Social Media Risk and ISACA. All Rights Reserved.

Transcription

1 Social Media Risk and Mitigation Guidance

2 SPEAKER BIOGRAPHIES Rumy Jaleel Khan, CISA, CRISC, is a senior manager in the Houston AERS practice with 10 years of experience in performing internal controls for financial reporting (ICFR) audits, operational audits, Sarbanes readiness, Sarbanes remediation, general computer controls reviews and security assessments. Jl Jaleel Khan lkh has performed several system implementation reviews of Oracle, PeopleSoft, JDE ERP implementations and other homegrown software. He has established and performed assessments of various compliance programs such as the North American Electricity Reliability Council s (NERC), Cii Critical linfrastructure Protection (CIP) requirements. He has also performed a comprehensive review of a large multi national company s compliance with the Foreign Corrupt PracticesAct (FCPA). Mike Wyatt, CISA, is a director with Deloitte & Touche LLP within the Center for Security and Privacy Solutions. He has over 22 years of experience designing, building, and managing security management as well as identity and access management solutions. Wyatt serves nationally as a quality assurance director for security and privacy engagements where he provides independent oversight to engagement teams, reviewing project tasks and deliverables for completeness and applicability to the client environment. Wyatt serves on the board of the University of Texas Center for Identity and was the founding chair hifor the International lassociation i of Pi Privacy Professionals (IAPP) Knowledge Network for Central Texas. During the past 15 years, he has presented in the US, Europe, and Asia on a variety of security and identity and access management topics.

3 Contents Overview of Social Media Drivers and Benefits of Social Media A Governance, Risk, and Compliance (GRC) Roadmap to address Social Media Risk Governance Risk Assessment Policy Awareness Communication Controls

4 O i f Overview of Social Media

5 Recent news 45,000 Facebook logins hijacked 760 Companies hit by foreign countries hacking operation 8 out of 10 companies are talked about on Twitter 680,747 Views per corporate YouTube channel 845 million Active Facebook users

6 Social media revolution Social media.it s everywhere! Source: YouTube, Socialnomics 3 [Video].

7 Social media landscape Social media technology involves the creation and dissemination of content through social networks using the Internet. An ISACA Emerging Technology White Paper Entertainment Review & opinion Virtual community Collaboration Multimedia Social Media Conversation 1 The State of the U.S. Mobile Advertising Industry and What Lies Ahead, comscore,june 2011

8 Social media platforms Social media are highly accessible, scalable methods of online communication and social interaction, which allow the creation and exchange of user-generated content. There are 7 main types of social media platforms Wikis Presence and Micro blogging RSS (Rich Site Summary) Blogs Social Media Online Photo and Video Sharing Social Networking Social Book marking and News

9 Evolvement of social networking and media Web 1.0 Inspired by Industrial Age Hierarchical (Hierarchy controls and regulates) Linear interaction simple minded Organizations innovate Organizational segments Web 2.0 Information Age Democratic (Community controls and regulates) Network relationship complex Customers provide the innovation Customers provide the segmentation Web 3.0 The Age of Expertise In the recent years, the end users have taken the control of the Internet transforming its use from a monologue to a dialogue. Collaborative problem solving and innovation is leading to higher productivity. User s expectation of performance are driven by technology. The differences between traditional and social media are defined by the level of interaction and dinteractivity ti it available to the consumer. An ISACA Emerging Technology White Paper

10 Di db fi f Drivers and Benefits of Social Media

11 Why do companies use social network media? To improve customer satisfaction and loyalty To recruit and retain the best talent To enhance brand awareness and perception To strengthen connections and relationships, and access internal expertise and insight Social Media offers an approach to realize these benefits To use social media channels to address any negative publicity or misunderstanding Enterprises that aggressively embrace social media as part of their strategy are more financially i successful. An ISACA Emerging Technology White Paper

12 Use and benefits of social media Social networking could benefit your company by making connections across the network, creating intellectual capital, making collaboration tools more accessible, and significantly increasing the shared content.

