Bridging the Social Media Implementation/Audit Gap
Post on 16-May-2015
Bridging the Social Media Implementation/Audit Gap
Jerod Brennen, CISSP, CTO and Principal Security Consultant, Jacadis
Agenda
• Perspective
• Preparation
• Implementation
• Monitoring
• Resources
The Five W’s
• Who?
• What?
• When?
• Where?
• Why?
• How?
[Image courtesy of Master Isolated Images / FreeDigitalPhotos.net]
Strategy (Who + Why + When)
• Risk vs. Reward
▫ Customer interaction
▫ Revenue streams
▫ Malware attack vectors
▫ Legal and HR concerns
• While revenue may be on the rise…
▫ … so are social engineering attacks
Image from http://www.isaca.org/About-ISACA/Press-room/News-Releases/2010/PublishingImages/Social-Media-Business-Risks.JPG
Risk vs. Reward
From WAPSM-Social-Media-Research-1Feb2011.doc, pages 11-12
Risks
• Disclosure of corporate assets and sensitive (privileged) information accessible to unauthorized parties
• Violations of legal and regulatory requirements
• Loss of competitive advantage
• Loss of customer confidence
• Loss of reputation
• Dissemination of false or fraudulent information
• Inappropriate or unapproved use of company intellectual property such as logos or trademarked material
Rewards
• Increasing brand recognition
• Increasing sales
• Immediately connecting with prospective customers
• Exploring new advertising channels
• Monitoring competition
• Researching prospective employees
Regulatory Concerns
• FINRA (Financial Industry Regulatory Authority)
▫ Regulatory Notice 10-06
▫ Regulatory Notice 11-39
• Advertisements
▫ Public websites & banner ads
• Sales Literature
▫ Email or IM to 25+ prospective retail customers
▫ Password-protected websites
• Correspondence
▫ Email or IM to 1 customer
▫ Email or IM to 1+ existing customers and/or <25 prospective retail customers
• Public Appearances
▫ “Content posted in a real-time interactive electronic forum”
From http://www.finra.org/industry/issues/advertising/p006118
Scope (What + Where)
Scope, per ISACA
• Current social media tools include:
▫ Blogs (e.g., WordPress, Drupal™, TypePad®)
▫ Microblogs (e.g., Twitter, Tumblr)
▫ Instant messaging (e.g., AOL Instant Messenger [AIM™], Microsoft® Windows Live Messenger)
▫ Online communication systems (e.g., Skype™)
▫ Image and video sharing sites (e.g., Flickr®, YouTube)
▫ Social networking sites (e.g., Facebook, MySpace)
▫ Professional networking sites (e.g., LinkedIn, Plaxo)
▫ Online communities that may be sponsored by the company itself (Similac.com, “Open” by American Express)
▫ Online collaboration sites (e.g., Huddle)
From WAPSM-Social-Media-Research-1Feb2011.doc, page 11
Implementation (How)
• Begin at the beginning
▫ Meet with Marketing, HR, Legal, and IT to discuss risks and benefits
• Define policy
▫ More on this later…
• Document training requirements
▫ Employees
▫ Consultants & Contractors
▫ Vendors & Partners
• Document procedures and controls
▫ Access Requests
▫ Monitoring
▫ Assessing
Audit/Assurance Program (1 of 3)
• Available at http://www.isaca.org/Knowledge-Center/ITAF-IT-Assurance-Audit-/Audit-Programs/Documents/WAPSM-Social-Media-Research-1Feb2011.doc
• Aligned with COBIT (cross-references)
• Planning and Scoping the Audit
▫ Define the audit/assurance objectives
▫ Define the boundaries of the review
▫ Identify and document risk
▫ Define the change process
▫ Define assignment success
▫ Define the audit/assurance resources required
▫ Define deliverables
▫ Communicate
Audit/Assurance Program (2 of 3)
• Strategy and Governance
▫ Risk Management
▫ Policies
• People
▫ HR Function
▫ Training/Awareness
▫ Staffing
Audit/Assurance Program (3 of 3)
• Processes
▫ Social Media Alignment With Business Processes
▫ Social Media Brand Protection
▫ Access Management of Social Media Data
• Technology
▫ Social Media Technology Infrastructure
▫ Monitoring Social Media and Effect on Technology
Policy and Training
• Personal use in the workplace:
▫ Whether it is allowed
▫ The nondisclosure/posting of business-related content
▫ The discussion of workplace-related topics
▫ Inappropriate sites, content or conversations
• Personal use outside the workplace:
▫ The nondisclosure/posting of business-related content
▫ Standard disclaimers if identifying the employer
▫ The dangers of posting too much personal information
• Business use:
▫ Whether it is allowed
▫ The process to gain approval for use
▫ The scope of topics or information permitted to flow through this channel
▫ Disallowed activities (installation of applications, playing games, etc.)
▫ The escalation process for customer issues
From http://www.isaca.org/Knowledge-Center/Research/Documents/Social-Media-Wh-Paper-26-May10-Research.pdf?id=c1f7b9d8-516d-40c1-8087-e3b0e6cd138c
Recurring Assessments
• Risk Assessment
▫ SOX, PCI, HIPAA, etc.
▫ Did your previous assessment(s) include social media?
• Penetration Test
▫ Is social engineering in-scope?
Preventative Controls
• Antivirus > Endpoint Security
▫ Prevent devices from being infected with malware
▫ Also, host-based firewall and URL filtering
• URL Filtering
▫ Prohibit access to certain websites from corporate devices
• Training
▫ How to use social media responsibly
▫ How to identify and respond to social engineering attacks
• Data Loss/Leakage Prevention
▫ Prevent sensitive corporate information from being transmitted via email, instant messaging, file uploads, etc.
Detective Controls
• Content Filtering
▫ Configure email and web security solutions to monitor for patterns in outbound messages
• Google Hacking
▫ Using powerful customized Google search queries to gather information
• Monitoring Tools (e.g., Maltego)
▫ Open source intelligence and forensics tool
• Monitoring Services (e.g., RiskIQ)
▫ Monitor web-based content for threats and fraud
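The Data Loss/Leakage Prevention bullet under Preventative Controls and the Content Filtering bullet above describe the same mechanism from two sides: a gateway inspects each outbound message for patterns that indicate sensitive content and holds the message for review when one is found. The Python script below is an added illustration of that pattern filter; it is not code from the presentation, from Jacadis, or from any DLP product. The rule set, the `.corp.example` internal hostname suffix, the classification markers and the five sample messages are all constructed for the example; a real deployment would derive its rules from the organisation's data classification policy. The card-number rule applies a Luhn check so that arbitrary digit runs such as order numbers do not produce false positives.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One rule hit inside an outbound message."""
    rule: str
    match: str
    position: int

# Constructed rule set (hypothetical). Each rule is a name and a compiled pattern.
RULES = {
    # Classification markers that should never leave the organisation.
    "classification_marker": re.compile(
        r"\b(CONFIDENTIAL|INTERNAL ONLY|DO NOT DISTRIBUTE)\b", re.IGNORECASE),
    # Hostnames under an assumed internal DNS suffix (.corp.example).
    "internal_hostname": re.compile(r"\b[a-z0-9-]+\.corp\.example\b", re.IGNORECASE),
    # 13-19 digits with optional space/dash separators: a *candidate* card number,
    # confirmed only after the Luhn check in scan_message().
    "candidate_card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

def luhn_valid(digits: str) -> bool:
    """Return True when a digit string passes the Luhn checksum used by payment cards."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_message(text: str) -> list[Finding]:
    """Run every rule over one message body and return the confirmed findings."""
    findings = []
    for name, pattern in RULES.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if name == "candidate_card_number":
                digits = re.sub(r"\D", "", value)
                if not luhn_valid(digits):
                    continue    # order numbers, tracking ids, etc. are not flagged
            findings.append(Finding(name, value.strip(), m.start()))
    return findings

def triage(messages: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Split a batch of (message_id, body) pairs into held and allowed message ids."""
    result = {"held": [], "allowed": []}
    for msg_id, body in messages:
        result["held" if scan_message(body) else "allowed"].append(msg_id)
    return result

# Constructed sample messages, in the order a mail gateway might see them.
MESSAGES = [
    ("m1", "Hi all, the Q3 launch deck is attached. INTERNAL ONLY, please do not forward."),
    ("m2", "Thanks for your order 1234567890123, it ships Monday."),
    ("m3", "Use card 4111 1111 1111 1111 for the booking, exp 12/29."),
    ("m4", "Build is green on jenkins01.corp.example, merging now."),
    ("m5", "Happy to connect, see you at the conference!"),
]

if __name__ == "__main__":
    for msg_id, body in MESSAGES:
        for f in scan_message(body):
            print(f"{msg_id}: rule={f.rule} match={f.match!r} at offset {f.position}")
    print(triage(MESSAGES))
```

Run as a script, the filter holds m1 (classification marker), m3 (Luhn-valid card number) and m4 (internal hostname) and allows m2 and m5; the 13-digit order number in m2 fails the Luhn check and is not reported. In an audit, the questions to ask of a real gateway are the same ones this toy makes visible: which rules exist, what the false-positive controls are, and whether held messages are actually reviewed.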
Resources
• ISACA documents
▫ Social Media Audit/Assurance Program http://www.isaca.org/Knowledge-Center/ITAF-IT-Assurance-Audit-/Audit-Programs/Documents/WAPSM-Social-Media-Research-1Feb2011.doc
▫ Social Media: Business Benefits and Security, Governance, and Assurance Perspectives http://www.isaca.org/Knowledge-Center/Research/Documents/Social-Media-Wh-Paper-26-May10-Research.pdf
• Related Documents
▫ CDC – Social Media Security Mitigations http://www.cdc.gov/socialmedia/tools/guidelines/pdf/securitymitigations.pdf
▫ Ponemon – Global Survey on Social Media Risks http://www.websense.com/content/ponemon-institute-research-report-2011.aspx
▫ Social Media Standard, State of California http://www.cio.ca.gov/Government/IT_Policy/pdf/SIMM_66B.pdf
▫ Wikipedia – List of Active Social Networking Sites http://en.wikipedia.org/wiki/List_of_social_networking_websites
Resources
• FINRA
▫ Regulatory Notice 10-06 http://www.finra.org/Industry/Regulation/Notices/2010/P120760
▫ Regulatory Notice 11-39 http://www.finra.org/Industry/Regulation/Notices/2011/P124187
▫ Advertising Information http://www.finra.org/Industry/Issues/Advertising/index.htm
• Securing Social Media Profiles
▫ Facebook http://slandail.posterous.com/four-steps-to-secure-your-facebook-profile
▫ Twitter http://www.mediabistro.com/alltwitter/twitter-security-101_b11985
▫ LinkedIn http://www.cio.com/article/485489/LinkedIn_Privacy_Settings_What_You_Need_to_Know
Resources
• Securing Corporate Blogs
▫ Hardening WordPress http://codex.wordpress.org/Hardening_WordPress
▫ 11 Best Ways to Improve WordPress Security http://www.problogdesign.com/wordpress/11-best-ways-to-improve-wordpress-security/
• Tools and Services
▫ Google Hacking Database (GHDB) http://www.hackersforcharity.org/ghdb/
▫ Maltego http://www.paterva.com/web5/
▫ Risk IQ http://www.riskiq.com/
▫ Jacadis http://www.jacadis.com/
Questions? Jerod Brennen, CISSP
contact@jacadis.com
614.819.0151
http://www.linkedin.com/in/slandail
http://twitter.com/#!/slandail