Security Awareness for Social Media in Business. Scott Wright

Transcription

1 Security Awareness for Social Media in Business Scott Wright Security Perspectives Inc COUNTERMEASURE /29/2012 Copyright Security Perspectives Inc. 1

2 10/29/2012 Copyright Security Perspectives Inc. 2

3 What happened? 10/29/2012 Copyright Security Perspectives Inc. 3

4 Here s what really happened in 2009 to a US financial institution The Facebook Springboard Attack 10/29/2012 Copyright Security Perspectives Inc. 4

5 What do our IT Security experts think? 1. How many of you believe this kind of targeted attack is becoming more common? 2. How many of you believe it could have and should have been prevented, probably with technical safeguards? 10/29/2012 Copyright Security Perspectives Inc. 5

6 Why do attackers like Social Media so much? 10/29/2012 Copyright Security Perspectives Inc. 6

7 Symantec s Assessment One reason is likely the vast adoption of social networks as a propagation vector. Today these sites attract millions of users and provide fertile ground for cyber criminals. The very nature of social networks make users feel that they are amongst friends and perhaps not at risk. Unfortunately, it s exactly the opposite and attackers are turning to these sites to target new victims. Also, due to social engineering techniques and the viral nature social networks, it s much easier for threats to spread from one person to the next. -Symantec Internet Security Threat Report /29/2012 Copyright Security Perspectives Inc. 7

8 What exactly do we mean by a targeted attack? Targeted attacks use customized malware and refined targeted social engineering to gain unauthorized access to sensitive information. This is the next evolution of social engineering, where victims are researched in advanced and specifically targeted. - Symantec Internet Security Threat Report /29/2012 Copyright Security Perspectives Inc. 8

9 If you can convince somebody who s authorized to do something they wouldn t normally do Yes, of course I ll help you with that Request from the CIO 10/29/2012 Copyright Security Perspectives Inc. 9

10 Getting back to our case study, what was at risk? 1. Customer information 2. Financial transactions 3. Company reputation 4. Loss of productivity 10/29/2012 Copyright Security Perspectives Inc. 10

11 How was it done? What were the failure points in the Facebook Springboard Attack? 1. Facebook credentials pwned by research, or bought 2. Compelling phishing message 3. Clicked on link 4. Infected laptop with keylogger 5. Single factor VPN authentication 6. Exploitable desktop 10/29/2012 Copyright Security Perspectives Inc. 11

12 What kinds of safeguards could have been used to stop it 1. Policies deterrents, not reliable 2. Technologies reliable, rigid 3. Users Σ (intelligent, forgetful, fickle, stupid, informed/uninformed, hung-over, etc ) 10/29/2012 Copyright Security Perspectives Inc. 12

13 Why didn t technology prevent this breach 1.Lack of, or poor policy definition? 2.Cost of safeguards? 3.Poor management of safeguards? 10/29/2012 Copyright Security Perspectives Inc. 13

14 What s the best we can hope for from our security technologies? 1. Assume you ve got a good idea of what needs protecting 2. Assume you ve got a good architecture 3. You have enough capital budget, right? maybe next year? 4. Don t forget the Operations and Maintenance budget! 5. Oh, you need personnel budget? That s a different pot of $$$ 6. And, you need specialized training budget? A few months more You are hiring right now, right? (OK, maybe it will be a while before your technology will be ready. In the meantime?...) 10/29/2012 Copyright Security Perspectives Inc. 14

15 Won t social media sites eventually mature and provide adequate security? Remember the business model for social media: It adds more value for the site if people share their information. Who is it adding value for? Social media customers = Advertisers who pay for exposure Social media product = Personal information of users 10/29/2012 Copyright Security Perspectives Inc. 15

16 What can we realistically achieve with security education and awareness? Cost of a malware incident =??? (some say $50k to $100k) Couldn t we prevent a few a year? 10/29/2012 Copyright Security Perspectives Inc. 16

17 Risks from social media that can be addressed with awareness 1. Fake identities and imposters >50% of new profiles fake Don t accept invitations from strangers! 2. Passwords (Re-used and weakly protected) Makes hackers job so much easier Clues to password or recovery questions (Sarah Palin case) Use different, strong passwords for different accounts 3. Oversharing See the Belgian psychic on Youtube Clues to password or recovery questions (Sarah Palin case) Don t post too anything you wouldn t want your mother or employer to see 10/29/2012 Copyright Security Perspectives Inc. 17

18 Risks from social media that can be addressed with awareness 4. Privacy controls Oops they changed again Oops we slipped up! Adjust your privacy controls, in case they work 5. Deception URL shorteners Scams Just be cautious before you click! Clues /29/2012 Copyright Security Perspectives Inc. 18

19 Risks from social media that can be addressed with awareness 6. Mobile Always logged in >80% of phones lost in Honey Stick Project were snooped Geolocation New features like find my friend (nearby) Use a password and protect it! 10/29/2012 Copyright Security Perspectives Inc. 19

20 Business Practices at Risk 1. Policies Internet Posting, acceptable use (confidentiality and malware risks) Eg. Centers for Disease Control 10/29/2012 Copyright Security Perspectives Inc. 20

21 Business Practices at Risk 1. HR Screening doing it right Stupidity is not protected information But be careful of discrimination risks Censored 10/29/2012 Copyright Security Perspectives Inc. 21

22 Business Practices at Risk 1. Marketing verging on fraud Inflated advertising prices based on followers Click-fraud 10/29/2012 Copyright Security Perspectives Inc. 22

23 But how do we get people to remember all the risks? We should tell stories (eg. The Facebook Springboard) 10/29/2012 Copyright Security Perspectives Inc. 23

24 Make Your Messages Memorable BOOK RECOMMENDATION: Made to Stick by Chip and Dan Heath 1.Simple 2.Unexpected 3.Concrete 4.Credible 5.Emotional 6.Stories Example: 10/29/2012 Copyright Security Perspectives Inc. 24

25 With all these risks, what approach should we be taking to awareness for social media? 1. Hit the low hanging fruit with general awareness training on policies and best practices 2. Make sure everyone knows where to get trusted guidance 3. Follow up with situational awareness or risk-based training 4. Provide ongoing reinforcement with additional communications 5. Use social media internally for collaboration 10/29/2012 Copyright Security Perspectives Inc. 25

26 How well do you remember? (FTW) 1. Who remembers what the Facebook Springboard Attack is? 2. What term did I use to describe showing off on social media by posting everything you do? 3. What term did I use to describe the technique used by hackers to trick users into giving information or doing something they wouldn t otherwise have done? 10/29/2012 Copyright Security Perspectives Inc. 26

27 How is awareness for social media different in business from personal? Personal risks are small but they can be stepping stones Business risks are much larger they are often the end target 10/29/2012 Copyright Security Perspectives Inc. 27

28 What are 3 main ways we can secure businesses from social media risks? We need a balance of safeguards: 1.Policies 2.Technology 3.Good human risk decisions 10/29/2012 Copyright Security Perspectives Inc. 28

29 What will you do next time you are: 1.Choosing and using passwords? 2.Posting to Facebook, Twitter or other social media about work topics? 3.Carrying portable devices with access to sensitive information? 4.Using a corporate laptop to view Facebook or log in to a corporate network? 10/29/2012 Copyright Security Perspectives Inc. 29

30 Conclusions There is a need for awareness and education; Social Media just makes it more important to understand the basic risks; You might be a springboard to disaster! 10/29/2012 Copyright Security Perspectives Inc. 30

31 Questions? Contact: Scott Wright /29/2012 Copyright Security Perspectives Inc. 31