13 Human resources example D Street D Street is Deloitte s internal talent networking tool Over 47,000 active profiles with about 120,000 views per month As used in this document, Deloitte means Deloitte LLP and its subsidiaries. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

14 Social lmedia Risks

15 Discussion Point Does your organization have an official policy for social media use? What is the average total productivity decrease for companies allowing employees to access social networking sites at work? 1% 15% 1.5% 12% 52%

16 Social media incidents and risks Employees at a Medical Center in California posted patient information on a social network. Five nurses were subsequently fired. Privacy Risk Regulatory Compliance Risk An employee used a social network to post insulting comments about the city shortly before presenting to the worldwide communications group. Loss of control over content A customer of a big airline carrier shared a video of a detailed complaint online, which caused a $180 million (10%) market cap impact. Brand/reputation Loss Negative Publicity A major news corporation s social networking account was compromised. The hackers posted a false message that an airliner had crashed at Ground Zero. Identity theft Impersonation

17 Social media high-level threat landscape The advent of Social Media into the corporate environment brings along multiple risk to the Data, Technology, People, and Organization. Copyright Issue Unsatisfied Constituents t Identity Theft Lack of Situational Awareness Unauthorized Disclosure Intellectual Property leakage Data Technology Vulnerabilities HR Policy Violations Virus/ Worms/Trojans People Impact network availability (DOS) Loss of Productivity Social Engineering / Impersonation Privacy Risk Loss of Control Over Content Trademark Infringement Brand / Reputation Loss Negative Publicity False Impression/ Misguidance Organization Public

18 Social media High-level threat landscape Techniques Use social networking sites to enumerate users Taking information learned and using it for social engineering schemes such as targeted phishing messages Getting unsuspecting users to install 3rd party fraudulent applications which provide access to entire user profile s with profile pictures from friends are being used to get users to click on links Using short URLs to obfuscate malicious links Using compromised accounts of friends Celebrity impersonation Blogging Chat File sharing Document meta data Open APIs Third party applications Third party services Video Voice chat Threat Vectors Social Networking Exploits Social Networking account hi-jacking Follower spam-spam links on profile pictures Social Networking brand hi-jacking leading to malware Black hat search engine optimization Malicious banner ads Botnet command and control Malicious background images Distributed Denial of Service attacks Spear Phishing Hack for Hire Schemes Man in the Middle Attacks Click-jacking / Cookie Stuffing Full browser control by 3rd party applications

19 Social media attack illustration pretexting+ 1. Pretexting target selection 2. Gain a toehold 3. Deep discovery 4. Exploit leverage The hacker sees that the user has repeatedly mentioned bad experiences with the ATM A hacker looks for information provided on Access to the account provides further The more someone knows about a person, the easier unsecured social media information, including home it is to impersonate them profiles and collects key of Bank Q on a social and mailing address, that both electronically and in info (DOB, Hometown, employer, picture of a new baby or car). network. Using the information gathered in step 1, the hacker can exploit multiple channels to execute a password reset of the user s account at Bank Q. can be used to redirect mail or examine transaction history, giving even more exploitable clues. person to unwitting staff (Helpdesk, physical security personnel, etc.)

20 Detour: Brand and Crisis Management Real-time Social Media Conversations Blogs, News Search Caching, Articles, Engines Permanent Videos Archives

21 Social Media Strategies

22 Discussion i Point What is percentage of American employees watch online videos in the workplace? 2% 19% 51% 64% Do you think your organization is currently prepared to handle social media risks? What areas are currently well covered? What areas are not? What tools do you have in place to help?

23 Current Observations - social media controls The control of social media in the corporate environment lacks consistent practice. Based on our observations, organizations control approach generally falls into the following categories: No Policy Block* Limited Access Controlled Access * It should be noted that blocking and limiting users access to social media sites only work within the corporate network environment. There are no effective ways of restricting users access when they use public Wi-Fi, hotel network, home network, cellular network, etc.

24 Current observations technology usage There is no single technology that can control the access and usage of social media. Organizations need to establish a control matrix based on use scenarios and set clear policy and guidance. Personal Device Social Media Sites Corporate Network Personal Device Corporate Device Corporate Device Outside Corporate Network Sample Control Matrix Outside Corp Network Inside Corp network Corporate Control Monitor Device Access Personal Device Monitor Not Allowed Corporate or Personal Device

