www.cio.ca.gov/Government/IT_Policy/pdf/SIMM_66B.pdf

▫ Wikipedia – List of Active Social Networking Sites http://en.wikipedia.org/wiki/List_of_social_networking_websites

Page 18

Resources

• FINRA

▫ Regulatory Notice 10-06 http://www.finra.org/Industry/Regulation/Notices/2010/P120760

▫ Regulatory Notice 11-39 http://www.finra.org/Industry/Regulation/Notices/2011/P124187

▫ Advertising Information http://www.finra.org/Industry/Issues/Advertising/index.htm

• Securing Social Media Profiles

▫ Facebook http://slandail.posterous.com/four-steps-to-secure-your-facebook-profile

▫ Twitter http://www.mediabistro.com/alltwitter/twitter-security-101_b11985

▫ LinkedIn http://www.cio.com/article/485489/LinkedIn_Privacy_Settings_What_You_Need_to_Know

Page 19

Resources

• Securing Corporate Blogs

▫ Hardening WordPress http://codex.wordpress.org/Hardening_WordPress

▫ 11 Best Ways to Improve WordPress Security http://www.problogdesign.com/wordpress/11-best-ways-to-improve-wordpress-security/

• Tools and Services

▫ Google Hacking Database (GHDB) http://www.hackersforcharity.org/ghdb/

▫ Maltego http://www.paterva.com/web5/

▫ Risk IQ http://www.riskiq.com/

▫ Jacadis http://www.jacadis.com/

Page 20

Questions?

Jerod Brennen, CISSP

[email protected]

614.819.0151

http://www.linkedin.com/in/slandail

http://twitter.com/#!/slandail