How Cyber Criminals make use of Social Media
© 2012 Deloitte Development LLC. All Rights Reserved.

Contents
• Overview of Social Media
• Drivers and Benefits of Social Media
• Social Media Risks
• A Governance, Risk, and Compliance (GRC) Roadmap to address Social Media Risk

GRC roadmap (figure): Governance, Risk Assessment, Policy, Awareness Communication, Controls
Overview of Social Media

Evolution of social networking and media

Web 1.0: Inspired by the Industrial Age
• Hierarchical (hierarchy controls and regulates)
• Linear interaction – simple minded
• Organizations innovate
• Organizational segments

Web 2.0: Information Age
• Democratic (community controls and regulates)
• Network relationship – complex
• Customers provide the innovation
• Customers provide the segmentation

Web 3.0: The Age of “Expertise”
• In recent years, end users have taken control of the Internet, transforming its use from a monologue to a dialogue.
• Collaborative problem solving and innovation are leading to higher productivity.
• Users’ expectations of performance are driven by technology.
• SoCoMo – Social, Cloud, Mobile & BYOD (Bring Your Own Device)

“The differences between traditional and social media are defined by the level of interaction and interactivity available to the consumer.” – An ISACA Emerging Technology White Paper
Social media revolution
Social media….it’s everywhere!
Source: YouTube, Socialnomics 3 [Video]. http://www.youtube.com/watch?v=fpMZbT1tx2o
Social media
Did you know?
• Of the Fortune Global 100, 65% have active Twitter accounts, 54% have Facebook fan pages, 50% have YouTube video channels and 33% have corporate blogs. – 2010 Burson-Marsteller study
• 75% of Internet users worldwide visit social networks or blogs; 22% of the time spent on Internet usage is spent on social media activities. – Nielsen Corporation, April 2010
• Facebook has more than 845 million users, making it equivalent in population to the world’s third largest country. – Facebook.com, WorldAtlas.com, July 2011
• More than 250 million users access Facebook through mobile devices and are twice as active as non-mobile users. – Facebook.com
Social media landscape
“Social media technology involves the creation and dissemination of content through social networks using the Internet.” – An ISACA Emerging Technology White Paper
Social media landscape (figure): Social Media at the centre, surrounded by Entertainment, Review & opinion, Virtual community, Collaboration, Multimedia and Conversation.
¹ “The State of the U.S. Mobile Advertising Industry and What Lies Ahead”, comScore, June 2011
Social media platforms
Social media are highly accessible, scalable methods of online communication and social interaction, which allow the creation and exchange of user-generated content.
There are 7 main types of social media platforms:
• Presence and Microblogging
• RSS (Rich Site Summary)
• Wikis
• Online Photo and Video Sharing
• Blogs
• Social Networking
• Social Bookmarking and News

Drivers and Benefits of Social Media
Business drivers for social media
The adoption of social media as a business tool is rapidly increasing and can bring tremendous value:
1. Increase productivity and operational efficiencies through collaboration and communication
2. Foster creativity, innovation, and collaboration
3. Enhance customer and stakeholder relationships
Human resources example – D Street
• D Street is Deloitte’s internal talent networking tool
• Over 47,000 active profiles with about 120,000 views per month
As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see
www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Certain services may not be available to attest clients under the rules and regulations of public accounting.
Social Media Risks

Discussion Point
• Does your organization have an official policy for social media use?
• What is the average total productivity decrease for companies allowing employees to access social networking sites at work? 1% / 1.5% / 12% / 52%
Social media incidents and risks
• Employees at a Medical Center in California posted patient information on a social network. Five nurses were subsequently fired.
• An employee used a social network to post insulting comments about the city shortly before presenting to the worldwide communications group.
• A customer of a big airline carrier shared a video of a detailed complaint online, which caused a $180 million (10%) market cap impact.
• A major news corporation’s social networking account was compromised. The hackers posted a false message that an airliner had crashed at Ground Zero.
Associated risks:
• Privacy Risk
• Regulatory Compliance Risk
• Loss of control over content
• Brand/reputation Loss
• Negative Publicity
• Identity theft
• Impersonation
Social media – high-level threat landscape
The advent of social media into the corporate environment brings multiple risks to the Data, Technology, People, and Organization.
Threat landscape (figure; risks spread across the Data, Technology, People and Organization quadrants): Unsatisfied Constituents; Copyright Issue; Lack of Situational Awareness; Identity Theft; Vulnerabilities; Unauthorized Disclosure; Intellectual Property leakage; Virus/Worms/Trojans; Impact network availability (DoS); Social Engineering/Impersonation; Loss of Productivity; Privacy Risk; HR Policy Violations; Negative Publicity; Loss of Control Over Content; Trademark Infringement; Brand/Reputation Loss; Public False Impression/Misguidance.
Social media attack illustration – pretexting
1. Pretexting target selection: the hacker looks for information provided on unsecured social media profiles and collects key details (DOB, hometown, employer, picture of a new baby or car).
2. Gain a toehold: the hacker sees the user has repeatedly mentioned bad experiences with the ATM of Bank Q on a social network. Using the information gathered, the hacker can exploit multiple channels to execute a password reset of the user’s account at Bank Q.
3. Deep discovery: access to the account provides further information, including home and mailing address, that can be used to redirect mail or examine transaction history, giving even more exploitable clues.
4. Exploit leverage: the more someone knows about a person, the easier it is to impersonate them, both electronically and in person, to unwitting staff (helpdesk, physical security personnel, etc.).
Detour: Brand and Crisis Management
Where content ends up (figure, stages listed as shown): Real-time Social Media Conversations; Blogs, News Articles, Videos; Search Engines; Caching, Permanent Archives
Social Media Strategies

Discussion Point
• What percentage of American employees watch online videos in the workplace? 2% / 19% / 51% / 64%
• Do you think your organization is currently prepared to handle social media risks?
• What areas are currently well covered? What areas are not?
• What tools do you have in place to help?
Current Observations - social media controls
The control of social media in the corporate environment lacks consistent practice. Based on our observations, organizations’ control approach generally falls into the following categories:
• No Policy
• Limited Access
• Block*
• Controlled Access
* It should be noted that blocking and limiting users’ access to social media sites only works within the corporate network environment. There is no effective way of restricting users’ access when they use public Wi-Fi, hotel networks, home networks, cellular networks, etc.
Fact check - Deloitte LLP’s Ethics and Workplace Survey
• 74% of working Americans believe it is easy to damage a brand’s reputation via social networking sites, though relatively few organizations are actively creating strategies and policies;
• 1/3 stated they never consider what their boss, colleagues, or clients think before posting materials online;
• 53% of employees believe that their social networking activity is none of the employers’ business;
vs.
• 60% of executives state the organization has a “right to know” how employees portray themselves and their organizations online, with 30% acknowledging informal monitoring practices;
• 49% indicate that, even if there were a policy in place, it would not affect their behavior.
Source: http://www.deloitte.com/view/en_US/us/About/Ethics-Independence/
Auditing social media – from a GRC perspective

Strategy and Governance
An implementation includes:
• Strategic Plan
• Risk Identification and Analysis
• Align the control activities to the overall strategy
• Policy
• Education
• Monitoring
• Establish Responsibility and Ownership

• Evaluation of the entity’s involvement in social media
• Alignment of strategy and the business objectives
• Identification of the target audience and how each uses social media
• Mapping of risks to the social media practice
• Prioritization of organizational resources to address the risks
• Establishing accountability and ownership of the controls
• Supervision of the release of content to social sites
• Implementation of process and technology controls
Auditing social media - strategy and governance
• Has a risk assessment been conducted to map the risks to the enterprise presented by the use of social media?
• Is there an established policy (and supporting standards) that addresses social media use?
• Do the policies address all aspects of social media use in the workplace—both business and personal?
• Has effective training been delivered to all users?
• Do users (including employees) receive regular awareness communications regarding policies and risks?
Source: ISACA, Social Media: Business Benefits and Security, Governance and Assurance Perspectives [Whitepaper].
Auditing social media - risk assessment
The agency should consider the following when identifying social media risks:
• Risks of using social media as a business tool to communicate with customers or constituents
• Risks of employees accessing social media sites while on the corporate network
• Risks of using social media tools from corporate-issued mobile devices
• Risks of employees’ personal use of social media from home and personal computing devices

Analyse the risk impact:
• How will it adversely affect the organization?
• What functions would get impacted?
• How likely would it happen?
Examples:
• People | Loss of Productivity
• Data | Unauthorized Disclosure
• Organization | Reputational Loss
• Technology | Virus/Worms
Auditing social media - social media policy
Key Guidelines

Business Use of Social Media
• Does the policy address intellectual property rights?
• Does the policy require monitoring of all content posted on social media sites?
• Does the policy give careful consideration to reviewing and accepting the social media provider’s terms of service?
• Does the policy specify whether only public information can be posted on social media websites?

Employees’ Personal Use of Social Media
• Does the policy specify what employees can and cannot do on a social network, such as sharing non-public or confidential information?
• Does the social media policy connect with other policies that might be affected by social media (including IT, Ethics, IP, Privacy, Anti-discrimination, harassment, etc.)?
• Does the policy clarify consequences?

Bottom Line
• Do NOT disclose confidential information
• Do NOT share information that may violate copyright laws
• Do show respect, honesty, and transparency during your social media activities
Auditing social media - risk awareness program
Develop the training curriculum:
• Establish the training program committee: marketing, legal, IT, HR
• Take into consideration the organization’s needs and resources when designing the training program
  In house or e-learning?
  Mandatory or optional?
  Organization wide or particular department focused?
• Develop a curriculum tailored to the level of social media involvement of your company
• Update the curriculum regularly
Establish a social media facilitator:
• Responsible for the organization’s social media awareness program
• Conduct social media training with employees
• Develop and maintain awareness communications regarding social media policies and risks
• Provide consultation to employees with social media questions
• Consider the role of this facilitator in incident response processes
Auditing social media - risk awareness program (Cont’d)
ISACA recommends that any strategy to address the risks of social media usage should first focus on user behavior, through the development of policies and a supporting training and awareness program that covers:

Personal use in the workplace
• Whether it is allowed
• The nondisclosure/posting of business-related content
• The discussion of workplace-related topics
• Inappropriate sites, content or conversations

Personal use outside the workplace
• Whether it is allowed
• The nondisclosure/posting of business-related content
• The discussion of workplace-related topics
• Inappropriate sites, content or conversations

Business use
• Whether it is allowed
• The process to gain approval for use
• The scope of topics or information permitted to flow through this channel
• Disallowed activities (installation of applications, playing games, etc.)
• The escalation process for customer issues
Auditing social media - control implementation
ISACA Business Model

People
• Has effective training been delivered to all users?
• Do users (including employees) receive regular awareness communications regarding policies and risks?

Process/Data
• Have business processes that utilize social media been reviewed to determine that they are aligned with policies and standards of the enterprise?
• Are content control processes in place to determine that social communications intended to represent the company are approved before dissemination?

Technology
• Does IT have a strategy and the supporting capabilities to manage technical risks presented by social media?
• Do technical controls and processes adequately support social media policies and standards?
• Does the enterprise have an established process to address the risk of unauthorized/fraudulent use of its brand on social media sites?
Source: ISACA, Social Media: Business Benefits and Security, Governance and Assurance Perspectives [Whitepaper].
Auditing social media – controls | people
Risk:
• Identity theft
• Loss of Productivity
• Social Engineering
• HR Policy Violations
Control:
Objective: Employees, contractors and customers are aware of their responsibilities relating to social media.
Activities:
• Establish user agreements for social media use
• Conduct awareness training to inform users of the risks involved in using social media websites
• Use content-filtering technology such as DLP (Data Loss Prevention)
• Limit access to social media sites
Responsible parties: HR, Information Security
Auditing social media – controls | process
Risk:
• Regulatory Compliance Risk (i.e. copyright, trademark infringement, and privacy issues)
• Reputational Loss
• False Impression
Control:
Objective: The enterprise brand is protected from negative publicity or regulation violation.
Activities:
• Establish policies to ensure legally sensitive communications are tracked and archived
• Conduct awareness training to inform users of the risks involved in using social media websites
• Scan the Internet for misuse of the enterprise brand
Responsible parties: Legal, HR, Information Security
Auditing social media – controls | data
Risk:
• Improper Content
• Unauthorized Disclosure
• Intellectual Property leakage
Control:
Objective: Enterprise information is protected from unauthorized access or leakage through/by social media.
Activities:
• Establish user agreements for social media sites
• Develop policies on the use of enterprise-wide intellectual property
• Ensure there is a capability to log all the communications
Responsible parties: Legal, HR, Information Security
* Please bear in mind that these risk-control mappings are presented to help illustrate the approach to evaluating your business involvement in social media practice. They are not designed to be a comprehensive listing of risks and control activities.
Auditing social media – controls | technology
Risk:
• Virus/Worms via the social media sites
• Constraining network bandwidth
• Data theft from mobile devices
Control:
Objective: The IT infrastructure is equipped to address the risks introduced by social media.
Activities:
• Install anti-virus applications on all systems including mobile devices
• Use content-filtering technology such as DLP
• Limit access to social media sites during business hours
Responsible parties: Information Security
Additional considerations

Cyber Threat Profile Analysis
• Perform a study on what organization-specific footprinting information is available on the Internet, and how it might be used to produce an exploit that targets the organization’s IT or Industrial Systems.

Suspicious Program Diagnostics
• Use available industry hash data sets and cyber intelligence to match against a generated inventory of system files, endeavoring to identify hidden exploits. Perform digital forensic analysis on suspect computers, including examining system memory.

Social Media Impact Survey
• A policy assessment is performed to assess how social media is being used within the organization.

Intranet Cyber Compromise Diagnostic
• Security event logs and infrastructure logs are analyzed to look for evidence of internal machines that may have been compromised and are attempting to communicate with miscreant-controlled devices on the Internet.

Anti-Phishing Capability Diagnostic
• Assess the organization’s anti-phishing program in order to help identify gaps and improvement opportunities. This includes looking at recent phishing incidents, intelligence services, and the organization’s incident handling procedures.
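The Intranet Cyber Compromise Diagnostic described above, as an added Python example that is not part of the Deloitte deck: it parses constructed outbound firewall log lines, matches destinations against a constructed indicator list standing in for cyber intelligence, and flags internal hosts that beacon to one external peer at near-constant intervals. The log format, the indicator values and the 10% jitter threshold are assumptions.

```python
# Added example: an "intranet cyber compromise diagnostic" over outbound connection logs.
# Assumed (not from the deck): a simple "<ISO time> <src> <dst> <dport>" firewall log
# format and a constructed indicator list standing in for "cyber intelligence".
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample log lines (a 10-minute beacon, one known-bad contact, benign noise).
SAMPLE_LOG = """\
2012-03-01T09:00:02 10.1.4.22 198.51.100.7 443
2012-03-01T09:10:01 10.1.4.22 198.51.100.7 443
2012-03-01T09:20:03 10.1.4.22 198.51.100.7 443
2012-03-01T09:30:02 10.1.4.22 198.51.100.7 443
2012-03-01T09:03:10 10.1.4.22 93.184.216.34 80
2012-03-01T09:04:45 10.1.5.9 203.0.113.55 8080
2012-03-01T09:07:12 10.1.5.9 93.184.216.34 443
2012-03-01T10:15:00 10.1.7.3 93.184.216.34 443
2012-03-01T11:42:00 10.1.7.3 93.184.216.34 443
"""
# Constructed "miscreant-controlled" indicator set: placeholder documentation addresses, not real IoCs.
KNOWN_BAD = {"203.0.113.55"}
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue  # unparsable timestamp or port


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)


def find_suspect_hosts(text, known_bad=KNOWN_BAD, min_hits=4, max_jitter=0.1):
    """Return {internal_host: [reasons]} for hosts that contacted a known-bad peer
    or beacon to one external peer at near-constant intervals (coefficient of
    variation of the inter-connection gaps below max_jitter, over >= min_hits)."""
    by_pair = defaultdict(list)
    reasons = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> Internet traffic is of interest here
        if dst in known_bad:
            reasons[src].append(f"contacted known-bad {dst}:{port}")
        by_pair[(src, dst)].append(ts)
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < max_jitter:
            reasons[src].append(f"periodic beacon to {dst} every ~{mean(gaps):.0f}s")
    return dict(reasons)
```

In practice the indicator set comes from a threat intelligence feed and the log parser from the firewall or proxy in use; the beaconing heuristic is what catches a compromised host whose controller is not yet on any list.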
Questions?
Reference and Additional Resources
• “Web 2.0 reinvents corporate networking.” Gopal, Raj et al., Deloitte Consulting LLP
• “Market Intelligence and Content Curating.” Eric Openshaw, Deloitte & Touche LLP
• “Social Media Audit/Assurance Program.” ISACA
• “Social Media: Business Benefits and Security, Governance and Assurance Perspective.” ISACA
• “2012 Identity Fraud Report: Social Media and Mobile Forming the New Fraud Frontier.” Javelin Strategy & Research
• “Auditing Social Media: A Governance and Risk Guide” by Peter R. Scott and J. Mike Jacka
• “Security, Mobility, and Social Media: Minimizing Risk in the Era of Sharing” by Partha Mukherjee, Lawrence J. Bolick and Brian Cain
• “Securing the Clicks: Network Security in the Age of Social Media” by Gary Bahadur, Jason Inasi, and Alex de Carvalho
• “Sophos Security Threat Report – 2011” by Graham Cluley
• Cisco 2010 Annual Security Report
• “KOOBFACE – Inside a Crimeware Network” by Nart Villeneuve of the Information War Monitor
Contact info
Mike Wyatt
Director
Deloitte & Touche LLP
+1 512 771 8062
[email protected]
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial,
investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor
should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may
affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
Member of Deloitte Touche Tohmatsu Limited