25 Fact check - Deloitte LLP s Ethics and Workplace Survey 74% of working Americans believe it is easy to damage a brand s reputation via social networking sites, though relatively few organizations are actively creating strategies and policies; 1/3 stated they never consider what their boss, colleagues, or clients think before posting materials online; 53% of employees believe that their social networking activity is none of the employers business; VS 60 % of executives state the organization has a right to know how employees portray themselves and their organizations online, with 30% acknowledging informal monitoring practices; 49% indicate that, even if there were a policy in place, it would not affect their behavior. As used in this document, Deloitte means Deloitte LLP and its subsidiaries. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. Source:

26 Auditing social media from a GRC perspective Strategy and Governance Strategic Plan Policy Education An implementation ti includes: Evaluation of the entity s involvement in social media Alignment of strategy and the business objectives Identification of the target audience and how each uses social media Risk Identification and Analysis Monitoring Mapping of risks to the social media practice Prioritization of organizational resources to address the risks Align the control activities to the overall strategy Establish Responsibility and Ownership Establishing accountability and ownership of the controls Supervision of the release of content to social sites Implementation of process and technology controls

27 Auditing social media - strategy and governance Has a risk assessment been conducted to map the risks to the enterprise presented by the use of social media? Is there an established policy (and supporting standards) that addresses social media use? Do the policies address all aspects of social media use in the workplace both business and personal? Has effective trainings been delivered to all users? Do users (including employees) receive regular awareness communications regarding policies and risks? Source: ISACA, Social Media: Business Benefits and Security, Governance and Assurance Perspectives [Whitepaper].

28 Auditing social media - risk assessment The company should consider the following when identifying social media risks: Risks of using social media as a business tool to communicate with customers or constituents Risks of employee accessing to social media sites while on the corporate network Risks of using social media tools from their corporate issued mobile devices Risks of employee personal user of social media from home and personal computing devices Analyse Risk Impact: How will it adversely affect the organization? What functions would get impacted? How likely would it happen? Examples: People Loss of Productivity Data Unauthorized Disclosure Organization Reputational Loss Technology Virus/Worms

29 Auditing social media - social media policy Key Guidelines Business Use of Social Media Does the policy address intellectual property rights? Does the policy require monitoring of all content posted on social media sites? Does the policy give a careful consideration to review and accept the social media provider s terms of service? Does the policy specify whether only public information can be posted on social media websites? + Employees Personal Use of Social Media Does the policy specify what the employees can and cannot do on a social network? Such as sharing non-public or confidential information. Does the social media policy connect with other policies that might be affected by social media (including IT, Ethics, IP, Privacy, Antidiscrimination, harassment, etc)? Does the policy clarify consequences? Bottom Line Do NOT disclose confidential information Do NOT share information that may violate copyright laws Do show respect, honesty, and transparency during your social media activities

30 Auditing social media - risk awareness program Develop the training curriculum: Establish the training program committee: marketing, legal, IT, HR Take into consideration the organization needs and resources when designing the training program In house or e-learning? Mandatory or optional? Organization wide or particular department focused? Develop a curriculum tailored to the level of social media involvement of your company Update the curriculum regularly Establish a social media facilitator: Responsible for the organization s social media awareness program Conduct social media training with employees Develop and maintain awareness communications regarding social media policies and risks Provide consultation to employees with social media questions Consider the role of this facilitator in incident response processes

31 Auditing social media - risk awareness program (Cont d) ISACA recommends any strategy to address the risks of social media usage should first focus on user behavior through the development of policies and supporting training and awareness program that covers: Whether it is allowed Personal use in the The nondisclosure/posting of business-related content workplace The discussion of workplace-related topics Inappropriate sites, content or conversations Personal use outside the workplace Whether it is allowed The nondisclosure/posting of business-related content The discussion of workplace-related topics Inappropriate sites, content or conversations Business use Whether it is allowed The process to gain approval for use The scope of topics or information permitted to flow through this channel Disallowed activities (installation of applications, playing games, etc.) The escalation process for customer issues

32 Auditing social media - control implementation ISACA Business Model People Has effective trainings been delivered to all users? Do users (including employees) receive regular awareness communications regarding policies and risks? Process/Data Technology Have business processes that utilize social media been reviewed to determine that they are aligned with policies and standards of the enterprise? Are content control processes in place to determine that social communications intended to represent the company are approved before dissemination? Does IT have a strategy and the supporting capabilities to manage technical risks presented by social media? Do technical controls and processes adequately support social media policies and standards? Does the enterprise have an established process to address the risk of unauthorized/fraudulent use of its brand on social media sites? Source: ISACA, Social Media: Business Benefits and Security, Governance and Assurance Perspectives [Whitepaper].

33 Auditing social media controls people Risk Identity theft Loss of Productivity Social Engineering HR Policy Violations Control Objective: Employees, contractors and customers are aware of their responsibilities relating to social media. Activities: Establish user agreements for social media use Conduct awareness training to inform users of the risks involved using social media websites Use content-filtering technology such as DLP (Data Loss Prevention) Limit access to social media sites Responsible parties: HR, Information Security

34 Auditing social media controls process Risk Regulatory Compliance Risk (i.e. Copyright, trademark infringement, and privacy issues) Reputational Loss False Impression Control Objective: The enterprise brand is protected from negative publicity or regulation violation Activities: Establish policies to ensure legalsensitive communications are tracked and archived Conduct awareness training to inform users of the risks involved using social media websites Scan the internet for misuse of the enterprise brand Responsible parties: Legal, HR, Information Security

35 Auditing social media controls data Risk Improper Content Control Objective: Enterprise information is protected from unauthorized access or leakage through/by social media. Unauthorized Disclosure Intellectual Property leakage Activities: Establish user agreements for social media sites Develop policies on the use of enterprise-wide intellectual property Ensure there is a capability to log all the communications Responsible parties: Legal, HR, Information Security * Please bear in mind that these risk control mapping are being presented to help illustrate the approach in evaluating your business involvement in social media practice. It is not designed to include a comprehensive listing of risks and control activities.

36 Auditing social media controls technology Risk Virus/Worms via the social media sites Control Objective: IT infrastructure supports risks introduced by social media. Constraining network bandwidth Activities: Install anti-virus applications on all systems including mobile devices Use content-filtering technology such as DLP Limit access to social media sites during business hours Data theft from mobile devices Responsible parties: Information Security

37 Additional considerations Cyber Threat Profile Analysis Perform a study on what organization specific foot printing information is available on the Internet, and how it might be used to produce an exploit that targets the organization s IT or Industrial Systems. Suspicious Program Diagnostics Use available industry hash data sets and cyber intelligence to match against a generated inventory of system files endeavoring to identify hidden exploits. Perform digital forensic analysis on suspect computers including examining system memory. Social Media Impact Survey A policy assessment is performed to assess how social media is being used within the organization. Intranet Cyber Compromise Diagnostic Security event logs and infrastructure logs are analyzed to look for evidence of internal machines that may have been compromised and are attempting to communicate with miscreant controlled devices on the Internet. Anti-Phishing Capability Diagnostic Assess organizations anti-phishing program in order to help identify gaps and improvement opportunities. It includes looking at recent phishing incidents, intelligence services, and the organization s incident handling procedures.

38 Questions? Footer

39 Reference and Additional Resource Web 2.0 reinvents corporate networking. Gopal, Raj et al. Deloitte Consulting LLP Market Intelligence and Content Curating. Eric Openshaw, Deloitte & Touche LLP Social Media Audit/Assurance Program ISACA Social Media: Business Benefits and Security, Governance and Assurance Perspective ISACA 2012 Identity Fraud Report: Social Media and Mobile Forming the New Fraud Frontier Javelin Strategy & Research Auditing Social Media: A Governance and Risk Guide by Peter R. Scott and J. Mike Jacka Security, Mobility, and Social Media: Minimizing Risk in the Era of Sharing by Partha Mukherjee, Lawrence J. Bolick and Brian Cain Securing the Clicks: Network Security in the Age of Social Media by Gary Bahadur, Jason Inasi, and Alex de Carvalho Sophos Security Threat Report 2011 by Graham Cluley Cisco 2010 Annual Security Report KOOBFACE Inside a Crimeware Network by Nart Villeneuve of the Information War Monitor

40 Contact info Mike Wyatt Director Deloitte & Touche LLP Rumy Jaleel-Khan Senior Manager Deloitte & Touche LLP

41 This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation. Member of Deloitte Touche Tohmatsu Limited

42 Collaborate Contribute Connect The Knowledge Center is a collection of resources and online communities that connect ISACA members globally, across industries and by professional focus - under one umbrella. Add or reply to a discussion, post a document or link, connect with other ISACA members, or create a wiki by participating in a community today!